This article is courtesy of TechRepublic Premium. For more content like this, as well as a full library of ebooks and whitepapers, sign up for Premium today. Read more about it here.
The Internet of Things will complicate security, redefine privacy, and require new laws. Both business and government must rise to the challenge — and they need to get started right now.
The Internet of Things (IoT) is arguably the most disruptive technological development on the horizon, raising a host of security, legal, and regulatory questions. This article examines the cybersecurity risks and privacy concerns in an IoT paradigm, the main legal issues for the enterprise, federal regulation, and proposed IoT best practices for business. It argues that business leadership and effective government action will both be essential to gaining the full benefits of IoT and ensuring consumer privacy.
A roadmap for the Internet of Things
Tech research firm Gartner defines the Internet of Things (IoT) as "the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment." It predicts that the number of devices will reach 26 billion by 2020. Networking equipment giant Cisco takes that even further: 50 billion objects by end of this decade. Both estimates are larger than the population of the planet. What a global network of connected devices on such a scale will mean to society is unclear at present. But it is safe to say that the Internet of Things will be very big — and very disruptive.
Many of the questions about IoT are focused on two pressing areas: data security and consumer privacy. To provide much needed answers, consumer groups, government agencies, and legislatures will need to act. Business leadership, moreover, is imperative. Executives and IT decision makers may be paying more attention to marketing and implementing networks of connected devices. But in a world where billions of devices are silently collecting and transmitting data, businesses will have to assess and manage the risks to individual privacy and information security and be prepared for potential litigation and regulatory action.
The list of IoT devices is impressive and goes beyond consumer products: embedded medical devices like pacemakers and insulin pumps; "smart" cars logging miles on public roads and cars with devices in security and braking systems; residential and commercial security; utilities deploying smart grid technologies; and municipalities building networked infrastructure. The benefits of IoT include better healthcare and environmental monitoring, faster shopping and improved customer experiences, and enhanced security. As of now we can't project the full range of benefits stemming from large streams of data from cyber-physical devices that did not previously exist.
Enjoying this article?
Download this article and thousands of whitepapers and ebooks from our Premium library. Enjoy expert IT analyst briefings and access to the top IT professionals, all in an ad-free experience.Join Premium Today
When it comes to privacy, what will the "new normal" look like when IoT comes into full force? How will consumers be given clear notice, and give consent to data sharing, when so many networked devices touch their lives, many of which they may be unaware of? What will businesses that collect and share consumer data have to do in the future? If consumer trust is a necessary element of fully reaping the benefits of IoT, as I believe it is, what should businesses voluntarily do to self-regulate? It is still unclear how strongly the law will support individual privacy in the IoT era or even what privacy will mean.
IoT is big and will only get bigger. There are far more questions that answers — even security professionals are struggling to understand all the implications and possibilities. The time for business leaders to start seeking answers, however partial and provisional, is now.
IoT security concerns
The risks to privacy and personal security in an IoT world sound like the stuff of science fiction and spy thrillers... except that they are real. Some have already been documented and reported. The Washington Post reported in October 2013 that doctors of former Vice President Dick Cheney ordered the network functionality of his new pacemaker disabled. The reason? A possible assassination attempt by hacking. In July 2014 The Economist reported on credible risks to carriers of connected insulin pumps. Security researcher Jay Radcliffe discovered that a hacker could alter the doses that the pump administers, making them potentially fatal.
While BYOD (bring your own device) has created new security and privacy concerns for organizations, IoT will produce a far greater number of connected devices, extending security concerns beyond traditional endpoints. It is safe to say that the potential risk to sensitive and confidential data has never been greater. Criminal interests will target networks of IoT devices for the rich mine of information they can yield. Tens of billions of networked devices thus increase the chances that businesses will make mistakes that open the door to litigation and government sanctions.
Given the potential risks, many manufacturers of IoT devices do not have sufficient expertise in cybersecurity. That needs to change and quickly: The public and private sectors as well as consumer groups have to see to it.
Security researchers have found that large data sets, from multiple sources, can be re-identified even after attempts are made to anonymize them. In essence, hackers can triangulate the data and assemble personally identifiable information (PII) and locational data from them.
The potential for accessing real-time and situational data about individuals and organizations also exists. Video streams from networked cameras, biomedical readouts, the location of someone's car — even whether a house's doors are locked — are all possibilities.
The context of what is "identifiable" information in an IoT world is taking on ever-larger proportions. Businesses have to provide the innovations and practices to answer the need for privacy, and federal and state governments will need to enact and apply the safeguards for consumers.
Main IoT legal issues
The list of potential IoT privacy leaks is long, even frighteningly so. The National Institute of Standards and Technology (NIST) defines personally identifiable information (PII) as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
Without user interfaces on many connected devices, traditional privacy policies and guidelines, such as notice and consent, will have to be adapted to an IoT paradigm. Questions that businesses and their legal counsel will need to address include what consumer data should be collected and to what extent, when selling or sharing user data will be permissible, and how they will handle security breaches and legal discovery in regard to informing consumers and relevant entities.
The IoT privacy paradigm is going to be different, perhaps even radically so. All the players involved — executives, IT managers, and lawyers — must realize that the legal environment is going to be highly disrupted by the Internet of Things. Plan early, plan often.
