IoT privacy in New Zealand: What CIOs need to know

Consumer adoption of internet of things (IoT) devices is at its infancy in New Zealand, but as usage grows, attitudes to privacy will help inform the technical roadmaps that local CIOs will create and deploy.

Erika Pearson and Esther Jaspers of Massey University researched New Zealand consumer behaviour as it relates to IoT devices, as part of a Privacy Good Grant from the Office of the Privacy Commissioner. Their paper ‘Domestic Internet of Things: Aotearoa New Zealanders’ Privacy Concerns and Behaviours’ was released at the NetHui conference recently, and many of its findings and recommendations have direct application for corporations looking to create consumer IoT applications.

The study is based on a survey of 930 New Zealanders aged between 16 and 87 years, with 12 in-depth interviews with early adopters of IoT devices. Of those surveyed, only 397 people owned any IoT devices, and these users were “younger, more frequently male, more highly educated, and had higher incomes compared to nonusers.”

Government’s role in protecting data privacy

While the survey shows that users believe companies pose more of a threat to people’s privacy in the collection of data than the government, “the state is viewed as an important monitoring force in relation to global information flows.”

A concern raised by the early adopters interviewed is where data is stored and, if it is housed in overseas data centres, what that means for New Zealanders’ privacy. “Several of the interview respondents had looked at their network traffic and noted the amount of information going to overseas services and sites. This concern is partly in response to the jurisdiction of data. These tech-savvy users realise that once their data leaves the country, it may be subject to different standards and rights, and that is a source of mild concern,” the authors note.

The new Privacy Act, which comes into effect on 1 December 2020, has provisions for cross-border data, which could allay users’ fears. The new law makes its clear that a New Zealand organisation can only disclose personal information overseas if that agency has a similar level of protection to New Zealand, or if the individual is fully informed and authorises the disclosure. It also has an ‘extraterritorial effect’, meaning an overseas organisation may be treated as carrying on business in New Zealand even if it doesn’t have an office here.

“However, in order to allay user concerns, this localisation of privacy standards will need to be seen in action and enforced,” the authors note.

The new regulations don’t impact on cloud storage, as the Privacy Commission explains on its website. A business or organisation may send information to an overseas organisation to hold or process on their behalf; this will not be treated as a disclosure under the Privacy Act. “A typical example of this is an overseas company providing cloud-based services for a New Zealand organisation. The New Zealand organisation will be responsible for ensuring that their agent—the overseas company—handles the information in accordance with the New Zealand Privacy Act.”

Another concern raised by respondents in the IoT privacy report is the length of time that data is kept, and the authors note that expiry dates on data may be an area for future study.

Understanding the privacy vs. functionality trade-off

While consumers are generally aware of the trade-off between providing data in return for services in a social media context, the nature of many IoT consumer devices mean they are situated inside homes and are required to be on alert for voice commands and queries (for example, the Amazon Echo and Google Assistant). AI technology enables devices to learn user behaviour to provide a better experience—such as understanding the Kiwi accent—but how corporations share that data was raised as a potential concern in the IoT privacy report.

“For respondents, whether the information is directly or indirectly acquired by companies outside the device ecosystem, the impact and erosion of their trust and comfort is the same. Distribution of personal data is acceptable in return for the functionality of the data, but only to a point,” the study authors note.

A particular area of concern was the collection of data from minors, and many respondents with IoT devices either don’t have them in children’s spaces or are more vigilant about understanding what happens to data collected from these devices.

Privacy policies a turn-off for consumers

Trusted brands are more likely to get traction with IoT users when it comes to adoption. But that only extends so far.

A real turn-off for consumers is when privacy policies are constantly changing. “Some fatigued users also comment on often-changing privacy and data policies that users are required to agree to in order to continue to use sometimes very expensive devices. Respondents even link their level of trust in the company to the frequency of privacy updates they receive,” the authors note.

So would users be prepared to pay more to have their privacy guaranteed with little or no pesky policies, a kind of privacy premium? The survey respondents were split—some were willing to pay a small premium, while others “see privacy as an, if not extinct, at least dying concept not worthy of financial investment.”