Our Privacy Nightmare and What Can Be Done About It


The Internet of Things (IoT) is not just a security problem. It's also a privacy nightmare. Few people in Washington know more about the issue than Marc Rotenberg, a Georgetown Law Professor who serves as president and executive director of the Electronic Privacy Information Center (EPIC). In 1994, he founded the Washington, D.C.-based organization to fight to protect individual privacy and civil liberties on the burgeoning computer network. At the time, banks and other large commercial interests were just beginning to establish an online presence. Today there's a lot more to worry about.

Newsweek spoke with Rotenberg about what the emerging world of networked devices means for our privacy—and what protections, if any, exist to protect it. Edited excerpts:

Big Tech already collects a lot of data on their customers. What's to stop IoT manufacturers from collecting even more?
In the absence of a privacy law, like the GDPR in Europe, American consumers who have purchased devices, door locks and thermostats are basically allowing these companies to collect and use their personal data.

Should we be concerned?
It's been very interesting to watch the public response to recent news about Amazon's Ring, the Internet-connected doorbell. We've learned recently that Amazon has actually entered into arrangements with 400 police departments across the country that give police access to the video feed from the Internet-connected device on the front of the home. Most people who bought that product didn't know that that was a possibility and had no idea that was going on. When you have a video camera on the front of someone's home sending a feed to the police, who is most likely to appear in the feed? It's not some bad guy, it's actually going to be the residents. It's not just the privacy risk, it's also the risk of surveillance by law enforcement.

Any other examples?
We've raised concerns about Google's Nest thermostat. There was actually an audio mic that could hear people, which created some Alexa-like functionality. Apparently they're now exploring adding facial recognition to the home thermostat. A device that most people understand in a pretty straightforward way, once connected to the Internet, creates some real risks. This isn't just something consumers need to worry about. The largest drone manufacturer in the world is DJI, a Chinese firm. The Department of Defense, after some testing, figured out that the manufacturer of the device could obtain remote access to the [drone's] imagery and audio. So the DOD suspended the purchase of so-called over-the-counter drones partly out of concern that the device was, itself, keeping information and transferring it to a third party.

What needs to be done?
Much of our work has been to try to get Congress and the agencies to focus on these risks, because they're going to increase rapidly. But it's not just about privacy, it's [also] about public safety. If you have door locks that are connected to the Internet, someone else [can] hack your front door and go into your home. If you had a comprehensive privacy law, then any company that was collecting personally identifiable data would be limited in how it could collect the data, and how it could use the data. We need federal legislation to limit the collection and use of personal data. We need to adopt robust security standards to ensure that Internet-connected devices can't be hacked by others. We need to minimize data collections. And we need to make meaningful decisions about the risks associated with Internet-connected devices, involving automobiles, drones, and door locks. Even thermostats.

What are the prospects for that kind of regulation?
The good news is that privacy, unlike a lot of other issues in Washington, is nonpartisan. So you do see Republicans and Democrats working together on legislation. There are about a dozen bills that have been introduced so far. But there hasn't been much movement. Part of the problem here is that we don't have strong advocacy for privacy within the Congress. And the Federal Trade Commission, which holds itself out as a privacy agency, really has not done enough to inform the Congress about the privacy risks from some of these devices.

Why isn't the market providing a solution, or a service, that shields people from this exposure? Seems like it would be a selling point.
It's very difficult for people to evaluate the privacy risks. The technology rapidly changes and most of the companies are actually making their money off the data, not off the product. The business model makes it unlikely that consumers will be able to make meaningful choices.

What has to happen for Congress or the Federal Trade Commission to step up and take care of this problem?
There has to be a willingness to recognize that market-based solutions are not working. That's typically the argument that's made against legislation—"let's find a market-based solution." But if consumers can't meaningfully evaluate the risks, then it's unlikely that they're going to provide incentives in the market that are going to produce better products.

What will it take to create the sense of urgency needed to enact protections?
It's going to require more people understanding the risk of Internet-connected devices. It may take a few well-publicized episodes. I also have said that, in the United States, in addition to privacy legislation, we need a new agency that's tasked with addressing these emerging challenges. In Europe, where you have data protection agencies, one of the issues that they are studying and proposing regulations for is precisely the Internet of Things.