Internet of Things and cloud raising 'unsettling' questions over online privacy and security, warns expert

Christopher Millard, Professor of Privacy and Information Law at Queen Mary University of London, argues legislation needs to be updated for the connected world

The emergence of the Internet of Things (IoT) and the means with which it exchanges data with cloud services is set to raise unsettling questions about online privacy and security, an expert has warned.

Christopher Millard, Professor of Privacy and Information Law at Queen Mary University of London was speaking at The Royal Society as part of a discussion on the question "Can our online lives be private?"

"We are on cusp of cloud meeting IoT and having to tackle how to make sense of IoT and cloud using existing technology and legal concepts," he told the audience.

"There are already more things connected to the internet than people. There will soon be many times as many things connected than there are people on the planet," Millard said. "That could be a game changer as to whether our online lives can be private."

Millard described cloud computing as "unsettling" because its proliferation into our everyday lives - be it for document storage or social media - creates a number of issues for consumers and businesses alike.

"It unsettles legislators and regulators who are trying to apply current trade legal and regulation principles to what happens in the cloud," he said.

The reason, he explained, is because in many instances, the Internet of Things and cloud technologies don't make it simple to manage privacy options, that is if they even do at all.

"There are lots of actors to consider when you evaluate how private you can be in the cloud. Can you control the way your data might be collected, seen and used? And do you use the controls you already have?" Millard asked, before arguing that there is plenty of evidence to suggest that people tend to be careless with online privacy settings.

"My anecdotal observation is most people don't take even the most trivial and basic care of their privacy. Popular passwords are 'admin' and 'password'. Buy an internet-enabled camera or baby monitor, there's no password set, or if there is, it's ‘password'," he said, before adding that companies "shouldn't be selling kit that is by design open to anyone who want to try to look into it".

Last November, it was reported that a Russian website run by hackers allowed access to British webcams and baby monitors.

Millard told the Royal Society audience that there are a lot of options for improving safeguards "but most people don't even use simple options like setting strong passwords". He suggested imposing two-factor authentication on Internet of Things connected devices would go some way to preserving privacy.

"Friends and relatives say it's a pain, but it hugely increases security of services like that," Millard said.

"But laws don't specify what technology you should use and we may get to the point where it's not enough to have random weak passwords, but we need to force people to use some other form of authentication," he said. But then Millard questioned who could be trusted to do that.

"[Can] you can trust cloud service providers with data - given they're not terribly good at looking after data in the first place," he said, referencing high-profile cloud data breaches such as last year's celebrity iCloud hack.

Ultimately, Millard suggested, the law is "a mess". He argued that "regulators used to know where data was," but now they're still using out of date legislation from the 1970s and applying it to 21st century technologies, creating a "bureaucratic nightmare" that will only get worse.