How secure is the privacy of smart home device data?

Consumers are becoming savvier about Internet of Things (IoT) data ownership and privacy issues and are more likely to ask questions, according to panelists at a CES panel on “Security, Privacy, and Data Ownership Challenges in the IoT Era.” Even so, the answers around consumer IoT privacy are still evolving.

Privacy Regulations and Their Effect on IoT Market Growth

The global regulatory landscape for data privacy is far from harmonized. The few efforts in place include Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States.

As a result, manufacturers of smart home products lack an approved regulatory framework to develop against. IoT device developers can’t check the boxes on a checklist to know if they’re doing what’s needed to protect users’ data privacy.

“From a privacy standpoint, the regulations coming into play are actually quite vague in what they intend to do,” said Dima Tokar, Senior Product Manager IoT for Keurig Dr. Pepper. “It’s very difficult as a device maker to know what will be considered adequate security or adequate consent from a data privacy perspective.”

While many consumers conflate privacy and security, they’re not the same—but neither are they unrelated. As Shaked Ilan, VP of Security and Research for Firedome, said: “You can’t have privacy without security.”

Smart home device manufacturers can avoid privacy concerns being a barrier to adoption, said Christian Renaud, Research VP of IoT for 451 Research, by “getting out in front of it to eliminate that roadblock in the sales cycle.” According to a recent survey by 451 Research, data privacy was very important to 85% of consumers surveyed. So the first step is user awareness.

What Smart Home Product Manufacturers Can Do

The CES panelists highlighted a number of actions and best practices that manufacturers of smart home devices can take with respect to consumer IoT and smart home device privacy:

  • Be deliberate about what data you’re collecting, and why. Data is so easy to collect, there’s a temptation to collect it all in case it’s useful in the future. But assuming that all the data stored will get hacked and leaked—and there’s a good chance it will—enables greater discrimination in collecting only the data that that’s truly needed.
  • Also consider where you’ll store users’ data. Does it need to be stored on the IoT device, which can be accessed physically? If it can it be stored in the vendor’s cloud, does it need to be personally identifiable? If not, minimize risks by not storing things like social security numbers or identifying specific individuals with the data about their connected products’ operation.
  • Make privacy and security a pillar of your product development. Keurig Dr. Pepper’s Tokar stressed that taking such an approach is crucial for his company’s high-profile brand. As a result, giving consumers visibility into and control over their data is something they strive to build in from the beginning.
  • Be transparent about your privacy policies, and present them in human language. Be very clear about what kinds of data each connected product collects, and what will be done with that data. Avoid legalese and overly technical jargon when communicating about what data you’ll collect and why.
  • Get consent for the type of data your smart home products will collect. Clarify if any of the data being collected will provide value-added capabilities for consumers, and which data are necessary for the correct functioning of the connected product. Don’t minimize the marketing and psychological advantages of gaining explicit consent even for data collection that is required for the smart device’s operation.
  • Provide choice for consumers. Many kinds of IoT products can be functional IoT devices without requiring the consumer to share every potential piece of data. Whenever possible, allow consumers to opt in or opt out of providing certain kinds of data.
  • Keep informed about what your peers are doing. In the absence of clear regulatory guidelines, manufacturers of connected products must stay aware of what others in their markets are doing. The goal is not to fall behind the others—but also not to get too far ahead of the pack. When regulations are a moving target, being too far ahead will probably mean backtracking as expectations and rules change.
  • Privacy can’t happen without security. Without security measures in place to prevent third parties from accessing consumers’ personal data from connected devices, privacy policies and practices mean nothing.
  • Don’t try to ‘do’ privacy and security yourself. IoT security and privacy are extremely complicated, and the technologies, best practices, and user expectations are constantly evolving. Engage with experts, specifically those who have experience with connected-product security and data privacy.

For example, leading IoT platform provider Ayla Networks embraces the best practice of creating an end-to-end security model covering the device, cloud, and mobile app layers. This end-to-end approach establishes the strong security foundation upon which all data privacy measures rely.

Are you a manufacturer of smart home products? Contact Ayla Networks to schedule a free consultation to find out more about the best ways to secure your connected devices and make protecting your customers’ data privacy a competitive advantage.