Communications of the ACM

Vviewpoints

I M A G E B Y K O S T E N K O M A X I M

data controller must provide means for end users to determine whether their data is properly handled and means to effect their rights. Overall, there must be mechanisms to determine what data is processed, how, why, and where.

Such concerns have drawn researchers to look at means to develop more accountable and transparent systems. 10, 24 The problem has also been clearly highlighted by the EU Data Protection Working Party: “As a result of the need to provide pervasive services in an unobtrusive manner, users might in practice find themselves under third-party monitoring. This may result in situations where the user can lose all control on the dissemination of his/her data, depending on whether or not the collection and processing of this data will be made in a transparent manner or not.”

WE HAVE ALL read market predictions describing billions of devices and the hundreds of billions dollars in profit that the Internet of Things (Io T) promises.a Security and the challenges it represents27 are often highlighted as major issues for Io T, alongside scalability and standardization. In 2017, FBI Director James Comey warned, during a senate hearing, of the threat represented by a botnet taking control of devices owned by unsuspecting users. Such a botnet can seize control of devices ranging from connected dishwashers,b to smart home cameras and connected toys, not only using them as a platform to launch cyber-attacks, but also potentially harvesting the data such devices collect.

In addition to concerns about cyber-
security, corporate usage of personal
data has seen increased public scrutiny.
A recent focus of concern has been con-
nected home hubs (such as Amazon Alexa
and Google Home).c Articles on the topic
discussed whether conversations were be-
ing constantly recorded and if so, where
those records went. Similarly, the Univer-
sity of Rennes faced a public backlash af-
ter revealing its plan to deploy smart-beds
in its accommodation to detect “abnor-
mal” usage patterns.d A clear question
emerges from IoT-related fears: “How
and why is my data being used?”
a See https://bit.ly/2JNx0LZ
b See https://bit.ly/2JIOidc
c See https://bit.ly/2g Y9qKG
d See https://lemde.fr/2HLvEQb
As concerns grow, legislators across
the world are taking action in order to
protect the public. For example, the re-
cent EU General Data Protection Regu-
lation (GDPR) that took effect in May
2018,e and the forthcoming ePrivacy
Regulationf place strong responsibility
on data controllers to protect personal
data, and to notify users of security
breaches. The EU commission defines
a Data Controller as the party that de-
termines the purposes for which, and
the means by which, personal data is
processed (why and how the data is pro-
cessed). EU regulations further impose
constraints on EU citizens’ data pro-
cessing based on location and data type
(that is, “special category” data falls
under more stringent constraints). The
e See https://bit.ly/2lSJQfO
f See https://bit.ly/2j4Awz T