EU consultation on internet-connected products and privacy
Public consultation: Internet-connected radio equipment and wearable radio equipment
Consultation launched by the Commission on 9.8.2019
Based in part on a 2016 Norwegian study by the Norwegian Consumer Council (Forbrukerrådet) of internet-connected toys, the Commission has launched a consultation on connected devices. The purpose is to assess whether the EU should take steps to ensure that privacy rules are complied with.
Background
BACKGROUND (from the Commission's roadmap of 28.1.2019)
Context
Large numbers of radio equipment are used on a daily basis, not only by adult consumers or professional users, but also by vulnerable users and children. For the latter users, in December 2016, the Norwegian Consumer Council looked at the terms and the technical features of selected radio-connected toys [1]. The findings show a possible lack in the protection of children’s rights to privacy and security. These toys are "smart" and can interpret speech, making them capable of interacting with the child. They may also record not only photos, videos, geolocalisation data, data linked to the play experience, but also heartrate, sleeping habits or other biometrical data, according to the integrated sensors. To enable these new features, these products are equipped with speakers, and microphones and other sensors, and they can be connected to phones/tablets or directly to the internet. The ability of these products to record, store and share information raises concerns about safety, security, privacy and social development.
In the same way, some smart wearable devices allow to use an application to keep in touch with and/or track the location of the users. A specific example of these products are smartwatches intended for children. These devices may also contain a SIM-card, allowing children to connect to the Internet through mobile-networks or a Wi-Fi connection. In its most basic form, the smartwatch functions as a mobile phone or a tablet attached to the wrist, which connects to the parents’ phones through an app. The use of a combination of GNSS and Internet data can also allow real-time location tracking and direct communication. They can also store names, photos and geolocation data.
Problem the initiative aims to tackle
Through a few simple steps, as shown in the report of the Norwegian Consumer Council, a stranger can take control of the watch without having physical access to it, and eavesdrop on and communicate with the child. They might be able to track the child as it moves or fake the location of the child. The report also shows that some of these toys can also advertise products when interacting with the child, which may not be in line with the expected transparency of this kind of products. For this reason, its outcome has become part of a call for action from the European Consumer Associations [2].
However, connected toys and smartwatches are just a part of a broader sector, which may present similar risks. Baby monitors, smart appliances, smart cameras and a number of other radio equipment are also examples of equipment at risk of hacking and of privacy issues. In 2016 in EU28, there were nearly 125 mobile phone subscriptions per 100 inhabitants [3]. Mobile phones and other devices connect to the Internet via a mobile network using a SIM card. The latter include certain laptops, dongles, alarm systems, home automation systems. Many other smart products connect to the Internet using Wi-Fi (e.g. home automation centrals, web cameras, TV sets, etc.).
Consumers, experts and international organizations are concerned about the ways in which personal information and data are collected and shared [4] and how these data may be used for illicit practices. Also EU Member States have highlighted to the Commission that given the increasing risks in the area of cyber security due to the increase of connected products, it would be beneficial to apply a minimum level of security to all radio equipment directly or indirectly connected to the internet [5]. This would imply requirements that such radio equipment supports the protection of personal data and privacy and prevents loading incompatible or malicious software.
Manufacturers of internet-connected devices, most of which are expected to be part of the Internet of Things (IoT) are being requested to minimize data collection, perform privacy assessments, and implement privacy and security standards and/or certify them, on top of the traditional product safety. In fact, the IoT development brings the need for improved digital security not only for individual users but also for society as a whole. This initiative will consequently focus on (1) wearable radio equipment and (2) internet-connected radio equipment, i.e. radio equipment intended to be
(i) connected (directly or indirectly) to or
(ii) controlled through the internet.
Numerous Member States and Consumer Associations raised the attention to these issues to the EU Institutions and also to the members of Telecommunications Conformity Assessment and Market Surveillance (TCAM) Committee as well as the TCAM Working Group.
[1] https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws/
[2] http://www.beuc.eu/publications/beuc-x-2018-017_cybersecurity_for_connected_products.pdf
[...]