The rise of high-tech smart devices that store and share personal data poses a serious threat to Canadians’ privacy, and one that is not adequately addressed by existing privacy laws, according to a new report from Western University.
Law professor Samuel Trosow examined security and data collection protocols of an array of consumer smart devices, combing their fine print and putting them up against Canadian privacy laws.
He found that many products have inherent security flaws that leave them vulnerable to intrusions, while others may be intentionally stockpiling personal data for marketing purposes, unbeknownst to consumers.
What’s more, the pace of technological development has left Canadian data privacy laws, many of which were implemented at the turn of the century, trailing in the dust.
Smart devices, which range from lightbulbs and kitchen appliances to fitness wearables and even sex toys, harness the internet to bring the benefits of network connectivity to a plethora of activities, chores and hobbies.
Many of these gadgets utilize the Internet of Things (IoT), a system for connecting physical electronic devices via WiFi, Bluetooth and companion smartphone apps.
Whether it’s using a grocery-tracking gadget to streamline your grocery shopping, or using an app-connected smart lock to thwart bicycle thieves, the conveniences are unquestionable. But they come at the cost of privacy, whether consumers are aware of it are not.
WATCH: Most Internet of Things devices have privacy issues: study
Exacerbating this problem is the fact that Canadian privacy laws simply haven’t caught up to the complexity of data collection and storage by smart devices.
For instance, the law prohibits product manufacturers from divulging identifying personal information to outside parties. Trouble is, modern statistical algorithms make it possible to take humongous chunks of anonymous data and break them down to identify individual information, a process known as re-identification.
“The re-identification can be accidental, but can also be intentional,” the report says. It points to the case of a teenage Target customer who was sent ads for maternity products after the retail giant used sophisticated analytics to deduce that she was pregnant.
Among privacy policies of 20 product lines studied by Trosow, only one — the Fitbit fitness tracker — explicitly said it prevented recipients of consumer data from re-identification.
To get around the blurred lines between supposedly identifying and non-identifying data, Trosow’s report recommends that privacy law be altered to consider all consumer data as identifying and sensitive.
He also suggests that a standard format be developed to make privacy terms and conditions easier to read and understand, and that information pertaining to use of customer data “be specified with greater clarity.”
The report also takes issue with products forcing consumers to agree to share their personal data if they want to take advantage of the product.
“For example, in the case of wearable devices that generate health data, consumers should have the option of turning off the data collection that is reported back to the vendor,” the report states.
WATCH: Woman suing company over sex toy data sharing
Further complicating matters is the fact that many smart devices used by Canadians are manufactured by U.S. companies; their products often require Canadian consumers to effectively waive their privacy rights.
Despite this being legally questionable, current privacy laws aren’t anywhere near clear and strong enough, which emboldens U.S. tech vendors to continue the practice.
To tackle these and other privacy challenges, the report calls on Canada’s privacy commissioner to proactively update privacy laws to bring them up to speed.
“Like other technological developments in the past, the Internet of Things presents compelling evidence that laws need to adopt to changing circumstances.”
It’s a task that the report warns will require considerable funding and resources.
But with Canadians increasingly embracing connected devices — and exposing their personal data to tech companies, marketers and other third parties — it’s something that will need to happen if Canadians’ privacy and security interests are to be protected, the report concludes.