Resolved: On balance, the benefits of the Internet of Things outweigh the harms of decreased personal privacy.
Con Position
My approach to the Con position will be to focus on the status quo. This is the world in which we live today. For us, a benefit is not a benefit until it is realized. Future benefits are mere claims and one never knows when some event or vulnerability will sink a trend. Older people (like some PF judges) have all seen many examples of "dot com" failures. Let us recognize that in the now world of cyber security, important transactions are fairly secure. For example, banks and many similar services uses elaborate and complex encryption schemes which guard against random hackers decoding messages and stealing personal information. When we see that little padlock symbol in our browser search bars, we can be sure our connection to some server on the Internet is using one of those secure methods. For the most part, only the most advanced hackers, usually those who are state-sponsored (i.e. working for a government agency) have the tools and computers needed to hack these communication streams and rarely would they concentrate on breaking the encrypted stream of Jane Doe who lives down the street. So what is the problem? I can isolate several major threats to personal security which are relevant to this topic. Usually, the weakest links on the Internet for hackers are the users themselves. Hackers and phishers can use rather simple exploits to "trick" individuals into giving up certain information or opening their computers in such a way, malicious entities can gain access to personal information. Just click a link in an enticing email from a friend's hacked email account and kiss your privacy goodbye. Usually these types of breaches are limited although they may ultimately be quite serious for the victim. A second, more insidious form of security breach are those perpetrated by the government itself. In the U.S. we are aware of certain government agencies which routinely collect massive amounts of data for the stated purpose of ensuring national security and often this data is disseminated to other government entities such as local police departments, and really, who knows who is looking at it? (search for "fusion center privacy abuse") Another, increasingly risky violation of personal information is being undertaken by corporate America. It can be subtle such as an email service provider scanning personal email messages in order to provide targeted advertising or it can be as overt as a company requiring employees to give up Facebook account information so they can read your Facebook, or requiring employees to use devices so their activities, or driving habits or health conditions can be monitored. Think it isn't happening? Welcome to the status quo.
Following my exploration of the "now" world, I will venture into the speculative world of the near future where we can claim disadvantages if the status quo is allowed to persist.
Terms of Service
Much of the subtle invasion of personal privacy is occurring in the fine-print. IoT service providers are happy to collect massive amounts of data in order to provide you with the social benefits you signed up for. For example, a user links their fitness tracker to an IoT service provider who provides useful life-style tracking information such as calories burned or the path and mileage taken on a long walk. Yet everyone of these service providers requires the acceptance of their terms of service and privacy policy and often by registering you are told that pushing this button is an implicit acceptance of those terms. But what is often buried in the fine-print of that agreement? Trust me, those agreements are not necessarily there to protect you. Its a question of what they are doing with your data.
Loewenthal (2014);
discussions about the data created are far more likely to focus on how to use the data rather than how to protect it. While devices and applications are generally designed and implemented with data protection in mind, that is unlikely to be enough. Developers and users must consider the broader implications for individual privacy as vast amounts of information -- about health, browsing history, purchasing habits, social and religious preferences, and finances, among other things -- accumulates. Internet of Things data, for now, is collected indiscriminately, and users have little inkling about how the data collected can be used for marketing, identification, and tracking. They typically ignore the privacy notices or terms of use, and the mechanisms for delivering the notices are often awkward, inconvenient, and unclear. The crucial question for the owner of the app or the device is whether data collection is limited to an identified purpose. The crucial question for users is whether they can determine when, how, and to what extent their information is communicated to others.
It should be clear, personal data collected is often not properly secured. More than 40 million Target accounts were stolen; over 500 million Yahoo accounts had passwords exposed. Sadly, there is no legal remedy for the end-user. Worse yet, even the most harmless of apps are legally acquiring access to many details of your so-called private lives and you may not be aware.
Doctorow (2016):
Of course, there were privacy implications to all this. As early breaches and tentative litigation spread around the world, lawyers for Google and for the major publishers (and for publishing tools, the blogging tools that eventually became the ubiquitous ‘‘Content Management Systems’’ that have become the default way to publish material online) adopted boilerplate legalese, those ‘‘privacy policies’’ and ‘‘terms of service’’ and ‘‘end user license agreements’’ that are referenced at the bottom of so many of the pages you see every day, as in, ‘‘By using this website, you agree to abide by its terms of service.’’
