Smart home devices have become staples in modern households as convenience is increasingly prioritised and technology evolves. From voice-controlled assistants to smart refrigerators, these devices are built to make life easier. However, do they invade our privacy?
Connection through the Internet of Things (IoT) enables smart home devices to gather, process and share large amounts of data. While convenience is undoubtedly enhanced, this technology often exposes users to significant privacy risks.
Smart Home Devices and Data Privacy
Data Collection and Purpose Limitation: Smart home devices are often designed to collect vast amounts of data to function efficiently. For example, a smart fridge may track food usage, grocery patterns and user preferences. However, the Digital Personal Data Protection Act (DPDPA) emphasises the principle of data minimisation and mandates that the collection of personal data must be limited to what is actually necessary for the intended function of the device. Additionally, the collected data must be limited to the purpose expressly informed to the data principal or user at the time of seeking consent or collection of data. The Act, under Section 5, requires users to be informed about the personal data to be collected, the purpose of processing the data, the rights of the data principal and the grievance redressal mechanism while obtaining consent.
Informed Consent and Transparency
Under the DPDPA, smart devices are required to obtain express consent from users in accordance with Section 6 of the Act. The nature, purpose and manner of processing, retention periods, data sharing and the rights of the data principal must be communicated at the stage of obtaining consent or collecting data. Unfortunately, many smart home devices fail to provide a clear and transparent consent mechanism. The requirement of free, specific, informed, unconditional and unambiguous consent is often not met, and the consent sought is frequently buried in lengthy or vague terms and conditions.
Third-Party Data Sharing and Secondary Purposes
Smart home devices often share personal data with third parties such as grocery stores and advertisers for purposes beyond their primary function. For example, a smart fridge may track a user’s purchase patterns, usage patterns and food choices and share them with advertisers for behavioural advertising. Such processing for secondary purposes, beyond what the device was acquired for, undermines the user’s understanding of how their data is actually being used.
Data Security
The DPDPA, under Section 8(5), requires data fiduciaries to implement reasonable technical and organisational security measures to prevent data breaches and cyber-attacks. However, it has been observed that smart devices are often manufactured without adequate security measures in place, increasing their vulnerability to cyber-attacks. Such weaknesses can be exploited to access personal data stored on the device as well as other sensitive information, such as Wi-Fi credentials or, where linked, connected bank accounts. For example, if a smart fridge is compromised, attackers may gain access not just to the personal data stored on the device but also to other devices on the same network.
Data Retention
Smart home devices often store data for long periods. For instance, a smart fridge may track a user’s eating habits over many years. The DPDPA mandates that personal data should only be stored for as long as is necessary for the purpose for which it was collected. Data retention policies should be clearly defined, and users should have the right to delete or correct their data. In practice, awareness of such retention periods, and the means to exercise the rights to delete and correct data, are severely lacking.
Steps Towards Compliance
Manufacturers of smart home devices can ensure that the privacy of their users is protected in the following ways:
- Implement privacy by design
- Obtain informed consent
- Enhance data security
- Allow users to exercise their rights
- Engage in data minimisation and purpose limitation
- Regulate third-party access
- Adhere to data localisation and data transfer rules
Individuals can protect their privacy by:
- Reading the fine print and giving informed consent
- Updating the device regularly
- Ensuring that strong passwords and authentication methods are in place
- Securing their home networks
Conclusion
While smart home devices have become more widely used across households today because they enhance convenience, their integration into daily life must not come at the cost of privacy. Adhering to DPDPA principles ensures data protection for users while fostering trust in these technologies. Although the Act provides a robust framework, many devices remain non-compliant. Until full compliance is achieved, users should stay vigilant and take proactive steps to protect their data.
Bi-Weekly News Updates
- Ford Investigates Alleged Data Breach, Finds Third-Party Involvement
Ford has investigated allegations of a data breach involving 44,000 customer records leaked on a hacker forum. The company confirmed its systems and customer data were not compromised. Instead, the issue involved a third-party supplier and included a small set of publicly available dealer business addresses. The leaked records contained information such as names, locations, and timestamps, potentially aiding phishing attempts. Ford assured stakeholders that the matter has been resolved.
- German Court Approves Compensation for Facebook Data Breach
Germany’s Federal Court of Justice ruled that Facebook users affected by a 2018-2019 data breach can seek compensation, even without proving financial loss, stating that loss of control over one’s data is sufficient ground. The breach involved six million users whose data was accessed via the Facebook friend search feature. The court proposed 100 euros per user and directed a review of Meta’s transparency and consent practices. Meta disputes the ruling, citing alignment with EU case law and past dismissals by German courts.
