Privacy and the Internet of Things

Managing Partner, IMECS, LLC

The Internet of Things (IoT) is essentially a construct where machines (cloud and data center-based apps) and common devices (such as watches, toasters, thermostats, body monitors and cars) are connected to each other via the public internet. Within the IoT, common devices are controlled and monitored remotely using wireless networks for the most part, while data flows between the cloud and traditional data centers for analysis and manipulation.

While this may suffice as a technical definition, it does little to help the consumer understand the IoT and, specifically, how it will directly affect their personal privacy. In this regard, the worst-case scenario is one where the consumer forfeits all of their privacy through ignorance or complacency, and then has every detail of their personal life made available to anyone willing to pay for this information, whether from the app provider or from one of the many data brokers who will dominate the secondary market for IoT data. Many of these perpetrators will then target these same consumers with specific adverts and offers, as well as performing behavioral experimentation, usually without the consumer’s knowledge, much less their specific consent. For further insights on these types of scenarios, see my previous privacy corner postings on data brokers and social experimentation.

The potential ubiquity (billions to trillions of devices) of the Internet of Things seems like a foregone conclusion at this point. But there are multi-dimensional privacy challenges which must be surmounted if this is truly going to become a reality. To get ahead of these challenges, the privacy engineering community (via the National Institute of Standards and Technology) is currently involved in intense discussions as to how to “engineer in” the right privacy regime: one which will provide users (consumers) with direct control over a wide range of their own personal privacy settings, while also creating auditing and measuring schemes to ensure compliance with both user settings and regulatory mandates.

Privacy engineering is a very real challenge, and there are multiple paths in the IoT where a privacy regime must be monitored and maintained:

  • The device (data generator, data receiver and aggregation point)
  • The internet (multi-directional data transport)
  • The cloud (data manipulation and aggregation point)
  • The machine (application services, big data repositories, analytics and more)

Each path requires appropriate privacy protections to be engineered into it, with user control wherever appropriate (device, machine and others), and those protections must be maintained along its entire length (virtual and physical). Strong encryption, redundancy and security will be necessary to counter threats to data in flight as well as at the endpoints. There will also be regulatory controls and adherence monitoring, which must be facilitated along these same pathways. Most of these will fall under the auspices of the FTC (US), the Data Privacy Act (EU) and other regulatory bodies and statutes across the world.

In parallel with the need for comprehensive privacy, security and compliance capabilities, the IoT is entirely predicated on new business models which disrupt conventional solutions. An enabler of this disruption is the cost model, which dictates low inherent costs in the devices and in all other components of the value chain. These cost models will not be conducive to “out of band” controls delivered via bolt-on solutions. Engineering in privacy as part of the device and the other pathway structures will be the only path to success in which cost efficiencies are maintained while compliance is assured along the way.

The Internet of Things extends the “Zone of Privacy Vulnerability” for consumers to the innermost reaches of their lives. They will be monitored (and potentially manipulated) every second of every day, no matter where they are (unless completely off the grid) or what they are doing (awake or asleep). No longer is there a buffer zone in the form of endpoints such as PCs, tablets or mobile phones. In the world of the IoT, devices are attached to the consumer and embedded in everything around them, streaming data (and secrets) continuously to a variety of benign and potentially nefarious recipients and third parties. It is paramount that we take this into account as we develop a privacy strategy for the Internet of Things.

There are indeed many complexities and challenges for the Internet of Things to overcome if it is to be successful. Follow along with my posts on all things privacy here on the Hub and let me know what you think about the progress of privacy in relation to new technologies, services and challenges.