October 13, 2019
Share this post:
Author: John Martin, Senior Security Architect, IBM New Zealand
A colleague was telling me recently that he and his wife had been idly viewing an open house on the weekend. It was a routine, everyday moment – but then something caught his attention.
The estate agent was using an iPad to allow visitors to register their interest in the property. The registration requested the usual information: name, address and contact details. There was no explanation or rationale for having to register, just a prompt to ‘Register here”. But what really got my colleague’s attention was the fact that the iPad’s camera was on.
His first thought was ‘why’? What purpose could there be for the camera to be enabled and turned on?
A simple explanation, or something more concerning?
When he explained the scenario to me, my thoughts went beyond just the immediate privacy concerns the camera posed. What if the iPad was listening to and recording the comments of people in the vicinity as well? Most people probably wouldn’t think of this possibility, or even put two and two together, but let’s consider the implications.
In this situation, with an open invitation to register, your picture is being taken, and any reactions during your visit are potentially being recorded. Plus, if the iPad is connected to a wireless network, your details could be immediately transmitted to the estate agent’s office for further follow-ups, or sent via the internet to anywhere in the cloud. And all this could take place without your knowledge, after being given no explanation for the need to register, apart from a simple request.
Factoring privacy into your everyday decisions.
So what is wrong with the aforementioned scenario? First of all, there’s no explanation of why you should register via the iPad, why its camera is turned on, whether recordings are enabled, or how and why the information is being collected and analysed.
By default, you have been ‘opted in’ to something without knowledge of how or why your details are being captured, what is being recorded, and where it is being stored or for how long.
Knowing all that, would you be a little hesitant? What would you do?
1) Ignore it – This is probably the typical reaction, and it’s understandable to just assume there’s nothing to be concerned about.
2) Request an explanation – Ask the estate agent what’s the purpose of the registration, why the camera is on, and whether recordings are taking place. If you like the property and say “I would like to live here”, could your recorded words be construed as a positive affirmation you would agree to buy the property? What are the implications? Does registering give the estate agent your permission to use the information any way they want to?
3) Ask them to erase your details – You can, but what if the estate agent is evasive? Do you report the incident to the Privacy Commissioner’s Office via their complaint scheme?
4) Turn off the iPad or cover its camera – This might not be a good idea, as you could be accused of criminal damage.
5) Ignore the registration or walk away – If you’re concerned about privacy, this is probably the best course of action.
My advice: if you suspect your information is being captured with no explanation given, ask questions. If you’re still uncomfortable, take a few photographs of the scene and report it. In New Zealand, you can lodge a complaint with the Privacy Commissioner’s Office via their complaint scheme here and in Australia you can lodge a complaint with the Office of the Australian Information Commissioner here.
And remember, the need to exercise the same privacy and cybersecurity vigilance in your business as you do in your personal life. If you’d like to learn how you can create an integrated and cohesive cyber resilience plan in your organisation, speak to the experts at the IBM Cyber Elite today.