As far as Roy Smith is concerned, manufacturers of Internet of Things devices for consumers are doing a miserable job of clearly communicating what personal data their devices collect and, more importantly, how they use that information. But he also thinks this marks a business opportunity.
This week, Smith launched Privacynq, a service that aims to explain a product’s data-privacy policy in plain, concise English, rather than using longwinded legalese. This, he posits, will also help device manufacturers of IoT devices, such as fitness bands and Internet-connected home-security systems, to earn consumers’ trust and, therefore, business.
“The average consumer is more and more concerned or interested in what is going on” with their personal data, Smith says. “We think privacy and security will be marketing differentiators [for makers of IoT devices] in the near future.”
Whether or not that happens, manufacturers have other motivations for wanting to make consumers feel comfortable with their privacy policies and assuring them that their personal information and privacy remain secure. In January 2015, the Federal Trade Commission (FTC) expressed its concern that IoT devices do a poor job of protecting consumer data and safeguarding civil liberties, raising the specter of possible regulation. (The agency also issued a report detailing approaches that device manufacturers should be taking to safeguard data and privacy.)
Smith designed Privacynq as an easy-to-navigate interface—in desktop-, tablet- and smartphone-specific formats—that manufacturers can use to provide consumers with a clear description of its data-security and privacy practices. Smith’s vision is that as manufacturers begin using Privacynq, consumers will grow to rely on it as a way to quickly reference the privacy policies for each IoT product they purchase.
“We created a solution that would make this a drop-in for manufacturers,” Smith explains. “They will print the Privacynq overview of the product’s data-collection practices on the product packaging.” Consumers will also be able to access that same overview on their smartphone or home computer, he notes, via Privacynq’s website. As a manufacturer makes changes to its policies, these will be reflected on the electronic version of the Privacynq overview, along with the date they were updated.
The consumer interface—a mock-up of which is available here—starts with an overview of a given stock-keeping unit (SKU). It then lays out the feature’s consumer benefits. (The Privacynq website also includes a number of listings featuring actual products, such as Nest and Fitbit, but these are mock-ups based on publicly available information. Privacynq has not yet worked with these companies.) The next section gives a brief synopsis of what types of data the device collects, as well as how it is collected (for example, via an integrated camera or microphone, or by accessing a user’s calendar through an app). This section also conveys the manufacturers’ data-storage policy for each type of data collected.
The section after that shows a grid showing the types of third parties (such as ad networks or government agencies) that receive that collected data, along with how it is delivered (such as in encrypted form or anonymized).
The product’s Privacynq webpage provides an e-mail address that consumers will be able to use to opt out of data collection. And consumers who do not find the specific information they seek in the brief descriptions will also be able to click to read through the manufacturer’s full privacy policy and end-user license agreement.
Smith spun Privacynq out from PrivacyCheq, a company he founded to help online video game companies comply with the FTC’s Children’s Online Privacy Protection Rule, by creating a standard interface through which parents must grant permission for their kids to play certain games.
Smith also plans to implement a system by which consumers can agree to be notified directly by Privacynq if a product they own has suffered a security breach. “When you buy a product, the manufacturer often asks for your e-mail address so that they can communicate product information,” Smith states. “Most people say ‘no’ to this, or they give an e-mail address that they set up for junk.” But, of course, these same consumers do want to know when there is a security breach, so Privacynq would alert them to such breaches through an e-mail address that the consumer checks regularly. “So it would be like a trusted side channel,” he explains.
But first, Privacynq needs customers. Monthly pricing for startups and IoT incubators is $39 per product, while established manufacturers will pay $299. Educators will be able to use Privacynq for no charge. “A surprising amount of activity is happening around mobile games, apps and connected devices in the halls of academia,” Smith explains. “By making it painless for educators to show their students how to ‘design for privacy’ from day one, [the technology enables them to train] these kids for the future in which privacy will not be an afterthought.”
The first step is for the device maker to complete a survey related to each product it wants Privacynq to add to its database. Smith says Privacynq will then use the answers to that survey—which allow written elaborations on specific policies, rather than forcing a yes/no answer—and condense the policies into simple, short text blocks.
“Not every manufacturer is going to embrace this,” Smith concedes, suggesting that some companies issue 10-page privacy policies in legalize specifically because they do not want consumers to read them closely. “Those companies are not [likely to be] our customers. We’re going to attract companies that want to do the right thing—those that want to be white hats, so to speak.”