Last week, the Office of the Privacy Commissioner of Canada (the “OPC”) published a new guidance document: Privacy guidance for manufacturers of Internet of Things devices (the “IoT Guidance”). The IoT Guidance provides overdue clarity on how the Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to Internet of Things (“IoT”) devices, and gives manufacturers of those devices guidance on the specific security and other measures they should consider.
The Internet of Things: Context and the regulatory environment
The OPC defines the IoT as “the networking of physical objects through the Internet.” IoT devices include so-called “smart” appliances for use in the home such as lighting systems, smoke alarms, TVs, doorbells, locks, speakers, security cameras, thermostats, and air quality monitors; as well as connected cars, toys, watches, and health trackers.
We have previously discussed the myriad forms of jeopardy that may arise for manufacturers of IoT devices, including liability based on privacy and data security issues. This is because IoT devices almost invariably collect, use, and disclose personal information by way of embedded sensors, including heart rate, body temperature and movement; temperature or energy usage in a home; voice and facial recordings; geolocation data; and behavioural patterns.
To date, the OPC has issued only a single decision dealing with connected devices, concerning a data breach affecting the systems of a manufacturer of children’s e-readers and laptops. The IoT Guidance is therefore welcome, as it begins to provide at least some clarity as to how the OPC thinks Canada’s privacy regime applies to IoT devices.
Guidance: Identifying purposes and openness
The end user of an IoT device is often not aware of how that device interacts with the broader IoT ecosystem. This creates a risk that the manufacturer will contravene its obligation to communicate clearly its purposes for collecting personal information, and how it handles that personal information. Communicating this information is complicated by the fact that IoT devices are often designed to be inconspicuous and blend in with their surroundings, and often have no screen on which such information can be displayed.
Guidance: limiting collection and retention
PIPEDA requires organizations to limit the collection and retention of personal information. The OPC recommends that manufacturers design IoT devices to limit collection, taking into account the information that is actually necessary for the device to function. For example, a smart speaker that collects audio data can either require a triggering event to activate (such as a push button or “wake phrase”) or collect data continuously; the former is more privacy-protective. Where information is collected over and above what is needed for the device to function, that collection should be communicated to the consumer and consent obtained for it. Ideally, manufacturers would also build in features that allow consumers to control the amount of information being collected (e.g. a do-not-collect “switch” in the form of a mute button or a software toggle).
The OPC also encourages manufacturers to provide consumers with user-friendly options to permanently delete information held about them (e.g. online or by calling customer support).
Guidance: Security safeguards
The OPC comments that the inherently connected nature of IoT devices creates serious potential security risks. In order to fulfill their obligations under PIPEDA to safeguard against such risks, manufacturers of IoT devices should:
- Undertake security risk assessments in order to identify device-specific threats and vulnerabilities, and to develop appropriate security measures;
- Design devices to minimize the risk of data breaches, for example by:
  - Limiting microphone sensitivity and range;
  - Providing a hardware-linked on/off mute control;
  - Filtering out unnecessary audio data at the point of collection;
  - Providing the ability to temporarily or permanently disable a camera so that it cannot be activated accidentally;
  - Giving the user the option of completely disconnecting the device from the Internet and IoT networks, or the ability to disassociate an individual user from the device and easily remove that user’s personal information from it;
- Encrypt device data, configuration settings and other access control features using both hardware and software encryption;
- Regularly reassess security risks in order to catch new potential threats;
- Design devices to require users to change default passwords and Bluetooth pairing keys before using the device;
- Require users to set up long passwords and pairing keys;
- Provide the ability to wipe the file system or reset the device to factory defaults; and
- Ensure that users are informed when firmware updates are required (e.g. on the device display or, where the device has no display, by a blinking LED and/or an email subscription).
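The list above describes controls rather than code, so the following is an added example, written for this post and not taken from the OPC guidance or from any manufacturer, of how a device could enforce several of them in one place: a first-boot gate that refuses to start network and pairing services until the factory default password and Bluetooth pairing key have been replaced with values that meet a length policy, plus the per-user removal and factory-reset operations the guidance calls for. The device model, the list of known default credentials, the minimum lengths and the PBKDF2 parameters are all assumptions made for the example.

```python
"""First-boot credential gate for a hypothetical IoT device (added example).

Assumptions, none of which come from the OPC guidance: the device ships with a
printed default password and a default Bluetooth pairing key, keeps a small
persistent settings dict, and must not expose network or pairing services
until both defaults have been replaced.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed list of credentials commonly found on shipped devices. A real
# device would compile in its own exact factory values rather than guess.
KNOWN_DEFAULTS = {"admin", "password", "12345678", "123456", "0000", "1234"}
MIN_PASSWORD_LEN = 12
MIN_PAIRING_KEY_LEN = 6      # digits
PBKDF2_ITERATIONS = 200_000  # assumed; tune to the device's CPU budget


class PolicyError(ValueError):
    """Raised when a candidate credential violates the device policy."""


def check_password(candidate: str) -> None:
    """Reject short values, factory defaults and passwords built around them."""
    if len(candidate) < MIN_PASSWORD_LEN:
        raise PolicyError(f"password shorter than {MIN_PASSWORD_LEN} characters")
    lowered = candidate.lower()
    if lowered in KNOWN_DEFAULTS:
        raise PolicyError("password is a known factory default")
    if any(d in lowered for d in KNOWN_DEFAULTS if len(d) >= 6):
        raise PolicyError("password contains a known factory default")
    if len(set(candidate)) < 4:
        raise PolicyError("password uses too few distinct characters")


def check_pairing_key(candidate: str) -> None:
    """Pairing keys must be numeric, long enough, and not repeated or sequential."""
    if not candidate.isdigit() or len(candidate) < MIN_PAIRING_KEY_LEN:
        raise PolicyError(f"pairing key must be at least {MIN_PAIRING_KEY_LEN} digits")
    if candidate in KNOWN_DEFAULTS or len(set(candidate)) == 1:
        raise PolicyError("pairing key is a factory default or a repeated digit")
    steps = {int(b) - int(a) for a, b in zip(candidate, candidate[1:])}
    if steps in ({1}, {-1}):
        raise PolicyError("pairing key is a sequential run")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the stored value is not the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Device:
    """Minimal model of the device's persistent state."""

    def __init__(self) -> None:
        self.settings = self._fresh_settings()
        self.users = {}  # user id -> personal data held for that user

    @staticmethod
    def _fresh_settings() -> dict:
        return {"setup_complete": False, "pw_salt": None, "pw_hash": None,
                "pairing_key": None}

    def complete_setup(self, new_password: str, new_pairing_key: str) -> bool:
        """Gate: both credentials must pass policy before setup is marked done."""
        check_password(new_password)        # raises PolicyError on failure
        check_pairing_key(new_pairing_key)  # raises PolicyError on failure
        salt, digest = hash_password(new_password)
        self.settings.update(pw_salt=salt, pw_hash=digest,
                             pairing_key=new_pairing_key, setup_complete=True)
        return True

    def network_services_allowed(self) -> bool:
        """Network and pairing services stay off until setup has completed."""
        return bool(self.settings["setup_complete"])

    def verify_password(self, candidate: str) -> bool:
        if self.settings["pw_hash"] is None:
            return False
        _, digest = hash_password(candidate, self.settings["pw_salt"])
        return hmac.compare_digest(digest, self.settings["pw_hash"])

    def remove_user(self, user_id: str) -> bool:
        """Disassociate a user and drop the personal data held for them."""
        return self.users.pop(user_id, None) is not None

    def factory_reset(self) -> None:
        """Wipe all user data and return to the gated, not-yet-set-up state."""
        self.users.clear()
        self.settings = self._fresh_settings()
```

The gate is deliberately a single boolean that every service start-up path checks, so that a device cannot be left reachable with the printed defaults; the sequential and repeated-digit checks on the pairing key exist because "0000" and "1234" are exactly the values the guidance wants replaced.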
In addition, where manufacturers rely on third-party vendors to supply components, manufacturers should revisit their agreements with those vendors in order to assess whether such components are secure. Where a supplier is new or less experienced, manufacturers may consider obtaining the underlying device source code in order to vet the software and firmware for security risks. Manufacturers should also keep in mind that under PIPEDA they remain accountable for information transferred to third parties, for example where subcontractors are used for the manufacture of components.
While the IoT Guidance looks at devices and consumer communications through a privacy lens, other regulators have also commented on the IoT space, notably the Competition Bureau. In its Big Data and Innovation paper, for instance, the Competition Bureau notes that the IoT may lead to broader use of performance claims derived from third-party data. For example, users of Wi-Fi-connected home appliances may be able to test the energy efficiency of their appliances, and companies that sell such appliances may obtain these data from third parties to promote their products. However, the Competition Bureau notes that such crowd-sourced performance claims may not be free of external influence, and advises companies not to take such claims at face value but rather to ask whether the representations are supported by adequate and proper testing.
There is an evolving tension for companies which, on the one hand, try to meet the privacy requirements of transparency and openness, but on the other, must also be cautious about the representations they make.
The OPC is now among several privacy regulators and governments to turn their attention to the privacy and cybersecurity implications of the IoT. For example, in October 2018, the U.K. government published a self-regulatory Code of Practice that included device security recommendations for IoT devices. These include requiring all IoT device passwords to be unique and not resettable to a universal factory default value, requiring manufacturers to provide a public point of contact as part of a “vulnerability disclosure policy”, and requiring manufacturers to explicitly state the minimum length of time for which their devices will receive security updates. The U.K. has recently launched a consultation process on regulating IoT security, with the ultimate aim of introducing legislation that would make these recommendations mandatory. California has also passed legislation mandating certain minimum privacy and security safeguards for IoT devices.
Although there has been only one OPC decision to date dealing with a data breach involving an IoT device, the IoT Guidance sets out important reminders to manufacturers about the PIPEDA principles and how to safeguard privacy in the IoT context.
It is important that IoT manufacturers consider how to obtain meaningful consent, and that they limit the collection and retention of personal information. When it comes to security safeguards, manufacturers should, among other things, undertake continuous risk assessments, encrypt device data, limit how and what information the hardware is able to collect, and require users to change default passwords. Keeping privacy in mind at the design and planning stage can be key to minimizing risk. Companies producing products that incorporate embedded IoT capabilities via third-party devices should undertake due diligence both about what such devices actually do and about what they are said to do.
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information.