Canada's federal privacy watchdog is participating in a global initiative that's raising red flags about connected devices – everything from "smart" TVs to fitness-tracking wristbands and Internet-connected toys – and their failure to provide users with control over the personal information those gadgets collect.
The Office of the Privacy Commissioner of Canada (OPC) took part in the global "privacy sweep" in April, and is now releasing the results. The sweep involved 25 privacy authorities. It looked at 314 connected devices – often collectively referred to as the "Internet of Things" – and how they communicate their privacy practices. Canada's focus was on 21 health and wellness devices that are popular among Canadians, including fitness trackers, smart watches, smart scales and blood pressure monitors.
They found that connected devices "fail to inform users about exactly what personal information is being collected and how it will be used" – including sensitive data such as health and financial information.
The OPC says that the concept of "the body as information" is a major focus, as health, genetic and biometric information is being tracked more than ever. During the sweep, staff used connected products and analyzed what information those devices asked for – and what privacy collection and protection information they provided to users. Nearly half of Canadian "sweepers" – OPC staff who tested the devices – and more than three-quarters of international sweepers were unable to find basic instructions on how to delete their data once they had begun using the devices.
The Global Privacy Enforcement Network, now in its fourth year, is a joint effort among privacy organizations in many countries, including the United States, Britain, members of the European Union and China, and has conducted such privacy sweeps before. By acting in tandem, the group is attempting to add global heft to major privacy concerns.
Last year, for example, the network conducted another sweep that showed how websites and mobile applications targeted to kids often do not do enough to protect children's privacy.
Among the devices that the OPC analyzed in this sweep, it highlighted concerns about a blood pressure monitor and a thermometer that both asked to track users' locations, without giving adequate explanations about why that was necessary for the device's purposes.
Another concern was the Jawbone UP3, which tracks a user's activity, sleep and heart rate. The OPC noted that the device provided an easy online form to request that the company delete all personal information on its servers, including data shared with partners. But the "sweeper" found his account was still active, with personal information intact, two months later.
Both the Fitbit and Garmin Vivosmart HR fitness trackers were highlighted by the OPC for being too vague in their privacy policies about safeguards they put in place to protect users' data.
In another case, the iMazeFitness heart rate strap had a placeholder on its personal information page that said "[Insert customer data privacy clause here if applicable.]"
"Many of the privacy communications were generic or vague, or had privacy policies that weren't specific to the devices being evaluated," said Brent Homan, the OPC's director-general of PIPEDA investigations. (PIPEDA stands for the Personal Information Protection and Electronic Documents Act, which is the law in Canada concerning privacy and personal data.)
"Providing information about what is being collected at key points – such as registration or purchase – is a best practice … rather than having it buried in privacy policies," Mr. Homan said.
Not only should devices make clear what types of data are being collected and shared, Mr. Homan said, they should make it easier for users to exercise control over that information. Further, where information gathering is not essential to the device's purposes, user consent should be explicit – and the default setting should be not to gather that information, he said.
On the positive side, the OPC noted that many companies did give detailed explanations of how information would be shared with third parties such as advertisers.
"With the proliferation of the Internet of Things, the activities, movements, behaviours and preferences of individuals are being measured, recorded and analyzed on an increasingly regular basis," Privacy Commissioner Daniel Therrien said in a statement. "As this technology expands, it is imperative that companies do a better job of explaining their personal information handling practices."
What is the 'Internet of Things'?
It's a term that covers an extremely wide range of Internet-connected devices that use technology to increase their functionality.
These include self-driving cars; TVs that can stream content from the Internet and may include voice and gesture recognition; sleep trackers; home security systems; location-tracking devices to help people find their keys or other lost objects; and smart thermostats that monitor and adjust energy use in homes, among other devices.
Cisco Systems has forecast that there will be 50 billion such connected devices worldwide by 2020. Research firm IDC has predicted the global market for the Internet of Things will grow from $655.8-billion (U.S.) in 2014 to $1.7-trillion by 2020.
Often, the information that such devices can gather is exceptionally valuable for marketers. Personal devices may give third parties information about the users to help companies better target advertising to them. Others are for commercial use, such as devices that pick up WiFi signals from mobile devices and use those signals to track customers' visits to a store. Beacons can use mobile devices' Bluetooth signals for similar purposes.