- Turkey Fines Twitch Over Data Breach Affecting 35,000 Users
Turkey’s Personal Data Protection Board (KVKK) fined Twitch 2 million lira ($58,000) for a 125 GB data breach impacting 35,274 individuals. The KVKK found Twitch had insufficient security measures and risk assessments, addressing vulnerabilities only after the breach. The fine includes 1.75 million lira for inadequate security and 250,000 lira for failing to report the breach. Twitch has yet to comment.
https://www.reuters.com/technology/turkey-fines-amazons-twitch-2-mln-lira-data-breach-2024-11-16
- CCI Fines META Over WhatsApp Privacy Policy Breach
India’s Competition Commission fined Meta ₹213 crore ($25.4 million) and barred WhatsApp from sharing user data with Meta applications for advertising purposes for five years, citing antitrust violations linked to its 2021 privacy policy. The policy, which allowed data sharing between Meta entities, faced global backlash. Meta plans to challenge the ruling, asserting no privacy changes affected personal messages or account functionality in 2021.
- Finastra Confirms Data Breach
Finastra confirmed a data breach, impacting its Secure File Transfer Platform (SFTP). The breach, attributed to stolen credentials, led to the theft of approximately 400GB of data, including sensitive client information and internal documents. The cybercriminal, “abyss0,” advertised the stolen data on BreachForums. Finastra replaced the compromised platform with a secure alternative, notified impacted clients within 24 hours, and is analysing the breach’s scope. The company is working closely with affected clients and enhancing its security measures to prevent further incidents.
- MGN Faces Phone-Hacking Lawsuits from Celebrities
London’s High Court has revealed that Mirror Group Newspapers (MGN), publisher of the Daily Mirror, Sunday Mirror, and Sunday People tabloids, is facing 101 lawsuits over alleged phone hacking and unlawful information gathering. The claimants include notable figures such as actors Kate Winslet, Sean Bean, Gillian Anderson, and the estate of late cricketer Shane Warne. MGN, owned by Reach PLC, has been embroiled in these legal disputes for over a decade.
- Australia Enacts Major Reforms for Privacy and Children’s Online Safety
In a significant legislative push, Australia has introduced sweeping changes to privacy laws and online protections for children. During the final days of its 2024 legislative session, Parliament passed reforms to modernize the Privacy Act and adopted a social media bill mandating age verification and banning use by minors under 16.
Key changes include enhanced enforcement powers for the Australian Information Commissioner’s privacy division, authorization to create a Children’s Online Privacy Code, and new transparency rules for automated decision-making. Additionally, a statutory tort addressing “serious invasions of privacy,” such as doxxing, has been established. These reforms, prioritized by the Albanese government, were finalized despite being introduced late in the session.
https://iapp.org/news/a/australia-approves-first-privacy-act-reforms-social-media-ban-for-minors
- LinkedIn to Update Privacy Practices Following €310 Million Fine by Irish Data Regulator
LinkedIn announced plans to comply with a €310 million fine imposed by the Irish Data Protection Commission regarding its handling of personal data for digital advertising in the EU. The company will update its European Regional Privacy Notice and seek user consent for personalized ads by January 22, 2025. As part of its compliance measures, LinkedIn will request opt-in consent in affected countries for using data inferred or observed about users, including age range, gender, interests, traits, location (from IP address), and activity on LinkedIn services.
- Italy’s Data Authority Criticizes Intesa Sanpaolo Over Downplaying Data Breach
Italy’s data protection authority has criticized Intesa Sanpaolo for underestimating the severity of a data breach involving thousands of clients, reportedly including Prime Minister Giorgia Meloni. Last month, the authority requested clarification after allegations surfaced about an employee accessing the data of approximately 3,500 customers. Intesa later stated that further investigations revealed the actual number of affected customers to be significantly lower than media reports had suggested.
- SmokeLoader Malware Targets Taiwanese Manufacturing, Healthcare, and IT Sectors
A new cyberattack campaign has targeted Taiwanese entities in the manufacturing, healthcare and IT sectors using the SmokeLoader malware. Known for its adaptability and advanced evasion techniques, SmokeLoader operates as a modular tool capable of a range of attacks. According to a Fortinet FortiGuard Labs report shared with The Hacker News, while SmokeLoader typically functions as a downloader for additional malware, in this campaign it carries out the attacks directly by retrieving plugins from its command-and-control server.
https://thehackernews.com/2024/12/smokeloader-malware-resurfaces.html