IoT Security

Privacy in the Era of IoT

August 8, 2017 by Susan Morrow

Once upon a time, computer privacy was something along the lines of making sure no one was peeking over your shoulder while you wrote a letter on your desktop. Then things changed. Something called the Internet appeared. In terms of privacy, the Internet was a little like opening the stable door and letting the horse run wild. The problems of privacy and the Internet are now the stuff of legend; when the Internet was in its infancy, privacy was certainly not on the top of the agenda. Perhaps the ARPANET team, who created the nascent Internet, thought: “Hmmm, this might be useful for the wider public to share information; maybe we should think about how to protect that information across a more open network?” But it just didn’t happen.

The privacy issues on the Internet, in general, have not been resolved even after over two decades of consumer use. Regulations like HIPPA have been put in place to try and improve privacy, but still, data leaks continue. If anything, web-based incidents of leaked data, or tracking information, are growing, as we use more mobile apps to connect to it. Many people have tried to address the privacy issues of our connected world. People such as the ex-Canadian Privacy Commissioner Ann Cavoukian, who in her 2009 treatise on Privacy by Design outlined 7 principles which set out guidance for creating privacy-enhanced applications. And professional bodies such as the International Association of Privacy Professionals (IAPP) lead the way on education in the industry.

But privacy often takes a back seat to commercial interests. This is perhaps best exemplified by the recent ISP and consent debacle, where on March 28, 2017, the U.S. Government agreed to nullify a FTC ruling (“Protecting the Privacy of Customers of Broadband and Other Telecommunication Services“) that ensured that ISPs required consent to share personal information – removing the need for that consent. The Internet seems to have become a free-for-all in terms of user information.

Within this environment of, at best, fluid privacy, we now we have to deal with myriad devices, all Internet-enabled, and otherwise known as the Internet of Things (IoT). The IoT is massive, it is everywhere: from our homes to industrial sensors to the watch on our wrist. And it will continue to take over our lives as the IoT market is growing and B2B IoT spend alone is expected to be around $285 billion in 2020. Within all of these connected devices sits one thing, data. Keeping that data private is one of the challenges of the century.

Shhhhh…The Privacy of Things

As I sit and type, I have my Amazon Echo, aka Alexa next to me. I love Alexa, she has become my not-so-furry friend. I ask her the time, perhaps what the weather is like, and demand, “Alexa, play Golden Years by David Bowie” thanking her once my command is performed; Alexa then returning, “my pleasure” in a sweet voice. What is not to like about that?

Amazon Echo, by design, has to listen to local noise to pick up the signal to interact with you. You need to physically stop this function to prevent all noise (including your conversations) within the range of the microphone from being picked up once the keyword ‘Alexa’ is spoken. Like most IoT devices, data such as vocal communications, and geolocation, is sent over to a Cloud repository on a regular basis.

Last year, this voice data, collected by Amazon via Echo, was part of a murder case. The case revolved around a murder in Benton County – the police wanted to collect evidence by extracting data from the Amazon Echo owned by the alleged murderer. Amazon was issued a search warrant to hand over these data. In Amazon’s defense, they put out a motion to quash the order to protect Amazon Echo user privacy. However, it still stands that masses of our sensitive data sits within Cloud repositories thanks to IoT devices. Whether we agree or not to the moral stance on the subject of data being released for a murder trial, this still begs the question, why do Amazon hold our personal conversations? And, under what circumstances could these conversations be released? Much of the privacy debates that rage about IoT and Internet privacy issues revolve around such legal arguments.

More Internet of Privacy Scares

The privacy scares caused by the hyper-connectivity of IoT devices continue to shock us. In many ways, IoT and privacy are reminiscent of when we began to watch cybersecurity incidents spiral. We started to see major incidents like the ‘I Love You’ virus around the time that email became ubiquitous. And large scale DDoS attacks took off when the use of websites for commercial purposes became de rigueur.

