Skip to main content

Primary Ethical Challenges of Adapting Internet of Things: Privacy, Security, Environment, and Consent

· 15 min read
Sean Radel

Abstract

This paper explores the history, implementation, and ethical challenges of adopting Internet of Things (IoT) devices. IoT devices are an emerging market with an increasing level of risk due to their invasive ability to record and track users. This paper provides an analysis of existing regulations, use cases, cybersecurity threats, and privacy risks. Finally, the paper analyzes the ethical practices that can greatly help or hurt consumer trust in IoT.

Introduction

The paper’s main research question is, “What are the primary ethical challenges of adapting Internet of Things (IoT) devices regarding privacy, security, environment, and consent.” The main goals of the paper are to demonstrate the application and rationale of IoT device adaptation and the privacy and security hurdles that must be overcome for regulatory compliance and ethics. The paper aims to provide an overview of the IoT device industry that includes its history, significant products and firms, and its uses across various domains. The paper covers privacy regulation, data collection, and the security implications of such devices. Finally, the paper analyzes ethical considerations and the need for greater IoT device regulation. The comprehensive analysis of IoT devices and the privacy, security, and ethical concerns is relevant because of the increasing number of IoT devices. IoT devices are becoming increasingly relevant in our society, with the number of connected devices growing by 18% to 14.3 Billion globally in 2022 1. As the adoption of IoT devices increases, their ability to peer into our private lives increases. The devices are capable of collecting sensitive information like location and healthcare data, which were especially exacerbated during the height of the Covid-19 pandemic 2. When individuals purchase IoT devices, they are often also consenting to privacy policies for the related device or service, which allows the company to use personally identifiable data for their own purposes or transfer it to third parties 2. Finally, this paper is important because adopters of these technologies may not always be fully informed of what they are consenting to, businesses may not always be handling the collected data ethically, and incidental users of IoT devices may not have consent over how their data is collected.

Background

1. What Is “Internet of Things?”

Internet of Things devices are physical objects that utilize sensors and software to collect and exchange data with other devices 6. IoT devices can be found around a home or industrial setting. Particularly popular home devices are Amazon Alexa 7, or smart home security cameras.

2. History of Internet of Things Devices

The concept of Internet of Things was first created in the early 1980s when a Carnegie Mellon University graduate student modified a Coca-Cola vending machine to track the status of it’s inventory 3. In 1990 John Romkey created a toaster that was controlled by the internet, but it wasn’t until 1999 when Kevin Ashton of Massachusettes Institute of Technology proposed tracking supply chain items using radio-frequency identification (RFID) chips and coined the term “Internet of Things” 3. In the year 2000, LG announced the first smart refrigerator, and in 2009, FitBit launched its wrist-worn fitness tracker 3. In 2011, Google released Google Nest, which is used for remote control of home HVAC systems 4. In 2016, the Mirai botnet became the first major IoT cyber attack that leveraged hacked smart home network devices to commit denial of service attacks 35. In 2020, health tracking with IoT devices expanded due to Covid-19, and the privacy risks grew stronger 3.

3. What is Personal Data and Privacy Regulation?

Personal data, as defined by the European Union, is any information that relates to an identified or identifiable living individual 8. This data includes and is not limited to, a name and surname, contact information, data held by a hospital or doctor, voice captures, surveillance footage, location data, and more. Personal data is protected under regulations such as the General Data Protection Regulation (GDPR) 9 and the California Consumer Privacy Act (CCPA) 10. GDPR is applicable to businesses that process or control the personal data of European Union citizens, while CCPA is applicable to for-profit businesses that do business in California, with some other stipulations, that process or control California citizens’ data 910. Privacy regulations expand the rights of users to include consent, fair deletion, and retention periods. These regulations are important in the context of IoT because of the scale of collection IoT devices are capable of.

4. Computer Ethics

Computer ethics are the principles that computer scientists follow to provide safe, fair, and equal access to computing resources and services 11. Computer ethics are not always based on laws and regulations, but it may be ethical to be compliant. Following ethical “soft laws” can increase business value through consumer trust. It is ethical, and corporations have a duty to follow regulations like GDPR to protect consumers 12. Ethics must guide software decisions because of issues like data retention, poor security, and protection of personally identifiable information (PII) 13. Engineers need to understand and manage risk as they develop their products to avoid catastrophic disasters 14.

