Thief in the Night: the Invasive Nature of Home Internet of Things and Its Attempt to Silently Shift Rules of Personal Data Ownership

• Publication year: 2018
• Author: Celine Melanie A. Dee*

THIEF IN THE NIGHT: THE INVASIVE NATURE OF HOME INTERNET OF THINGS AND ITS ATTEMPT TO SILENTLY SHIFT RULES OF PERSONAL DATA OWNERSHIP

Celine Melanie A. Dee*

I. INTRODUCTION

When faced with a choice between privacy and convenience, most individuals often, albeit unwittingly, choose the latter over the former. It appears that privacy is the price individuals are willing to pay for convenience, and history has borne witness to this fact. Despite the absence of privacy, individuals historically embraced (then) novel means of communication on account of the convenience they provided. The 1870s saw a shift from the use of sealed letters to less private but more convenient postcards.¹ During the early 20th century, people welcomed shared technology by using telephones with party lines in lieu of individual telephone lines.² In the present internet age, individuals willingly "partake in the offerings of the internet and participate in what has become one of the most important social spheres."³ Evidently, privacy in the realm of technological innovation is perceived to be far less important than ostensible benefits made available by technology.

The most recent iteration of the choice of convenience over privacy in the realm of communication relates to the Internet of Things (IoT), defined as "a network that connects uniquely identifiable Things to the Internet, [which] have sensing [or] actuation and potential programmability capabilities."⁴ A beacon of convenience, the IoT allows "billions of digital devices, from smartphones to sensors in homes, cars, and machines of all kinds, [to] communicate with each other to automate tasks and make life better."⁵ It monitors users' everyday lives by collecting information,⁶ and consequently claims to improve said lives through automation by streamlining daily and routine tasks.⁷It likewise creates possibilities to "improve energy conservation, efficiency, productivity, public safety, health, education and more,"⁸ thus aiding in the development of "new economic and social opportunities"⁹ in an interconnected world. The IoT has also disrupted everyday lives by encouraging connectivity through "a variety of cool and mundane objects that people interact with"¹⁰ as opposed to interacting with each other.

But behind the smoke and mirrors of the IoT and the convenience it purportedly offers lie serious concerns regarding security and privacy. To achieve the connectivity and efficiency it promises, the IoT collects unparalleled amounts of data regarding users' personal lives. The technology within the IoT gathers data and "provides for a real-time application of data processing, data storage, and data analysis."¹¹ In fact, the IoT has effectively changed the notion of privacy. By design, it is "a system of surveillance,"¹² which "has the potential to generate an almost inescapable data web that monitors many aspects of [users'] li[ves]."¹³ This runs counter to human behavior in our society; people typically exclude strangers from entering their homes or private spaces for fear of invasions to their privacy or risk of harm to their safety and security. However, people knowingly and willingly place IoT devices inside their homes, referred to as Home Internet of Things (Home IoT) devices. They willingly purchase these devices for convenience wrapped in "cool" technology, but, in reality, they have let strangers inside their most private spaces, allowed them to listen to their most private conversations and even welcomed them inside their own thoughts.

The preference for convenience is also manifested in the response to lengthy contracts in the form of terms and conditions, or licenses in the guise of operating manuals that accompany Home IoT devices. People scroll over these contractual documents as quickly as possible, or sometimes not at all, to access a website or to use a new technological gadget without a second thought as to the need to protect their personal privacy. This behavior may have arisen from the ambiguity and one-sidedness of such form contracts, which people encounter on a frequent basis. The recent Facebook and Cambridge Analytica fiasco is an example. Facebook's user data was collected through a personality quiz and later sold to the political firm Cambridge Analytica.¹⁴ In Congressional

[Page 31]

hearings, the Terms of Use of the leading technology giant Facebook were criticized for being too difficult for average users to comprehend.¹⁵ The contract was also deemed too one-sided in favor of Facebook.¹⁶ In other words, the incomprehensibility of the Terms of Use could have led Facebook's users to give up on any attempts to read and understand the contract, and instead encouraged them to simply agree with the one-sided contractual provisions as they were written. It is likely that technology manufacturers are taking advantage of individuals' strong preference for convenience.

