The concern of technology consumers over the extent of incursions into their privacy and the confidentiality of their data is nothing new, and it’s certainly a subject never far from the headlines. Just recently, there was a backlash in the press against unscrupulous tech companies that were accused of harvesting data gathered from facial recognition technology, and this sparked major concerns over data privacy.
Emerging technologies like the Internet of Things (IoT) and Artificial Intelligence (AI) have the potential to transform our lives, but not everyone is excited at this prospect. In January, the World Economic Forum listed cyber attacks as one of the top threats facing the world in 2020, and pointed to recent hacks of smart home brands and mass data thefts as particular areas of concern.
As a smart home alarm startup ourselves, we take these concerns seriously. An IoT device like ours exists in an ecosystem of smart devices. And each device has a responsibility to protect that ecosystem - and its users - by ensuring that it is impervious to hackers.
Successful AI and IoT businesses are those that recognise and take action to manage concerns around the potential for technology to erode user privacy.
So how can businesses in this space alleviate the quite understandable concerns that customers may have over their data privacy? And what practices can they put in place to show a genuine commitment to protecting their customers in this regard? Here is our advice...
Be completely transparent
When a customer’s use of a product generates data, it is vital that the business makes clear to the customer what data it needs to retain and why.
If the data collection is purely to improve customer experience, the customer is far more likely to view such data usage as legitimate.
It becomes a different situation if data is collected for commercial or marketing reasons, or if it is apparent that the company has not been upfront about its data collection policy in the first place.
It is vital that AI or IoT businesses communicate to customers that they are focused only on the job at hand, and reassure them that they never share customer data with partner brands so they can upsell products.
The bottom line? Only collect data that is required from customers and that will truly benefit them.
Customer interfaces, such as smartphone apps, form the foundation of most IoT businesses. So to any company operating within this industry, two-factor authentication (2FA) should be seen as compulsory.
With 2FA, customers are asked to enter a secondary form of verification after the username and password. Many of us will already be familiar with this as most UK banks use 2FA as standard, and will text you a unique code if you are logging in from an unfamiliar device. 2FA creates a second layer of security that can stop even the most persistent of hackers in their tracks.
Many of the breaches or hacks seen in smart home alarm systems, for example, have been due to low complexity passwords. Often, camera feeds are left ‘open’ by not having a password set up at all.
Enforcing 2FA ensures that password guessing or brute force attacks are ineffective, as well as reassuring customers of the business’s commitment to customer privacy and protection of data.
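The login flow described above, as an added example that is not from the original article or any vendor's product: a correct password from an unfamiliar device only triggers a one-time code, and the code is time-limited and attempt-limited. The class and method names, the 5-minute lifetime and the 3-attempt limit are assumptions, and the `outbox` list stands in for the SMS channel.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300       # seconds a one-time code stays valid (assumed value)
MAX_CODE_TRIES = 3   # wrong codes allowed before the challenge is dropped (assumed)


class Account:
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.trusted_devices = set()
        self.challenge = None   # pending second-factor challenge, if any
        self.outbox = []        # stand-in for codes texted to the customer's phone

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password, device_id, now=None):
        now = time.time() if now is None else now
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return "denied"
        if device_id in self.trusted_devices:
            return "ok"
        # Right password, unfamiliar device: no session until the code is confirmed.
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenge = {"code": code, "expires": now + CODE_TTL,
                          "tries": MAX_CODE_TRIES, "device": device_id}
        self.outbox.append(code)
        return "code_required"

    def verify_code(self, code, device_id, now=None):
        now = time.time() if now is None else now
        ch = self.challenge
        if ch is None or ch["device"] != device_id:
            return False
        if now > ch["expires"]:
            self.challenge = None
            return False
        if hmac.compare_digest(code.encode(), ch["code"].encode()):
            self.trusted_devices.add(device_id)
            self.challenge = None
            return True
        ch["tries"] -= 1            # limit guesses so the 6-digit space cannot be swept
        if ch["tries"] == 0:
            self.challenge = None   # a fresh password login is needed for a new code
        return False
```

Without the attempt limit and expiry, the six-digit code itself becomes the thing to brute-force, so both checks matter as much as the code.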
IoT security foundations compliance framework
IoT businesses should consider investing in on-board security protocols in their hardware if they have not already done so.
With IoT, new vulnerabilities are constantly being discovered, which means there is an essential need to monitor, maintain and review policy and practice regularly.
The IoT Security Foundations Compliance Framework is a comprehensive framework that sets out the do’s and don’ts of launching an IoT product into the market. It includes contributions from security practitioners, researchers, industrially experienced staff and other relevant sources to promote and encourage best practice when it comes to security.
By conforming to this framework, companies are able to send a clear message to the market that they understand the potential concerns around security and are taking them seriously.
Compliance with stringent regulations
Wherever a business is based, whether in the European Union (EU) or elsewhere, it must have a full understanding of the rules and regulations that are in place around data protection and security.
In 2018, the General Data Protection Regulation (GDPR) came into force in the EU and is a law focused solely on data protection and privacy.
The aim of GDPR is to give individuals control over their personal data, meaning that businesses must have appropriate technical and organisational measures in place to implement data protection principles.
It is vital that all businesses understand exactly what is required of them to ensure total compliance with this stringent new law. Guaranteeing compliance with GDPR goes a long way towards putting their customers’ minds at rest.
Consider end-to-end encryption
Technology businesses operating in the AI or IoT sector should give consideration to implementing end-to-end encryption using industry standards to ensure that data cannot be viewed by any unauthorised individuals.
A good example of this in the world of smart home security is where recording - whether it be sound or video - takes place as part of an integrated home security package. In this instance, the video or recording itself should be end-to-end encrypted. One deployment option is to ensure that only a minimal amount of recorded footage is actually streamed to the cloud, with the customer’s recording processed locally by a hub-type device instead.
Data privacy and concerns around the security of data continue to weigh heavily on the minds of consumers across the globe. The harsh reality is that it can be hard for even the most tech savvy among us to know who to trust nowadays. It is for this very reason that IoT and AI businesses absolutely must sit up and take note. By recognising these concerns and taking action to reassure consumers that the business has practices in place to protect data privacy, they can manage concerns around the risks of technology to end user privacy.
Robin Knox, Co-founder and CEO, Boundary