This article by William Wetzel was the best entry in the 2017 VueVille Future Technology Scholarship, winning $1000 towards his college education.
Looking at the most ubiquitous IoT device, there are 204 million smart phones in use in the United States((Anderson, M. (2015, October 19). Technology Device Ownership: 2015. Retrieved January 25, 2017, from http://www.pewinternet.org/2015/10/29/technology-device-ownership-2015/)). Apple is widely credited with releasing the first modern smart phone in 2007. Over the next 10 years, dozens of companies invested significant R&D into the security of their customers’ mobile data((Campbell, M. (2015, October 28). Apple R&D spending hit $8.1B in 2015, suggests continued work on massive project. Retrieved January 26, 2017, from http://appleinsider.com/articles/15/10/28/apple-rd-spending-hit-81b-in-2015-suggests-continued-work-on-massive-project)). Despite the billions spent, there have been dozens of hacking cases involving these relatively secure devices((Watercutter, A. (2016, May 26). Watch Edward Snowden Teach Vice How to Make a Phone ‘Go Black’. Retrieved January 26, 2017, from https://www.wired.com/2016/05/snowden-vice-cell-phone-hack/))((N. (2013, July 13). Phone hacking: David Cameron announces terms of phone-hacking inquiry. Retrieved January 25, 2017, from http://www.telegraph.co.uk/news/uknews/phone-hacking/8634757/Phone-hacking-David-Cameron-announces-terms-of-phone-hacking-inquiry.html))((N. (2016, April 22). San Bernardino phone hack ‘cost FBI more than $1m’ Retrieved January 25, 2017, from http://www.bbc.com/news/technology-36110236)). Along with the consumer data collection that the companies who produce these phones take part in((Chen, B. X. (2011, April 21). Why and How Apple Is Collecting Your iPhone Location Data. Retrieved January 25, 2017, from https://www.wired.com/2011/04/apple-iphone-tracking/)), these devices, with their audio, video, and GPS sensors, allow for data to be collected on someone in real time.
It is estimated that there will be fifty billion objects on the IoT in just three years((Evans, Dave (April 2011). “The Internet of Things: How the Next Evolution of the Internet Is Changing Everything” (PDF). Cisco. Retrieved 15 February 2016)). We must realize that an IoT device doesn’t need all the functionality of a cell phone to be a serious privacy challenge. James Lyne, the global head of security research at Sophos, claims that:
“IoT devices are coming in with security flaws which were out-of-date ten years ago you wouldn’t dream of seeing on a modern PC.”
While a large-scale IoT data breach has not yet occurred, we have already seen these devices hijacked on a large scale. The DDoS attack which overwhelmed the DNS for most of the Eastern United States was carried out with a botnet consisting of IoT devices, primarily digital cameras, DVRs, and routers((Newman, L. H. (16, October 21). What We Know About Friday’s Massive East Coast Internet Outage. Retrieved January 26, 2017, from https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/)).
Unfortunately, if history is any indicator, it seems to be a question of when and not if there will be a large IoT data breach. To date, reputable tech companies such as Yahoo, Tumblr, eBay and Daily Motion have lost the personal information of billions of users in hacks((N. (2016, December 13). World’s Biggest Data Breaches. Retrieved January 27, 2017, from http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/)). These are companies that deal solely in creating technology platforms. With such a high data loss to date, will the public be able to trust manufacturers of smart fridges, smoke detectors, cars, watches, etc., to protect their personal data from malicious actors?
Of course, protecting people’s privacy not only relies on stopping the bad guys, it also requires informed consumers. There is a $125 billion market involving collecting and analyzing consumers’ personal data((Press, G. (2014, December 11). 6 Predictions For The $125 Billion Big Data Analytics Market in 2015. Retrieved January 25, 2017, from http://www.forbes.com/sites/gilpress/2014/12/11/6-predictions-for-the-125-billion-big-data-analytics-market-in-2015/#29bdc1ef2b20)). If a consumer buys a smart fridge that tracks all of their purchasing and knows their most intimate dietary habits, the company which manufactures this fridge could have the option to sell this information to a third party. A study by MeasuringU predicts that, at a maximum, 8% of users actually read a software EULA((Sauro, J. (2011, January 11). DO USERS READ LICENSE AGREEMENTS? Retrieved January 25, 2017, from http://measuringu.com/eula/)). There needs to be a more transparent way to identify companies’ data policies; few people will have the initiative to read and comprehend hundred-page documents for every IoT product bought.
