Vending machines are about to become your closest friends, according to one vision.
They will recognize you on approach from the location-based signals from your smart phone, back office systems will check your buying patterns linked to the handset’s mobile wallet used to pay for items, display a greeting on a screen with your name and when you buy an item offer a coupon if you buy something else.
That picture was painted at an M2M conference Wednesday in Toronto, and it might make retailers very happy.
But it also illustrates a point that a privacy expert at the conference made: Machine-to-machine communication applications will often have more than metric points.
“We don’t want to dampen the enthusiasm,” over M2M, Michelle Chibba, director of policy for Ontario’s privacy commissioner told the conference organized by the Canadian Wireless Telecommunications Association (CWTA) , “but there’s a lot of data that will be personally identifiable.”
Organizations creating M2M applications have to think about the privacy of customer data, she said.
“Our motto is ‘Privacy is good for business — do it up front.'” Â And, she added, organizations can incorporate privacy into apps and achieve business objectives. “Give the individual notice of what you’re doing and give them the choice.”
She said the Ontario privacy commissioner’s urges a policy of “Privacy By Design”, which says organizations need to think about privacy early in the creation of apps (or company policies) – in research, software design, business requirements, business analytics, implementation and monitoring.
She also suggested that organizations drop into provincial or federal privacy commission offices for some free advice. Ontario’s Hydro One utility worked with her office over possible privacy issues before implementing smart meters across the province, she said by example. People in the province barely raised objections.
By contrast, she said, in British Columbia there’s a large lobby fighting smart meters. In California, she added, the state has given citizens the right to opt out of having smart meters on their homes.
For Canadian organizations her office has a few reports organizations looking at M2M apps can consider, she said. One is a 2011 report on the unintended privacy consequences of using existing wired and wireless architectures in new ways noted that MAC addresses, once used neutrally for supporting device communications, become privacy problems when they are used as location identifiers that get linked to individuals. Other reports deal with privacy and near-field communications (NFC) and telematics.
(Read the commissioner’s report on privacy and mobile location analytics)
Organizations have to ask the purpose of the data collected, does the individual know what it’s being used for, is the data secure.
But sometimes, she said, organizations don’t think of all the risks. For example she noted that recently LG brought out a smart TV collected personal data that could be transmitted to the manufacturer. The software allowed the capability to be turned off. It didn’t matter — the data leaked anyway.
Similarly, in a home video monitoring service didn’t educate buyers on how to properly password protect the video stream, which could be easily hacked. And a Canadian methadone clinic that had a wireless camera inside the facility was stunned to learn the signals were being picked up by the backup camera in a car outside the building.
Encrypting data is usually a good protection, Chibba said.
She also noted that the Ontario privacy commissioner has ruled that bytes that can be reconstructed into a recognizable image meets the definition of a personal “record” under provincial legislation. Organizations covered by the privacy law are required to protect records. “You can’t assume it’s just a bunch of numbers.”
In an interview Chibba said that although Ontario’s privacy law only applies to the public sector, the commissioner’s office is often consulted by the private sector before embarking on projects. Asked if it should be done it more, noted organization’s aren’t required to consult. But, she added, if they’re looking for specific expertise in understanding privacy by design, “we are the experts.”