Applications of IoT Devices

1. IoT Devices in Healthcare

IoT devices have an existing and growing presence in healthcare. The devices can be used in a range of healthcare applications, including the patient, the physician, the hospital, and even in healthcare insurance 15. Specifically, IoT can monitor patient biometrics or blood pressure and cardiac control 15. IoT devices found even more purpose with the Covid-19 pandemic. Remote healthcare workers are able to monitor patients' heart rates, blood pressure, and blood glucose to ensure they are safe without risking the spread of Covid 15. While these applications are helpful, they increase risk because of possible HIPPA violations.

2. Home Assistant Devices

The most notable home assistant devices are Amazon Echo and Google Home16[17]. These smart home devices listen to user-prompted commands and can play music, find information from the internet, communicate with contacts, and more. Privacy-conscious consumers have chosen not to adopt these technologies because of fears they could be misused and that the companies could break their terms of service agreements. 7

3. Wearable Technologies

Wearable IoT devices started with health insights from Fitbit and have now expanded to communication, biometrics, and small apps on Apple Watch Series 9 18[19]. Meta has partnered with Rayban to create smart glasses that not only have camera and audio capabilities but live streaming, too [20].

4. Home Security

IoT devices can be used to bolster home security with SimpliSafe and Ring products [21][22]. Ring produces IoT cameras, doorbells, and security systems and has expanded to pet collars that allow you to remotely track and communicate with your pet [22]. SimpliSafe offers a suite of security systems as well as a security monitoring service where agents can alert authorities if there are risks [21].

IoT Privacy and Security

1. Consent and Incidental Users

IoT devices, specifically smart home systems like Amazon Echo and Google Home, can provide extra utility to a household, like checking the weather or setting a timer, but not all users of a household are required to consent to these systems 7. Many surveyed users mentioned that after setting up their smart home system, bystanders who may not be aware of or understand how the smart speakers work become secondary users of their devices 7. This is problematic because these users may be too young to consent to the data collection of the devices. Lau’s research showed that five (of 34 participants) users’ children use their smart system 7.

2. Overcollection of Information

Lau’s work showed that adopters of smart speakers tried to place their device in a location where it could best hear users, but privacy-conscious non-adopters cited that the idea of the device always listening turned them away 7. This is important because while privacy-concerned users don’t want to be heard, users who are not concerned want to be heard as much as possible. Amazon claims that their smart home devices are not always listening and that voice data is only stored in the cloud if the “wake word” Alexa is heard [23]. Furthermore, participants in Lau’s study, despite having “nothing to hide,” strongly valued their right to privacy 7[27].

3. IoT Device Vulnerabilities and Security

The MITRE Corporation maintains a catalog of Common Vulnerability and Exposures (CVEs) [24]. When querying this catalog for the keyword “IoT,” 1210 CVEs are returned to the user. IoT software vulnerabilities could allow malicious actors access to your home network and potentially to your personal data. The Mirai Botnet was the first notable IoT malware that remotely controlled a hundred thousand devices to execute code for the purpose of denying service to the domain registration services provider, Dyn 5,7. IoT devices, particularly due to their rapid growth, have security challenges like a lack of standards, a lack of regular patching and maintenance, and a lack of strong encryption [29]. Users who adopt IoT devices and are not security-minded may leave themselves vulnerable to attack via weak passwords and authentication if they do not update default credentials and configurations.

4. Do we need greater IoT device regulations?

As IoT device adoption becomes increasingly more common, regulation needs to be followed to ensure some level of standardization. On January 1, 2020, two laws were enacted that mandated unique credentials for IoT devices[29]. California’s IoT Security Regulation Law (SB-327) and Oregon’s IoT Security Regulation Law (HB-2395) are very similar but differ in that Oregon’s law applies primarily to consumer devices, while California’s applies to businesses as well [29]. Multiple other regulations have been proposed, but they have not been passed. The following regulations are as follows[29]:

-Federal Cyber Shield Act (S-2020) - US Senate 2017:

If passed, this bill would have required the Department of Commerce to establish a Cyber Shield Advisory Committee to recommend the format and content of Cyber Shield labels for consumer IoT devices and introduce compliance standards for cyber security [29].