Who will own the data collected by billions of devices that interact with each other and generate vast amounts of data — information that can be analyzed and monetized? The answer in part will depend on the user agreement, or the opt-in selections when someone purchases a device. Some expect the manufacturer will own the data. It is also possible that data ownership battles will be ongoing in an IoT world. At present there is no answer: The issues have not been tested in the courts and no comprehensive legislation exists. But we will need, sooner rather than later, a legal framework for IoT device operation and data ownership.
When an IoT device produces and reports incorrect or misleading data, how will the manufacturer or operator be held liable? Incorrect readouts and locational data and even faulty biomedical information could all have serious consequences. Companies will have to accurately represent their products and the services associated with them and be vigilant about flaws that come to light. IoT device makers may not face greater risk than GPS manufacturers, but since IoT is still new and rapidly evolving, it is still too early to know.
Federal regulation of IoT
Regulators are starting to examine Internet of Things privacy and security issues. In the absence of comprehensive federal legislation, the Federal Trade Commission (FTC) is taking a leading role in regulating IoT. The FTC Act gives the commission both investigative and enforcement authority; section 5A prohibits unfair or deceptive acts or practices in the realm of commerce. The Commission asserts broad authority to regulate privacy and security practices regarding IoT under this provision, in addition to the authority granted by other statutes. The FTC's right to do so has been challenged, but its actions have not yet been curtailed.
In September 2013, the FTC took its first action against an IoT manufacturer. Its complaint against TRENDNet, a maker of networked home video cameras, alleged that lax security allowed anyone with the camera's web address to access live video and audio feeds. TRENDNet's products enable consumers to monitor their home via a web browser or mobile app. The FTC found that TRENDNet "failed to use reasonable security to design and test its software, including a setting for the cameras' password requirement." The action resulted in a settlement.
FTC privacy framework
In March 2012, the FTC released a report to US businesses detailing best practices for consumer privacy and greater control over personal data. In the report "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers," the Commission calls on Congress to enact privacy, data security, breach notification, and data broker legislation.
"If companies adopt our final recommendations for best practices — and many of them already have — they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy," said Jon Leibowitz, FTC Chairman, in the press release for the report.
The FTC recommends the following practices to companies collecting and using consumer data:
- Privacy by Design. "Companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy."
- Simplified Choice for Businesses and Consumers. "Companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities."
- Greater Transparency. "Companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them."
A new privacy paradigm
In conjunction with a public workshop about the Internet of Things held by the Federal Trade Commission in November 2013, the Future of Privacy Forum (FPF) published a whitepaper titled An Updated Privacy Paradigm for the "Internet of Things" [PDF].
Written by FPF co-chairs Jules Polonetsky and Christopher Wolf, the paper argues that in a world where connected devices are ubiquitous, the Fair Information Practice Principles (FIPPs) as they are currently applied will have become outmoded. They advocate a balance between consumer privacy and technological progress.
The authors write, "Rather than focusing on how information is collected and communicated, we should rely on how personally identifiable information is used," and they propose the following six principles to achieve that aim:
- Use anonymized data when practical. This decreases the risk that PII will be used for unauthorized or criminal purposes. "When data sets are anonymized and stored properly, re-identification is no easy task."
- Respect the context in which personally identifiable information is collected. This should not focus only on what consumers reasonably expect; unexpected new uses of information could enable social advances or product innovations. "Rigidly and narrowly specifying context could trap knowledge that is available and critical to progress."
- Be transparent about data use. Organizations making decisions that affect individuals should disclose the criteria they use. This will help ensure that inappropriate factors such as ethnicity or political affiliation will not be considered. "Insurance companies, for instance, could disclose that they determine premiums solely by reviewing driving habits, location, driving history, and other permissible data categories."
- Automate accountability mechanisms. These could be developed to determine how PII is used and whether those uses abide by established polices. "As data flows become more and more complex, it will become more and more difficult for individuals to monitor and enforce privacy compliance... organizations should develop and implement automated systems that can monitor and assess the myriad uses and transmissions" of PII.
- Develop codes of conduct. Such codes can help erect frameworks enabling individuals and parents to indicate usage preferences with connected devices and how third-party devices would communicate with them. "Self-regulatory codes of conduct will be the most effective means to honor these preferences and others in the rapidly evolving landscape of the Internet of Things."
- Provide individuals with reasonable access to personally identifiable information. Business should allow access to PII, with the added benefit of promoting consumer trust and engagement with IoT. One way would be to "offer tools that allow users to add, tailor, or featurize data, perhaps by allowing access via third-party application programming interfaces. The more effectively that data is anonymized, the less the need and the ability to provide detailed access."
The Internet of Things is only just beginning to change the way people live and work in the United States and around the world. The possibilities and potential benefits are immense; likewise the answers that businesses and governments provide to security and privacy questions can have a profound impact on how well and how quickly society reaps those benefits. Consumers — and taxpayers — should expect and demand accountability from both the private and public sectors.
Individual privacy in an IoT world will be secure only if the devices and networks are secure and effective mechanisms are in place for updating and improving their security capabilities. The harsh consequences to privacy and even personal safety should be reason enough for all parties involved to be vigilant. All of us will be subject to those risks once tens of billions of devices globally are in operation.
Regarding privacy, we need to keep asking what the "new normal" will be in the coming IoT paradigm. Our notions and practices regarding privacy will undoubtedly change. Some assert they should even be relaxed. Others foresee quite dark, even Orwellian elements in the near future. Both the benefits and the risks are in that future — only real leadership and continual vigilance will give us more positive than negative outcomes.