Researchers at Carnegie Mellon University set out to create advanced smart sensors called Mites. The sensors were meant to collect 12 types of environmental data, including motion, temperature, and scrambled audio, in a more privacy-protecting and secure way than the existing infrastructure of the Internet of Things. But after they installed hundreds of the sensors around a new campus building, the project took an ironic turn when some students and faculty members accused the researchers of violating their privacy by failing to seek their consent first.
The debate that ensued within the Software and Societal Systems Department grew heated and complicated, and it highlighted just how nuanced questions around privacy and technology can be. These are issues that we all have to contend with as a ballooning amount of data is collected on us—inside our homes, on our streets, in our cars, in our workplaces and most other spaces. As we write in the piece, if the technologists whose research sets the agenda can’t come to a consensus on privacy, where does that leave the rest of us?
The story took us over a year to report. We tried to present different points of view about privacy, consent, and the future of IoT technology while acknowledging the very real roles that power, process, and communication play in how technologies are deployed.
One truth emerged clearly in the reporting: privacy is subjective—there is no clear set of criteria for what constitutes privacy-protecting technology, even in academic research. In the case of CMU, people on all sides of the debate were trying to advocate for a better future according to their own understanding of privacy. David Widder, a PhD student who focuses on tech ethics and a central character in our story, told us, “I’m not willing to accept the premise of … a future where there are all of these kinds of sensors everywhere.”
But the very researchers he criticized were also trying to build a better future. The chair of the department, James Herbsleb, encouraged people to support the Mites research. “I want to repeat that this is a very important project … if you want to avoid a future where surveillance is routine and unavoidable!” he wrote in an email to department members.
Big questions about the future were at the core of the CMU debate, and they mirror the questions we are all grappling with. Is a world full of IoT devices inevitable? Should we spend our time and effort trying to make our new technologically enabled world safer and more secure? Or should we reject the technology altogether? Under what circumstances should we choose each option, and what mechanisms are required to make these decisions collectively and individually?
Questions around consent and how to communicate about data collection became flashpoints in the debate at CMU, and these are key issues at the core of tech regulation discussions today as well. In Europe, for example, regulators are debating the rules around informed consent and data collection in response to the pop-ups that have been cluttering the internet since the passage of the General Data Protection Regulation, the European Union’s data privacy law. Companies use the pop-ups to comply with the law, but the messages have been criticized for being useless when it comes to actually informing users about data collection and terms of service.
In the story, we similarly focus on the differences between technical approaches to privacy and the social norms around things like notice and consent. Cutting-edge techniques like edge computing may help preserve privacy, but they can’t necessarily take the place of asking people if they want to participate in data collection in the first place. We also consistently encountered confusion about what the project was and what data was being collected, and the communications about data collection that we reviewed were often opaque and incomplete.