Who’s Listening? A Call for Data Protection in Smart Devices

UK households are set to spend £10.8bn on smart devices in 2019. The responsive nature of these devices means they need to be “always-on”, which has led to concerns as to when the device is “listening” and what data it records and stores. Even while consumers demand more privacy and claim to be worried about how technology tracks their behavior, they are installing connected microphones and other sensors in their homes.

From bulbs to home security cameras, we are slowly being indoctrinated into an “always-on” technology culture. Smart devices, particularly speakers, are increasingly common in both the home and workplace, listening to our most private conversations and requests. While there is the question of who owns the recorded data, there is a greater issue: where is the data stored, and how is it tracked through to end-of-life?

Turn it down! Increased volume of data 
The IoT creates new volumes of data which can be stored, managed and analyzed by device manufacturers: recorded audio from smart speakers, or access to data on individual habits or preferences. The data can be used in a variety of ways, from targeted advertisements to personalized content. However, this is also a security concern as personalized and sensitive customer data has the potential to be manipulated by malicious parties.

There is confusion as to how these devices process data and consumers don’t actually know what is done with their data: a recent YouGov survey found a third of smart speaker owners did not know that their devices collected and stored voice recordings.

Smart devices are clearly popular, and their functionality demands access to and the storage of sensitive data—it’s what makes them smart. Without being “always on” the device would not fulfil its most basic functions, and optimizing the user experience means storing certain types of data. But that does not exonerate the device manufacturers over data management, especially in taking responsibility for sensitive data throughout the data lifecycle.

Don’t hate: Regulate 
With IDC predicting there will be over 41.6 billion connected IoT devices generating over 79 trillion gigabytes of data by 2025, data management processes and transparency need to change now. The problem is that regulation is still falling behind the rate of innovation in the smart device industry, leaving a data management gap for companies launching such devices.

There are also basic practical problems with regulating data collected by smart devices, as the data is slow input, comes in a wide variety and can differ immensely from device to device. For example, audio data collected by a smart speaker is an entirely different asset to sensory data collected by a smart alarm system.

GDPR granted a “right to erasure” but the nature of data collected by smart devices makes this difficult for manufacturers to fulfil. It means having to locate the specific data set within a server—often manually—before securely erasing it.

This, combined with the shift from data being stored in hardware to being uploaded straight to the cloud, means there is a need for smart device manufacturers to go beyond regulation to get data collection and storage in data centers right.

These smart devices work by always being connected to the internet, allowing for streamlined hardware and a lack of physical storage space in the device itself. Sensitive data recorded by smart devices is sent straight to a data center where it can be stored indefinitely.

So, what does the manufacturer do when a device reaches end-of-life and this data, often personal and sensitive, must be erased? Often data is stored, whether in data centers or in-house, without a formalized retention period or process in place to dispose of the data when it reaches end-of-life.

Data also leaves a digital trail which means it can be recovered when being transferred from one piece of hardware to a data center and back. If a manufacturer stores smart device data in a data center, it’s imperative that data is tracked and managed appropriately, as the personal property of the customer.

Data Management 
The buzz around IoT, especially regarding security concerns and data privacy, is part of a wider conversation around the need for more stringent data management. Data privacy regulation has exposed data management processes as inefficient and incomprehensive.

This can be linked to a general lack of education in data management best practice, and is amplified by the fact that it’s never been necessary until now to process and regulate such intense volumes of data.

The sheer volume of data is no excuse—automated techniques can make the data management process entirely manageable. What should be a primary concern for an enterprise or manufacturer is the ability to track sensitive data from collection to end-of-life, with an auditable trail. This is the only way to comply with new data privacy laws.

Data collected from smart devices needs to be tracked and managed, especially when data is being stored in the cloud. Manufacturers relying on data centers to store and manage sensitive customer data must ensure the drives containing the data are securely erased following the retention period. Simply deleting the data or transferring it out of the data center does not ensure full erasure, or compliance with regulatory laws.

Smart device manufacturers must be proactive in overhauling data protection practices. Smart devices are only going to get smarter, and this intelligence will be a result of storing and analyzing greater quantities of sensitive data. Keeping consumer trust means that data protection needs to get smarter, too.
