IoT’s PII tsunami

Thelma Arnold, a 62-year old widow living in Lilburn Georgia with her beloved dog Dudley, was quietly minding her own business. Dudley had an incontinent problem and consequently peed on everything. In 2006 Mrs Arnold was suddenly thrust into the spotlight. An employee at her ISP thought it would benefit academic researchers if he published the anonymised 3-month search histories of more than half a million of their customers. Little did the over-zealous employee realise, but individuals can be identified from snippets of anonymous information, such as their search history. A reporter examined the published search history of person #4417749, and through the search items was able to identify Mrs Arnold and track her down.

Aggregation of data leads to personal identification. While the search history data publication was a mistake for which the ISP apologised, it serves as an alarm bell as the Internet of Things gathers momentum – a smart alarm bell, if you like. Aggregated anonymous data in sufficient quantities, becomes personally identifiable. When aggregated, anonymised data is an oxymoron.

Personally identifiable information (PII) is any data that can potentially identify a specific individual. Traditionally, PII has been restricted to data such as name, date of birth, home address, telephone number, email address, passport number, credit card number, etc. Organisations typically prioritise resources on protecting traditional PII. Privacy laws mandate the protection of traditional PII.

The Internet of Things is about to change all of this. A tsunami of data flowing through IoT systems will significantly raise the threat of data aggregation of anonymous data enabling personal identification. If you think about it, it is quite simple technology which allows us to distinguish between individuals based on the way they type a single word, or based on characteristics of their heart beat. When aggregated data comes from disparate sources, it raises the likelihood of personal identification considerably.

It will be trivial to identify individuals from the mass of sensor data once IoT takes off. Data from our bodies, our clothes, our devices, our homes, our car, our office, and just about every aspect of our lives will be collected and much of it automatically aggregated. With IoT, things share data with other things. Anonymity of the data provides no protection from identification. All data related to an individual becomes PII. Our identities and activities, interests, proclivities and even thoughts, are at risk of exposure, just like it was for Thelma Arnold and Dudley.

Profiling individuals based on internet activity is not new. We have all experienced its effects through the individually-targeted adverts that appear when we visit websites. After I check out camping gear on Amazon, sleeping bag adverts appear on my online news site. IoT will take profiling into the stratosphere – with inputs far beyond our internet activity. IoT provides data from a large number of disparate sources which will be used for profiling. While this may have positive benefits, there are obvious and significant privacy and security threats which can have profound, unforeseen effects on our lives.

Many IoT manufacturers have typically been rather lax with sensor data – sending it to their cloud app, to analytics apps, and to third parties – and who knows where it goes from there. IoT data is also generally transmitted in clear text within a wifi network. There will no doubt be many privacy and security breaches as IoT gathers momentum.


Leave a Reply

%d bloggers like this: