Vviewpoints
I
M
A
G
E
B
Y
K
O
S
T
E
N
K
O
M
A
X
I
M
data controller must provide means for
end users to determine whether their
data is properly handled and means to
effect their rights. Overall, there must
be mechanisms to determine what
data is processed, how, why, and where.
Such concerns have drawn researchers to look at means to develop
more accountable and transparent systems.
10, 24 The problem has also been
clearly highlighted by the EU Data
Protection Working Party: “As a result
of the need to provide pervasive services in an unobtrusive manner, users
might in practice find themselves under third-party monitoring. This may
result in situations where the user can
lose all control on the dissemination
of his/her data, depending on whether
or not the collection and processing of
this data will be made in a transparent
manner or not.”
WE HAVE ALL read market predictions describing billions of devices and the hundreds of billions dollars in profit that the
Internet of Things (Io T) promises.a Security and the challenges it represents27 are
often highlighted as major issues for Io T,
alongside scalability and standardization. In 2017, FBI Director James Comey
warned, during a senate hearing, of the
threat represented by a botnet taking
control of devices owned by unsuspecting users. Such a botnet can seize control of devices ranging from connected
dishwashers,b to smart home cameras
and connected toys, not only using
them as a platform to launch cyber-attacks, but also potentially harvesting
the data such devices collect.
In addition to concerns about cyber-
security, corporate usage of personal
data has seen increased public scrutiny.
A recent focus of concern has been con-
nected home hubs (such as Amazon Alexa
and Google Home).c Articles on the topic
discussed whether conversations were be-
ing constantly recorded and if so, where
those records went. Similarly, the Univer-
sity of Rennes faced a public backlash af-
ter revealing its plan to deploy smart-beds
in its accommodation to detect “abnor-
mal” usage patterns.d A clear question
emerges from IoT-related fears: “How
and why is my data being used?”
a See https://bit.ly/2JNx0LZ
b See https://bit.ly/2JIOidc
c See https://bit.ly/2g Y9qKG
d See https://lemde.fr/2HLvEQb
As concerns grow, legislators across
the world are taking action in order to
protect the public. For example, the re-
cent EU General Data Protection Regu-
lation (GDPR) that took effect in May
2018,e and the forthcoming ePrivacy
Regulationf place strong responsibility
on data controllers to protect personal
data, and to notify users of security
breaches. The EU commission defines
a Data Controller as the party that de-
termines the purposes for which, and
the means by which, personal data is
processed (why and how the data is pro-
cessed). EU regulations further impose
constraints on EU citizens’ data pro-
cessing based on location and data type
(that is, “special category” data falls
under more stringent constraints). The
e See https://bit.ly/2lSJQfO
f See https://bit.ly/2j4Awz T
Viewpoint
Personal Data and
the Internet of Things
It is time to care about digital provenance.
DOI: 10.1145/3322933