Should IoT devices tell you how they’re messing with your privacy? Or is privacy an illusion anyway?
IBM has formed an entire business unit around it, Cisco says that there will be 50 billion devices connected to it, and governments are quietly grumbling about the privacy implications of it. Welcome to the Internet of Things.
The IoT may or may not change the way we live and work. Those people selling it imagine a utopia of smart devices, ranging from buildings through to gas pumps, and everything in between. With everything speaking to everything else, and with a river of big data flowing into non-relational databases, we’ll be living our lives with an unprecedented level of connectedness. Technology will tell us what we need to know before we know that we need to know it. Or so the rhetoric goes.Are you ready for this? Because as it turns out, a lot of people aren’t. Trend Micro worked with the Ponemon Institute this spring to measure peoples’ attitudes to the IoT. One in four of the 1903 people surveyed said that the benefits don’t outweigh the privacy concerns. 14% weren’t sure. And half of all those surveyed were worried about the privacy implications of the IoT.
That’s understandable; governments are worried too. Back in January, the FTC issued a report raising privacy concerns about the IoT. It warned that consumer-focused IoT devices alone could collect enough data to pose privacy concerns. It called for Federal data privacy legislasation in the US (which currently doesn’t have any, but wants some) to help set a baseline.
Up here in Canada, we do have PIPEDA, but not much has been said about how it relates to the IoT. After all, when PIPEDA was introduced in 2004, the Internet was a very different place. The Privacy Commissioner did call for more understanding of the IoT in its latest Contributions Program, though, which funds independent privacy research.
A Standard for IoT Privacy?
As yet, there’s no real standard for governing privacy in the IoT. What kinds of things might it address, should one emerge?
The Ponemon report said that respondents would like to receive information about the devices that they are using. Some security and privacy experts have envisioned a kind of label, providing a simplified view of what information a device communicates about its user, and how, and who it is sent to. We could look to similar initiatives in the nutrition and sustainability spaces to see how this would fly. Would we end up with the privacy equivalent of greenwashing? How much could this information be simplified for non-technical consumers?
Others have suggested that this information could even be traded. The Ponemon survey found that 56% of respondents would sell their information to companies. On average, people wanted around $60 for information about their health conditions – that’s $16 less than they’d want for their passwords.
All this ignores an important factor about IoT data, though: you don’t know how it’s going to be used, because big data processing sucks in vast amounts of the stuff and then jumbles it together in unexpected ways. Something as innocuous as the number of steps you took in a day (and perhaps where you took them) could be married with other data sets – real time and otherwise – in ways that you might not anticipate.
Rob van Kranenberg, the founder of the IoT Council, which consults on IoT issues, also co-ordinates part of the IoT research cluster at the EU Commission. He isn’t that worried about privacy issues, because he doesn’t think privacy exists.
“You’re already living in this fishbowl,” he says, arguing that we’re only complaining about it now because we’re aware of it. “The moment that tools appear to help you start thinking about privacy, we get all this stuff in media telling people that they should be worried about their privacy and security,” he scoffs.
Instead, let’s embrace the IoT as something that can empower us, he suggests, arguing that many companies providing online services – not to mention public sector orgnisations – have driven inefficiencies and opacity into the system. It’s time to shine a light on that, he says, suggesting that the IoT could help. He would rather that people use the data that the IoT it generates for themselves.
“Look at all these things that are happening to empower ordinary citizens and bring a lot more transparency to the situation,” he says. “The Internet was about empowering people and giving them agency. The Internet of Things will do this even more, and it will give me personal agency over my own home, my energy allocation, and my own health. And I’ll be able to see far more clearly how resources are allocated.”
That’s a utopian ideal of its own, of course. It needs a population that understands how to make that happen, and to avoid repeating the privacy mistakes that we all made with the original Web, and with mobile devices.
It also suggests that we’ll be able to made the Internet of Things secure enough to avoid consumers being pwned by the thousands, having their cars or smart meters hacked. And as Mark Stanislav and Zach Lanier demonstrated at SecTor last October with their Internet of Fails presentation, building an IoT of secure devices is going to take a fair bit of effort.