By Rebecca Herold | January 1, 2023
Here at Privacy & Security Brainiacs, we get many questions from our monthly Privacy Tips and blog readers, those using our free awareness videos, infographics, and e-books, clients using our online, Master Expert and in-person education courses, those who listen to the Data Security & Privacy with the Privacy Professor radio-show/podcast, and those who use my soon-to-be twenty-two published books. Thank you for using our products and services, and for sending all your questions! We read them all.
The following is a really great question we recently received. Our team discussed, and we are including an abbreviated answer in our January Privacy Tips (which will be published on January 3, 2023), but we wanted to provide a more in-depth answer here to highlight several additional important points, and provide even more information to our reader who asked the question, as well as to everyone else reading this.
Q: I received a pretty “smart” necklace for Hanukkah. From invisaWear. If the button on the charm is pushed twice, texts will immediately be sent to up to five friends/family members to let them know that I need help, and will include my GPS location. There is also an option to contact 911. Sounds good! But, based on what you’ve been reporting all these years, it sounds like it could be extremely privacy-invasive. What tips do you have for me?
A: What a nice-looking necklace, and thoughtful gift! We love products that help to improve our safety.
However, they also need to do so without requiring the use of the associated personal information for other purposes. Plus, the devices need to be secure, to prevent unauthorized and unapproved access to, and sharing of, the data of those using the devices, which ironically create safety threats. And with many smart devices, they also are collecting information from the surrounding environments, including personal information of others, so that also needs to be considered.
Many types of “smart” internet-of-things (IoT) wirelessly-connected jewelry have popped up in recent years. We even answered a question about the Oura Ring, in our August issue. But, is this jewelry, meant to provide safety alerts, privacy-friendly, and cyber-secure?
No blanket answer for all IoT products exists. And indeed, when discussing this question with my communications team, one marketing professional said, “Most people don’t care about privacy! They figure that all their data has already been breached so why worry?”
I get that. I’ve heard this statement thousands of times throughout my career.
However, it has been my passion for my entire career to help consumers and organizations understand that the impacts on their lives, positive and negative, depend upon the context within which their personal data is used, with whom it is shared, how accurate the data is, how long it is retained, and more.
Privacy and cyber-security risks depend upon how each manufacturer engineers each item, and the contexts for which the devices, and associated data, are used.
To provide the privacy and security tips our reader requested, let’s start by performing a high-level security and privacy assessment of the invisaWear necklace based on the information that the manufacturer and/or vendor is providing on their website about the IoT product. This is important for consumers since they will typically not have access to the physical device to test out each of the product components. Since most consumers are not cybersecurity and privacy experts, most would not know what to check even with such access anyway.
Everyone who cares about cybersecurity and privacy, and who use any smart devices including those meant to provide safety, should perform similar types of analyses as what we will provide in the following paragraphs. To support this activity consumers need to be provided with accurate and comprehensive information about the cybersecurity and privacy capabilities, and risks, of the IoT products that they are contemplating purchasing to make an informed purchase decision.
All IoT product manufacturers need to provide cybersecurity and privacy information to allow consumers (individuals and businesses) to make informed decisions about whether or not to use such devices based on the risks the smart devices create for the security and privacy of the users.
Answering this question provides a good opportunity to use the IoT product in question and provide an example of how a consumer can review these types of policies in a similar way as we are about to do to determine whether or not basic security and privacy protections are built within them or supported in other nontechnical ways.
It is interesting to note that to review the privacy policy and terms of use, I visited the company’s site but did not provide my email address, did not ask to stay in touch, and did not consent to receiving messages from them. I input no information whatsoever. However, I received an explicit marketing email from invisaWear within 24 hours of visiting the site. This remarkable coincidence indicates the likelihood that my information was collected by their site, and used in ways that were not explicitly communicated within their privacy policy, which does indicate I can opt-out of receiving marketing information. They indicate consumers have data protection rights that can be requested, but then indicate, “If you make a request, we have one month to respond to you.” So, without even looking closely at the manufacturer’s security and privacy information, we already have identified a couple of security and privacy red flags.
First we’ll do a quick review the business’s website Privacy Policy (last updated in February, 2022).
The policy lists many different web beacons, cookies, and tracking technologies (all types of surveillance technologies) that are used, and describes how the data collected from the jewelry wearer is shared with social media sites and third parties. They provide a long list of many types of personal, and some quite sensitive, data that is collected. It is not explained by many of the data are needed to support the purpose, goals and functioning of the IoT product to the benefit of the consumer using it. Another red flag.
The company also indicates that it “may combine” individuals’ data with other data to pinpoint even more websites the jewelry wearer has visited, and to gain other insights. Using any variation of the word “combine” in this way is a common way to imply the use of artificial intelligence (AI), to also recognize each person’s activities. Another red flag.
The company indicates they will use the data for marketing, and to share it with other businesses, but claim no responsibility for the security or privacy of that data once they have shared it with others. Why aren’t they requiring those third parties to agree within their contracts with them to commit to providing such protections as a condition of sharing that data? If they have done this, then they should document this important requirement is in place for all the third parties they are entrusting with their customers’ personal information. Another red flag.
The data security protections are described within the Privacy Policy in a vague, brief section. The only mention of encrypting the data is for the data backups, and not for data while it is being transmitted, or stored in the apps and cloud servers being used. They also seem to offload more responsibility by saying the customer is responsible for the security of their password; so they are not using multi-factor authentication? Much security information that should be included is not mentioned. Another red flag.
There is no documentation indicating that the necklace provides a technical capability to delete some or all of the customer’s personal data. However, the information indicates that if the data of a child younger than 13 was collected, the parent or guardian can contact the company to request to have the data deleted. Otherwise, the only way in which the data is deleted, based upon the information provided, is if the customer, “deletes their account from the mobile app, if the account is inactive for 3 years, or on [sic] accordance with state and country laws.” They did include a statement indicating, “You have the right to request that we erase your personal data, under certain conditions.” What are those conditions? It doesn’t say. More red flags.
