Blog | Faruki PLL

"Alexa: Please Conduct a Personal Privacy Impact Assessment"

Written by Scot Ganow | January 6, 2017

We in the privacy profession have long used a tool called the Privacy Impact Assessment, or "PIA." The use of PIAs is a long-standing best practice in properly reviewing and assessing what, if any, impact a change in a business practice or product may have on the collection, use and sharing of personally identifiable information ("PII"). Forward thinking businesses and even government agencies, like Department of Homeland Security, have used them for years. A simple example is adding a consumer chat feature to an existing company website. In doing so, a company might want to know what personal information is being collected, is it free text, who will have access to it, how long will it be stored after the chat is over, and will it be linked to other data the company has? All reasonable, common sense questions that should be asked to ensure the company's privacy promises (in posted policies and agreements) are not being undermined by the implementation of the new chat feature. In effect, a PIA serves as the voice of reason and "once over" for any change before it is implemented and "breaks something." Furthermore, the use of PIAs serves to support a company's due diligence should its practices ever come into question in litigation or perhaps an enforcement action. Cautionary tales of when a PIA might have been helpful abound. For example, I wondered if a PIA was conducted in the development of Pokémon Go!, including whether such characters should be placed within the bounds of people's personal property was a good idea or accessing one's Gmail without full disclosure.

Or, as we recently saw in the news, Amazon's Echo product's audio recording of events within one's house might actually be used in a criminal investigation. If you do not know, Amazon's Echo, like Google Home, is a device that allows you to orally command the product to access the Internet and provide you information or complete a transaction for you. To do this, the product has to record your voice, and that recording is prompted by the word, "Alexa" or "Amazon." You have seen the funny and very cool commercials on the way such a product can benefit you. But how do such products work? More importantly, what information is being collected, used and retained by the product, or the servers to which it is connecting? The answers to such questions are available in a variety of places online and are not the purpose of this article. No, as we kick off the New Year and draw near to Data Privacy Day (1/28), I think the better question is whether those answers are available and whether people are actually looking for them before using such a product. Indeed, as the Echo story shows (as well as confusion over the facts of what the product does or does not do) it is more important than ever that all parties (businesses, third parties, consumers) to any smart device transaction do their own privacy impact assessment.

More specifically, in the age of the Internet of Things, citizen consumers have to make their privacy values a priority in conducting their own, personal PIAs. Just as you would review the operator's manual or even the quick start-up guide for a new computer, drone or car, you need to understand what these convenient and very cool products are doing with your personal information. In conjunction with Data Privacy Day, I will find myself giving many talks to school groups, parents groups, and anyone who is interested in privacy and online security. A staple of that talk is while there are laws, technology and market standards in place to protect your personal information and provide redress, the first and BEST line of defense is YOU.   Indeed, I have written a brief miniseries on how one person's efforts not only protected her privacy but expedited the apprehension of the very person that attempted to steal her identity. No one knows your privacy value nor cares about it as much as you. So, now, more than ever, each of us should take a breath before using a new product and service and do a once over to make sure it will perform in line with our privacy expectations.

If you want to get a cheaper deal on car insurance, make sure you know what you are giving up in any monitoring device you install or carry in your car. If you want remote camera access to the interior and exterior of your house, evaluate the security of such cameras and what tools you have to make sure those cameras aren't used against you. Always ask yourself and the company what information is going back to any company that supports a smart device in your home, office or car. You should know. More importantly, any company worth its salt should proactively tell you and publish such information for your review in advance.

So, by all means, resolve to go to the gym more, get more sleep, and eat better this year. You can even resolve to be more patient and kind in 2017.  Just extend some of that patience to taking some time and reviewing a product or service's privacy practices before you share your personal information.