McAfee’s Jonathan Fox (left) and Tyson Macaulay
McAfee’s Jonathan Fox (left) and Tyson Macaulay

The question has been posed: Privacy and the Internet of Things (IoT), can they coexist? However, a better question is: Can privacy and IoT thrive together?

The answer is a resounding Yes! Together, they bring unparalleled value, opportunity, efficiency, service, and connectivity. But, for privacy and IoT to thrive there needs to be commitment, discipline, imagination, respect and restraint, by those who work and exploit in the personal information ecosystems that IoT is creating.

There are different definitions of privacy. In this discussion, we are talking about data privacy, which can be defined as the fair, legitimate and authorized processing of personal information.   

IoT includes devices that are manipulated by people (smartphones, desktops, tablets), devices that support very limited interfaces (point-of-sale and medical tools), and devices that communicate with other devices in the process of observing or managing the physical world (remote sensors, location trackers, meters, industrial controls) in automated or semi-automated manners. It all sits on a common network technology, like internet protocol (IP), or behind a gateway sitting on an IP network. One way or another, most of these networks are connected.

"Privacy needs to
be thought of as
a functional requirement..."

For privacy and IoT to thrive, here are a few pre-requisites: There needs to be adoption and formalization of the notion of privacy engineering so that devices, sensor and networks that form the IoT are designed, built and managed to ensure that personally identifiable information (PII) is flagged early in the design process, and privacy is built-in and not bolted-on.  

Privacy needs to be thought of as a functional requirement and not just a quality attribute. In order to do this, one must look at the components of privacy as articulated by such things as the Fair Information Practice Principles (FIPPs) and The Generally Accepted Privacy Principle (GAPP), and apply them to the data and functions of what is being created throughout data's lifecycle.

A shift in perspective is also needed around privacy policy from being a document linked to a web page that delivers boring but necessary notices about data practices to becoming a strategic document that's essential and highly valued. The privacy policy  must inform and guide use cases, business data models and user requirements in a more articulate way than just “meet privacy compliance.”

Be prepared to be more expansive and less narrow as to what is PII. The definition must move beyond standalone datasets that include individual identity and activities to include the notion of being able to link and correlate identity and activity across infobases. 

Finally, the corporation must be strong, willing, able and supportive. It must recognize trust and respect and abide by the notion that users of IoT are its customers and not its inventory.

There is and always has been a tension between privacy, technology and innovation. IoT is not the first example of this tension. With each challenge we have learned to not merely co-exist, but thrive. IoT will be no different. In fact, good privacy engineering will help the IoT accelerate and thrive.


At McAfee, part of Intel Security, Jonathan Fox is director of data privacy and Tyson Macaulay is global VP of telecommunications strategy within the office of the CTO.