A 2014 consumer consolidation survey by the Acquity Group contains a telling statistic. Nearly 90 percent of consumers have no clear concept of what the so-called “Internet of Things” is. That should not be a total surprise. Even though the IoT has been discussed for years and companies are rapidly implementing IoT components, its definition is nothing more than a loose architectural vision that varies vastly depending on who is describing it.
The reality of IoT today is a collection of discrete devices such as smartwatches, phones, appliances, health monitors and home environmental systems that interact and from which data is collected. Visionaries imagine a world in which thousands of such invisible, embedded devices permeate where we work, sleep and play. These will include medical devices, home energy systems, transportation systems, geolocation sensors, parking meters, vending machines and even toothbrushes.
Implications to Personal Privacy and Security
Just as no one was able to predict how the advent of the PC and the Internet changed how we worked and communicated with one another, so the IoT is suffused with unforeseen significance regarding our personal privacy and safety. In the context of advanced abilities to collect, correlate and analyze huge data streams, the side effects of IoT data acquisition are impossible to predict. The availability of massive amounts of personal information could easily mean that everyone loses some control over their life.
The potential for increased, detailed surveillance of individuals cannot be ignored. Furthermore, the ubiquity of IoT devices broadens our personal security attack surface to those who may have nefarious purposes. Such devices could provide a gateway to other connected devices containing sensitive information. Even if such data collection were intrinsically benign, would you want to live in a world where your personal habits and activities are continually quantified sold to third parties?
The Incentives to Diminished Security
Despite such real concerns, the history of technology adoption by consumers demonstrates that most people are willing to sell out their privacy to one degree or another. Just like the data collected on us via our web browser, the data coming from the IoT has value beyond a device’s primary application to those able to analyze it. These data have monetary value that could allow manufacturers to practically give them away with the expectation of reaping the value of these data. Additionally, since most IoT capabilities will be built-in as secondary components to larger appliances, cars or environmental systems, most consumers will have scant choice but to accept their presence.
Methods to Protect IoT Privacy and Security
End users should have control over which data are collected and how they are shared directly or indirectly. For instance, they should be permitted to define groups such as family, friends and professionals with specific sharing policies. To be truly effective, this step requires preference standards to be applied across all devices. Such standards could be outlined by government regulatory bodies and implemented in detail by industry groups.
IoT device makers should adhere to a policy of data minimization aimed at collecting the smallest amount of information required for device operation. Such a policy must include spatial and temporal minimization as well that dictates where and for how long such information is stored.
Consumers must be made aware of which data are collected, transmitted and stored by embedded IoT devices. This information should include specific data formats, communication protocols and which other devices are capable of communicating with the device. The usage and sharing policies of anyone acquiring these data must be disclosed.
The degree to which technology containing IoT devices meets the above protections could be represented by standard, condensed privacy or security ratings. Not only does this provide consumers insight into how a device potentially impacts their privacy but manufacturers could use such “seals of approval” to competitive advantage.
The advent of the Internet of Things poses potential hazards to every individual’s privacy if guidelines, policies and designs do not mitigate these threats. Past experience is rife with unforeseen privacy threats resulting from technology advances. The obvious complexity and data collection capabilities arising from the IoT should give consumers and device makers equal pause to consider how to build in safeguards starting now. To not do so now will assuredly have a negative impact on the IoT’s usefulness and potential for growth.