And speaking of children, they state that, “Anyone under the age of thirteen (13) must seek and obtain parent or guardian permission to use our Services.” However, on their pages selling products, and on their checkout page, there is no question to the potential customer asking to confirm their age to make sure they are not younger than 13. And we could not find any way to allow for parental permission, other than stating, “If we learn that we have collected or received Personal Information from a child under the age of thirteen (13) without parental consent, we shall immediately take the necessary steps to ensure that such information is deleted from our system's database.” How many children’s personal information do they actually then collect, with no checking for age during the purchase processes? Red flags.
For a device meant to increase personal safety, it is ironic that they indicate real-time location data may be shared to third-parties who are not the specified emergency contacts or, if chosen, the 911 emergency services. Many personal safety risks are involved with these practices. Red flags.
The Terms of Use (last updated in November 2020) expand the rights of invisaWear over your information. Plus, information in the Terms of Use contradict the information in the Privacy Policy. For example, it states that customers must be at least 18, but the Privacy Policy indicated they could not be younger than 13. Red flag.
One excerpt states, “You grant invisaWear a worldwide, non-exclusive, royalty-free right and license (with the right to sublicense) to host, store, transfer, display, perform, reproduce, modify, and distribute Your Content, in whole or in part, in any media formats and through any media channels (now known or hereafter developed). invisaWear’s use of Your Content may be without any compensation paid to you.” Holy cow! Several red flags here.
We are stopping further review here, since we have already identified so many concerns, in addition to the concerns with the Privacy Policy.
It is also important to point out that the context within which IoT products are used must be considered; not only by the consumers using them but also by the manufacturers designing and engineering them.
Consider the context of accessing and using the data that this smart necklace is collecting and sharing with others. The site indicates that the wearer’s real-time GPS location is transmitted, and the security protections indicate that only the stored backup data is encrypted. It does not indicate the data collected from customers or their IoT products are encrypted when being transmitted, or in storage beyond the backups. This reveals the risk that the GPS transmissions could be accessible, creating the risk that the wearer could be physically located. If someone is traveling alone, and a criminal can locate their victim using the GPS being transmitted in the clear, this intended safety-protection jewelry could quickly become a victim-location tool.
I’ve been an expert witness for cases involving assaults that occurred by the attackers and criminals monitoring IoT devices. These situations are increasing. Manufacturers need to strengthen the security and privacy protections within their IoT products, and most certainly include them within the IoT products being promoted as personal safety devices.
At this point we’ve accumulated a large collection of privacy and security red flags. These indicate there are few privacy and cybersecurity protections built within the IoT product technology, and practices for their customers’ data. The privacy practices as described are not aligned with longstanding privacy, cybersecurity and data security standards.
We’ve found more than enough to determine that the security and privacy risks this IoT product creates more risks than what we accept, without taking an even deeper dive.
The lack of privacy and security information, and the resulting implied lack of it being in existence within the IoT product, is not surprising, based upon my IoT research I’ve done since 2007, including being a subject matter expert for multiple NIST teams since 2009, including on the IoT Cybersecurity Development team for the past three years. I wish more IoT manufacturers would realize that not only is including such security and privacy protections an important protection for their consumers, but it is also a competitive differentiator that they could and should tout in their marketing! We’ll expand on those in future publications.
Oh! And as I’m typing this, I just received another invisaWear marketing email offer in my inbox…after I have already unsubscribed three other times. And I’ve never yet even signed up to receive such emails in the first place. Their data collection from those visiting their site is apparently quite expansive, along with the use of tracking tech to keep overriding my opt-outs. Another red flag.
In a nutshell:
These described actions should provide a good idea of what to look for within any IoT product’s privacy policy and terms of use. They also demonstrate a few of the key items to look for within manufacturers’ posted documents about security and privacy practices, and how consumers can make a decision to not purchase based on the lack of key security and privacy protections, without needing to read the full documents.
As described earlier, all of these issues do not need to be checked. If enough problems (“red flags”) are found after just checking a few of these issues, the decision may be made that it is too risky to put personal privacy, data security, and for many IoT products, personal safety, at risk by purchasing and using the IoT product. These should be considered when considering an IoT product as a gift for others as well.
Privacy protections and strong cybersecurity controls within IoT products depend upon how the manufacturer engineers each IoT product. To identify if they have enough protections and controls, start with the manufacturer’s posted privacy policy, security policy, and terms of use, which are often within separate documents, and often have conflicting statements. Such conflicts are also huge red flags in terms of privacy and security. So are statements telling consumers of the rights they DO NOT have, instead of the rights they DO HAVE over their own information.
If our reader asking us the original question, and any others reading this, want to make sure sufficient privacy protections and cybersecurity controls are in place before using any type of IoT product that has been determined through review of the manufacturer’s online privacy and security documents is too risky, we encourage contacting the manufacturer and telling them to strengthen their privacy practices and security protections.
We’ve spoken to many IoT product manufacturers, and the majority of them tell us that consumers do not tell them that they want privacy protections and security capabilities. Which they have then explained that, from their viewpoint, this mean that consumers to not care about and do not want security capabilities and privacy protections within the IoT product. Therefore, the manufacturer won’t spend time or resources developing them.
For more security and control over personal data, remember to speak up! Consumers can help improve the security and privacy of IoT products by telling the manufacturer that they care about and require such protections before purchasing the products.
We will be providing more information about IoT product security and privacy in 2023 in our Privacy & Security Brainiacs online courses.
Do you have more suggestions? Drop us a line.