As more and more companies twigged to the power of ‘‘surveillance capitalism,’’ these agreements proliferated, as did the need for them, because before long, everything was gathering data. As the Internet everted into the physical world and colonized our phones, we started to get a taste of what this would look like in the coming years. Apps that did innocuous things like turning your phone into a flashlight, or recording voice memos, or letting your kids join the dots on public domain clip-art, would come with ‘‘permissions’’ screens that required you to let them raid your phone for all the salient facts of your life: your phone number, e-mail address, SMSes and other messages, e-mail, location – everything that could be sensed or inferred about you by a device that you carried at all times and made privy to all your most sensitive moments.
Think about the privacy and security of children as they download the next generation Pokemon game and click the "Accept" button But smartphone apps are the tip of the iceberg. The Internet of Things is a potential treasure trove of personal information and the current privacy agreements fail to properly meet consumer needs.
Loewenthal (2014):
The traditional privacy notice did not conceive of an Internet of Things. As the number of connected devices expands, the data collected will undoubtedly yield social benefits. However, the challenge will be finding a privacy paradigm that respects individual rights and accommodates choice and makes sure that the social benefits don't come at the cost of individual privacy. Progress won't wait for us to develop new ways to deal with this challenge, which is why we must give serious consideration to new approaches now.
And when the data is stolen or used against us, the companies which held it are seldom held responsible, often thanks to iron-clad service agreements.
Doctorow (2016):
Right now, companies that breach their users’ data face virtually no liability. When Home Depot lost 53 million credit-card numbers and 56 million associated e-mail addresses, a court awarded its customers $0.34 each, along with gift certificates for credit monitoring services, whose efficacy is not borne out in the literature.
Company Spies
The problem of corporate espionage has cost companies billions of dollars as intellectual property is stolen and often marketed to the highest bidder. But few consider the other side of company espionage where the company is keeping a watchful eye on the employees. Or the implications of routinely using devices which on-face provide a benefit but which may also be used to justify harms against individuals.
Bradbury (2015):
“People can pull that information together in ways that are very difficult to predict,” said NetIQ’s Webb.
Some rental car firms now include sensors in the vehicles that warn drivers if they are driving too recklessly, based on how quickly and volatile its movements are. Some services are using phone services to do the same. He worries that people might be denied car insurance, for example, based on sensors like these delivering data to interested parties. “The capacity to correlate information is going to change all of those interactions,” worries Webb. “I lose power over a great deal of my life when there’s a massive amount of information over me that I don’t have control over.”
In some situations the devices are marketed as tools aimed at improving employee working conditions. But the kinds of personal information that can be collected and analyzed is frightening.
Giang (2013):
Sociometric Solutions has created tracking devices for Bank of America, Steelcase, and Cubist Pharmaceuticals Inc., and is in talks with General Motors. It was started by a team of Ph.D students from MIT who decided to study the chemistry behind what makes certain workspaces like Google great at building teams. They came up with sensors placed in employee identification badges that gather real-time information to help companies measure productivity. The sensors identify a person's tone of voice, movement and even their posture when communicating with others.
While it is known these kinds of data can be and are being collected, often we have no real idea how the information is being used. Corporations claim a wide latitude of freedom when it comes to what kinds of power they can exercise over employees and courts will often agree since in the U.S. workers have freedom to choose where they will work if they disagree with company policies. But sometimes, corporations go too far, and it is the Internet of Things which make such abuses possible.
Claburn (2016):
Companies have a right and an obligation to operate efficiently. Some oversight of employees is undoubtedly necessary. But as legal scholars Ifeoma Ajunwa, Kate Crawford, and Jason Schultz argue in "Limitless Worker Surveillance," unrestrained surveillance raises privacy and discrimination concerns.
Sometimes it's easy to see when workplace surveillance goes too far. The paper cites the outrage that followed at The Daily Telegraph in the UK when workers discovered "OccupEye" sensors that had been placed under desks to track worker attendance under the pretense of gathering energy efficiency data. The outcry ultimately ended the project.
Government Intrusion
The bright promises of the social benefits of the Internet of Things fades when we begin to realize the many ways the information can be exploited, not only by mischievous hackers, but also the Criminal Justice System?
