Critical Privacy Challenges for Kiosks & Smart City

Consider what ATMs did for banking. But with that flood of consumers interacting with these kiosks routinely, there is a powerful temptation to leverage all of that data and to try and monetize it–or to just sell it to others who will try and monetize it.
Critical Privacy Challenges for Kiosks & Smart City
Like

Kiosks are wonderful devices, which can make useful everyday tasks so much easier for customers.

Introduction

Consider what ATMs did for banking. But with that flood of consumers interacting with these kiosks routinely, there is a powerful temptation to leverage all of that data and to try and monetize it–or to just sell it to others who will try and monetize it.

In many instances, such a business move can prove fruitful and should be attempted. That said, in 2022, there are a flood of new privacy rules and consent litigation that go well beyond compliance rules. Companies using kiosks would be well-served to be familiar with those rules, have a handle on what those rules will likely look like in a few years and what data-uses are worth the risk and which ones are not.


Cybersecurity Implications

Beyond privacy rules, data-retention and re-use can also have material cybersecurity implications, which brings its own compliance and litigation risks. The first cybersecurity fear is an attack–possibly cyber, possibly physical–on the kiosk directly. That could include breaking into the machine to steal data immediately or to plant a trojan to steal data later and continuously. Or they could repurpose an old ATM tactic and replace your frontplate with theirs, allowing them to grab the data the instant it is typed in. And sometimes it is the POS till (see Doom on McDonalds).

The second cybersecurity fear involves the thieves stealing the data after it leaves the kiosk, either from your systems or from the system of someone with whom you have shared the data. It’s the external partners/vendors where things can catch business people offguard.

It is clear that when an attacker breaks into your system and steals data, bad consequences will happen. But what happens when the break in happens at your cloud provider, your backup company, your disaster recovery firm, the personal laptop of your employee who was working at a local coffee shop or even the company that is paying you to leverage your kiosk data?

Where Does Liability Start?

When the attack happens at any of those places, the data liability will invariably come back to the point where the data was initially entered: one of your kiosks. When the authorities find that the data includes some sensitive information (maybe PII) about a consumer. The consumer is then asked where they shared such data and if that brings authorities to your kiosk, you are likely going to be held responsible. After all, you hired that backup company, cloud server or employee. Their sloppiness becomes your liability.

Another danger area is when your kiosk is quietly retaining and sharing data without your knowledge. This speaks to where you are getting your kiosk from and how thoroughly are you examining the software before you deploy it. There are many less-than-reputable vendors out there–especially overseas–and it’s important to carefully screen them. Our team is always at your disposal for such matters, given how well we know the companies out there.

Privacy compliance (HIPAA, PCI, GDPR, CCPA, ADA, etc.) can seem overwhelming and the rules change depending on vertical, geography and the nature of your users. But there are some simple guidelines that will help avoid privacy compliance headaches most of the time.

Privacy Guidelines

The rules often focus on notification and permission. Getting users to opt-in on all data-retention or data-reuse efforts is a terrific first step. Companies often get into compliance trouble when they add some data efforts and forget to go back and get opt-in permission from all users.

To truly be safe–or at least safer–create a mechanism for users who opt to not agree to the new data use to continue to use the site, with the system knowing to not use their information at all. Some regulators are starting to crack down on companies who deny access to anyone refusing to opt-in, arguing that such a demand makes the opt-in not entirely voluntary. If an incident gets to caught, you may regret forcing everyone to opt-in on data use or else be blocked from using the kiosk. In short, that terms and conditions screen needs to have a “no thanks” button that still lets people in.

Another issue is meaningful consent. Is the wording in your opt-in form clear to the average user of your self-checkout kiosk? Is it explicit about all of the data uses you have in mind, current and future? If it can be reasonably argued that your wording was confusing or not sufficiently specific, you may have regulator issues.

What data use plans should you have? This gets tricky. The best scenario hypothetically is to generate revenue from the kiosk use itself and leave data-monetizing to others. That is the safest route. That said, there is going to be a lot of business pressure to try and monetize user data and the dollars can look quite attractive.

This forces the first decision: Are you looking to try and monetize the data directly or is your plan to sell the data to a broker or some other third-party and let them do the monetization? Both approaches can be successful, but remember that a third-party may not limit themselves to doing what they told you. And given that the data is from your users and obtained via your kiosks, responsibility and liabilities stay with you. So–How much do you really trust that data broker?

Protecting User Data

Yet another concern is cybersecurity protections of your data. We mentioned earlier the various ways–physical and virtual–that a thief can attack your kiosk. One popular tactic is to encrypt, tokenize or mask your data, on the hope that it will make the data useless to the bad guys. Locking the system down with software is another.

That is an excellent idea and it will later help to demonstrate to regulators that you invested in ways to try and protect user data. But remember that all encryption and related systems only hello after the data has been changed. If the thief can grab the data before the encryption does its magic, you’re in trouble. Other than the false front methods discussed earlier, attackers could do something as simple as planting a video camera so that it is focused on the screen and the keyboard, capturing credentials for full access.

Biometric Authentication

Regarding authentication, biometrics–especially facial recognition–is becoming quite popular. It is another excellent technique, but a lot depends on your setting choices. You have two choices: have more false negatives (people who are legitimate but that the system denies access) or more false positives (users who are fraudsters but they get approved anyway.) The security argument is to opt for strict settings, but the convenience for users argument is to opt for lenient
settings.

Choose your poison.

For more information email info@kioskindustry.org


Part 2 of Privacy — next time Evan will expand into verticals  (healthcare?)