The Internet of Things (IoT) is a broad term that generally refers to physical devices connected

to the internet that collect, share or use data. This includes personal wearable devices such as
watches and glasses, home appliances such as televisions and toasters, features of buildings such
as lifts and lights, supply chain and industrial machinery such as forklifts and sprinklers, and
urban infrastructure such as traffic lights and rubbish bins. It refers to the collective network of
connected devices and the technology that facilitates communication between devices and the
cloud, as well as between the devices themselves.

The Internet of Things has a wide-ranging impact on human life and work. It allows machines to
do more heavy lifting, take over tedious tasks and make life more healthy, productive, and
comfortable.

For example, connected devices could change your entire morning routine. When you hit the
snooze button, your alarm clock would automatically get the coffee machine to turn on and open
your window blinds. Your refrigerator would auto-detect finishing groceries and order them for
home delivery. Your smart oven would tell you the menu for the day — it might even cook pre-
assembled ingredients and make sure your lunch is ready. Your smartwatch will schedule
meetings as your connected car automatically sets the GPS to stop for a fuel refill. The
opportunities are endless in an IoT world!

What are examples of IoT devices?

Let’s look at some examples of IoT systems in use today:

Connected cars

There are many ways vehicles, such as cars, can be connected to the internet. It can be through
smart dashcams, infotainment systems, or even the vehicle's connected gateway. They collect
data from the accelerator, brakes, speedometer, odometer, wheels, and fuel tanks to monitor both
driver performance and vehicle health. Connected cars have a range of uses:

 Monitoring rental car fleets to increase fuel efficiency and reduce costs.
 Helping parents track the driving behavior of their children.
 Notifying friends and family automatically in case of a car crash.
 Predicting and preventing vehicle maintenance needs.

Connected homes

Smart home devices are mainly focused on improving the efficiency and safety of the house, as
well as improving home networking. Devices like smart outlets monitor electricity usage and
smart thermostats provide better temperature control. Hydroponic systems can use IoT sensors to
manage the garden while IoT smoke detectors can detect tobacco smoke. Home security systems
like door locks, security cameras, and water leak detectors can detect and prevent threats, and
send alerts to homeowners.

Connected devices for the home can be used for:

  Automatically turning off devices not being used.
 Rental property management and maintenance.
 Finding misplaced items like keys or wallets.
 Automating daily tasks like vacuuming, making coffee, etc.

Smart cities

IoT applications have made urban planning and infrastructure maintenance more efficient.
Governments are using IoT applications to tackle problems in infrastructure, health, and the
environment. IoT applications can be used for:

 Measuring air quality and radiation levels.

 Reducing energy bills with smart lighting systems.
 Detecting maintenance needs for critical infrastructures such as streets, bridges, and pipelines.
 Increasing profits through efficient parking management.

Smart buildings

Buildings such as college campuses and commercial buildings use IoT applications to drive
greater operational efficiencies. IoT devices can be use in smart buildings for:

 Reducing energy consumption.

 Lowering maintenance costs.
 Utilizing work spaces more efficiently.

Examples of how we use Internet of Things in our everyday lives include: Smart appliances
(stoves, refrigerators, washers and dryers, coffee machines, slow cookers) Smart security
systems, smart locks, and smart doorbells. Smart home hubs (that control lighting, home heating
and cooling, etc.)

How does IoT improve our lives?

How has IoT changed our daily lives? IoT has changed our lives through increased convenience
of automating mundane tasks, enhancing home security systems, wearable devices to
improve health and wellness, and improved connectivity.

IoT devices and the data they collect can provide convenience, efficiency and insights into
essentially every aspect of our world. For the public sector, the IoT is currently providing many
benefits and has the potential to generate even greater public value in the future.

Smart bins can alert waste trucks when they are nearly full, networked ticketing systems can help
optimise public transportation, and automated attendance systems can free up time for teachers in
classrooms.
Consumers, governments and businesses everywhere have been increasingly using IoT devices,
and it is widely expected that the use of IoT will continue to expand rapidly. However, rushing
into the IoT without proper consideration of privacy can lead to harmful and unexpected
consequences. As the IoT grows, the amount of data it generates will naturally increase alongside
it. These large collections of data can, in many cases, constitute personal, health and sensitive
information, raising many privacy challenges.

This paper has been developed to assist the Victorian public sector in understanding some of
these challenges. It may also be useful to a broader audience.

What is internet of things (IoT) privacy?

Internet of things privacy is the special considerations required to protect the information of
individuals from exposure in the IoT environment. These steps are necessary because in an IoT
setting almost any physical or logical entity or object can be given a unique identifier and the
ability to communicate autonomously over the Internet or similar network.

As endpoints, or the "things," in the IoT environment transmit collected data autonomously over
the internet and typically display that data on mobile applications, they also work in conjunction
with other endpoints and communicate with them. Interoperability of things is essential to the
IoT's functioning so that, for example, networked elements of a smart home work together
smoothly.

