Regulators and product makers need to do more to protect consumer data in the Internet of Things (IoT), as the rapid proliferation of web-connected devices is leading to the potentially irreversible erosion of our personal privacy. That is among the key findings of a new research report, Privacy and the Internet of Things: Emerging Frameworks for Policy and Design, published by the UC Berkeley Center for Long-Term Cybersecurity in partnership with researchers from the Internet of Things Privacy Forum.

“From fitness trackers that detect your heartbeat to personal home assistants like Amazon Echo that capture conversations in the background, a growing number of internet-connected devices are quietly monitoring our behavior within and outside the home,” says Steven Weber, Faculty Director of the UC Berkeley Center for Long-Term Cybersecurity. “This report not only exposes the privacy risks inherent to the IoT, but it outlines potential steps that policymakers and product designers can take to ensure consumers’ privacy is not leaked as part of these devices’ normal operations.”

The researchers who authored the report—Gilad Rosner, Founder of the IoT Privacy Forum, and Erin Kenneally, who works with the U.S. Department of Homeland Security’s Science & Technology Directorate—based their findings on a series of workshops and interviews with scholars, regulators, industry practitioners, and other experts, as well as a robust review of existing scholarship about privacy and the IoT. The resulting report provides an overview of some of the key privacy issues resulting from the expansion of the IoT, as well as emerging frameworks that could help policymakers and corporate leaders reduce potential harms through regulation and product design.

Following an introduction to the IoT, the report lays out some of the key privacy risks and challenges that are accompanying the proliferation of web-connected devices. It also details a variety of options available to protect consumer privacy, including enabling greater user management and control, improving notification procedures, and advancing a robust policy framework.

Among the findings outlined in the report.

As ‘smart’ becomes the new default setting for devices, consumers are losing the ability to monitor and control the data collected about them, and they often have little awareness of what is done with their data downstream. The risks are not always clear, particularly as companies can combine data from different sources to infer an individual’s habits, movements, and even emotions.

The IoT has the potential to diminish the sanctity of spaces that have long been considered private, and could have a ‘chilling effect’ as people grow aware of the risk of surveillance. Yet the same methods of privacy preservation that work in the online world are not always practical or appropriate for the personal types of data collection that the IoT enables.

Several frameworks have emerged for addressing the privacy issues that the IoT presents. Some focus on giving users more meaningful, granular control over the data that is collected, when data is collected, and how it is shared, while others focus on the accessibility and correct timing of privacy notices.

Policymakers should take steps to regulate the privacy effects of the IoT before mass sensor data collection becomes ubiquitous, rather than after. Omnibus privacy legislation can help regulate how data is handled in the grey areas between sectors and contexts.

Makers of IoT products and services should employ a variety of standard measures to provide greater user management and control, as well as more effective notification about how personal data is captured, stored, analyzed, and shared.

To download the report, Privacy and the Internet of Things: Emerging Frameworks for Policy and Design, please visit https://cltc.berkeley.edu/IoTprivacy. A more detailed version of the report, entitled Clearly Opaque: Privacy Risks of the Internet of Things, can be found at https://www.iotprivacyforum.org/clearlyopaque.