ENS
  March 12, 2019 - South Africa

Eavesdropping: The Privacy Myth
  by Wilmari Strachan and Jessica Steele

The pervasiveness of the Internet of Things has spawned a recent fear that the devices are listening to the conversations of their users. For instance, the My Friend Cayla doll talks to children and answers their questions by connecting to the internet and using a combination of voice recognition software and Google searches to provide these responses. She has the potential to record children’s conversations and also uses an unsecured Bluetooth device hidden inside her to connect to the internet via an application on a nearby mobile phone.

Similarly, the “OK Google” function is another example that has this potential. Users have been warned that once the functionality has been switched on, personal conversations may be recorded. Certain models of smart TVs also come with an explicit warning to users that their living room conversations may be recorded.

Of late, “eavesdropping” devices have come under the spotlight due to their seeming invasion of our privacy. The truth is that this is a misnomer. Most tech companies are recording and processing personal information lawfully, because we consented to this in order to use their products.

There are exceptions, of course. The most recent example is the FaceTime hack. Only recently did Apple release the software fix for a bug that reportedly allowed hackers to access and listen to conversations on Group FaceTime. Apple said in a statement: “the software update fixes the security bug in Group FaceTime. We again apologise to our customers and we thank them for their patience”. In another example, a consumer watchdog in the United States has reportedly laid complaints alleging that the My Friend Cayla doll has been recording conversations had with children, which can be forwarded, without the consent of parents. German authorities have reportedly gone so far as to ban the toy, citing security concerns after it was shown that the doll was capable of being hacked.

While section 14 of South Africa’s Constitution entrenches the right to privacy, and various statutory requirements have been put in place to ensure the protection of this right, we continue to voluntarily waive our right to privacy. If your immediate response was, “no, I do not”, then ask yourself the following questions:

  • do you have social media accounts and have you read the terms and conditions?
  • how many applications do you have on your phone and have you read their terms and conditions?
  • do you have Bluetooth enabled on your phone and allow applications to send information to you?
  • are the location settings on your phone activated and do you allow applications to track you?

 

Despite our blind acceptance of terms and conditions, there is legislation that attempts to secure our privacy a little more. The Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 prohibits the interception of communications, unless a person who is a party to the conversation has given consent in writing to such interception, or the conversation is intercepted under an interception directive (with some exceptions). The Protection of Personal Information Act, 2013 also lays down broad requirements for how personal information may be collected (for example, with consent).

In terms of current South African legislation, the My Friend Cayla doll would be unlawful if it failed to obtain consent from a parent to record and store conversations of minors. However, when the application with which the doll works is installed, it requires the user (parent) to grant the following permissions on his or her mobile device:

  • record audio;
  • write to external storage;
  • modify the current configuration;
  • open network sockets;
  • connect to paired Bluetooth devices;
  • discover and pair Bluetooth devices;
  • modify global audio settings;
  • access information about networks;
  • access information about WiFi networks;
  • prevent processor from sleeping or screen from dimming.

 

These permissions make it completely lawful for the doll to record audio and store it. They even allow her access to your WiFi network; and she never sleeps.

Similarly, the users of technology such as smart TVs and OK Google appear to have their data processed lawfully. The lawfulness stems from the consent that is directly obtained from such users through their acceptance of terms and conditions.

The hype around privacy and recording of conversations then mostly only serves to alert users to the potential invasion of their privacy, to which they have agreed. However, it may encourage consumers to take a closer look at the privacy policy and terms and conditions of the products they use. It is important that these terms are comprehensive to ensure statutory compliance. Our consumer laws also require that user terms be drafted in plain language, so that users can understand what the risks are and what consent they are granting. Various legislation requires prior written consent from users, whether it is to process their information in a certain manner or to record conversations. In order to be effective, such consent should be obtained correctly.

ENSafrica’s TMT team has extensive experience in smart technologies and the Internet of Things. We can assist you to draft appropriate privacy and other notices and terms.

Jessica Steele is a candidate attorney in ENSafrica's TMT department.

 

Wilmari Strachan

technology, media and telecommunications director, cell: +27 82 926 8751