Who really owns your Internet of Things data?

In a world where more and more objects are coming online and vendors are getting involved in the supply chain, how can you keep track of what's yours and what's not?
Written by Jo Best, Contributor

Keeping track of your data won't be easy in a connected, Internet-of-Things world.

Image: Cienpies Design&Communication

In an Internet of Things future, everything from your toothbrush to your car could be collecting data on you -- about your personal habits as well as the way your business works. But with 50 billion objects set to come online by 2020, who will really own that goldmine of information?

Data gathered by IoT sensors and systems can pass through any number of hands -- those of the end-user that creates it, or of the company whose hardware collects it, even the software business the processes it, and the app maker that shares it, and all of them may want to claim rights over it. Whether you're part of a company wanting to improve their business with industrial internet systems or an individual planning to make their home a little smarter with IoT, whose data is it anyway?

According to law firm Taylor Wessing, end users don't really have ownership rights to the data gathered by off-the-shelf systems they've installed. If you've rolled out a smart home set-up, you can't legitimately claim that all the details about when you switched on your lights or opened your garage belong to you and you alone.

However, in Europe, companies that have spent time and money creating a fixed database that they can query could legitimately claim to have ownership of that data. If more than one company has had a hand in building that database, though, all may be able to claim ownership and then use it in their business contracts. "Where ownership has not been appropriately provided for, we can expect to see big disputes between those involved, given the potential value in data captured from the IoT," Taylor Wessing senior associate Adam Rendle noted in a blog.

Of course, building up collections of data about customers, selling, sharing, and claiming ownership over them isn't new to the Internet of Things -- app makers have been doing just that for years. Also, most data protection legislation has been worded to ensure it applies to technology already in use, as well as that yet to come, so most existing laws that apply to current IT as well as whatever IoT systems become the norm in future.

That's not to say IoT doesn't have its unique challenges, however. Take that app comparison - if the app maker wants to change how a customer's data is handled, the app can be configured to show the user a message asking for their permission to do so. For smart home appliances, which may not have any screen to show such a message or input mechanism to accept or reject it, it's far harder to keep customers informed.

Harder, but not impossible, according to the Information Commissioner's Office, the UK's data regulator.

In a large number of cases the IoT device will need to be connected to and configured by a smart phone app or online service which provides "ample opportunity" to inform customers about data processing activities, the ICO said. Including information within the user manual, packaging and marketing material can also be an effective means to inform individuals.

"Indicators of ongoing data processing can also be provided through the use of lights, buzzers or other signals which can also be useful for other individuals who may be in the vicinity of the IoT device (eg displaying a red light on the front of a video recording device as a signal to those in the field of view)," an ICO spokesperson told ZDNet.

But with the Internet of Things still relatively early on its adoption curve, companies are still getting to grips with best practice for handling customer data. One recent high profile misstep case in point: the privacy policy for Samsung smart TVs told customers that if they had discussed personal or sensitive information in front of the TV, "that information will be among the data captured and transmitted to a third party through your use of Voice Recognition", causing consternation among users. The company subsequently published a blog to explain to users exactly how and when their TVs were listening in.

"There are challenges to ensure that individuals are fully informed about the data processing taking place and ensuring a secure environment but are not impossible for organisations to address. There are also a large number of opportunities to learn from the mistakes of those who have gone before," the ICO spokesperson added.

And learn they must. With predictions that the Internet of Things could connect 50 billion objects by 2020, there's going to be huge wave of data coming, and huge potential for use and misuse. Take an industrial vehicle hire company: by using sensors in their vehicles, they could gather useful information on faults, crashes, and breakdowns that could be used to make future models more reliable, but equally, customers may feel uncomfortable knowing their driving habits are being monitored, albeit indirectly.

And there's plenty that can be revealed about individuals and businesses accidentally thanks to IoT deployments set up unthinkingly, Andy Stanford-Clark, IBM distinguished engineer for the Internet of Things, told ZDNet recently.

"For well-implemented IoT systems, security is front of mind and in from the beginning. It's easy to rush things to market, and either from naivety or not having the right skills or cutting corners, it's easy to leave holes in things... The fact that my car engine is running - not where it is or how fast it's going - might sound innocuous. But the fact that my engine's running means I'm not at home, I'm out in the car somewhere. That combined with my address - two seemingly uncorrelated pieces of information - could have unintended consequences."

To do Internet of Things data-gathering right, clear boundaries need to be drawn. In consumer IoT systems, often when data is transferred ownership is too - for example, moving from one app to another - and consumers can agree to that transfer or not.

For businesses, data shouldn't be treated in such a wholesale manner, according to Eric Harper, lead software architect for ABB, a member of the Industrial Internet Consortium.

There are two classes of data in the industrial internet, internal and external, Harper said. Internal data covers what the vendor need to deliver the product or service to the customer, and external is what's useful to customers and the broader market.

"When we think about those two types of data we make some clarifications on what should and could be shared, and designed the architecture of our systems to support that.

"With internal data, if you think about one of our control systems, or something like that, that really is our data, even if it's being generated at the customer's site. It's not something that would typically be revealed to a customer... we want to keep that internal product data from being surveilled, even by the customer."

"External data - that's being produced by say a robot or smart transformer - then the customer is free to use that data however they please, and since it's their data, they should be free to share it with whoever they like," Harper said.

From there, data handlers should stick to some best practice rules.

For data that customers elect to share with their providers, providers should only be share it themselves an aggregated or anonymised way.

Similarly, providers should guarantee not to use data fusion to reverse engineer information about their customers without their explicit consent. For example, if the customer has several systems all made by a single supplier, the supplier could offer to merge those to give better insight into how the whole setup is working together.

And if customers are willing to share extra data, they may be able to get additional services -- data on industrial equipment usage could optimise or service the equipment, for example. The exchange of value -- both parties getting something -- has to be clear, however.

A lot of problems can be avoided if suppliers get the information architecture right initially.

"The idea is I have some directory or lookup for where the data is, and in that directory, I ought to be able to mark up the characteristics and properties of the data. It should be able to be marked up by ABB, but also by the customer.

"That may evolve over time. The customer may say, if I share that with you, that might reveal some intellectual property about my process, so I'll mark that as property. ABB might have some property in the directory that would reveal exactly how the control system works so we're going to mark that as private," Harper said.

"There also could be this idea that the transfer or data shouldn't imply transfer of ownership, the owner should be able to provision third parties for access to their data. That should involve some contractual arrangement -- that might mean that I'm sharing that data with you today, but if I say you need to delete it tomorrow, legally you're bound to do that."

More on the Internet of Things

Editorial standards