Warning: your shower is spying on you!

Nortal HQ

When you flush the toilet, do you ever stop to wonder what this reveals about yourself to your water provider? In his master’s thesis, Mihkel Kasepuu, a Java developer at Nortal, shows that maybe you should.

It’s not news that free apps or wearables that monitor our daily activity collect data that people leave behind with almost every step they take. In theory, this data can be used to provide personalized advertisements or services. But free apps or wearables are not the only means of collecting data.

Studying at Tallinn University of Technology, Kasepuu became interested in the Internet of Things (IoT) and had the opportunity to gather data from homes with smart water meters. Through the course of his research he came to the conclusion that frequently displayed domestic data can reveal sensitive personal information.

“The end user might not often understand what kind of information he or she is revealing,” Kasepuu says, explaining how smart water meters can deliver indications that reflect a person’s health, activities, or whether the person is at home. “Analyzing this data may indicate how many people live at a particular household, how much they sleep on average or whether they have some kind of health problem.”

Kasepuu’s thesis was supervised by Lauri Ilison, Head of Big Data and Machine Learning at Nortal, who sees this as an excellent example of the problems IoT is bringing to the world. He says that at first sight it might seem nice to live in a world where everything is measured, tracked and made easy to understand.

“Until we become aware that the data can also be interpreted in a different context, revealing information that we’d rather not share with strangers,” Ilison explains. “If our water consumption is measured every five minutes, this data can be used to know when we come down with a food bug, for example. I’m pretty sure this is information we’d prefer to keep to ourselves.”

He believes IoT is facing a serious challenge in terms of how to offer personalized data-based services and goods without revealing sensitive intimate information. The debate has been going on for a few years already, and has on several occasions made it into the international news. Like the case in 2014 when New York City released data about 173 m individual taxi trips, making it inadvertently “trivial” to find the personally identifiable information on every trip in the dataset.

“Companies have not actually understood what the data they have gathered can tell them and what the actual implications are,” Kasepuu adds. “Perhaps the most important aspect is that the data can be used to guide companies to understand the implications for the end user.”

Kasepuu’s research is even more compelling in light of the European Union’s new General Data Protection Regulation (GDPR) that will be enforced from the end of May 2018. In light of the GDPR, companies are faced with the challenge of pinpointing where personal data is stored and processed in their organization and which business processes require the processing of personal data and why.

“Companies need to consider whether the way they gather and process data will still be legal at the end of next year and whether alternative solutions could be used to bypass these concerns,” Kasepuu says.