-Protecting Privacy in Our Homes Act (S-2432) - US Senate 2019: If passed, this bill would require the Federal Trade Commission to introduce regulations requiring manufacturers to give notice to consumers when internet-connected devices contain cameras or microphones [29].

-Automatic Listening Exploitation Act (HR-4048) - US House of Representatives 2019:

This bill would limit the use of any sound, speech, or video captured by a smart speaker or video doorbell and prohibit any kind of service without the express consent of the consumer [29]. - Internet of Things Cybersecurity Improvement Act of 2019 (S-734) - US Senate 2019: This bill would allow the federal government procurement powers to increase cybersecurity standards around the Internet of Things devices [29].

Ethics of IoT Devices

1. Ethical Challenges of IoT Devices

The internet of things poses significant ethical challenges across mutliple parties. IoT developers need to implement privacy by design principles to ensure they are proactive and preventative against privacy related threats [31]. As part of following privacy by design principles, IoT engineers must ensure their system has end-to-end security throughout the entirety of it’s lifecycle [31]. Engineers must respect user privacy by requiring consent before processing data. Adopters of IoT devices need to be cognizant of secondary users who may not be able to consent due to their age or understanding of the technology. Both parties must follow the Categorical Imperative when developing or deploying services that can be relatively invasive by nature 12.

2. Environmental Impact of IoT Devices

Due to the size of IoT devices, they are designed to collect and process data efficiently [32]. Furthermore, they should produce low amounts of e-waste [32]. Smart climate control with IoT devices can improve efficiency in home or industrial HVAC. Smart thermostats can assist in energy reduction by not heating or cooling when it is not necessary [33]. IoT also has important use cases in environmental monitoring that can provide trend data of air quality and climate [34]. With low e-waste and power usage, IoT devices can be an important tool that can lower emissions and provide critical insights.

3. Digital Nudging and IoT Devices

IoT devices are becoming increasingly popular for tech companies to release alongside their suite of products. Apple is nudging consumers to adopt Apple Watches by including the Watch app by default on iPhone. Furthermore, Ring advertises packages that include other sensors and lists Alexa compatibility, nudging consumers to accept more invasive devices that collect different types of data than what they were originally interested in [22][35]. As the market continues to grow, consumers are increasingly pressured to adopt more and more devices that have the ability to create a complete data profile of them.

4. Pros and Cons of IoT Devices

The internet of things can provide significant utility to homes and businesses with its tracking, sensing, and listening capabilities. Virtual assistants can provide insights on demand, and cameras can alert users of threats at their homes or just when a package is delivered. Unfortunately, these benefits don’t come without risk, and the major con is that breaches and unethical actions do take place. In 2019, Apple Watch contractors were caught regularly listening to confidential conversations through Siri voice data [26]. Another major con is the possibility of cybersecurity attacks. If operated ethically, IoT devices provide attractive features, but with unethical actors, those cybersecurity and privacy risks will be realized.

5. Business Case for IoT Device Ethics

here is a strong business case for ethics in IoT devices. Lau’s research found that privacy concerned individuals didn’t want to adopt IoT devices because businesses may act unethically and break their terms of service [7]. If businesses were to increase their trust by following ethical soft laws, they could win over concerned non-adopters.

Conclusion

The rapid growth of IoT devices since 1999, when Kevin Ashton coined the term “Internet of Things,” has placed privacy-invasive in the homes of millions [3]. As these devices continue to grow more popular, the adherence to regulations like GDPR and CCPA is paramount to protecting consumers from unethical actors [9] [10]. To further protect users from the rapidly growing list of IoT related CVEs, cybersecurity standards must be taken seriously, and privacy by design standards should be at the forefront of the engineering process.

IoT devices are becoming more popular in a wide range of domains, from home assistants with thermostat control to supply chain tracking, and with Covid-19 assistance, ethics and acting with moral duty are important to increasing trust in the technology. Consent has never been more important with biometrics and confidential voice recordings at risk. Conclusively, industry leaders need to follow ethical soft laws to protect their business and foster consumer trust.

