Proliferation of smart home tech creates privacy conundrum

March 30, 2017
Recent incidents could provide future legal, regulatory guidance for IoT devices

As consumer adoption rates for devices that comprise the Internet of Things (IoT) continue to grow, clear legal and regulatory guidance addressing IoT technology’s privacy and security requirements has failed to keep pace. To take one example, IoT devices that collect data from the solitude of people’s homes implicate both general privacy protections and the Fourth Amendment. And because the Fourth Amendment provides more privacy protection to activities in the home, does the fact that smart home devices operate in the home confer greater privacy protections to the data they collect? If so, Congress and regulators may impose higher baseline privacy and security requirements for smart home devices to accommodate that heightened expectation of privacy.

This would make sense, as devices that compromise security and privacy in the seclusion of one’s home may be perceived by consumers as more invasive and objectionable.  Moreover, establishing higher privacy and security standards for smart home devices would be consistent with the FTC’s flexible approach to evaluating an IoT device in light of a consumer’s reasonable expectations.

Although many IoT devices for the home collect broader information regarding home inhabitants that is not strictly personal or limited to a specific person, the Fourth Amendment privacy rationale has recently been asserted to protect this non-individualized information as well. 

In November 2016, police in Arkansas sought recordings from an Amazon Echo device located in a home that was the scene of a murder, hoping to discover recordings of the crime. But Amazon refused to turn over the recordings, asserting in an email to the Washington Post that it “will not release customer information without a valid and binding legal demand properly served.”

Additionally, the suspect’s attorney told the tech industry news website The Information, “[y]ou have an expectation of privacy in your home, and I have a big problem that law enforcement can use the technology that advances our quality of life against us.”

To many, the notion that devices brought into consumers’ homes could be turned against them is an affront to fundamental privacy rights, and, thus, the data these devices acquire should be afforded greater privacy protections.

Similarly, in supporting a non-profit’s opposition to the installation of smart meters in a suburban Illinois town, two privacy interest groups – the Electronic Frontier Foundation and Privacy International – argued that consumers have a reasonable expectation of privacy in smart meter data in part because those meters collect information about activities in people’s homes.

These groups asserted in court documents that, “Americans reasonably expect details of their private, in-home activities to remain private. The home is ‘entitled to special [Fourth Amendment] protection as the center of the private lives of our people.’ And in the home, ‘all details are intimate details.’” Thus, these devices and the information they gather may warrant greater privacy protections in light of the in-home setting and the enormous amount of intimate personal data these devices can generate.

The expectation of privacy also implicates another concern: Consumers not only want to protect and secure the data smart devices collect but also worry about what information can be obtained. WikiLeaks’ recent release of the Vault 7 documents, which contained details relating to the vulnerabilities in Samsung’s Smart TV, illustrates how these expectations of privacy converge. Samsung’s smart TVs not only had the capability to record and transmit private conversations in the home, unbeknownst to the consumer, but also were susceptible to security breaches, which were exploited by the CIA to listen in while in a “fake off” mode, according to the documents. This government intrusion into private residences not only flouts the Fourth Amendment’s protection of an individual’s expectation of privacy, it raises notions of unfairness to consumers, against which the FTC protects. Not surprisingly, this revelation has already triggered a class action lawsuit against Samsung.

Thus, with the understanding that people have an elevated expectation of privacy for devices in their homes, the relative sense of “unfairness” that drives the FTC’s enforcement actions could include many more data collection practices and impose higher security standards.  The result may be a broader view by the FTC over what is unfair.  In its 2015 Internet of Things report, the FTC explained that the information IoT devices acquire and use should generally be consistent with consumers’ reasonable expectations.  An elevated expectation for privacy and security for smart home devices would accordingly raise the bar for those devices.

Nevertheless, it is unclear whether the FTC will impose a heightened standard on IoT devices in the home based on the mere sanctity of the home.  In FTC v. Vizio, the FTC’s settlement with Vizio protected viewing data, i.e., the content viewed on the TV, and required Vizio to provide prominent notice about its proposed collection, use, and sharing of that information and to obtain affirmative express consent should it choose to gather that information. 

While Acting Chairman Maureen Ohlhausen recognized in her concurring statement that “consumers do not expect televisions to collect and share information about what they watch,” she did not necessarily agree with the implication that that data is “sensitive information” requiring protection under the FTC Act. At the same time, that may not be the driving inquiry. Ohlhausen explains, “[i]nstead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.” The erosion of the protections afforded to people in their own homes could therefore still be a factor.

About the Author:

Adrienne Ehrhardt is a partner in the Michael Best law firm’s Corporate & Transactional Practice Group, focusing her practice on complex aspects of privacy and data management matters. Her extensive background includes experience with issues relating to the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), and the Telephone Consumer Protection Act (TCPA), as well as privacy programs and cyber security issues.
