Internet-connected versions iRobot’s robotic maid Roomba aren’t just sucking up dirt — they’re also mapping your home.
The company disclosed Roomba’s secondary talent to Reuters this week and announced that anonymized versions of its customers’ digital maps may soon be for sale to Amazon, Google or Apple — with users’ “informed consent,” the company insists. The lucky purchaser could then offer you recommendations on products for your home and/or enhancements for the user experience of your other connected home devices.
The financial markets seem to love iRobot’s new orientation toward data mining. Its stock price has nearly tripled in about a year.
Yes, your data could be big business for iRobot. But what does the already burgeoning business of IoT data repurposing mean for your privacy?
“Can you blame iRobot?” asked Erka Koivunen, F-Secure’s Chief Information Officer. “It’s yet one more device manufacturer that has first ‘gone cloud’ and then realized that the data they collect may be of use — and of value — to others.”
But should the opt-in nature of iRobot’s plans and other privacy assurances convince consumers that their data will remain private?
“It is next to impossible for the ‘data donors’ to know how their data will be used and for what purposes,” Erka said.
“iRobot will most likely do its best to pseudonymize or anonymize the data,” he said. “The ugly thing is that many of the buyers of that data will give rat’s ass about the privacy and will do their best to de-pseudonymize and de-anonymize the data by correlating huge data sets and combining with data collected from other devices.”
So even if a company intends to protect your privacy, it may not be able to keep its promise.
“The hard part of anonymization is that given access to large enough body of data and an ability to correlate distinct datasets that represent the same phenomenon, one will eventually be able to spot patterns of behaviors and telltale signs that can be linked to individuals.”
For instance, Roomba is already compatible with Amazon’s Alexa IoT assistant.
“It will be easy for Alexa to figure what kind of shape and material the room it is located is based on the reverberation. It will also hear when a device like Roomba is moving around it. Combine these two things along with timestamps and you’ve triangulated the Roomba user with incredible accuracy.”
Think about what could Roomba do with data correlated with Alexa and a house where almost everything, even your mattress, connects to the internet.
Once your identity is connected to your data, it becomes much more more valuable — which may be why Twitter and Facebook are so desperate to get your phone numbers, by the way.
In the U.S., a recent breach of 1.1 terabytes of data revealed that a major political data-analytics firm had successfully built profiles of 198 million voters that connected their voter ID numbers to various other information including their email addresses, telephone numbers and reddit.com browsing history. A lawsuit argues the damages of the “loss of privacy” from the breach exceed $5 million dollars.
Private data that identifies individuals may also be of great interest to hackers, and thus increases the potential costs of breaches for companies that do business in the European Union, where the new General Data Protection Regulation goes into full force next year and requires companies give consumers “informed consent” about how their data is being utilized.
Erka said, “The real danger here is the repurposing of data,” which he defines as “personal information collected for one purpose later reissued/shared/combined to address an altogether different purpose.”
Can you really know what you’re agreeing to when you let iRobot sell a map of your home when iRobot itself may not have known it was going into the map-selling business a year ago?
“What ‘informed consent’ are we talking about when the data that you gave out ages ago under one pretense is later used for completely different purposes by a completely different party?” Erka asked.
Hannes Saarinen — F-Secure’s Chief Privacy Officer — notes that these answers differ depending on the laws you live under.
“In US, one can honestly say that ‘informed consent’ would cover cases where data will be later reused and reshared for purposes other than originally intended,” Hannes said.
This wouldn’t be true just across the Atlantic Ocean.
“In EU, this would exactly against the law,” he said and pointed out the relevant piece of European legislation:
*) Personal data shall be …. (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
As we transition toward an economy where data is the new oil and anonymity is history, you need to think about what happens to your data when it’s sucked up and sold — because businesses already are.
[Image by Eirik Newth | Flickr]
After F-Secure principal security consultant Tom Van de Wiele stepped into the #CyberSauna for the second episode of…
January 19, 2018