Hill (Jun 2015):
[a woman] told police she’d been sleeping and that she was woken up around midnight and sexually assaulted by a “man in his 30s, wearing boots.” However, [the woman] was wearing her Fitbit band at the time. She initially said that the Fitbit had been lost in the struggle, but police found it in a hallway and when they downloaded its activity, the device became a witness against her. According to ABC 27, [the woman] handed the username and password for her Fitbit account over to police. What they found contradicted her account of what happened that night. Via Lancaster Online:
[A] Fitbit device Risley was wearing told a different story, the affidavit shows.
The device, which monitors a person’s activity and sleep, showed Risley was awake and walking around at the time she claimed she was sleeping. [note: I have removed the woman's name to protect her privacy. It is retained in the source]
It this case, hackers were not required and in fact, the police did not need warrants since the woman handed over the password. Moreover, this case in fact, exposed her deceit. However, consider the implications of this case. Data collected by an IoT device was acquired and used in a criminal investigation. In this case, it was movement, activity and location data. In some cases it is information which is much more intrusive.
Hill (Feb 2015):
Dropcam, which makes popular $199 cameras that capture audio and video for live streams to smartphones or for storage in the cloud, tells Fusion that it has received a “limited number of law enforcement requests”—search warrants—for video from its customers’ cameras. The six-year-old company, which was purchased by Google-owned Nest Labs last year for more than $500 million, says it has only received these requests “in individual cases” and has not received “any broad-based government requests.” In other words, when law enforcement has come to Dropcam, it has been for eyes into a single home at a time, not a whole neighborhood.
If you think your data is secure and personal life is hidden, that may only be true until the government knocks on your door, or worse yet, knocks on the door of your IoT data service providers. In 2012, then CIA Director, David Petraeus let it be known, how the IoT data will we swept up by government agencies
Ackerman (2012):
All those new online devices are a treasure trove of data if you’re a “person of interest” to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the “smart home,” you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance.
“Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,” Petraeus said
Four years later, James Clapper confirmed Petraeus' casual proclamation, that IoT data can and will be used as the government feels necessary to protect its interests.
Ackerman & Thielman (2016):
James Clapper, the US director of national intelligence, was more direct in testimony submitted to the Senate on Tuesday as part of an assessment of threats facing the United States.
“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” Clapper said.
Clapper did not specifically name any intelligence agency as involved in household-device surveillance. But security experts examining the internet of things take as a given that the US and other surveillance services will intercept the signals the newly networked devices emit, much as they do with those from cellphones. Amateurs are already interested in easily compromised hardware; computer programmer John Matherly’s search engine Shodan indexes thousands of completely unsecured web-connected devices.
Future Watch
Right now, no one cannot predict with accuracy where the IoT is leading and what will be the actual implications for massive amounts of personal information gathering in in the Internet cloud. What is clear is current privacy policies are inadequate, and the legal nuances of whose data is it have yet to be adequately addressed. This points to a risky future, indeed.
Zanolli (2015):
One of the biggest gray areas in the still murky world of the IoT is the issue of data ownership. On the question of who owns all the data generated by all your smart appliances and devices, Rapid7's Weiner says: "It’s not clear today. While it’s your data, it is sitting in a variety of places that could be accessed by others for perfectly good use or for malicious use."
Overall, IoT data, like most other applications, is bound for the cloud. Research firm IDC predicts that 90% of IoT data will be stored in the cloud by 2020. Once it’s there, says Weiner, it’s up to the app or device provider to secure it as they see fit.
What are the future impacts of decreasing personal privacy on the Internet of Things? Professor Richards, warns, the greatest blow may be dealt to the Fourth Amendment.
Richards (2016):
Any tech company’s attempt to protect their customers’ data from government scrutiny will at some point run into the third-party doctrine. According to this controversial legal thinking, the Constitution’s Fourth Amendment doesn’t protect a person’s data when someone else possesses it. Thus any personal data held by companies becomes fair game for government seizure without the warrant that would be required if law enforcement wanted to search papers in a private home. The doctrine emerged in the 1970s and ’80s when the Supreme Court heard criminal cases involving bank records and telephone company records of the phone numbers their customers dialed. The Court’s intuition in those cases was that when we put information “out there,” we no longer can treat it as though it were private. There is a certain amount of sense in this logic: if you tell someone your secrets, you don’t get to complain when they blab. The doctrine had obvious application in an analog world in which our documents usually remained in our homes, we read exclusively on paper, and the phone company recorded just the phone numbers we dialed and not the contents of conversations themselves. In the phone numbers case, Smith v. Maryland (1979), the Supreme Court seems to have been persuaded by Maryland’s argument to the effect that, in the old days, a caller had to tell a human operator the recipient’s number. In that case, too, the stakes for civil liberties seemed small, and the defendant, a purse-snatcher turned stalker, clearly guilty.
