Wearable technology is big news – and while we’re yet to see wide-scale adoption of hardware like Google Glass, the imminent arrival of the Apple Watch suggests that it’s only a matter of time before the wearable tech floodgates burst.
For information security professionals, the wave of new wearable tech will pose new concerns and threats. For legal practitioners, the implications of devices’ ability to surreptitiously collect personal information will create a minefield of data protection concerns. And for the consumer base that is slowly taking up smart versions of traditionally ‘dumb’ wearables, there will be plenty of reasons to worry about who has access to personal information.
These misgivings are nothing new. Among others, the ICO issued a warning relating to the use of Google Glass in enterprise earlier this year. But as we head towards 2015, interest in wearables is reaching new heights – as are fears that privacy is under greater threat than ever.
Tapping into (no pun intended) these prescient anxieties, legal think tank Halsbury’s Law Exchange (HLE) this week hosted a debate on wearable technology and its impact on society and privacy. The panel, made up of legal and technology experts, covered everything from apocalyptic predictions about a smart fridge’s capacity to leak your dietary habits to the government, to broad-ranging ethical concerns about how developers could misuse personal data.
During the debate, several issues of clear significance to information security professionals were tabled – including the increasing adoption of wearable tech in the enterprise. Panellist Sally Annereau, data protection analyst at Taylor Wessing LLP, was quick to point out some beneficial examples of how wearable tech could be harnessed in the workplace: “Technicians fixing a boiler with a real-time video relay back to the office, or a surgeon performing open heart surgery with Glass technology.” On a more sinister note, she prophesied “employers using wearable technology that is monitoring people’s attention spans.”
Remotely monitoring the activity of employees is not a new concept – there are numerous ways that businesses can, and do, keep track of their staff’s electronic activities. However, with technology like smart glasses and other wearables, the potential to harvest data becomes much more wide-ranging and surreptitious.
Also consider smart glasses’ potential for abuse by employees in a BYOD context. If confidential business data is being recorded at a mere glance, regardless of whether there is the intent for misuse, this raises clear problems. Security professionals will have their work cut out not only in ensuring that the way new technology records data about employees is compliant, but also in tightening policies to safeguard data in situations where employee use of smart wearables presents a data breach threat.
As in all aspects of privacy and surveillance, there are two sides to the ethical debate. Having devices in the workplace that record not only personal data, but also data about co-workers, threatens, in the words of panellist Andrew Caldecott QC, “the legal idea that [we should be entitled] to keep control of our own private information and when and how to release it. You get a problem when one person wants to tell their story and their story involves somebody else who doesn’t want it to be told.”
But, as Caldecott later suggested, imagine a situation where smart technology allows for the gathering of hard evidence about a case of racist or sexist abuse in the workplace. This is clearly beneficial – and such examples need not be limited to the business environment.
Then there is the threat of unauthorised access gained by hackers to data gathered by smart technology. This is a clear concern with any new technology implemented in the enterprise. The threat here is complicated and heightened by the interconnectivity that wearable tech promises.
Indeed, as the HLE debate moved on to the internet of things, panellists discussed smart technologies’ tendency to automatically interact with other devices. If your smart glasses are sharing information with your phone, which is sharing data to social media channels, which are then collecting data about users’ behaviour to sell to advertisers, there are clearly many boundaries across which data is travelling, with no clear nexus. “In that messiness we can often end up with novel security threats,” summarised Jennifer Bland, senior researcher in technology at Nesta.
That “messiness” is also a source of concern from a legal point of view. Where multiple smart devices are sharing information by default in a way that users are unaware of (whether they’ve ‘signed’ an agreement policy or not), how can responsibility for protecting data be apportioned? Data that’s being recorded on one device could fall into the wrong hands, not through deliberate hacking of that device, but through breaches in the cloud, information sent to developers, or sharing data with other, less secure devices.
This debate highlighted more than anything that wearable technology and the internet of things will necessitate and expedite legal reform that has been rumbling in the background for a number of years. Panellist Eduardo Ustaran, partner in global privacy and information management at Hogan Lovells, explained that, “The idea of relying on consent is becoming more of a fallacy. We don’t really know what is going to happen with our information. The emphasis is shifting from the individual determining whether this can or cannot happen, to the developer deciding whether that is intrusive.”
He added that new EU-wide legislation in the pipeline – which will supersede the Data Protection Directive of 1995 – will introduce “a new principle that requires any user of information to assess the risk to the individual, and dependent on that risk, different obligations will apply.”
Moving forward, it’s clear that placing more obligations on developers to increase transparency, or introduce ‘privacy by default’, will become a major theme of the next few years. Security professionals will also face new challenges in adapting to responsibilities surrounding wearables within the enterprise – both in the handling of employee data and safeguarding data stored and recorded by wearable devices.