As it stands, even if you read every user agreement, only bought products that didn’t track data, and were able to guarantee you were never hacked, government agencies would still potentially have access to your personal information. Many countries, such as the United States and Sweden, have laws which allow government agencies to monitor all internet traffic coming through their country((T. (Director). (2013, October). How the nsa betrayed the world’s trust time to act [Video file]. Retrieved January 25, 2017, from https://www.ted.com/talks/mikko_hypponen_how_the_nsa_betrayed_the_world_s_trust_time_to_act)). Today, anytime you use Skype, Facebook, or a service based in the US, the NSA has access to the data you’ve transmitted.
Let’s pretend a US company started selling millions of smart espresso makers all around the world. The espresso makers contain a camera and a microphone, and remember all of your past coffee habits. Under PRISM, all your data use on that espresso maker could be recorded and viewed by the US government if it were transmitted through a US server((Gellman, B. (2013, June 7). U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program. Retrieved January 26, 2017, from https://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html?utm_term=.966eb220b38a)). This means if you live in Norway and use your espresso maker to video chat with your friend in Iran, because your call could be routed through a US-based server, that call could be monitored. Later, if the United States (or any other country) created or altered a secret law such as the Patriot Act, one can only imagine the potential to collect information about an individual just because they purchased a specific product.
While there are many potential privacy pitfalls with the coming IoT, there is evidence that regulatory agencies are looking at ways to tackle them. The United States Federal Trade Commission has made recommendations to protect consumer choice and ownership of data((“The ‘Internet of Things’: Legal Challenges in an Ultra-connected World”. Mason Hayes & Curran. 22 January 2016. Retrieved 23 October 2016.)). A resolution passed by the US Senate states the need to create a national policy on IoT data security and management((Lawson, Stephen (2 March 2016). “IoT users could win with a new bill in the US Senate”. MIS-Asia. Retrieved 23 October 2016)), and the National Highway Traffic Safety Administration is preparing cyber security recommendations to make soon-to-arrive autonomous cars more secure((Pittman, P. (2016, February 2). Legal Developments in Connected Car Arena Provide Glimpse of Privacy and Data Security Regulation in Internet of Things. Retrieved January 25, 2017, from http://www.lexology.com/library/detail.aspx?g=fd6bc26e-dd20-4c4f-897a-5d62484d37ba)).
In addition to governmental regulation, we can only hope companies are sufficiently motivated to adopt adequate cyber security and ethical standards. Yahoo is estimated to have lost 1 billion dollars of its market cap after its massive data hack in 2016((Fuscaldo, D. (2016, December 27). Verizon Likely to Complete Yahoo Buy Despite Hacks. Retrieved January 26, 2017, from http://www.investopedia.com/news/verizon-likely-complete-yahoo-buy-despite-hacks/)), and data breaches are costing consumer service companies on average $174 per record stolen as of 2016((Bradley, B. (2016, October 1). What is the True Cost of a Data Breach? It May Not Be that Easy. Retrieved January 26, 2017, from https://digitalguardian.com/blog/what-true-cost-data-breach-it-may-not-be-easy)). Once again, the consumer has the potential to play a huge role. Currently, data breaches have little effect on company stock prices((Kvochko, E., & Pant, R. (2015, March 31). Why Data Breaches Don’t Hurt Stock Prices. Retrieved January 26, 2017, from https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices)). It will take consumers caring about their data, and fiscally punishing institutions that violate their trust, to alter the current IoT landscape.