Welcome to 'uber-veillance' says Australian Privacy Foundation

You're already quantified and known, says researcher Katina Michael

Regulators are way behind the game when it comes to wearable and IoT privacy, and users are willingly conspiring with companies that don't care about them to help create a society of “uber-veillance”.

That's the grim conclusion reached by Australian Privacy Foundation (APF) board member and University of Wollongong researcher Katina Michael in conversation with The Register.

In light of the US Federal Trade Commission's warning at CES that it's watching the Internet of Things closely, Vulture South wondered how things might stand in Australia and asked Michael for her views on the topic.

One of the things that makes it hard for a regulator to formulate privacy rules covering things like RunKeeper, Fitbits and the like is that so much of the privacy invasion seems almost voluntary. Users take the defaults of the product-plus-service, create a social media stream informing the world of everything from their sleep patterns to the distances and even places they walk, run, cycle – with too little understanding of just how much about them can be inferred from the data.

“We know about people's measurements – sleeping, health, where they are, who they're with, engaged in sex, walking, running, speeding, burning calories”, Michael told Vulture South.

“How long does it take until we're constantly being monitored and tracked, and people are predicting our next action?”

She noted that individuals don't realise how much trackers, and the companies that sell them, know about us, how companies use that information, nor how their policies let them on-sell that information.

She added that it's no longer a fiction that the services behind wearables and IoT devices could know more about us – at least in specific areas – than we know ourselves.

To Vulture South's scepticism, Michael answered “I'm busy: I can't count the number of steps, because I'm too busy walking. I can't count the calories I burn at the gym, or tell you the speed I walked, the distance I covered or the time I spent on a particular activity.

“Spatio-temporal models know these things and can make inferences about what you're doing,” she explained.

Michael reminded Vulture South that these models have been under development for decades. “I worked in a telecoms vendor for six years. We had voice and data traffic models; we were fairly accurate, we knew where traffic was coming from, where it was going to.”

The advent of mobile telephony expanded both the data and the inference that could be drawn from it dramatically, she said, so that by 1997-1998, she was able to find very good details that associated the individual to his or her behaviour.

Since then, the data sources contained in just one device, the smartphone, have exploded: “Not only can we collect the personal data from the sensors – the GPS, the accelerometer, the altimeter, the temperature sensor, and make the speed/distance/time calculation,” she said, but it's now trivial to plot that against data amassed by Google's StreetView or national address files (the GNAF in Australia).

“I not only know your X and Y coordinate, I know the building name, what floor you visited,” she said, and since people are creatures of habit, the inferences that can be drawn from phone data alone are invasive and revealing.

Add data from wearables and implantables, add consumer confusion about who owns the data (you don't, for example, own the data generated by “your” pacemaker, she said), and combine it with vague and liquid company privacy policies and user enthusiasm for self-publishing their “quantified self” data, and the emerging situation “blows the National Privacy Principles out of the water,” Michael said.

“For example, you can easily bucket someone into categories – social sorting – 'I won't hire them because they're lazy, or they're not eligible for credit, or I won't insure them, or hike up the premium'.

(For example, El Reg had its attention separately drawn to the AAMI “Safe Driver” app, which offers the inducement of rewards for the user to link back to the company. It's a short distance from carrot to stick.)

“How long is it going to take before this data is used to make decisions that the person is not aware of?”, she continued, citing the possibility that a future user doesn't realise they're being charged a different insurance premium “because of the data you put online from the Fitbit?”

Wearables, she said, are not so far in capability from state surveillance anklets (for example, those used to monitor persons subject to control orders). “We're being duped into thinking they're liberating devices, when they're devices of enslavement,” she said. “And consumers aren't saying 'uh-oh, there's a problem here'. They're saying 'bring it on!'”

We're creating a world not of surveillance – that's already here – but of “uber-veillance” where the combination of data and analysis “gets inside your head” and increasingly predicts actions.

Michael says it's also easy to imagine that non-participation – a decision to keep some data private – could draw a punitive response from the corporate world.

Today, she said, people pay attention to the idea that their “things” might be hacked, that their phones might be vulnerable.

In the future, she said, “you won't be able to hide: you will get hit with fees for not disclosing.”

Penalties for non-disclosure of metrics will, at least, offer one opportunity for regulators to act, and such opportunities will be few.

Another spot where regulators could apply a wedge is in how devices and their associated apps treat privacy at purchase.

“They shouldn't be automatic opt-in,” she said. Individuals might find it inconvenient in the short term, but instead of hiding poison pills on page nineteen of a document nobody reads, users should have to go through dialogues, understanding and okaying each of the invasions the wearable's maker hopes to achieve.

“We get the devices, they have inherent policies built in and we're not told what could happen. The location information doesn't have to come built in and already enabled,” she said – it's just that that's the preference of the vendor.

Orwell's vision is already obsolete, she said, usurped by Google and a world that has you tagged. Until privacy watchdogs awake from their slumber, it's only users who can resist the cargo-cult tradeoff of their secrets for a shiny toy. ®
