The Internet of Things (IoT) is considered to be one of the most significant disruptive technologies of modern times, and promises to impact our lives in many positive ways. At the same time, its interactivity and interconnectivity poses significant challenges to privacy and data protection. Following an exploratory interpretive qualitative case study approach, we interviewed 14 active IoT users plus ten IoT designers/developers in Melbourne, Australia to explore their experiences and concerns about privacy and data protection in a more networked world enabled by the IoT. We conclude with some recommendations for ‘responsive regulation’ of the IoT in the Australian context.
Collaboration, networking and innovation are predicted to change radically as we move into an era of the Internet of Things (IoT). One of the fastest-growing trends in computing, the IoT promises to be one of the most significant disruptive technologies of modern times, affecting multiple areas of human life including manufacturing, energy, health, automotive, retail, insurance, crime, fraud and threat detection (Dutton, 2014; Gartner, 2014; OECD, 2015; Vermesan et al., 2011). Although there are multiple definitions of the IoT (Noto La Diega and Walden, 2016), the essence is that the IoT involves computing beyond the traditional desktop, concentrated on smart connectivity of objects with existing networks and context-aware computation using network resources (Gubbi, Buyya, Marusi and Palaniswami, 2013). Indeed, connectivity of heterogeneous objects and smart devices is a crucial part of the IoT (Atzori, Iera, andMorabito, 2010; Caron, Bosua, Maynard and Ahmad, 2016; Gubbi et al., 2013; Noto La Diega & Walden, 2016). Interactivity and interconnectivity are therefore at the heart of the IoT, and promise to impact our lives in many positive ways.
At the same time, while the IoT holds great promise, it poses significant challenges to users’ abilities to control access to and use of their personal data (Caron et al., 2016; Dutton, 2014; Weber, 2009, 2010). This challenge and the attitudes of users and designers/developers in Australia is the particular focus of this paper. In the sections that follow we commence with a brief overview of the literature on privacy, data protection and the IoT, followed by a description of our qualitative research design, key findings and discussion of the findings. We conclude with some minimalist proposals for legal regulation of the IoT in Australia, based on an idea of responsive regulation i.e. of law responding to public concerns in fashioning legal standards (Nonet & Selznick, 1978; Nonet and Selznick, 2001).The authors conclude
n this article, based on voiced concerns about privacy and data protection raised by a number of IoT users as well as some designers/developers in Australia, we have proposed a responsive system of privacy and data protection for the IoT beginning with privacy/data protection by design, covering basic matters such as notice and control throughout the life cycle of the data, then building up to more stringent consumer and privacy/data protection regulation provided under (inter alia) the Australian Consumer Law and Privacy Act 1988 (Cth), and as a third tier actions brought by individuals in court to vindicate their claims relying on privacy-type doctrines as applied by judges (for instance, through the current action for breach of confidence, and/or a specific privacy tort if and when this becomes part of Australian law).
We note that our discussion has not touched on the question of higher levels of regulation, for instance the use of the criminal law to restrain and control the ways in which the IoT might be used for antisocial purposes, including, for instance, undesirable forms of ubiquitous surveillance. For our users, on the whole, seemed to be rather unconcerned about the dangers of surveillance by the IoT, or as Andrejevic and Burdon put it (2015, 24) ‘the dimensions of a sensor society in which the devices we use to work and to play, to access information and to communicate with one another, come to double as probes that capture the rhythms of the daily lives of persons, things, environments, and their interactions’, with attendant risks for human dignity and freedom. Thus users’ responses to our interview questions do not offer much support for broader reform of what might be termed Australian surveillance law. Accordingly, based on a model of responsive regulation (i.e. law responding to existing public concerns), our recommendations have centred around more limited questions of how well IoT users’ private and personal information will be looked after, whether IoT users will be able to understand what is happening, and whether they can maintain control.
That is not to say that surveillance will not ultimately come to be seen more widely as a real problem of the IoT and that broader law reform measures will not be a focus of further public discussion. Indeed, already some of our interviewees argued that a coming issue will be the prospect of ubiquitous surveillance, affecting the basic structure of society (see Richardson et al., 2016). In response to this concern, law reform efforts in Australia may eventually need to be more deeply structural than the small-scale changes we have so far been contemplating.