Internet of Things Can Have Unintended Consequences
There is a lot of anticipation, investor excitement, and hype regarding the potential benefits of the Internet of Things (IoT), as often happens with transformational products at the start of their adoption cycle.
Forward-thinking organizations must consider user privacy implications throughout the entire product lifecycle, beyond just getting the initial devices out the door.
How will these devices be supported and maintained over time? Speed to market in the IoT realm can have unintended and expensive consequences.
Consideration should be given to devices with an extended operational lifespan or whose software undergoes several iterations of updates or releases. For instance, how often do people replace their refrigerators?
If the device is smart, the expectation is that the features and functionality will evolve over the product’s lifecycle.
This already occurs in televisions, where Samsung has provided ‘upgrades,’ including additional processors and memory, to enable the use of advanced smart features.
User Consent and Notices for IoT Product Lifecycles
Additionally, situations have already occurred where devices have been launched with some hardware or software features not supported by the release software but subsequently added via a patch.
From a privacy perspective, it is important that appropriate notice is provided to the user in the form of an updated privacy statement if the data collected from the device will change due to increased device capabilities.
User consent, such as an opt-in or acceptance feature, may also be required depending on the update.
Old-world technologies such as corporate telephone systems give clear notice that your conversation may be recorded.
Callers can act on that information by hanging up or by proceeding with the call, thereby giving implied consent to the possible recording of the conversation.
The main consideration when providing consumer notice is that it is conspicuous and given before the data is collected or used.
A good example in mobile is the geolocation notice: consumers see a pop-up that requests access to their location information, and they can act on it by denying such access.
When sensitive data that requires explicit consent is going to be captured, the process to capture and maintain that consent needs to be thought out as part of the product development process, especially when the device or the associated update mechanisms may not have any input or display capabilities.
One also has to consider the data in light of the EU GDPR and ensure that data deletion mechanisms are in place, as well as data portability if a user wants to terminate her relationship with your service and move her data to another service.
How Will IoT Products Maintain Security?
Another consideration must be how to maintain security over the entire lifecycle of a product.
While mature design practices should enable products to be sold in a secure manner, it is likely that security vulnerabilities will be identified in many early connected devices.
This may require a security patch to be rolled out, or even worse, force the product to be recalled at significant expense and brand impact.
Managing this update process, and giving the user of the device an opportunity to be notified about any changes, needs to be considered as part of a complete sunrise-to-sunset product strategy.
Approach these challenges by taking an end-to-end view of the product lifecycle as it moves between the research, development, manufacture and operational stages.
Work to understand the current functionality and ensure that you are set up for success throughout the lifecycle of the device, by applying good practices at every stage.
Although the Internet of Things is in its infancy, users and customers expect that their data will be appropriately managed and protected now.