But in a digital world, the Court’s intuition not only makes much less sense but also threatens the end of the Fourth Amendment as we know it.
So what is the greatest harm of decreased personal privacy? It is the fact we are unknowingly giving it away to Corporate and Government interests behind the promise of social benefits which are not guaranteed. And neither it seems, is our personal privacy guaranteed. Thus we urge a Con ballot.
For the Intro and Pro position or for more information on past topics or Public Forum debate in general, click the Public Forum tab at the top of this page, for additional links.
Sources:
Ackerman (2012), CIA Chief: We'll spy on you thorugh your dishwasher, Wired, 3/15/2012, accessed 10/2016 at: https://www.wired.com/2012/03/petraeus-tv-remote/
Ackerman S, Thielman S (1016), US intelligence chief: we might use the internet of things to spy on you, The Guardian, 9 Feb 2016, accessed 10/3/2016 at: https://www.theguardian.com/technology/2016/feb/09/internet-of-things-smart-home-devices-government-surveillance-james-clapper
Bradbury D, (2015), How can privacy survive in the era of the internet of things?, The Guardian, 7 April 2015, accessed 10/3/16 at: https://www.theguardian.com/technology/2015/apr/07/how-can-privacy-survive-the-internet-of-things
Claburn T, (2016), Employee Surveillance: Business Efficiency Vs. Worker Privacy, Information Week, Healthcare, 3/2/2016, accessed 10/3/2016 at: http://www.informationweek.com/healthcare/security-and-privacy/employee-surveillance-business-efficiency-vs-worker-privacy/d/d-id/1324763
Doctorow G (2016), The Privacy Wars Are About to Get a Whole Lot Worse, Locus Online, 4 September 2016 accessed 10/3/2016 at: http://www.locusmag.com/Perspectives/2016/09/cory-doctorowthe-privacy-wars-are-about-to-get-a-whole-lot-worse/
[Note: don't be fooled by this source. Cory Doctorow's credentials are impressive enough. He served as European Affairs Coordinator for the Electronic Frontier Foundation; was named the 2006–2007 Canadian Fulbright Chair for Public Diplomacy at the USC Center on Public Diplomacy; served as a teaching resident at the University of Southern California in Los Angeles.]
Giang V (2013), Companies Are Putting Sensors On Employees To Track Their Every Move, Business Insider, Mar 14, 2013, accessed 10/3/2016 at: http://www.businessinsider.com/tracking-employees-with-productivity-sensors-2013-3
Hill K (Feb 2015), Police have asked Dropcam for video from people’s home cameras, Fusion, 2/18/15. accessed 10/3/2016 at: http://fusion.net/story/50925/police-have-asked-dropcam-for-video-from-peoples-home-cameras/
Hill K (Jun 2015), Fitbit data just undermined a woman’s rape claim, Fusion, 6/29/2015. accessed 10/3/2016 at: http://fusion.net/story/158292/fitbit-data-just-undermined-a-womans-rape-claim/
Loewenthal M (2014), Internet Of Things: Current Privacy Policies Don't Work, Information Week, Data Management / Harware Architectures, 6/30/2014. Accessed 10/3/2016 at: http://www.informationweek.com/big-data/hardware-architectures/internet-of-things-current-privacy-policies-dont-work/a/d-id/1278925
Richards N (2016), The iPhone Case and the Future of Civil Liberties, Technology, Aceademics, Policy; Mar 7, 2016, accessed 10/3/2016 at: http://www.techpolicy.com/Blog/Featured-Blog-Post/iPhone-Case-and-the-Future-of-Civil-Liberties,-The.aspx
Zanolli L (2015), Welcome To Privacy Hell, Also Known As The Internet Of Things, Fast Company; Technology; 3/25/15 accessed 10/3/2016 at: https://www.fastcompany.com/3044046/tech-forecast/welcome-to-privacy-hell-otherwise-known-as-the-internet-of-things