Data Privacy in the Internet of Things (IoT)

Covering issues concerning data governance, technical, legal and institutional mechanisms of protecting privacy in the Internet of Things, and individual data rights.

Connecting the Dots between IoT and Data

When we speak about the Internet of Things, the association that frequently comes to mind is that of multiple interconnected IoT devices. And we think of the multifarious ways in which they communicate both with each other and with their human facilitators. The vision is that of a universe of things streaming data in all sorts of formats, using an array of different protocols, towards data centers, platforms, edge devices, and local aggregators. 

Within this perpetual enmeshment, the one constant currency in the communication between people, enabling interfaces, and connected things remains the data. But data, at the same time, is perhaps the most clandestine actor in this interweave of reality textures that involve digital twins, human and nonhuman actors, as well as the hidden agency of IoT architectures and data infrastructures. 

The Confluence of IoT and AI: AIoT 

According to a recent global study, the strengths of IoT and the stunning wealth of data generated by an IoT device can only be leveraged to the fullest when combined with the powers of AI. The study goes as far as to propose its own acronym, AIoT, signaling a strategic combination of AI and IoT as the new goal in IoT strategy. According to Melvin Greer, Chief Data Scientist at Intel,

“The benefits from AI and IoT are enhanced when we put them together. An AIoT approach provides visibility from edge to cloud and drives analytics to smart connected devices.”

The mindset of thinking AI and IoT as inseparable is slowly making its way into the mainstream. More and more companies are becoming aware of the necessity of data science solutions to come on top of the tremendous amounts of data that their IoT systems generate. 

Considering IoT and AI as two sides of the same coin is perhaps even becoming the norm. More companies, according to the study, are becoming aware that the value of IoT data can only become fully palpable when combined with data analytics and AI.

Traditional systems can no longer sustain the challenges posed by big data. AI has been increasingly implemented alongside IoT to close the loop in various efforts to automate processes, learn from data, and endorse sophisticated reliability and efficiency initiatives. 

“Those who have developed an AIoT capacity report much stronger results across a number of critical organizational goals–everything from their ability to speed up operations and introduce new digital services to improving employee productivity and decreasing costs. In every case, there are double-digit percentage differences between those who say they are achieving significant value and those who aren’t – with AI making the difference.” 

IDG study

Data in the Internet of Things: Considering the Infrastructure 

But to get there, you need to start with the IoT data. How does this data flow? What structures enable its journey from the sensors and local IoT edge devices all the way to the cloud? For you to get to that data, multiple decisions need to be made regarding the very data collection infrastructure. You need to consider the way the data is aggregated, the application of various de-identification techniques such as pseudonymisation and anonymisation, the form in which the data will reach the cloud, and so, infinitely, on.

In sum, this multilayered picture of data running through an infrastructure and becoming part of sophisticated IoT architectures shows us that data is complexly interwoven with its IoT ecosystem. The very infrastructural setting may, to a great extent, influence the ways the data is collected, interacted with, and ultimately interpreted. And an infrastructure created from the vantage of a particular mindset may generate data outcomes that are, in a very visceral way, the products of this mindset.

We encounter this phenomenon everywhere in lived environments: Ecosystems have an influence on the living and non-living beings that inhabit them, architectural decisions can influence the well-being of dwellers, and infrastructures — broadly conceived — can have limiting or enabling effects on the entities that operate within them. 

It is often the case that, when it comes to unfavourable outcomes in data protection and IoT security, we point our fingers to end users. But at times, this is not about those at the very end of the data chain. Equally so, we need to consider the facilitating role of IoT infrastructures in the complex process of making data visible. 

Data Privacy in the Internet of Things: What is an Enabler and What is a Constraint 

One special case of enabling and facilitating data flows within a pre-established infrastructure is that of IoT data privacy. The majority of contemporary discussions on privacy focus on personally identifiable information (PII), which is seen as an identifiable piece of property. The so-called “privacy paradox” (Barnes 2006) shows a cleft between intent + concern on the one hand and actual behaviour on the other hand. That is to say, whereas a concern for privacy may be articulated, actions that effectively work towards the preservation of privacy may be lacking. 

This long-standing bias feeds into debates on privacy laws in digital environments, trivializing complex processes of what philosopher D. E. Wittkower calls “responsibilization”. Here we have the trivialisation of the coercive extraction of personal data on the one hand, and making privacy protection a user issue on the other hand. In such scenarios, a clear intent to protect is in fact articulated. Yet the responsibility to protect that sensitive data is bounced back to the end user. At the same time, the intent to protect is not backed up by a corresponding concern about the very nature of the infrastructural arrangements that facilitate the data transfer.

An IoT infrastructure, therefore, should consider privacy from the very outset. A viable IoT infrastructure needs to embed data privacy concerns into the various aspects of its makeup. These include the embedding of:

• design decisions
• effective data security choices 
• the promotion of concepts of the nature and value of privacy

How do we get there?

Robust IoT Infrastructures: The Preventive Turn

Back in 2019, some 67% of all companies in a survey reported to have experienced security disruptions linked to connected IoT devices. At the same time, the question of IoT data privacy as part of security concerns at large is still mostly unaddressed. At best, it is only cursorily acknowledged in most IT departments. What we need is a robust IoT infrastructure with strong security features. One such IoT infrastructure will take into account the different types of handled data at a very granular level.

A preventive approach, broadly conceived, will take its insights from prevention best practices, risk assessments, security considerations, and existing privacy violation histories to embed privacy hygiene at the very core of an IoT infrastructure, making it an inextricable component of what constitutes good IoT practice. One such approach will alleviate the tension between the importance placed on individual autonomy (and hence responsibility), and the perceived need for prevention as the condition for securing that very autonomy.

So when looking into IoT products, a preventive approach will allow you to create structures that foreclose cybersecurity and IoT privacy issues at the outset. This is how you make sure that the data is available only to those who are authorized to access it. This way, you will not only avoid issues with IT infrastructure security but will introduce an extra layer of privacy hygiene when handling incoming streams of IoT data.

The Record Evolution Platform makes IoT data privacy one of its greatest concerns. The platform’s IoT development studio differentiates between four forms of data. These include user data, device data, code data, and data gathered from devices and intended for IoT analytics. We protect all four forms of data against unauthorized access using granular authentication and authorization mechanisms.