The data transmitted by a given endpoint might not cause any privacy issues on its own. For
instance, a smart meter used in remote monitoring and data collection for a consumer and their
utility company is commonplace and typically harmless. However, when even fragmented data
from multiple IoT devices is gathered, collated and analyzed, it can yield sensitive information
about people's whereabouts or living patterns, for instance.

The idea of networking appliances and other objects is relatively new, especially in terms of the
global connectivity and autonomous data transfer that are central to the internet of things. As
such, security risks haven't always been considered in product design, which can make even
everyday household objects points of vulnerability. For example, in 2014, researchers at Context
Information Security found a vulnerability in a Wi-Fi-enabled light bulb that let them request its
Wi-Fi credentials and use those credentials to get network access.

The Internet of Things (IoT) is transforming the way we interact with the physical world,
enabling new levels of automation, efficiency, and convenience. However, IoT also introduces
new challenges and risks for the security and privacy of your data and devices.
Personal information

It is very common for privacy laws, such as Victoria’s Privacy and Data Protection Act 2014, to
focus on the protection of personal information. While the definition of personal information
varies between jurisdictions, it normally refers to information about an identified or identifiable
individual.

Privacy laws generally protect personal information by giving individuals control over if how
their personal information is handled by governments and businesses. Organisations using IoT
devices that collect or use personal information must abide by laws and regulations that prescribe
how personal information can be handled.

As the name suggests, the Industrial Internet of Things (IIoT) refers to the rapidly growing
practice of using IoT devices for industrial applications. The industrial focus of IIoT ecosystems
means that they generally collect less personal information than regular IoT ones. However, the
IIoT is not without privacy issues. For example, trucks and other heavy vehicles can have IoT
devices that identify when a driver is fatigued, alerting their employer; and factory workers can
wear wristbands that sense when they are fidgeting or procrastinating for extended periods of
time, potentially leading to disciplinary actions.

Much of the data collected by IoT devices, personal or otherwise, was previously difficult to
collect. For example, some fitness trackers can measure blood pressure, something that otherwise
requires specialised equipment to collect. With millions of fitness trackers, the blood pressure of
large groups of people can easily be collected. Data such as this could benefit everyone through
better health research, but it could also cause harm if used inappropriately, such as by an insurer
raising the premiums of fitness tracker users with high blood pressure.

IoT security's role in ensuring privacy

The fact that internet-connected devices can operate with high performance in remote locations
is useful and even critical in many cases. But this also means hackers and cybercriminals are
coming up with new, sophisticated tactics to hack these devices. Denial-of-service and malware
attacks are both methods hackers use to compromise IoT device data.

A lack of testing and mandatory software updates both before and during IoT deployments
leaves many organizations vulnerable to attack. If IoT device manufacturers don't pay attention
to security concerns when businesses and consumers are trusting them to deliver highly secure
products and smart devices, they could be blindsided by malicious actors. If manufacturers
enforce routine software and firmware updates, their devices will have less data security
vulnerabilities over time.

Another security issue that affects IoT privacy is the bandwagon effect in different industries,
such as healthcare providers, insurance companies and automotive manufacturers. Companies
adopt new technologies like IoT as part of a broader Industry 4.0 transformation without
rigorously vetting them. For instance, an organization might quickly set up an IoT network
without assessing the resources needed to maintain and secure the network and its IoT devices in
the long term.

Lastly, flaws in IoT security ecosystem may be more fundamental if manufacturers produce
devices without the computing power needed for built-in security. Some devices are built for
core functions, like processing data, without attention to security. Future hacks and data breaches
will likely draw attention to the need for built-in security.

We have the rights to privacy of our information online through ensuring it.

Privacy is a human rights issue. Technological advances like IoT and AI, which depend on the
connection of just about everything, have major privacy concerns. But it isn't doom all the way
down. Used responsibly, these technologies could even support the right to privacy.

human rights provide a helpful framework for measuring the predicted effects of IoT
adoption. This is because human rights present a generalizable global consensus about the
conditions for human flourishing—goals that guide legal systems, government policies, NGO
work, etc. Rights endowed to people by virtue of their humanity take on utmost importance; their
violation is a denial of opportunity for core human wellbeing.

Privacy in the Digital Age

I wrote before that human rights provide a helpful framework for measuring the predicted
effects of IoT adoption. This is because human rights present a generalizable global consensus
about the conditions for human flourishing—goals that guide legal systems, government policies,
NGO work, etc. Rights endowed to people by virtue of their humanity take on utmost
importance; their violation is a denial of opportunity for core human wellbeing.

Privacy is one such right. Article 12 of the 1948 Universal Declaration of Human Rights states
the following:

“No one should be subjected to arbitrary interference with his [or her] privacy, family, home or
correspondence, nor to attacks on his [or her] honour or reputation. Everyone has the right to
the protection of the law against such interferences or attacks.”

