Smart devices think you're 'too lazy' to opt out of privacy defaults
Privacy lawyers warn web-enabled devices automatically share data, put burden on users to opt out
Smart devices are designed to save time. But their privacy policies sometimes seem designed to waste it.
One way or another, the uproar over Samsung's "eavesdropping" SmartTV last week revealed a potentially invasive type of factory preset — one that consumer and privacy advocates worry gets too easily lost in the fine print.
"The default from these tech companies is they will share your information unless you opt out," says Jaigris Hodson, a digital media professor at Ryerson University who teaches courses on social media and Big Data.
"The line they always give is, 'we're putting your privacy in your hands.' What they don't mention is that the default option could be the other way around."
Consumers often don't care much at first. But that feeling can turn once they're reminded how the always-on, always-sharing devices can reveal a little too much.
Fitbit wearers came to this realization in 2011, after their fitness-tracking bracelets began publishing statistics charting their vigour in the bedroom. Results were easily searchable on Google.
Sharing 'sexual activity' via Fitbit
"Unfortunately, one of the Fitbit settings was for 'sexual activity,' so they were inadvertently broadcasting [their statistics] to the world," said Kirsten Thompson, a Toronto privacy lawyer who specializes in cybersecurity and data protection.
"They knew they were recording it. They just didn't make the connection that it was going to also be shared online because that was just the default setting."
An unfair burden?
Ann Cavoukian, Ontario's former privacy watchdog, was appalled.
"It's unbelievable. I mean, how outrageous is that?" said Cavoukian, who devised the privacy-by-design concept that’s meant to be used as the "gold standard" for data protection.
Samsung's response did little to allay her concerns.
In a statement, the Korean electronics giant said any TV owners worried about whether they would need to censor their speech in their own homes could "disconnect the TV from the Wi-Fi network" and disable voice-recognition capabilities.
A simple fix? To Cavoukian, it sounded more like an unfair burden to place on customers. Not to mention defeating the purpose of a voice-controlled TV in the first place.
"Nobody would think the default would be disclosure that your voice can be picked up and used for a variety of unknown purposes," she says.
To Thompson, that's tantamount to a company selling a car without brakes "and then saying, but you can turn on the brakes if you want to."
Pre-programmed to share
Simplicity of design may be partly to blame for why smart devices are pre-programmed to process and share all the information they can.
Manufacturers, search engines and social media companies say user data helps improve search algorithms and service.
But fears that the info might be used for ulterior purposes have inspired new web services built around confidentiality.
The search engine DuckDuckGo, which has been billed as "the anti-Google," promises: "We do not collect or share personal information by default."
Those remain niche services, however.
According to a 2010 report from the office of Ontario's privacy commissioner, the default setting prevails 80 per cent of the time.
Unwitting users who stick with default settings could be automatically giving consent to share data by virtue of failing to opt out.
What is consent?
"But does a person really consent if we're talking about terms they probably won't look at?" asks John Lawford, the head of Canada's Public Interest Advocacy Centre, a non-profit group.
"They'll start talking about their finances, health, sexual preferences, and they won't remember the thing in front of them has a microphone."
Therein lies one of the pitfalls of the so-called internet of things, the catch-all term describing the growing number of web-enabled devices — from smart fridges to cars — in the digital world.
"People by their nature are too lazy or they don't have the time to figure out how many clicks or how many screens they have to go through to switch these settings off," Thompson says.
She argues that manufacturers know full well their customers can't be bothered to scour dense terms of service to figure out a new gadget's privacy controls.
"On the other hand, if you didn't read fine print, certainly it's my perspective that there should be some requirement on manufacturers to bring that information more to the forefront," says Mandy Woodland, a privacy lawyer in St. John's.
Cavoukian has also pushed for companies to market the value of privacy in their products as a competitive edge.
Proposed amendments to privacy law
In Canada, the expectation is that manufacturers would honour her concept of privacy by design, in which manufacturers build privacy protections into the data architecture from the outset.
Although privacy by design has not been legislated, David Fewer, director of the Canadian Internet Policy and Public Interest Clinic, believes it's only a matter of time.
Lawmakers never foresaw the future of the internet of things when privacy legislation was first passed in 2004.
Now that smart devices are so ubiquitous, proposed amendments to the Personal Information Protection and Electronic Documents Act could grant new enforcement powers to the federal privacy commissioner.
"Improving the enforcement tools in PIPEDA would go a long way," Fewer says, adding that litigation might otherwise drive change.
"There's nothing like the threat of class action to invite deeper thinking about how to design our products in a privacy-accommodating way."