The European Data Protection Supervisor, the authority responsible for overseeing the compliance of EU institutions with privacy and data protection norms, recently published an analysis of the deployment of Smart Glasses in its first technology report, in which it brings to light a variety of market and compliance issues with different systems. In particular, the guidelines examine the technology and security issues related to the use of such Internet of Things (IoT) devices.
Smart glasses are wearable, IoT-connected (in most cases) computers that allow the user to interact with their environment whilst also serving as a visual display unit (VDU). Whilst not exactly a widespread technology, they have garnered some attention, in particular, that of Google Glass, which was subject to scrutiny from several national data protection authorities when it was released. At one end of the spectrum, they simply provide the user with wearable audio and video functionalities, whereas on the other, they can immerse users in virtual or augmented reality surroundings. Smart glasses raise several notable legal and security concerns owing to the fact that:
- Sensors can be used to track and record a variety of information about a wearer – including location data, photograph and video images and audio recordings;
- Like other connected technologies, smart glasses may be linked to other interfaces, either locally or via the internet, such as through WiFi, Bluetooth and other networks, which can raise security concerns.
Data Protection Considerations
From a data protection perspective, the EDPS’ analysis centres around the scale of personal data that can be collected by wearable devices, and the lack of transparency. The EDPS, for example, refers to the fact that “One of the main concerns regarding smart glasses is their capacity to record video and audio in such a discreet way that the people being recorded are not aware of it”. We have seen this raised with other connected devices, for example, in the smart homes sphere, where devices recorded and profiled a resident’s consumption of their utilities, often with no transparent privacy notices in place. This can be exacerbated by the possibility of incidental recording of members of the public through the glasses
As such, wearable technology manufacturers need to consider what are the reasonable expectations of the users and of any unwitting data subjects. To solve this problem, Privacy by Design concerns would see, or perhaps even necessitate, such collection being highlighted either with a regular, timely notification to the user that the device is recording or maintaining limitations, such as those in Google Glass, to keep a standard recording time to one hour.
Another in-built problem is the lack of user control over how the data can be stored and shared by the IoT-connected devices. The EDPS raises the potential for leveraging different types of personal data collected by the sensors on ‘connected glasses’ for profiling. One of the aspects of smart glasses is the fact that, by their very nature, they collect a significant amount of different personal data, and simultaneously. The use and collection of video images, alongside recordings, can be very intrusive and include compound data – i.e. as well as recordings of people, the devices could be used to scan financial information and sensitive personal data. This could allow organisations to combine such data to create more and more complex maps of user’s behaviour and interests.
As a result, the lack of control and specification of this personal information raises several headaches in terms of data protection, most notably due to the fact that it makes it difficult to give appropriate transparency notices and apply set retention periods or security measures to ill-defined, and potentially indefinite, categories of personal data.
Data Security Considerations
From a security perspective, there are a few impediments affecting smart glasses.
The first is premised upon functional requirements of the battery. Enabling a long charge life dictates processing to be restricted to a bare minimum, however this is antithetical to maximum security. The cornerstones of modern security – Integrity, Confidentiality, Availability – find common technical implementations through Hashing, Encryption, and Reply Protection for exchanged messages; all require adequate processing capability to be done well. Smart glasses require small batteries for convenience and bearing in mind that they must make possible faculties such as intelligence, light/sound sensing, user notifications, and so on, to provision their respective use cases, the balancing act becomes challenging. Frequently, we observe security taking a back seat here.
The second is the lack of a mainstream security standard for connected devices. There is no IoT equivalent of a global standard that holds vendors and manufacturers of connected devices accountable under serious breach. Applicability of common rules is tenuous. Case in point: the GDPR requires intelligence to be explainable, however, this is difficult for algorithms that require a black-box approach or arbitrary choice making by design to ensure greatest efficiency. Additionally, such requirements find practical implementation in multitudinous ways; this is unhelpful when trying to ascertain causality of breach. Overall accountability in this space is still limited.
Third is a lack of convergence in the IoT landscape. There is value to be capitalised if an IoT device can connect across multiple protocols and products, dispersed across geographies. For example, assume that you are on holiday abroad and wanted to see why the smart camera in your home has sounded an alarm. Doing so requires data to traverse across multiple protocols; it may originate from a ZWave camera, land beyond the home on WiFi, traverse the waters in 4G, and end up with a local transmission on Bluetooth from your phone to the camera. Every node along the chain is exploitable by a determined black hat actor. Add in the backdrop of emerging protocols – LPWAN, Sigfox, NB-IoT etc. – alongside the various devices and proprietary implementations, the picture is an inextricable mess.
As a result, the security of such devices – both physical and in terms of software or data – is currently entering a space without much consensus, transparency, and accountability.
Like any novel technology, smart glasses were designed with functionality and its heart, and privacy and security as incidental considerations, which has led to concern over their data collection and sharing abilities. The GDPR aims to solve several of these concerns, and is increasingly being used as a tool to demand accountability from companies from the online advertising industry to the provision of health and fitness apps. However, we share the opinion of the EDPS that future regulation such as the ePrivacy Regulation, which may impose stricter requirements around consent and data retention on IoT providers, can help introduce more stringent privacy and security standards.