The term Internet of Things (IoT) generally refers to scenarios where network connectivity and computing capability extend to objects, sensors and everyday items not normally considered computers, allowing these devices to generate, exchange and consume data with minimal human intervention.

The Internet of Things (IoT) is an emerging topic of technical, social, and economic significance. Consumer products, durable goods, cars and trucks, industrial and utility components, sensors, and other everyday objects are being combined with Internet connectivity and powerful data analytic capabilities that promise to transform the way we work, live, and play.

Projections for the impact of IoT on the Internet and economy are impressive, with some anticipating as many as 100 billion connected IoT devices and a global economic impact of more than $11 trillion by 2025.

At the same time, the Internet of Things raises significant challenges that could stand in the way of realizing its potential benefits. Attention-grabbing headlines about the hacking of Internet-connected devices, surveillance concerns, and privacy fears have already captured public attention.

Technical challenges remain and new policy, legal and development challenges are emerging.


When something is private to a person, it usually means that something is inherently special or sensitive to them. The domain of privacy partially overlaps with security, which can include the concepts of appropriate use and protection of information.

Privacy may also take the form of bodily integrity. The right not to be subjected to unsanctioned invasions of privacy by the government, corporations, or individuals is part of many countries’ privacy laws, and in some cases, constitutions.

Information privacy is the right to have some control over how your personal information is collected and used.


As individuals will have their daily activities and behaviours measured, recorded and analyzed, there is a pressing need for developers and policy-makers to turn their minds to informing consumers and citizens as to who collects what kind of personal information, how it is then stored, used and disclosed to whom and for what purposes.

Privacy principles dictate that users should be able to keep control of their data and to opt out of the “smart” environment without incurring negative consequences. How will this unfold, and will traditional privacy principles be addressed?

Before we too readily endorse smart devices and sensors that can send information about many personal aspects of our daily lives into the cloud, it is essential to have an informed discussion about the implications of the Internet of Things and to plan the integration of privacy principles and safeguards into the conception and implementation of the many smart environment components.

Information collected by sensors within objects that are connected can yield a tremendous amount of data that can be combined, analyzed and acted upon, all potentially without adequate accountability, transparency, security or meaningful consent.



In some instances, device tracking is said to involve aggregate, anonymized, or de-identified information. Broadly speaking, aggregate information can be thought of as “compiled or statistical information that is not personally identifiable.” Even aggregate information, however, could lead to an identifiable individual, as research has shown.

While some have argued that the information at issue in the Internet of Things environment is anonymous or pseudonymized, there are difficulties with anonymizing information in this context. As the Article 29 Working Party (US-based Law on Technology) has noted, even pseudonymized or anonymized data may have to be considered personal information.

While tracking in the Internet of Things involves the tracking of a device, the motivation is to understand the behaviour of the individual behind the device. Indeed, value is derived from rich information about the individual, their activities, their movements, and their preferences. When inferences are made about the owner of a device, it raises the question of whether it is the device being tracked or the individual.

A report from the European Commission found that objects in the Internet of Things can become like extensions to the human body and mind with enhancements such as embedded intelligence and knowledge.

In addition, long-term patterns of location data attributed to a particular device can potentially reveal information about where a device is located at certain times of the day or night, which could potentially identify work or home locations.
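
The risk described above can be checked before location data is released as "aggregate" or "de-identified". The following is an added example, not part of the original article: it coarsens constructed device pings to a grid cell and time-of-day bucket and reports every group containing fewer than k distinct devices. The record layout, grid size, bucket size and k are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample pings: (pseudonymous device id, latitude, longitude, hour of day).
PINGS = [
    ("dev-a", 45.4215, -75.6972, 2),
    ("dev-b", 45.4219, -75.6968, 2),
    ("dev-c", 45.4211, -75.6975, 2),
    ("dev-d", 45.3876, -75.6960, 2),    # the only device in its cell at night
    ("dev-a", 45.4262, -75.7012, 14),
    ("dev-d", 45.4264, -75.7018, 14),
]

def generalize(lat, lon, hour, cell_deg=0.01, hour_bucket=6):
    """Coarsen one ping to (grid cell, time-of-day bucket), the quasi-identifier."""
    cell = (math.floor(lat / cell_deg), math.floor(lon / cell_deg))
    return cell, hour // hour_bucket

def small_groups(pings, k=3, **kw):
    """Return {quasi_identifier: device ids} for each group with fewer than k devices."""
    groups = defaultdict(set)
    for dev, lat, lon, hour in pings:
        groups[generalize(lat, lon, hour, **kw)].add(dev)
    return {qi: devs for qi, devs in groups.items() if len(devs) < k}

def suppress(pings, k=3, **kw):
    """Drop every ping that falls in a group smaller than k before release."""
    risky = small_groups(pings, k, **kw)
    return [p for p in pings if generalize(*p[1:], **kw) not in risky]

if __name__ == "__main__":
    for qi, devs in small_groups(PINGS).items():
        print("group", qi, "holds only", sorted(devs))
    print("releasable pings:", suppress(PINGS))
```

A device that is alone in its night-time cell is the case the paragraph above warns about: the cell is a likely home location even though the identifier is a pseudonym.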


Accountability is a key principle in privacy law. To be accountable, an organization needs to be able to demonstrate what it is doing, and what it has done, with personal information and explain why. This may be easier said than done in the Internet of Things environment where there is a multitude of stakeholders, such as device manufacturers, social platforms, third-party applications and others.

Some of these players may collect, use or disclose data, and can have a greater or lesser role in its protection at various points, though where to draw the line between them can be challenging at the best of times. For example, who is ultimately responsible for the data which the smart meter broadcasts?

The homeowner who benefits from using the device, the manufacturers or power company that provided it, the third-party company storing the data, the data processor who crunches the numbers, all of the above, or some combination thereof? And to whom would a privacy-sensitive consumer complain? Should privacy be breached, where does the responsibility of one party end and another begin?

Mapping dynamic data flows and setting out the responsibilities and relationships between various actors could help clarify how information flows among the parties and can help inform the basis of an organization’s privacy management program.

In the case of “machine-made” decisions, developers and owners of the underlying algorithms, systems and products may find it even more challenging to demonstrate accountability.

In addition to this vexing issue, the legal and ethical responsibilities in the case of errors or accidents are far from clear. The scope of privacy management programs and the level of accountability organizations are expected to demonstrate will be complex in the Internet of Things environment.


Access and correction rights are squarely related to accountability and transparency. How will an individual know to ask for their information and challenge its accuracy, if they never become aware that it was ever collected? Similarly, how will individuals determine what organization they should seek out to gain access to and, where necessary, correct their personal information?

Canada’s privacy laws in both the public and private sectors are heavily reliant on the complaint process as a mechanism for helping individuals challenge organizational decisions made about them. This model works well when there is an obvious organization to contact or a list of information banks, but breaks down when the collecting organization is difficult to pinpoint.

What would be an effective way to map dynamic data flows and make them explicit and transparent for all to see so that individuals could more meaningfully exercise their access and correction rights?


Ethics is based on well-founded standards of right and wrong that prescribe what humans ought to do, usually in terms of rights, obligations, benefits to society, fairness, or specific virtues.


Applicable ethical norms which can act as guidelines, as well as instruments of measurement, must be formulated to address these ethical issues. The following forms can be distinguished: truth, freedom and human rights.


Fig: How are Ethics related to the Privacy Risks?

As per the above-mentioned definitions, morals and ethics refer to social behaviour standards in the IoT field. Most of the ethical debates are about property rights, accessibility, and private use of information. Ethical behaviour requires enforcing the following:

1. Privacy of Information

2. Access to Information

3. Integrity of the Information

It follows that ethical issues in the IoT field have appeared, such as:

  • Author Identification:

The correct identification of the author of the data collected in a typical IoT system will be hard to determine. There is also a concern about using the data without the patient’s permission.

  • Public and Private borderline:

IoT omnipresence will make the borderlines between private and public life virtually transparent, in the absence of defined boundaries for users’ information.

  • Attacks on people’s lives:

Hacker or virus attacks on typical computer systems may cause either data loss or physical loss of the computer system. With attacks on IoT systems, the loss does not stop there: it can directly affect people’s lives.

For example, if an attacker can log into a typical IoT medical application, a small change in a patient’s information may result in the wrong medication, which will affect the patient’s life.


Companies can take these five steps to prepare for the introduction of IoT-based systems to ensure the security risks do not outweigh the business benefits.

1.    Encrypt Data

Regulations like Payment Card Industry Data Security Standard (PCI DSS) and the updated Markets in Financial Instruments Directive (MiFID II) recommend that all digital data transmitted over the internet should be encrypted, which means that if someone manages to access sensitive data, they won’t be able to read it.

Organizations should consider using firewalls to protect IoT web applications, wireless protocols with built-in encryption, and the Secure Sockets Layer (SSL) networking protocol for online tools.

2.    Improve Data Authentication Processes

Often, the most significant issues with IoT security are not linked to the devices or tools themselves, but to the passwords and authentication methods that employees use to access their accounts.

Improving authentication processes can be one of the best mitigating factors.

3.    Manage Software and Hardware

Security for IoT needs to be implemented on multiple levels. From a hardware perspective, it is important to store devices securely by keeping them locked away, for example, and limiting the number of employees that can access them.

From a software perspective, organizations need to remember that IoT implementations need to be upgraded over time. 

4.    Isolate IoT devices

For the safety of enterprise networks and personal information, it is often a good idea to isolate IoT devices. “This means that if someone hacks into an IoT device, they won’t necessarily be able to access the entire business technology stack and related personal information.”

Some of the underlying architecture models available for IoT implementations include:

  • Device to device: IoT devices on the same network connect to each other directly via protocols such as Bluetooth.
  • Device to cloud: The IoT devices in an enterprise network connect directly to the cloud and transfer data accordingly.
  • Device to gateway: IoT devices connect to a digital system through a gateway (portal) that translates protocols, filters data, and encrypts information at the same time.

Most of the security practices involve taking a multi-layered approach to protecting connections and devices.

5.    Invest in mobile monitoring

By far, one of the most effective IoT security services that any business can invest in is mobile device monitoring. “While end-to-end encryption and siloed networks are essential, there’s nothing more crucial than knowing the current status of all your IoT devices in real time.”
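
Steps 1, 4 and 5 can be verified together from network flow records when the device-to-gateway model is used. The following is an added example, not part of the original article: it audits constructed flow records for IoT devices that bypass the gateway, use a non-TLS port, or have gone silent. The addresses, port set, silence threshold and record layout are assumptions, and a TLS port is only a proxy for encrypted traffic.

```python
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) layout: IoT devices sit in one segment and may only
# talk to the gateway, and only on ports normally used for TLS.
IOT_NET = ip_network("10.20.0.0/24")
GATEWAY = ip_address("10.20.0.1")
TLS_PORTS = {443, 8883}     # HTTPS and MQTT over TLS
MAX_SILENCE = 300           # seconds without traffic before a device counts as stale

# Constructed flow records: (epoch seconds, source, destination, destination port).
FLOWS = [
    (1000, "10.20.0.11", "10.20.0.1", 8883),
    (1010, "10.20.0.12", "10.20.0.1", 1883),    # plaintext MQTT to the gateway
    (1020, "10.20.0.13", "10.10.5.40", 445),    # IoT device reaching the corporate LAN
    (1300, "10.20.0.11", "10.20.0.1", 8883),
    (1310, "10.10.5.7", "10.10.5.40", 443),     # not an IoT source, ignored
]

def audit_flows(flows, now):
    """Return sorted (device, finding) pairs for isolation, encryption and liveness."""
    findings, last_seen = set(), {}
    for ts, src, dst, port in flows:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip not in IOT_NET or src_ip == GATEWAY:
            continue                                   # only audit IoT devices
        last_seen[src] = max(ts, last_seen.get(src, 0))
        if dst_ip != GATEWAY:
            findings.add((src, "bypasses-gateway"))    # step 4: isolation broken
        elif port not in TLS_PORTS:
            findings.add((src, "unencrypted-port"))    # step 1: likely plaintext
    for dev, ts in last_seen.items():
        if now - ts > MAX_SILENCE:
            findings.add((dev, "stale"))               # step 5: status unknown
    return sorted(findings)

if __name__ == "__main__":
    for device, finding in audit_flows(FLOWS, now=1400):
        print(device, finding)
```

Under this policy, direct device-to-device traffic inside the IoT segment is also reported as bypassing the gateway.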


As individuals’ activities and behaviours are measured, recorded and analyzed, there is a pressing need for developers and policy-makers to turn their minds to informing consumers and citizens as to who collects what kind of personal information, how it is then stored, used and disclosed to whom and for what purposes.

If transparency concerning tracking by devices in the world of the Internet of Things is significant for our relationship with the private sector, it is equally important in our relationship with the government.

It should not be surprising that the richness of information gleaned from the Internet of Things collected for commercial purposes might attract the interest of law enforcement agencies and governments.

Technological development in the context of the Internet of Things has not been matched by an equivalent evolution of overarching privacy governance models.

Not much consideration has been given as of yet to the many privacy implications of having an extraordinary amount of data points that could be collected, aggregated across devices and analyzed not only by the device owners but also by other third parties unknown to the individual.

One key challenge is that, as these technologies become ubiquitous, we may have little or no warning or awareness that they are even in place; they simply become part of the backdrop of our daily lives.

How, then, can citizens who may or may not want to use this technology ensure that someone is held accountable for its use? How will they be able to challenge how the information is used, and how will they be able to give any kind of meaningful consent?

The full impact of the Internet of Things on our privacy may become more evident when its capabilities are combined with other innovations shaping our world today that track not only our activities, movements, behaviours and preferences but our emotions and our thoughts.