A new survey from Unisys shows that people are protective of their personal data, particularly when it comes to health, but when their safety might be at stake, they're a little more flexible.
Americans want the benefits of an emerging Internet of Things, but are wary of ceding control of their personal data, according to a new report from IT firm Unisys.
The 2017 Unisys Security Index shows that most Americans are interested in gaining benefits from IoT in the realms of public safety and health care, but only if their personal data is shared on their terms. Automatic tracking and data sharing was found to be far less popular, particularly when it involved government or insurance authorities.
Bill Searcy, a Unisys executive and former FBI deputy assistant director, told StateScoop that there is a pervasive fear held by the public of losing control of personal data and that IoT devices must be secured if government is retain the public's trust.
"You want to work with a trusted partner, someone who's been down this road before, someone who understands how to implement these things — maybe a systems integrator — who understands the objective," Searcy said.
Hypothetical scenarios that gave survey respondents control of when they could share personal data tended to be more popular, according to survey data. An emergency button on a smartphone or smartwatch to send location data to police was supported by 84 percent of respondents, while giving authorities discretion to access location data from a wearable fitness monitor was supported by just 32 percent of respondents.
The survey, published Tuesday, also showed that the public is interested in the potential benefits to be gained in personal health from IoT devices, but don't want to share certain information with health insurance companies or other private entities. While 78 percent of respondents said they would support a medical device — like a blood sugar monitor — that immediately transmits "significant changes" of the wearer's health, only 36 supported a fitness tracker that would monitor activity and reward the wearer with lower health insurance premiums.
When respondents were asked why they didn't want to share data with health insurance companies, 71 percent answered either that they didn't want those organizations to have that information or that they believed there wasn't a compelling reason for those groups to see the data.
There are technical solutions to minimizing risk of privacy collapse in the unfortunate event of a breach, Searcy said, like network microsegmentation, but there's no replacement for good governance.
"They should not implement technologies willy-nilly," Searcy said, recalling an incident in which a city launched a free public Wi-Fi project without first establishing a rapport with the community or designing a comprehensive plan.
"They didn't bother to make sure they educated their citizens about what they were doing and what the restrictions would be, that police would not be allowed to camp on the network and monitor everything that was going on. People believed that was going to happen," he said. "The result was they spent a lot of money implementing it and a then a lot of money shutting it down because the citizens got irate because they didn't understand it."
Privacy standards hold a prominent position in New York City's Guidelines for the Internet of Things, a policy template created by the city's technology department with aspirations of nationwide adoption. The guidelines are to ensure that data is only collected and used for "legitimate" purposes, that all data be anonymized before being made public, and that how data is collected be made public via the a city's open data portal or public website.
New York City Chief Technology Officer Miguel Gamiño told StateScoop in an email that new technologies will come and go, but public trust is sacred.
"Public education and awareness is critical to help protect individual privacy," Gamiño said. "New York City government is leading by example with our IoT guidelines and a commitment to always put individual privacy and security first. That means ensuring that we only collect data where there is a clear, defined use case and public benefit. It also means limiting or avoiding the collection of personally identifiable information where possible and never selling this personal data to third parties."
The City of Seattle recently hired a smart city coordinator with the intention of preventing just such a scenario as it deploys more sensors and prepares to become the second city after Chicago to operate an Array of Things.
Seattle's director of digital engagement, Jim Loter, told StateScoop in an email that the Unisys survey underscores the challenges cities face in balancing data collection with the need to preserve personal privacy.
"Our own local engagement with the community …. has indicated that many individuals have different concerns about privacy when it’s related to their voluntary interactions with private companies, such as Facebook or Amazon, than they do when it’s related to their interactions with government," Loter said. "In most cases, people don’t have a choice to get government services from a competitor or to not receive certain government services."
Loter pointed to pet licensing and remodeling permits as examples of essential services for which government is the sole provider and therefore must be held to higher privacy standards.
Health care and public safety, in particular, are areas where the increased use of sensor data could dramatically improve outcomes, but also deal with the most protected and private of data sets. The Electronic Frontier Foundation characterizes personal medical data as "some of the most sensitive information in the world," citing the inclusion of prescription history, drug use, and sexual history. While there are many laws to protect privacy of medical information, like the Health Insurance Portability and Accountability Act (HIPAA), which outlines stringent rules on information sharing and disclosure by health care professionals, the EFF notes that most of these laws serve to ensure the flow of information throughout the health care industry, not necessarily to protect privacy.
Fears of what law enforcement might do with personal information if given a chance were brought to life earlier this year when an Ohio man was charged with arson after police were granted a search warrant to check his pacemaker history. Police used the data to poke holes in the man's story, who had claimed that he escaped his own burning home carrying a few precious items in a panic, when in fact he had arranged carefully planned the entire crime. A record of his steady heartbeat gave him away and he eventually pled guilty to charges.
The scenario illuminates the possibility of many others in which a citizen's personal activity or location is unwillingly shared with authorities or embarrassingly made public.
Searcy, who worked with local police jurisdictions for 21 years during his work with the FBI, said one thing encouraging good behavior from police in cases like these is the fact that officers really don't want their evidence to be ruled inadmissible. When police don't follow the rules, their whole investigation can fall apart, and he'd seen it plenty of times, he said.
"I've seen cops literally break down and cry," Searcy said.
IoT implementations that promise personal safety seem to be the most likely to gain permission from the public. Sensors that can automatically detect "harmful chemicals or radiation" were supported by 86 percent of survey respondents, while projects that detect emergency vehicles, change traffic signals, use camera systems to notify police of "suspicious" activity, use facial recognition systems to identify criminals, and automatically detect gunshots, were also supported by at least 76 percent of respondents.