References

  1. State of IOT 2023: Number of Connected IOT Devices Growing 16% to 16.7 Billion Globally IoT Analytics, 3 Aug. 2023, source
  2. Elvy, S. (2022, February 9). Data Privacy and the internet of things. unesco. source
  3. World Economic Forum. (2020, December). The State of the Connected World 2020. source
  4. Marchant, Natalie, 2021, (March 31). What is the Internet of Things? source
  5. Gamblin, Jerry, (2016, October) Mirai-Source-Code, Github source
  6. Oracle, What is IoT? source
  7. Lau, Josephine, Benjamin Zimmerman, and Florian Schaub. "Alexa, are you listening? Privacy perceptions, concerns and privacy-seeking behaviors with smart speakers." Proceedings of the ACM on human-computer interaction 2.CSCW (2018): 1-31.
  8. “What Is Personal Data?” European Commission, source: commission.europa.eu/law/law-topic/data-protection/reform/what-personal-data_en. Accessed 6 Nov. 2023.
  9. Official Legal Text. General Data Protection Regulation (GDPR). (2022, September 27). source
  10. California Consumer Privacy Act (CCPA). State of California - Department of Justice - Office of the Attorney General. (2023, May 10). source
  11. Radel, Sean, (2023, September, 10) “Blog 1, Ethics”, source
  12. Johnson, Robert and Adam Cureton, "Kant’s Moral Philosophy", The Stanford Encyclopedia of Philosophy (Fall 2022 Edition), Edward N. Zalta & Uri Nodelman (eds.),source.
  13. Lawton, George. “5 Examples of Ethical Issues in Software Development: TechTarget.” Software Quality, TechTarget, 22 Dec. 2020, source.
  14. Lynch, William & Kline, Ronald. (2000). Engineering Practice and Engineering Ethics. Science, Technology, and Human Values, v.25, 195-225 (2000). 25. 10.1177/016224390002500203.
  15. Mukati N, Namdev N, Dilip R, Hemalatha N, Dhiman V, Sahu B. Healthcare Assistance to COVID-19 Patient using Internet of Things (IoT) Enabled Technologies. Mater Today Proc. 2023;80:3777-3781. doi: 10.1016/j.matpr.2021.07.379. Epub 2021 Jul 24. PMID: 34336599; PMCID: PMC8302836.
  16. Google, 2023, What is Google Home, source
  17. Amazon, 2023, Alexa features, source
  18. Apple Watch, 2023, source
  19. FitBit, 2023, source
  20. Meta, (2023, Septemeber 27), Introducing the New Ray-Ban | Meta Smart Glasses, source
  21. SimpliSafe, 2023, source
  22. Ring, 2023, source
  23. source
  24. MITRE (2023, November) source
  25. MITRE, (2023, November) source
  26. CloudFlare, 2023, What is Mirai? source
  27. Solove, Daniel J., 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy. San Diego Law Review, Vol. 44, p. 745, 2007, GWU Law School Public Law Research Paper No. 289, Available at SSRN: source
  28. Wachter, S. (2018). Normative challenges of identification in the internet of things: Privacy, profiling, discrimination, and the GDPR. Computer Law & Security Review, 34(3), 436–449. source
  29. KeyFactor, 2023, IoT Device Security + How to Get Started, source
  30. Azrour, Mourade & Irshad, Azeem & Chaganti, Rajasekhar. (2022). IoT and Smart Devices for Sustainable Environment. source
  31. Cavoukian, Ann (2011). "Privacy by Design" (PDF). Information and Privacy Commissioner.
  32. Belokrylov, Alexander, (2022, September 26)“The Environmental Impact Of IoT”, Forbes, source
  33. Anderson, Colleen, (2020, March 11) “How IoT Will Transform Heating Systems”, Contractor Mag, source
  34. Jones, Quinn, (2022, April 15), IoT-Based Environmental Monitoring: Types and Use Cases, DIGI, source
  35. Schneider, C., Weinmann, M., and vom Brocke, J. (2018). Digital Nudging–Guiding Choices by Using Interface Design, Communications of the ACM, 61(7), 67-73.
  36. Mozilla, (2022, November, 9) Apple Watch.source