The expansion of the Internet is moving beyond end-user computing and communications devices to include consumer devices that can sense and respond, from televisions and refrigerators to cars, buildings and fitness monitors.
Arising in the business sectors of manufacturing, energy, transportation, healthcare, defense, safety and architecture, the Internet of Things (IoT) has created a wild burst of activity in the pre-regulatory scene. Policy-makers and regulatory bodies are outlining the risks to consumers and possible solutions, hopefully voluntary but, if not, then compulsory.
The beginning of frameworks are starting to emerge to help both consumers and companies get a handle on the vast number of potentially new connected devices, the information that will be generated by these devices and the privacy concerns this collection will raise. And with legal complaints being filed, regulatory actions undertaken, Congressional investigations started and state laws being proposed, it shows that it is truly “game on” for the IoT in 2015.
In a January speech by U.S. Federal Trade Commission (FTC) Chairwoman Edith Ramirez, the stage was set for the looming importance of IoT, with estimates of 25 billion Internet-connected devices by year's end. This quantity of online devices with varying degrees of computing power will mean significant challenges for consumer privacy, of course.
In her speech, Ramirez raised three risks and their potential solutions:
For the privacy risk of ubiquitous data collection of personal information across time and in sensitive areas like homes and human bodies, she recommended that companies engage in data minimization and de-identification.
For the privacy risk of unexpected uses of consumer data leading to adverse consequences, she advised increased transparency and notice and choice for any unexpected data uses, despite the limited consumer interfaces available with many of these devices.
For the privacy risk of increased security risks due to hackers, she suggested security by design. Security by design includes risk assessments, testing security before product launch, smart defaults, encryption and patching vulnerabilities, although it was acknowledged that the limitations of these devices in computing power could make it more difficult using current security methods.
The FTC staff followed the Ramirez speech later in January with a report, Internet of Things—Security & Privacy in a Connected World. From workshops the FTC held, additional security risks were identified from the expected trillions of sensors that may be online within the next decade. Besides unauthorized access to and misuse of personal information, IoT may facilitate attacks on consumers' home or car networks or DDoS attacks on other systems, or it could create risks to consumers’ personal safety via bad-actor tampering with health devices or car navigation systems. The FTC staff did not believe that it is time for IoT-related legislation, but instead that industry self-regulatory security and privacy programs should be implemented, laid over a foundation of broad-based national privacy and data breach legislation.
In Europe, UK communications industries regulator Ofcom in January summarized the input it received from stakeholders in Promoting Investment and Innovation in the Internet of Things. The responses pointed to data privacy as the leading IoT concern but also included as concerns the adequacy of network security and resilience using traditional telecom security approaches.
Ofcom intends to work closely with the UK Information Commissioner’s Office on IoT privacy. This follows on from the Article 29 Working Party’s IoT opinion in September 2014, focusing on privacy and security issues with home automation, wearable devices and monitoring oneself. The issues included not being able to control the vast amount of data generated; the difficulty in getting user consent; repurposing of data collected; intrusive profiling of one’s private life; the difficulties in remaining anonymous, and the trade-off of device security versus device efficiency, e.g., battery life. It also recommended privacy assessments, data minimization and deletion, Privacy by Design and default, user empowerment and consent.
To remain in compliance with EU data protection safeguards, recommendations were made for the various IoT stakeholders, including manufacturers, developers and data recipients/publishers.
In February, U.S. Sen. Edward Markey (D-MA) released a report, Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk. Looking at responses to Markey's questions from 16 major automobile manufacturers, the report’s findings included:
- While most cars now have wireless capabilities, the security of wireless technologies in cars were inconsistently available;
- Most wireless systems in cars did not have real-time methods to identify hacking; large amounts of data was being gathered unknown to the car consumer;
- The data was being sent to third-party data centers for the auto manufacturers not utilizing effective security measures;
- The collected data’s usage and retention policies varied widely, and
- Customers cannot opt out of this data collection by car manufacturers without disabling features such as navigation.
In late February, the Electronic Privacy Information Center (EPIC) filed a complaint before the FTC against Samsung Electronics alleging its televisions were recording private conversations. The complaint alleges the voice-recognition feature on Samsung smart televisions captures all spoken communications made in front of the sets and transmits them to a third-party service to translate the spoken words to text. It also alleges these TVs do not encrypt all such voice communications captured and transmitted and Samsung takes no responsibility for the privacy and data security practices of the third-party voice-to-text service provider.
EPIC believes that these actions to collect and distribute subscribers’ personally identifiable information without consent violates the Cable Communications Privacy Act; that the interception of communications violates the Wiretap Act, are deceptive or unfair practices violating the FTC Act, and violates the Children’s Online Privacy Protection Act. This complaint follows on the FTC’s initial IoT complaint and settlement with TRENDnet over lax security practices on its Internet-attached home security/monitoring cameras.
In March, the National Institute of Standards and Technology also released an early discussion draft of its framework for cyber-physical systems (CPS), the term it uses to mean IoT and other related concepts such as smart cities. CPS “integrate computation, communication, sensing and actuation with physical systems to fulfill time sensitive functions with varying degrees of interaction with the environment, including human interaction.” The CPS framework reference architecture looks across industry domains like manufacturing, healthcare, transportation and energy at how such devices should work, how they should be made and how to prove they are working as expected. This includes a number of aspects, including how the CPS perform, how data interoperates and how to manage the cybersecurity and privacy risks that CPS entail. The cybersecurity challenges include the need for CPS resilience if under cyber-attack, and the privacy challenges include that breaches of personal information can lead to real-world impacts by changing physical systems people interact with. The CPS risk-management approach will need to balance between safety, reliability, privacy, security and resilience.
And as of April, California Assembly Bill 1116 was working its way through the legislature. This bill would prohibit TV manufacturers from selling TVs that offer voice-recognition technology that records or transmits the captured audio—including conversations—to the manufacturer or a third party, except for specific voice-recognition commands and only then when the voice-recognition technology is enabled by the consumer. This would allow the state itself, not individuals, to take action to enforce the proposed restrictions.
Expect additional legal and regulatory actions in the coming weeks and months as regulators globally try to balance the needs of consumers with encouraging the growth of this market across industry sectors. Privacy will be paramount among those needs as vast amounts of new information are collected by devices not having the traditional security mechanisms.
If you want to comment on this post, you need to login.