This article seeks to address the way in which Home IoTs, specifically those with recording capabilities, invade an individual's sphere of privacy. The invasive nature of Home IoTs is considered in light of the consent-based approach of, and principles on the lawful processing of data espoused in, the European Union General Data Protection Regulation (GDPR or Regulation), as well as the sector-specific data privacy protection framework of the U.S., with a particular focus on the State of California. The article will also examine contractual abuses resulting from contracts of adhesion and data ownership issues arising from Home IoTs and related data breaches.

This article is structured as follows: Part II discusses the interconnected nature of Home IoTs and related risks. Part III focuses on the contracts that govern the use of Home IoTs, which expand the individual's sphere of privacy, albeit unwittingly, and attempt to change the rules of ownership. Part IV briefly introduces the GDPR and explores its consent-based approach for protection of personal data; it also examines the sector-specific framework of relevant U.S. privacy-related laws, and their effects on the use of Home IoTs.

II. THE INTERCONNECTED NATURE OF HOME INTERNET OF THINGS

More commonly known as "smart objects,"¹⁷ the IoT encompasses an "intelligent, invisible network fabric"¹⁸ of everyday objects which are embedded with technology allowing them to connect and communicate with each other and the internet.^{19 20} The IoT movement has been well embraced by individuals to the point that the number of connected devices has exceeded the number of people.²¹

A subset of the IoT comprises Home IoTs, which consist of devices specifically catered to home automation. These include "monitoring systems, smart appliances, and connected entertainment,"²² which allow people to control their homes at their own convenience.²³ Through optimal use and proper programming, home automation contributes to improved efficiencies,²⁴ reduced costs and conservation of energy.²⁵ However, by allowing these devices to control home environments, people are also permitting them to collect, transmit and analyze data about their way of life.

This is made easier through Home IoTs with recording capabilities or smart speakers such as Amazon's Alexa, Google Home and Apple HomePod (Home IoT Smart Speakers), which allow individuals to instruct them to perform certain tasks and to control other Home IoT devices.²⁶ These devices are trained in vocal recognition to respond to instructions to provide personalized results.²⁷ However, an underlying aspect of vocal recognition is listening and, consequently, recording any information and conversations made within the devices' vicinity.²⁸ Although the information gathered is used "to improve the accuracy of the results provided to [individuals] and to improve [the] services [provided],"²⁹ the information may likewise be used for nefarious purposes which ultimately compromises privacy and security.

The growing risk of Home IoTs is manifested in security and privacy concerns surrounding the use of these devices. Security considerations primarily arise due to poorly secured devices,³⁰which "enable[s] unauthorized access and misuse of personal information, facilitate[s] attacks on other systems, and create[s] physical safety risks."³¹ The lack, or absence, of strong and reliable security features acts as an entry point for cyberattacks.³²

The nature of interconnectivity and promise of convenience likewise increase security risks. Home automation encourages individuals to use several Home IoTs in their homes to maximize the benefits of interconnectivity. This results in an "increase[d] . number of vulnerabilities" which cyber attackers may target to attack network systems and remotely control Home IoTs.³³ The same interconnectivity which offers convenience poses a danger³⁴ by inviting potential attackers to access and steal massive amounts of information³⁵ for identity theft, and to compromise access points with the goal of spying on individuals or attacking third parties.³⁶

Home IoT Smart Speakers, in particular, are most vulnerable to eavesdropping and unauthorized conversation attacks.³⁷Eavesdropping, also termed "sniffing," is defined as "intentionally listening to private conversations over the communication links."³⁸ The listening and recording features of Home IoTs in the form of smart speakers allow cyber attackers to access and process "captured information to design other tailored attacks."³⁹ Unauthorized conversation refers to the connective and communicative ability of Home IoTs to acquire and share information with other Home IoTs which may result in the "control of the whole home automation

[Page 32]

system."⁴⁰ Should a cyber attacker successfully take control of Home IoT Smart Speakers that have the ability to control other Home IoTs, then the security risk associated with controlling a home is aggravated.

Another prevalent concern is the invasive nature of Home IoTs on individuals' privacy. As a concept, privacy pertains to...