« The anonymous hand | Main | After the search »

Unfit for private purpose

wizard-of-oz.jpgBe careful what you put in your privacy policy: someone might read it. This week, Shane Harris at The Daily Beast discovered this in the privacy policy for Samsung's smart TVs:

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party..."

Well, that's honest enough. On Twitter, Parker Higgins helpfully showed the manual page alongside a passage delineating exactly how surveilled Winston was in George Orwell's 1949 novel Nineteen Eighty-Four.

It's hard to know what to do with this other than to marvel and laugh in disbelief at the disconnect between corporate lawyers and...I don't know, *people*. Someone wrote that, someone reviewed it, someone third approved it, and on it went, probably through committees and departments. And yet no one in that whole giant company - not even in marketing - stopped and said, "Uh, guys? People don't like feeling they can't be alone in their own living rooms. Remember the fuss they made last time?"
new-22portobelloroad.jpgOf course, *now* they have. The policy has been changed. But the key thing to remember is that the TVs have not. The win here is that the company has now identified the third party that processes the voice data and the types of data the TVs collect, and it's clearer what you have to do to disable voice commands and what you gain and lose by doing so. So: if you want to have the privacy of your own living room *in* your own living room, you disable voice recognition and unplug the TV from the wifi network. At which point...it's a dumb old TV just like you used to buy back in 2014.

The Great Oz has spoken. The market has failed.

One of the unfortunate things about the mismatch between the speed of technology and the speed of legislation is that by the time a law gets passed the technology it covers is last-generation stuff. This is the situation with the General Data Protection Regulation, which MEP Jan Philipp Albrecht heroically oversaw into law last year. Privacy policies and subject access rights are the wrong approach for large appliances, not least because the consumer never sees the policy until after the box has been delivered and opened. In other situations where a consumer buys one thing (a television) and gets another (a spy in their living room) we have a name for it: bait and switch.

I don't think it's enough to take the same approach we did with software, where the presumption has become that when you open the clickwrap you have some idea of what standard terms the license is likely to contain. Instead, we are probably already overdue for a system of transparent labelling right there on the box that has something like the following list, with tickboxes for the ones that apply:

- Collects usage data;
- Shares data with third parties;
- Listens via audio microphone(s);
- Watches via camera(s);
- Other data collection sensors.

And then an overall privacy score based on how well the company is known to comply with the law, the terms of its privacy policy, the number of third parties that get the data it collects; and how many data breaches it and its sub-contractors have had in the past. We are going to need this for the myriad "smart" devices people are going to try to sell us over the next few years, beginning with smart meters. The internet became, as Bruce Schneier says, a giant surveillance platform because we weren't fully paying attention; making hidden data collection visible will be essential if the physical world is not going to become an even bigger, more intimate one.

Now, someone out there is going to say, "But people don't care about privacy." This would be a way to find out. Are voice commands for a television just a novelty that people will find they can do without, or is it an invaluable improvement that's worth trading for the sovereignty of your living room? As Charles Arthur has frequently noted at The Overspill, despite the electrons being excitedly splattered over the Alexa Echo, it's hard to find anyone who, after a running-in period of experimentation, uses it as anything much more than a glorified clock radio.

I continue to believe that people do care about their privacy, but they do not have good enough tools; the harm is very difficult to quantify or predict; their threat models are often not those of privacy advocates (PDF); and many are so overwhelmed with the pressures of everyday life that even modest amounts of convenience or savings seem worth the trade.

And where do we go next? Will the third-party processing companies that parse the sounds smart TVs collect be next on the list of targets for copyright holders? As in: we give you a database of fingerprints of sounds from copyrighted works, and your system finds a match you run an automated check for a valid license? If someone inside one of those companies for some reason overhears suggestive sounds collected by a bedroom TV, will they sue for sexual harassment? These things seem absurd now - but so many realities of 2017 would have seemed absurd only a year ago.

Illustrations: Frank Morgan as the Wizard of Oz.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.


TrackBack URL for this entry:

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)