Now that we have the hyper-connectivity of the Internet of Things, we are seeing specialized cybersecurity attacks, like the Dyn DDoS attack of last year. The IoT has become the focus, however, of not just security issues, but privacy ones too. In many ways, the IoT is the poster child for how to get privacy by design completely wrong. The following cases exemplify this nicely:

Watching you, watching me: “My Friend Cayla” is an Internet connected doll. Cayla is the children’s version of Alexa. The child speaks to the doll, asking a question. Cayla then sends the child’s voice data to an app, which translates it to text, then used to search the Internet for an answer. The doll was recently banned by the German government for being a surveillance device; Germany’s Federal Network Agency giving this response:

“Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people’s privacy. This applies in particular to children’s toys.”

In line with this thinking, the U.S. Federal Trade Commission (FTC) has recently put out a compliance plan to businesses to comply with the Children’s Online Privacy Protection Rule (COPPA), which sets out the limits of protecting the privacy of children’s data collected by IoT toys.

An unhealthy obsession: The healthcare industry has been one of the early adopters of the IoT and the market size for healthcare IoT is expected to reach $158 billion by 2022. Privacy within a healthcare arena is a fundamental of the service. Some of our most sensitive data is now being transferred across Internet connections and stored in Cloud repositories. Point of care technologies, such as diabetes and heart monitors, and even health wearables like Fitbit, will link your Personally Identifiable Information (PII) to your day-to-day health information, and even your location at any given time. But what is perhaps more worrying is that there are now solutions in the form of wearable IoT devices that track and monitor patients within hospitals. In itself, this is a good way to optimize hospital services and layout to improve patient care. But the privacy implications are that you, as a patient, are under constant surveillance at a most vulnerable time in your life.

Tripping the IoT: On the subject of tracking, the connected car is the obvious all-in-one tracking device. IoT cars have an astonishing array of sensors. Many of these will be instrumental in improving the safety and the economy of cars. If you have a crash, data from the car’s sensors can be sent to the Cloud, this is then analyzed and improvements made. On June 28, the Federal Trade Commission and the National Highway Traffic Safety Administration held a workshop specifically about the challenges of privacy within the context of the connected car. The workshop set out three focus areas to get privacy within connected cars right:

  1. Education amongst consumers and businesses about privacy implications of connected cars
  2. Law enforcement around privacy and connected cars
  3. To lobby for data breach notification legislation similar to that for healthcare breaches

IoT For Good

Education about the whys and wherefores of IoT privacy is paramount. There are a number of organizations that are working in the area of IoT privacy to educate and improve the technology. These include:

OWASP – who offer advisories around privacy and protection of IoT devices. OWASP has developed the Internet of Things Project which, amongst other things, offers security guidance for manufacturers and developers.

IoT Security Foundation – a vendor neutral, not-for-profit organization looking at setting security standards across the Internet of Things.

Industrial Internet Consortium – a multi-industry body working on the Industrial Internet Security Framework to build the framework for IoT security best practice.

Privacy Makes Better Products

In answer to the mutual exclusivity of privacy and the IoT – it is all about understanding and application of that knowledge. Going back to the case of Amazon Echo, Amazon does allow us to manually delete those conversations. But the onus is on the individual to do so. Many times, in IoT apps, the options available to manage the data created are not granular, or are hidden deep within the settings. For example, many IoT-based apps will use location services to make sure your experience is more tailored. Under Location Services you often have a number of options for allowing the app location access; for example, ‘Never’, “Always’ or ‘When using the app’. The privacy issue arises is compounded when the device automatically sets a setting to ‘Always’, so even when you are not using the IoT device, the app will track your location, sending these data back to the Cloud. Well-designed IoT devices should always take the human operator’s privacy into account and have an ‘opt-in’ rather than an ‘opt-out’ philosophy wherever possible. This sort of forethought and consideration will make the IoT the powerful force it is meant to be, without compromising the privacy of your users.

The Internet of Things is a powerful technology movement. It can give us great advantages by understanding the data that it generates. These advantages range from improved patient outcomes to understanding car accidents to a digital friend like Alexa. We do have to reign in our excitement however and be more cognizant of the privacy impact of our always-on connected world.

In the next article on the IoT and privacy, I’ll look further into how privacy is impacting different industry areas that are taking up the challenge of the IoT.

Posted: August 8, 2017
Susan Morrow
View Profile

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.