Government Data Authorities do Privacy Sweep of IoT Devices

 

Consumers should be wary of privacy and security issues affecting Internet-connected products according to the Online Trust Alliance.
Consumers should be wary of privacy and security issues affecting Internet-connected products according to the Online Trust Alliance.

In-brief: Federal data protection authorities from 29 countries including the U.S. and Canada have turned their collective attention to The Internet of Things in an annual “privacy sweep” that is looking at connected devices including personal health products.

Federal data protection authorities from 29 countries including the U.S. and Canada have turned their collective attention to The Internet of Things in an annual “privacy sweep” that is looking at connected devices including personal health products.

The global effort, which is coordinated by the UK Information Commissioner’s Office, included both the U.S. Federal Trade Commission and the Canadian Office of the Privacy Commissioner and delved into the practices of Internet-connected  devices including fitness and health trackers, thermostats, smart meters and TVs and connected cars. Results from the coordinated work are expected by the end of the year.

In Canada, authorities at that country’s Office of the Privacy Commissioner looked at connected, personal healthy devices, according to Brent Homan, Canada’s Director General of private sector privacy investigations told The Security Ledger.

Investigators from Canada’s Office of the Privacy Commissioner did their investigation between April 11 and the 15th, looking at devices like connected scales, blood pressure cuffs and heart monitors, said Homan, who declined to name the specific devices the OPC studied until its research was complete.

“We looked at (the devices) from the perspective of the consumer – what they would expect,” said Homan. That includes communications that are part of the device packaging and other instructions, to information on companion web sites that IoT devices frequently communicate with. “We’re looking to assess the privacy communications that the device is conveying to consumers in terms of data collected and in terms of accountability – what is being done with that information,” Homan said in a phone interview.

This is the fourth annual sweep and is conducted under the auspices of the Global Privacy Enforcement Network, (GPEN), which was the product of a OECD call for greater cross-border cooperation on privacy issues. Past sweeps have focused on issues such as children’s privacy.

This year, data privacy authorities included those in France, which made a study of home-based IoT devices like connected cameras as well as health devices and fitness trackers. In Belgium, the sweep looked at privacy communications on the websites of smart metering systems.
The Italian DPA focused on companies’ transparency about the use of personal data and compliance with data protection rules.

In the U.S., the Federal Trade Commission also participated in the sweep, according to Guilherme Roschke, the FTC’s Counsel for International Consumer Protection. However, Roschke could not provide details of the agency’s participation.

GPEN said that the “explosion of Internet-connected everyday objects and privacy concerns surrounding our increasingly wired world” were what prompted the group to urge countries to focus on the Internet of Things during the 2016 global privacy Sweep.

Homan of the Canadian Office of the Privacy Commissioner said that the sweep was not an “investigation,” so much as an inquiry into whether “privacy is conveyed in a meaningful way to consumers.”

That might include purchasing and installing connected products. Where issues are identified, officials may contact manufacturers, retailers or third-party organizations to learn more. Their findings form the basis of a write-up and, in some cases, specific recommendations to companies where changes are warranted. “We give them the ability to make the privacy enhancements on their own,” Homan said.