Smart devices think you're 'too lazy' to opt out of privacy defaults

The uproar over Samsung's "eavesdropping" SmartTV last week reveals a potentially invasive type of factory preset — one that consumer and privacy advocates worry gets too easily lost in the fine print.

Privacy lawyers warn web-enabled devices automatically share data, put burden on users to opt out

Smart devices such as the Amazon Echo, which responds to voice commands as a hands-free digital assistant, are intended to bring more convenience to people's lives. But privacy lawyers warn consumers should study terms of service to find out whether web-enabled products are defaulted to share their personal data. (YouTube)

Smart devices are designed to save time. But their privacy policies sometimes seem designed to waste it.

One way or another, the uproar over Samsung's "eavesdropping" SmartTV last week revealed a potentially invasive type of factory preset — one that consumer and privacy advocates worry gets too easily lost in the fine print.

Jaigris Hodson, who lectures on digital communications and big data at Ryerson University, says tech companies often default to share user information unless users know to opt out. (YouTube)

"The default from these tech companies is they will share your information unless you opt out," says Jaigris Hodson, a digital media professor at Ryerson University who teaches courses on social media and Big Data.

"The line they always give is, 'we're putting your privacy in your hands.' What they don't mention is that the default option could be the other way around."

Consumers often don't care much at first. But that feeling can turn once they're reminded how the always-on, always-sharing devices can reveal a little too much.

Fitbit wearers came to this realization in 2011, after their fitness-tracking bracelets began publishing statistics charting their vigour in the bedroom. Results were easily searchable on Google.

Sharing 'sexual activity' via Fitbit

"Unfortunately, one of the Fitbit settings was for 'sexual activity,' so they were inadvertently broadcasting [their statistics] to the world," said Kirsten Thompson, a Toronto privacy lawyer who specializes in cybersecurity and data protection.

Owners of Fitbit tracking bracelets discovered in 2011 that although they permitted the devices to track their sexual activity, they were also making that data available to the public online and searchable through Google. The company later made all user data private by default. (Screengrab)

"They knew they were recording it. They just didn't make the connection that it was going to also be shared online because that was just the default setting."

An unfair burden?

Media reports last week revealed that Samsung's updated privacy policy included a line mentioning that its voice-controlled SmartTV, which has a built-in microphone, can overhear "personal or other sensitive" chats and transmit that data to a third party.

Privacy experts worry that users may not realize their internet-enabled electronics are sharing their data amid the rise of the internet of things. (Steve Marcus/Reuters)

Ann Cavoukian, Ontario's former privacy watchdog, was appalled.

"It's unbelievable. I mean, how outrageous is that?" said Cavoukian, who devised the privacy-by-design concept that's meant to be used as the "gold standard" for data protection.

Samsung's response did little to allay her concerns.

In a statement, the Korean electronics giant said any TV owners worried about whether they would need to censor their speech in their own homes could "disconnect the TV from the Wi-Fi network" and disable voice-recognition capabilities.

A simple fix? To Cavoukian, it sounded more like an unfair burden to place on customers. Not to mention defeating the purpose of a voice-controlled TV in the first place.

"Nobody would think the default would be disclosure that your voice can be picked up and used for a variety of unknown purposes," she says.

To Thompson, that's tantamount to a company selling a car without brakes "and then saying, but you can turn on the brakes if you want to."

Pre-programmed to share

Simplicity of design may be partly to blame for why smart devices are pre-programmed to process and share all the information they can.

Samsung caused a stir when reports surfaced that its SmartTV voice-command system might capture and send snippets of personal conversations to third parties. (Rick Wilking/Reuters)

Manufacturers, search engines and social media companies say user data helps improve search algorithms and service.

But fears that the info might be used for ulterior purposes have inspired new web services built around confidentiality.

Facebook's tracking of its users' web-browsing histories to create targeted ads, for example, spawned the pro-privacy rival Ello.

The search engine DuckDuckGo, which has been billed as "the anti-Google," promises: "We do not collect or share personal information by default."

Those remain niche services, however.

According to a 2010 report from the office of Ontario's privacy commissioner, the default setting prevails 80 per cent of the time.

Unwitting users who stick with default settings could be automatically giving consent to share data by virtue of failing to opt out.

What is consent?

"But does a person really consent if we're talking about terms they probably won't look at?" asks John Lawford, the head of Canada's Public Interest Advocacy Centre, a non-profit group.

A man displays a range of fitness trackers, from left: Basis Peak, Adidas Fit Smart, Fitbit Charge, Sony SmartBand, and the Jawbone Move. Fitbit decided to make all of its user data private by default after it was revealed in 2011 that some users' fitness information was searchable online. (Bebeto Matthews/Associated Press)

"They'll start talking about their finances, health, sexual preferences, and they won't remember the thing in front of them has a microphone."

Therein lies one of the pitfalls of the so-called internet of things, the catch-all term describing the growing number of web-enabled devices — from smart fridges to cars — in the digital world.

"People by their nature are too lazy or they don't have the time to figure out how many clicks or how many screens they have to go through to switch these settings off," Thompson says.

She argues that manufacturers know full well their customers can't be bothered to scour dense terms of service to figure out a new gadget's privacy controls.

"On the other hand, if you didn't read fine print, certainly it's my perspective that there should be some requirement on manufacturers to bring that information more to the forefront," says Mandy Woodland, a privacy lawyer in St. John's.

Cavoukian has also pushed for companies to market the value of privacy in their products as a competitive edge.

Proposed amendments to privacy law

In Canada, the expectation is that manufacturers would honour her concept of privacy by design, in which manufacturers build privacy protections into the data architecture from the outset.

Former Ontario privacy commissioner Ann Cavoukian devised the so-called 'privacy by default' standards that have been endorsed by the European Union and the U.S. Federal Trade Commission. (CBC)

Although privacy by design has not been legislated, David Fewer, director of the Canadian Internet Policy and Public Interest Clinic, believes it's only a matter of time.

Lawmakers never foresaw the future of the internet of things when privacy legislation was first passed in 2004.

Now that smart devices are so ubiquitous, proposed amendments to the Personal Information Protection and Electronic Documents Act could grant new enforcement powers to the federal privacy commissioner.

"Improving the enforcement tools in PIPEDA would go a long way," Fewer says, adding that litigation might otherwise drive change.

"There's nothing like the threat of class action to invite deeper thinking about how to design our products in a privacy-accommodating way."