ARN

INSIGHT: How to avoid crossing the “creepy line” with the Internet of Things

Organisations worry about four types of risks when they balance innovation and privacy concerns.

Smart televisions provide convenience when voice commands operate the controls, but what happens when the manufacturer collects and possibly shares the data from conversations recorded in the living room?

How do we create products and services that avoid crossing the creepy line?

Carsten Casper, managing vice president at Gartner, explored the types of privacy risks we might expect with the Internet of Things (IoT) and controls necessary to avoid the creepy line at the recent Gartner Security & Risk Management Summit.

“Most people worry about surveillance, and how to avoid being spied on,” he said. “Individuals risk that something will be concluded about them that they didn’t know about themselves.”

According to the Gartner Risk and Security Survey, 2015, organisations worry about four types of risks:

Reputation and brand damage:

45 per cent of companies were concerned about reputation damage from privacy risk, and 43 per cent about loss of customers.

For example, smart trash bins installed in London before the Olympics were removed when it was discovered that they collected the MAC addresses of people passing by on the sidewalk.

Compliance:

One third of respondents were worried about fines, audits and other enforcement. Here, the concern is that by not complying with privacy requirements, a company will be put on a black list.

Lost Business Opportunities:

The Dutch tax office tried to use SMS parking data for tax fraud detection. While the courts agreed, the public objected to this approach.

Companies might develop solutions that push the privacy line too far and never pan out. 33 per cent were concerned about lengthy sales cycles due to privacy concerns or about missing marketing opportunities.

Infrastructure:

32 per cent were concerned about maintaining unnecessary IT infrastructure to comply with national privacy laws. Both technology and process are of concern with regard to collecting and storing employee and customer data.

Where is the creepy line?

Organisations face a growing tension between the competitive need to innovate with the IoT and the risk of damage through the loss or inappropriate use of information.

With every piece of data collected from an IP address, smoke detector, streetlight, or other source, there’s a risk it gets lost, abused, or stolen. In this important tradeoff, organisations must weigh where to draw the line for putting in controls.

Often, the creepy line depends on the demographics, nationality, and culture of a market. For example, the creepy line is earlier for seniors than for digital natives.

But in this tradeoff between exploiting and protecting data, 31 per cent of organisations see it as a privacy risk to lose market share because information is not fully exploited.

Wearable devices are a growing privacy concern, and vendors can stipulate how long to store data, whether users have the ability to delete it or use pseudonyms, and whether they can refuse disclosure.

In the enterprise, it’s important to determine the right number and types of risks to mitigate and to implement the right controls. Try assuming the burden for educating individuals about privacy rather than relying on them to understand it.

“It’s no longer about meeting the privacy laws; it’s about meeting customer expectations,” Casper said.

“It’s their trust that you need to achieve, not just compliance with the law.”

By Heather Levy - Gartner