Contributed by Lin Nease, Chief Technologist, IoT at Hewlett-Packard Enterprise Group. Co-authored by Mary Jane Vesey, Client Principal, HP Enterprise Services – Americas.
The hype about the so-called “Internet of Things” (IoT) has reached a fever pitch lately. While reality trails the hype for many industries and use cases, there is little disagreement that five years from now the volume of stored cyber-physical data – data obtained from physical-world sensors – will grow exponentially and cross boundaries we don’t think about today. Furthermore, many new markets for IoT data will emerge: markets that provide benefits in exchange for consumer opt-in – for example, the way WAZE uses real-time location data from its members to precisely assess traffic conditions and route them more effectively than purely algorithmic mapping software. In this case, users receive a benefit (improved traffic routing) in exchange for their personal information (their ongoing location). Could we not envision significant improvements in health care via analogous opt-in schemes?
As a result of the cyber-physical data explosion driven by IoT, the focus of regulation will need to shift (effectively) from data collection and storage to the boundaries across which data is shared. Why? Because information that has the potential to personally identify people is growing even faster than electronics capacity! The explosion in personally-identifiable information (PII) is driven by at least four primary factors:
- Dramatic growth in stored rich media and biometrics – pictures, videos, audio, physiological – not only from social media, but also expanding use in security/identity, behavioral analytics, process automation, and much more.
- Dramatic growth in personal data stored by commercial entities and service providers, due to productivity improvements from cloud and context-aware services (for example, location and connected services).
- Constant improvement in algorithms. This includes both correlation across many information sources and the emergence of algorithms that can identify people based on electrocardiograms, the vibration patterns of a walking gait, voice, genetic information, and much more.
- “Moore’s Law” – the inexorable, well-known, ongoing increase in electronics compute capacity.
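The correlation risk noted above is easy to underestimate. A toy illustration of the idea – joining an “anonymized” sensor dataset to a public directory on shared quasi-identifiers – shows how data that carries no names can still become PII. The datasets, field names, and people below are all hypothetical:

```python
# Toy linkage attack: re-identifying "anonymized" records by joining
# them to a public directory on quasi-identifiers (ZIP + birth year).
# All data, names, and fields are hypothetical.

# An "anonymized" dataset: names stripped, quasi-identifiers remain.
sensor_records = [
    {"zip": "94103", "birth_year": 1980, "avg_heart_rate": 72},
    {"zip": "10001", "birth_year": 1955, "avg_heart_rate": 88},
]

# A separate public directory containing the same quasi-identifiers.
public_directory = [
    {"name": "Alice Example", "zip": "94103", "birth_year": 1980},
    {"name": "Bob Example", "zip": "10001", "birth_year": 1955},
]

def reidentify(records, directory):
    """Join the two datasets on (zip, birth_year) to recover names."""
    index = {(p["zip"], p["birth_year"]): p["name"] for p in directory}
    return [
        {**r, "name": index.get((r["zip"], r["birth_year"]), "unknown")}
        for r in records
    ]

for row in reidentify(sensor_records, public_directory):
    print(row["name"], "->", row["avg_heart_rate"])
```

Neither dataset is PII in isolation; the join is what re-identifies. As the sources being correlated multiply, so do the possible joins.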
And while Moore’s Law continues to change what’s possible in data processing, the data itself – physical data like vibration, temperature, motion, sound, and light waves – is essentially unchanged. The human capacity for hearing, for example, has not changed in over 50,000 years; yet while processing audio data digitally was challenging 20 years ago, technology advances have made it absurdly easy today. The same is happening with visual and video data. Software recognition of a face in a crowd from a photo will be many times easier two years from now than it was two years ago. What was not PII before may well be PII today.
Policy makers need to come to grips with the reality that PII data in the private sector is exploding. We need a new set of questions and responses to how we define and protect privacy in a realistic way:
- When does an individual enter and exit the non-private realm?
- What are the implicit “opt-in” points for sharing private data publicly?
- What constitutes illicit sharing of private data vis-à-vis algorithms? (How can one possibly enforce limitations on photo, video, audio sharing as pattern recognition improves?)
- How might we separate PII “master data” from raw data? Can this provide a basis for moving forward?
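One hedged reading of the “master data” question above: keep identity attributes in a restricted master store, and tag raw sensor data only with an opaque token, so the raw data alone carries no direct identifiers. A minimal sketch of that separation, with all function and field names hypothetical:

```python
import secrets

# Restricted "master data" store: opaque token -> identity attributes.
# Access to this mapping would be tightly controlled.
pii_master = {}

def register_person(name, email):
    """Create an opaque token for a person; identity stays in pii_master."""
    token = secrets.token_hex(8)
    pii_master[token] = {"name": name, "email": email}
    return token

def record_reading(token, sensor, value, raw_store):
    """Raw sensor data carries only the token, never the identity."""
    raw_store.append({"subject": token, "sensor": sensor, "value": value})

raw_store = []
t = register_person("Alice Example", "alice@example.com")
record_reading(t, "temperature", 36.6, raw_store)

# Analytics can run on raw_store without touching pii_master;
# re-identification requires access to the restricted mapping.
```

Under this kind of scheme, sharing or regulating the raw data could be treated differently from sharing the master mapping – which is precisely the boundary question posed above.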
There are obviously many more questions that policy makers will need to answer as technology advances rapidly. Fortunately, privacy is a much more converged topic today than it was 20 years ago.