More Data Collection, More Data Protection

It seems like the only topics getting more media attention than the Internet of Things (IoT) these days are privacy and security (once the latest reality TV star headlines are removed from contention). Target, Home Depot, Sony Pictures and Anthem are the latest high-profile company names that have made headlines for hacks and data breaches. As more manufacturers deploy connected devices capable of collecting and sharing data, they also need to ensure that data is well protected. No company wants to see its name connected to a breach of customer data, whether those customers are consumers or business partners.

One sure way to protect private data is to not collect it in the first place. In a report released earlier this year, “Internet of Things: Privacy & Security in a Connected World,” the Federal Trade Commission (FTC) promoted the concept of “data minimization.” The report is full of what you’d expect—designing security into IoT products from the start, training employees and monitoring connected devices over their lifecycle—but the idea of just collecting the information you need, and then only keeping it for as long as it’s needed jumped out at me.

Data minimization made me think of overengineering. Many design engineers used to think “if a little material on a stress area is good, a lot of material is better” (before simulation and testing provided more guidance). Likewise, the hype surrounding Big Data has a lot of people thinking “if a little data is good, a lot is better.” After all, you never know what information might be useful a few years down the road.

Not to harp on reality TV, but it’s that kind of thinking that makes the show Hoarders possible. Keeping what you don’t need runs the risk of “just-in-case” data being left unsecured or stolen. It’s rarely worth the reward of having it.

“Data minimization can help guard against two privacy-related risks,” according to the FTC report. “First, larger data stores present a more attractive target for data thieves, both outside and inside a company—and increases the potential harm to consumers from such an event. Second, if a company collects and retains large amounts of data, there is an increased risk that the data will be used in a way that departs from consumers’ reasonable expectations.”

The report goes on to recognize business’ need to balance future “just-in-case” uses of data with privacy protection by advocating a flexible approach to data minimization efforts that take into account the sensitivity and of data being retained, and whether it identifies people.

Privacy vs. Security

Its an approach some in the government might want to take themselves. At last month’s White House Summit on Cybersecurity and Consumer Protection—held at Stanford University as a nod to the importance of Silicon Valley companies in the fight against hackers—a number of big names were conspicuously absent. Google, Facebook and Yahoo! CEOs were reportedly invited to the summit in which President Obama signed an executive order to promote more information sharing between government and industry, but declined to attend. It’s no secret that many of the tech giants have been at odds with the National Security Agency’s spying practices brought to light by the Edward Snowden leaks, and have made it more difficult for the government to access their customers’ information.

Apple’s Tim Cook was among the high-tech CEOs in attendance. He used the occasion to promote Apple’s take on data minimization in a not-too-subtle jab at competitors.

“We have a straightforward business model that’s based on selling the best products and services in the world, not on selling your data,” Cook said. “We don’t sell advertisers any information from your email content, from your messages or your web browsing history.”

He went on to stress the importance of keeping data that is collected safe, and the importance of privacy: “If those of us in positions of responsibility fail to do everything in our power to protect the right of privacy, we risk something far more valuable than money—we risk our way of life.”

As the IoT continues to expand and new companies find themselves in the data collection and analysis business, more and more people will be in those positions of responsibility. A little planning on what data is needed, how it will be used and how long it will be retained can go a long way toward enhancing its value, as well as the privacy of customers and business partners.