Global IoT sweep finds connected devices poor on privacy

September 26, 2016 // By Jean-Pierre Joosting
Results of the fourth annual Global Privacy Enforcement Network (GPEN) Privacy Sweep, just released, show that many companies neglect to explain how information is stored and safeguarded or how a user can delete their personal information.

Internet-connected devices generally score poorly with respect to privacy communications and fail to inform users about exactly what personal information is being collected and how it will be used, the global Sweep has found.

While a number of the devices swept can collect a great deal of often sensitive data, including health and financial information, privacy communications tended to be generic and those companies demonstrating good communication practices were in the minority.

"Overall there was significant room for improvement with respect to the privacy communications of the Internet-connected devices swept," Commissioner Daniel Therrien said.

"With the proliferation of the Internet of Things, the activities, movements, behaviours and preferences of individuals are being measured, recorded and analyzed on an increasingly regular basis. As this technology expands, it is imperative that companies do a better job of explaining their personal information handling practices."

Twenty-five privacy enforcement authorities participated in this year's Sweep, which took place April 11-15, 2016. Over the course of the week, participants looked at the privacy communications and practices of 314 Internet-connected devices, focusing largely on how organizations communicate their personal information handling practices.

Each authority had the flexibility to choose a different category of products and a different sweep method. While some opted to sweep connected toys, health devices and household aids, others looked at very specific areas like smart meters, connected cars and smart TVs. Authorities also had the flexibility to examine the privacy communications that came in the box with the devices and/or those provided by the companies online. They could also choose to interact with the devices to assess how well privacy communications matched their experience using the product, and/or contact the relevant companies directly with follow-up privacy questions.