Conducting Pattern of Life (POL) Analytics on Big Data generated by the IoT.
Every so often a buzzword or phrase in information security discourse surfaces from the infosec jargon din into broader public consciousness. One such buzz phrase is “pattern of life” analytics (POL). POL, to vastly simplify the definition, is a computerized data collection and analysis method used to establish a subject’s past behavior, determine its current behavior, and predict its future behavior. The number and type of data points that go into this analysis, particularly as it pertains to humans as the subject, have been increasing exponentially over the last decade. The technique can but does not necessarily involve artificial intelligence (AI) and machine learning. The implications of this predictive analytical method in the context of the Internet of Things (IoT) are far-reaching for both governments and businesses. With the recent estimates of IoT financial impact being in the trillions of dollars, Big Data is getting exponentially bigger and data analytics is becoming increasingly important and complex. The privacy/data protection aspects of POL bear closer examination because the laws and regulations are rapidly-changing. POL analytics sounds, well, analytical. It is essentially another term for “profiling”. But the data points available to create POL profiles now are increasingly numerous and intimate than older forms of profiling (thanks in large part to IoT proliferation), the data analytics are far more sophisticated, and the uses to which POL analytics.
Deeper Dive: POL Analytics
POL analytics is an imprecise term that was first used in social sciences including psychology and anthropology. The term has been used in data analytics for decades or more, primarily in the context of spatial analytics, including location analytics. Pattern of life data analytics didn’t go truly mainstream until September 2013, when The Guardian headlined how NSA’s “Marina” metadata application “offers the ability to export the data in a variety of formats, as well as create various charts to assist in pattern-of-life development.” On the same day The Guardian released that report, Tech Dirt, Slash-Gear and The Register discussed The Guardian’s report of that data mining technique. The next week and sporadically thereafter, scores of other publications followed suit. Most recently, in late May, POL analytics again made headline news, when The Intercept published an article about the also-published NSA document, “Medical Pattern of Life: Targeting High Value Individual #1,”. That document discusses data analytical methods being used to track Osama Bin Laden. Also in May, it discussed the NSA SKYNET program, which as defined in the Snowden-leaked document trove, included the NSA document entitled SKYNET: Applying Advanced Cloud-based Behavior Analytics, which discusses how the SKYNET program “applies complex combinations of geospatial, geotemporal, pattern-of-life, and travel analytics to bulk” DNR (phone) data to identify patterns of suspect activity”. By its description, XKEYSCORE, another NSA program, also performs POL analytics, but on internet (DNI) data.
POL and IoT
POL analytics is not restricted to military applications, although the recent uses of the term generally derive from military documents, specifically those of the NSA . As mentioned, the closest, most popular analogous term is “profiling”. The first highly-publicized incident of commercial application of computerized consumer profiling was Target, Inc.’s use of collected and (allegedly) purchased information about customers, first reported by the 2012 New York Times. The reported incident was about use of the information to focus marketing efforts on women it had identified as likely to be pregnant. Based on its data analytics, Target had sent pregnancy-related information to a high-school girl at her residence, also the residence of her parents. The angry father complained to Target, and then followed up with his daughter, about whom he had not yet been informed that she was indeed pregnant. That incident is an early, classic case of POL intelligence that illustrated the point that consumers do not welcome evident invasions of their privacy. This Target case could be considered to be classic POL analysis, or profiling. The private corporate and individual aspects of profiling and business/privacy have not, as is well-publicized, been lost on the legal community. Thousands of articles, both scholarly and mainstream, have been written on the topic. This discussion has intensified as a result of the IoT and the massive privacy challenges it raises. The Intercept’s article about “medical pattern of life” highlights in an odious way one of the key targets of IoT developers and inflames one of the deepest concerns of the public. In an IoT/consumer privacy survey released this week, 45% of the surveyed consumers had a low level of trust in companies that collect IoT, and 35% trusted those companies only “somewhat”.
The privacy aspects of the IoT have also been the subject of too many governmental and organization reports to begin to mention. The following are some highlights. This paper by the Electronic Privacy Information Center (EPIC), submitted during the Federal Trade Commission’s 2013 hearings on the IoT and privacy, details numerous privacy problems raised by the IoT, including wireless radio technologies (WiFi, Bluetooth, RFID and others) as well as the new internet protocol, IPv6 , and GPS communications. In January of this year, the FTC issued its report, Internet of Things: Privacy and Security in a Connected World. The FTC also published a business guide, Careful Connections: Building Security in the Internet of Things. Privacy (referred to in Europe as data protection) is still governed by the antiquated (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive). All interested parties recognized that it was time for a change. In 2012, the European Commission issued a Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or GDPR), which is still being negotiated. When passed, the GDPR will replace the Directive and be self-implementing. That is, unlike the Directive that required national laws to be effective, the GDPR becomes directly binding. Article 20 of the GDPR specifically governs profiling, including in Article 20, profiling that impacts the legal rights of, or results in discrimination against, “data subjects”. Article 20 also tasks the European Data Protection Board to issue guidelines, recommendations and best practices in connection with profiling. In September 2014 the Article 29 Working Party (an independent advisory board established by the Directive) issued Opinion 8/2014 on the on Recent Developments on the Internet of Things. In March 2015 the European Commission initiated the creation of the Alliance for Internet of Things Innovation (AIOTI). The Digital Single Market (DSM), was adopted in May 2015, a move the Commission believes “leads Europe a step further in accelerating developments on IoT.” But beware: the FTC and the European Data Protection Supervisor (EDPS) still have their sights firmly set on data protection, and on July 9, 2015, the EDPS declared its intent to focus on business models whose fuel is represented by the collection and the profiling of personal data.”
Businesses can expect the intense governmental scrutiny on and governance of data analytics (whether it is called “profiling” or POL) and legal compliance to intensify even more in the months ahead.