Smart glasses and data protection
Overview of the main implications for data protection of smart glasses on occasion of the publication of the first Technology report (“Smart glasses and data protection”) by the European Data Protection Supervisor.
Whereas smart glasses may be deemed as the next step for technology-disruptive devices and they have a high potential to make people’s lives easier, their use also involve high risk for individuals’ data protection rights where the privacy by design principle is not properly implemented.
When it comes to smart glasses and data protection, some features like image and video recording, collection and storage of metadata, sensors, WiFi, connection with internet and other IoT devices and facial recognition can undermine the privacy of individuals, both users and non-users. A lack of security in smart glasses and data protection would not only affect users, whose personal information might be spied or stolen, but also individuals in their proximity, which data might be collected without their consent.
Article 29 Data Protection Working Party analysed the security aspects of IoT/wearable devices in its Opinion on the Internet of Things and came up with some of the main threatens:
-Lack of data control by users and specially non-users.
-Intrusive analysis of behaviour and profiling.
-Lack of anonymity due to the high identifiability of the information being processed.
-The processing of special categories of data, which requires special safeguards.
-The security risks inherent to mass market products.
Not only the regular use of smart glasses poses privacy threat, but they are also vulnerable to hacking attacks. In 2013 and 2014, researchers demonstrated that it is possible to replace the operating system in Google Glass, plus they found that they could craft malformed QR codes that when photographed crashed glass, encrypted the device’s communications or directed it to a malicious website designed to take full control of the device. Physical security might be the target for Google Glass hackers too, as they could access data recorded at users’ houses.
Google Glass has effectively disappeared from the consumer market, but other companies have launched their own version of the product, like Snap, Inc. and the glasses “Spectacles”, targeted to young audiences and priced below 200 €. Smart glasses are expected to be widely available within a decade, which brings to light the need of Regulation beyond GDPR and ePrivacy, or at least the completion of the revised data protection framework, as when it comes to smart glasses and data protection it involves specific risks for privacy that require particular solutions, as for example:
-Ban camera features except for services in charge of security and safety.
-Design them to be easily distinguishable from non-smart glasses.
-Local storage implications (as opposed to say cloud storage)
-Data breach reports.
-Training for users. A survey presented by Snap, Inc demonstrated that most consumers do not perceive smart glasses can threaten their privacy and data protection, thus privacy concerns do not significantly impact their adoption intention.
Data protection legislation (among others) is fully applicable to smart glasses, but several privacy concerns have to be evaluated in their application and appropriate measures have to be applied in every different context due to the particular nature and features of smart glasses, which make them different from other IoT devices.