Since this document was written sixty years ago, technology has skyrocketed—literally. While
Article 12 (above) clearly aims to protect against invasions of privacy like breaking into
someone’s home and stealing their mail, we need to evolve the idea of a right to privacy in
this digital age. The storing and sharing of personal information, for example, is a process
worthy of serious consideration. It underpins other foundational rights such as freedom of speech
and freedom of association.
One of the most important aspects of IoT security is to ensure that your data is encrypted and
authenticated. Encryption means that your data is transformed into a secret code that can only be
read by authorized parties. Authentication means that your data is verified to ensure its integrity
and origin. You should use strong encryption and authentication methods, such as SSL/TLS,
AES, or RSA, to protect your data in transit and at rest. You should also use certificates or
tokens to identify and authorize your IoT devices and applications.

IoT and Privacy Infringements

The first laws governing the use of personal information came out of Europe in the 1970s when
it became clear that new forms of communication needed new forms of protection. Since then,
the UN has stated, “the rights held by people offline must also be protected online.” In 2013, the
UN adopted a resolution to reaffirm and outline the right to privacy in a digital age, which calls
upon governments to be transparent and proactive in how they handle two key privacy
vulnerabilities: surveillance and misuse of personal data.

1. Surveillance and Policing

The UN has stated that surveillance “inhibits the free functioning of a vibrant civil society”—or
rather, that the vulnerability of digital communications to surveillance does so. If IoT systems are
vulnerable to (or subject to) surveillance, there are a host of human rights violations that can
occur.

On one hand, surveillance can enable corrupt regimes (or corporations) to exercise power more
efficiently and more effectively. The dangers of government surveillance are widely discussed.
The dangers of non-government surveillance are just as alarming. Surveillance can empower
individuals or governments monitor and disarm political dissent. It can concentrate knowledge in
the hands of the powerful few and allow commercial entities to influence consumer behavior. It
can rub up against the limits of police power, particularly in urban areas. It can allow for
restrictions on freedom of movement within state borders, a right guaranteed in Article 13 of the
UDHR. Spyware, as in extreme cases like the Syrian Civil War, can be a very powerful weapon
on any front.

You could write a book about all the ways IoT (and other information communication
technologies) can be abused by political and commercial actors. What’s more important is how it
will most likely be adopted and used by these entities. Citizen surveillance and security
monitoring are already in place in many areas of our world. IoT will only make these capabilities
more advanced and more ubiquitous.

2. Misuse of Personal Data

Exposing personal data can be catastrophic. However, even if it isn’t catastrophic, it’s still a
violation of rights. Personal data can be gathered digitally, biometrically, genetically, and via
video and other media. The kind of data gathered, and what is done with it, affects more than the
right to be protected against “arbitrary interference with … [one’s] correspondence.” It bleeds
into other foundational rights protected by the UDHR, such as…
  The right to a fair trial, if communication between a defendant and their lawyer is
exposed, for example.
 The right to freedom of assembly and freedom of association, which could be limited
if details about one’s beliefs and identities are accessible via the Internet and monitored
by external parties.
 The right to freedom from discrimination, if associated or proxy data (e.g. algorithms
that profile individuals, voting behavior, religion) is collected and used to block access to
information or opportunities.
 The right to freedom of expression, if (by processes like surveillance) it is known or
expected that personal expression will be monitored. Thus, expression will be modified to
influence conformist behavior.

As we all may be well aware, there are also subversive effects of “personalized” technologies.
The Partnership on AI writes the following: “While technologies that personalize information
and that assist people with recommendations can provide people with valuable assistance, they
[can] also inadvertently or deliberately manipulate people and influence opinions.”

Influencing consumer behavior is not a rights violation per se, but it can erode the systems that
keep other rights protections in place. Even though human rights are mostly individual rights,
they require collective systems (like privacy and data use standards) to be upheld in order to
secure protections for all.

IoT Can Increase Privacy Protections

Encryption and other security measures found within IoT systems can help promote and protect
the right to privacy in many cases. Encryption reorganizes information into an unreadable
format, accessible only by an encryption key—a process explained in more detail here. Robust
encryption can ensure that certain messages and thus certain personal data are safe from prying
eyes. In many cases, this can help support the right to freedom of expression, association, and
assembly—especially among vulnerable people groups. Oppositional political groups, and those
fleeing persecution or abuse, for example, can make critical use of these avenues for privacy and
safety.

Image Credit: Marcus Spiske

However, encryption can presumably disguise riots and other public safety concerns as well.
Protecting people’s privacy doesn’t always mean protecting the security of all people. Crime is
harder to fight when information is not as accessible to the police. It’s often hard to figure out
what kind of personal data is covered within a “right to privacy,” and what data is public domain.
However, as I hope I’ve demonstrated, it’s worth making that distinction.

Without a sphere of privacy, all information—however intrusive or misleading—is fair game for
public and corporate analysis.

Public safety and national security are the upsides to the myriad concerns about privacy
infringements and IoT. With more data being collected and transformed within IoT systems,
safety and security can (in theory) be more well-monitored by those who have the data. Privacy
can then be protected by the processes used to secure data. For example, companies like Protenus
are ensuring health systems remain HIPAA compliant using artificial intelligence. IoT tools that
can be used to surveil (and thus violate the privacy of citizens) can be used to protect the privacy
of a home or workplace. IoT can allow almost anything to communicate, which can be used to
protect privacy rather than violate it—it all hinges on data ownership and verifiable standards of
use.