Closing the Privacy Gap in the OWASP IoT Top Ten
My last article on the subject, “How to Test the Security of IoT Smart Devices,” used the OWASP IoT Top Ten as a starting point to help application and network security experts reapply their skills to the fast-evolving domain of smart devices. However, the same article also identified three areas where the OWASP IoT Top Ten list needed help.
This article follows up on the first of three topics – “Privacy Concerns” – where security experts will need more guidance than what is provided in the current edition of the OWASP IoT Top Ten list.
Weakness of OWASP IoT I5 – Privacy Concerns
When security experts think about “privacy,” they often take the perspective of an adversary. For example, “how would a hacker subvert these security controls to steal user information?”
However, the general population of end users and consumers we all serve are just as concerned about the types of information collected and the duration it is retained as they are with the security of their devices. The fact that most consumers think security is the same as privacy only underscores the disconnect between the way that we approach security and consumers approach privacy.
Unfortunately, the OWASP IoT Top Ten list reflects this disconnect as well by simply focusing on a subset of technical controls affecting privacy. For example:
- “Ensuring only data critical to the functionality of the device is collected.”
- “Ensuring any data collected is properly protected with encryption.”
- “Ensuring the device and all of its components properly protect personal data.”
Solid Foundation in FTC’s 2015 “Privacy and Security” Report
A consensus source for IoT privacy evaluations remains elusive, but a solid foundation can be built from the US Federal Trade Commission’s (FTC) 2015 IoT “Privacy and Security” report.
This report layers expert IoT analysis on top of an existing framework called the “Fair Information Practice Principles” (FIPPs), which covers consumer-focused concepts such as notice, choice, access, accuracy, data minimization, security, and accountability. In particular, the FTC’s report focuses on security, data minimization, notice and choice, as we will explore below.
FTC Privacy Concept: Security
The FTC’s concept of security is what you would expect it to be, and it fits nicely with the OWASP’s limited definition of privacy. It specifically calls for designs “minimizing the data they collect and retain” and “encryption for sensitive information.” It also covers a lot of other areas better covered by the OWASP IoT Top Ten, such as access controls.
However, since the FTC’s technical controls constitute a good fit with the OWASP IoT Top Ten, we will concentrate on the other two concepts (“data minimization” and “notice and choice”) to flesh out possible areas of improvement in the OWASP IoT Top Ten.
FTC Privacy Concept: Data Minimization
As defined by the FTC, data minimization is the “concept that companies should limit the data they collect and retain, and dispose of it once they no longer need it.” According to the FTC, data minimization guards against at least two significant privacy risks:
- “Larger data stores” that make attractive targets to criminals.
- That “data will be used in a way that departs from consumers’ reasonable expectations.”
FTC: Failure to Minimize Could Attract Legal Attention
Lest it be accused of departing too far from dollar-based risk assessment, the FTC also raises the spectre of legal action when it mentions “potential harm to consumers” with regard to theft of “larger data stores.” This is surely a reference to the large fines assessed after credit card, health information and other information security breaches involving stolen data stores. The FTC’s use of the phrase “reasonable expectations” also invokes a similar legal reaction, because the “doctrine of reasonable expectations” is a key concept in civil torts (i.e., whether or not you could be sued).
FTC Data Minimization Recommendations
Fortunately, the FTC follows up its veiled threats with some concrete guidance. Here is what the FTC recommends and what you should concentrate on as a security expert.
- Examine and/or develop a data practice policy that imposes “reasonable” limits on the collection and retention of consumer data. For each type of data you collect, pick one or more of the following rules:
  - collect only the data minimally necessary for the product or service being offered
  - collect only less sensitive data
  - de-identify (a.k.a. “anonymize” or “aggregate”) collected data
- If your data collection policy does not fit the rules listed above, ask for the “consumers’ consent” before proceeding.
In a nod to reality, the FTC report acknowledged the limits of technology and provided a positive example of a company that anonymized 15,000 patient records such that an outside team was “only” able to identify “0.013% of the individuals” (2 people). However, it also recommended that companies retain “enforceable contracts in place with any third parties with whom they share the data, requiring the third parties to commit not to re-identify the data.”
Evaluation of Technical Data Minimization Controls
From the perspective of a security auditor or evaluator, the FTC’s policy recommendations suggest that you should look for some complementary technical controls in your IoT technology and its supporting services. These would include:
Data Collection Controls
- Settings to control which data is collected and retained.
- Evaluation of actual data collected and retained (as opposed to the types of data mentioned in the vendor’s policy).
Data Retention Controls
- Settings to control how often data is deleted or archived.
- Controls to clear out current and archived data.
- Automatic deletion of data upon service cancellation.
FTC Privacy Concept: Notice and Choice
The FTC’s guidance on notice and choice is more subtle than its guidance on security and data minimization. The key principle it revolves around is that “companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer.”
For example, if a consumer buys a smart furnace that is connected to an app that allows a consumer to set the temperature remotely, the manufacturer of the smart furnace might reasonably use the customer’s data to improve the usability of the app without asking the consumer for additional permission.
“No Ask” Exception for Anonymous Data Usage
The FTC also carved out an exception for a use case that “de-identifies…data immediately and effectively.” According to the FTC, companies providing this service, “need not offer choices to consumers about this collection.”
For example, if a consumer buys a smart water softener that is connected to an app that allows a consumer to set the salt level remotely, the manufacturer of the water softener might reasonably use the customer’s data and those of several hundred other customers to inform utilities of aggregated usage patterns without asking the consumer for additional permission.
The following graphic summarizes the FTC’s current guidance with respect to both the “consistency” and “anonymization” rules.
When and How to Obtain Consent
All this permissiveness is balanced by the FTC’s requirement that companies’ privacy choices be “clear and prominent” and, of course, a requirement that companies get consumers’ consent for collection and use of data that “would be inconsistent with the context of the interaction (i.e., unexpected)”.
To inform consumers and get consent, the FTC acknowledged several technical models as legitimate. These included:
- Choices at point of sale
- Codes on a device (e.g., QR code leading to a web page)
- Choices during set-up
- Privacy menus
- Behavioral or transitive settings (e.g., learned behavior or importing from other devices)
Many of these boil down to privacy controls being a part of the “install wizards” people are used to running, or the “user profile” settings people are used to opening on their cloud-based accounts.
Evaluation of Notice and Choice Controls
The FTC’s policy recommendations on notice and choice should cause you to look for related controls in your IoT technology and its supporting services. These would include:
- A clear privacy notice. (Easy to find and more readable than a legal document.)
- Consent to collect and process data not related to daily use of the device.
- Installation and/or “profile” settings to adjust information collected.
To compensate for the privacy gap in the 2014 OWASP IoT Top Ten, information security practitioners should follow the advice of the US FTC and perform the following privacy evaluations on their IoT technology in addition to those recommended by the 2014 OWASP IoT Top Ten.
Data Minimization (Policy)
Have a data practice policy that imposes “reasonable” limits on the collection and retention of consumer data. Allowed collection rules include:
- Only the data minimally necessary for the product or service being offered.
- Only less sensitive data.
- Deidentify (a.k.a. “anonymize” or “aggregate”) data.
- Ask for consumers’ consent before proceeding with non-conforming rules.
- Use contracts to ensure third parties keep shared data anonymous.
Data Minimization (Technical Controls)
Evaluate control over data collection.
- Selection of types of data collected.
- Evaluation of actual data collected (vs. claimed in policy).
Evaluate control over data retention.
- How often data is deleted or archived.
- Manual clean out of current and archived data.
- Automatic deletion when service is cancelled.
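The two data-minimization checks that recur above (actual data collected vs. what the policy claims, and retention vs. what the policy promises) can be scripted once the evaluator has the vendor’s declared policy and an export of what the service actually holds. The following is an added example, not code from the article or the FTC report; the smart-thermostat policy, field names and records are constructed for illustration.

```python
"""Data-minimization audit: compare what an IoT device actually sends and
retains with what the vendor's data-practice policy declares."""
from datetime import datetime, timezone

# Constructed policy (hypothetical smart thermostat): declared fields and
# the retention period in days stated in the vendor's notice.
DECLARED_POLICY = {"device_id": 365, "target_temp_c": 30, "current_temp_c": 30}

# Constructed records as exported from the vendor's cloud account on 2024-03-15;
# the first one shows the device also shipping Wi-Fi and location data.
CAPTURED_RECORDS = [
    {"ts": "2024-01-02T10:00:00Z", "device_id": "ab12", "target_temp_c": 21,
     "current_temp_c": 19, "wifi_ssid": "HomeNet", "gps": [51.5, -0.1]},
    {"ts": "2024-03-01T08:30:00Z", "device_id": "ab12", "target_temp_c": 20,
     "current_temp_c": 20},
]
AUDIT_DATE = datetime(2024, 3, 15, tzinfo=timezone.utc)


def undeclared_fields(records, policy):
    """Fields present in the captured data that the policy never mentions."""
    seen = set()
    for rec in records:
        seen.update(k for k in rec if k != "ts")
    return sorted(seen - set(policy))


def retention_violations(records, policy, now):
    """(field, timestamp) pairs still held past the declared retention period."""
    findings = []
    for rec in records:
        stored_at = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        age_days = (now - stored_at).days
        for field, keep_days in policy.items():
            if field in rec and age_days > keep_days:
                findings.append((field, rec["ts"]))
    return findings


def audit(records, policy, now):
    """Combine both checks into one report for the evaluation write-up."""
    return {
        "undeclared_fields": undeclared_fields(records, policy),
        "over_retention": retention_violations(records, policy, now),
    }


if __name__ == "__main__":
    for check, hits in audit(CAPTURED_RECORDS, DECLARED_POLICY, AUDIT_DATE).items():
        print(f"{check}: {hits}")
```

Every undeclared field is a candidate for the “consumers’ consent” rule, and every over-retention hit is a gap between the notice and the retention controls actually implemented.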
Notice and Choice
- Make your data collection policy clear to consumers.
- Understand if your data collection deviates from the consumer’s expectations of what would normally be part of a transaction or your company’s relationship with them.
  - If it does, you MUST ask the consumer for permission.
  - If it does not, you do NOT need to ask the consumer for permission.
  - If you only anonymize or aggregate data, you do NOT need to ask for permission.
Notice and Choice (Technical Controls)
- An accessible and non-legalese privacy notice.
- Permission to use more data than would be needed to operate the device.
- Set-up and run-time controls to choose which information is shared.