The advent of internet enabled ever-connected smart devices in our everyday lives has led to a large-scale proliferation of the Internet of Things into every aspect of our modern lives. It has now become more important than ever to understand the security and privacy risks associated with connected devices. With smart home devices, office tools, home automation systems, children’s toys and even medical devices becoming an integral part of our digital lifestyles, becoming technology aware and understanding the key implications of technology in personal privacy and security should be a key priority for every individual. The advent of internet enabled ever-connected smart devices in our everyday lives has led to a large-scale proliferation of the Internet of Things into every aspect of our modern lives. It has now become more important than ever to understand the security and privacy risks associated with connected devices. With smart home devices, office tools, home automation systems, children’s toys and even medical devices becoming an integral part of our digital lifestyles, becoming technology aware and understanding the key implications of technology in personal privacy and security should be a key priority for every individual.
What is IoT?
The Wikipedia article on The Internet of Things (IoT) defines it as:
- A system of interrelated computing devices, mechanical and digital machines,
- That are provided with unique identifiers (UIDs) and
- The ability to transfer data over a network
- Without requiring human-to-human or human-to-computer interaction.
IoT as a concept is still in a state of relative infancy in society, as are the regulations that accompany it. At its core, IoT involves the collection, classification and use of data captured by the sensors, which is processed in the cloud and is used to inform decision making and actions driven by the device logic.
What is Privacy?
In the age of connected devices it can become tricky to define what is privacy – Is privacy a fundamental human right? Is it a right to be left alone? While talking about privacy in the context of information technology and the Internet of Things we tend to focus more towards Information Privacy. However, it isn’t always as simple as just maintaining secrecy. It is also about the right to have some degree of control over how our personal information is collected and used.
Privacy isn’t really about keeping things private, it’s not about secrets, it’s about choice.
Privacy refers to the ideology that individuals should have the freedom, or right, to determine how their digital information, mainly that pertaining to personally identifiable information, is collected and used.
Impact of IoT on Privacy
Surrounded by a world full of sensors talking not just with us but also with the internet, where data about our everyday activities, our likes, our dislikes, our views and our beliefs is stored in the cloud, the implications of the advent of the age of IoT has serious implications on privacy and security. The potential for such data to be packaged and sold for a variety of purposes is in turn converting us to the product as opposed to being the consumer. While using a lot of free to use services, we might not be paying for using the service with money, but rather with our data, which might not be intended for sharing with anyone
Because a host of convenient smart devices now continuously collect, dissect and process data to make our lives more convenient, they have also magnified the threats to data privacy.
Our ability to collect and process data has overwhelmed our ability to protect that information. Our smartphones, fitness trackers, smart TVs, and even smart appliances generate a massive amount of sensitive information, from browsing habits to purchasing patterns to real-time location and personal health information.
It’s no longer just our photos and emails, but also our heart rate, respiration rate, location, what we eat and even how we sleep. We are left with no more personal spaces since we give service providers the permission to sell our data while accepting the Terms & Conditions for free services. The privacy and attention we’re trading for our “free” services and content is now much more personal. Particularly where sensitive data is concerned, IoT can put the privacy of individuals at risk.
Implications of Identity Management and Data Ownership with IoT
The issue with this deluge of data leads to the problems of identity management and data ownership. Is the collected data really anonymous? Who owns the data being collected by connected devices to make these devices smart? The footprint our devices leaves on the Internet tells a story. How much of our personal narrative are we willing to trade off for the sake of convenience? The biggest issue while dealing devices like personal assistants that are always listening, is the concern around controlling the narrative around this story.
Even though it might seem counter intuitive, data privacy does not necessarily mean keeping our data private. Rather it focuses upon taking charge of what we choose to divulge about ourselves. With every smart device that we acquire, we leave an ever increasing trail of data. With an increase in the number of smaller and smarter devices, service providers can paint highly detailed portraits of almost everything we do. As such, connected devices deserve a healthy dose of skepticism when it comes to information security and data privacy.
The GDPR – A ray of hope?
For over three decades we have debated over privacy in the internet, with not much success. The internet of things is however still in its infancy. Since regulation moves at a snail’s pace, it’s still mostly up to CEOs, executives, and employees to reject projects that put profit over privacy.
IoT devices do provide many benefits, from convenience in the home, to tracking health and well-being. However, consumers are often blind to the risks associated with the sharing of personal data, until a big breach of that data occurs. IoT and connectivity are growing rapidly, so more and more potential vulnerabilities may be introduced if no security strategy was applied during the design phase.
It is thus the responsibility of technology organisations and governments to come together to educate society about the value of their personal data and be more transparent about the way in which they process the data.
The European Union’s General Data Protection Regulation (GDPR) is a step in the right direction; however, other nations need to adopt similar rules to ensure the privacy of individuals is protected.
Enterprise responsibilities for data privacy
Managing the risks associated with data collection begins with making the gathered data more secure. It’s high time to look into what privacy truly requires.
- Accountability and Transparency: Service providers handling consumer data need to be accountable for its privacy and security. Inclusion of IoT-specific language in data privacy agreements with clear, concise and transparent policies around data handling and protection is of utmost importance.
- Privacy focussed Lifecycle design: Objects need to be designed for privacy by default and manufacturers need to look at the implications of the data that they want to collect. There’s a need for an effort to look at the whole lifecycle of a smart device and go beyond the GDPR. From design to manufacture to eventual disposal, there’s a need for an effort to make more ethical design choices. Manufacturers should ensure that security keys and IoT device provisioning procedures comply with security and privacy data management guidelines. Architecture and data storage should be designed in such a way that enables GDPR compliance.
- Inclusion of new levels of security and privacy provisions: To make IoT solutions secure and enable privacy, manufacturers need to include security features for data protection at early phases of architecture design. Integration with third-party services have the potential to introduce new concerns, so it is crucial to check that all components comply with stringent policies and guidelines to provide interfaces that are secure. Inclusion of security and privacy monitoring components into the IoT ecosystem would be highly beneficial from a service provider as well as consumer point of view.
Privacy is something that comes from within us. Whether we realize it or not, we are responsible for posting a lot of our own private data. We need to be conscious about privacy, and if we are not then we pay the price one way or the other. It’s high time for us to take our privacy seriously. Irrespective of whether we are a developer or a consumer we need to be aware about our choices and make conscious decisions around our personal privacy rather than just focussing on convenience.