All children know that, at this time of year, Santa has a network of Elves who keep an eye out for naughty children and report back to Santa. What children, and more to the point, their parents, may not know is that some of the gifts Santa might deliver to the good children may have more features than they bargained for, possibly leading to Elf redundancies in future.
To demonstrate this, the Mozilla Foundation have published a guide (1) to the security features of toys and gadgets which are on sale this Christmas. Some of them are potentially quite scary. For instance, the Adidas miCoach Smart Soccer ball has a camera and a microphone and is able to track location. Then there is Edwin the Duck, a connected rubber duck which can track location but (thankfully) does not have a camera or microphone. The app does not require the user to set up an account, but does allow parents to download lullabies and sleep sounds to comfort a baby. Or even Sphero SPRK, a programmable robot which has, according to Mozilla, a camera and microphone. The app, similarly, does not require the user to set up an account.
It seems, therefore, that Santa might be about to deliver some interesting and fun devices to unsuspecting homes. Some of these devices will be gathering information about the users from the moment they are switched on.
The question I would pose is: “Is this legal?”
May 2018 sees the implementation in the UK of the General Data Protection Regulation (GDPR). A summary of the GDPR can be found on the website of the UK Information Commissioner’s Office (ICO) (2).
The ICO gives additional guidance on consent for the collection and processing of data under the GDPR (3). This includes the following extract.
Consent means offering individuals genuine choice and control.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and granular. Vague or blanket consent is not enough.
- Be clear and concise.
- Name any third party controllers who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people.
- Keep consent under review, and refresh it if anything changes.
- Avoid making consent a precondition of a service.
This raises the question: how can consent be obtained for the processing of data gathered by these, and many similar, devices?
In the case of toys, or other items commonly given as gifts, that may be a tricky question for the data processor to answer. As many of these gifts seem destined for the American market, the first line of defence will probably be that the data is processed outside the jurisdiction of the GDPR, effectively outside Europe. But where consent is required, how can it be obtained?
Could it be built into the contract for the sale of the device? Possible, yes, but unlikely. The contract for the purchase of goods is usually between the retailer and the purchaser. The retailer is most unlikely to be the organisation collecting and processing the data. Further, given the requirements for positive consent, it is not really feasible for the retailer to supply the level of information necessary to achieve informed consent before the item is purchased. There is another obvious stumbling block to consent at the point of purchase: many of these, and similar items bought as gifts, will not be purchased by the end user. They may have been purchased by parents, grandparents, uncles, aunts or family friends. It is difficult to see how they could be said to consent on behalf of the recipient end user.
A slightly more practicable option is that the end user (or their parent or guardian) is required to set up an account to make the toy or other type of gadget work. This would give the data processor an opportunity to introduce the level of information necessary, and the opt-in, to obtain valid consent. The process, presumably, would only proceed to completion if consent was positively given. However, there are difficulties with this approach. The first, and most obvious, is: what if the end user or their parent did not give consent? Would they then have a toy or gadget that did not function correctly or as advertised? The second is: if a parent did consent, what of any other children playing with the toy or device who were not covered by that consent, such as the girl or boy next door?
According to the BBC (4), the German Federal Network Agency, which is the regulator of such matters in that country, has banned smart watches that have children as their target market, citing privacy fears and the fact that the watches can be used to track a child. It is said that the watches could also be hacked to provide a false location for the wearer. In the same report, it is claimed that parents have used the watches to listen to teachers in class.
This ban comes some nine months after the BBC (5) reported that the same German regulator banned a doll known as ‘My Friend Cayla’ following concerns that the Bluetooth connectivity of the doll could be hacked to allow people to eavesdrop on children at play.
The harvesting of data from such devices as gadgets and toys may also soon give rise to civil actions for damages by aggrieved users. It is reported (6) that a former director of “Which?” magazine in the UK, Richard Lloyd, is leading a claim against Google. It focuses on allegations that Google unlawfully harvested information from 5.4 million UK users by bypassing privacy settings on their iPhones. The allegation is that Google used cookies to collect information from devices in order to deliver targeted advertisements. It seems that for several months in 2011 and 2012 Google placed ad-tracking cookies on the devices of Safari users, even though Safari is set by default to block such cookies.
If the action is successful, it may pave the way for similar actions by consumers affected by the unwanted, or even unknown, collection of data. That could prove expensive for the device manufacturers and data collectors/processors.
This is unlikely to be the end of the story.
References.
1. https://advocacy.mozilla.org/en-US/privacynotincluded (Accessed 03 December 2017)
2. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ (Accessed 03 December 2017)
3. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-bases-for-processing/consent/ (Accessed 03 December 2017)
4. http://www.bbc.co.uk/news/technology-42030109 (Accessed 04 December 2017)
5. http://www.bbc.co.uk/news/world-europe-39002142 (Accessed 04 December 2017)
6. http://www.bbc.co.uk/news/technology-42166089 (Accessed 04 December 2017)