This article by William Wetzel was the best entry in the 2017 VueVille Future Technology Scholarship, winning $1000 towards his college education.
Looking at the most ubiquitous IoT device, there are 204 million smart phones in use in the United States. Apple is widely credited with releasing the first modern smart phone in 2007. Over the next 10 years, dozens of companies invested significant R&D into the security of their customers' mobile data. Despite the billions spent, there have been dozens of hacking cases involving these relatively secure devices. On top of the consumer data collection that the companies producing these phones take part in, these devices, with their audio, video, and GPS sensors, allow data to be collected on someone in real time.
It is estimated that there will be fifty billion objects on the IoT in just three years. We must realize that an IoT device doesn’t need all the functionality of a cell phone to be a serious privacy challenge. James Lyne, the global head of security research at Sophos, claims that:
"IoT devices are coming in with security flaws which were out-of-date ten years ago; you wouldn’t dream of seeing on a modern PC."
While an IoT large-scale data breach has not yet occurred, we have already seen these devices be hijacked on a large scale. The DDoS attack which overwhelmed the DNS for most of the Eastern United States was done with a botnet consisting of IoT devices, primarily digital cameras, DVRs, and routers.
Unfortunately, if history is any indicator, it seems to be a question of when and not if there will be a large IoT data breach. To date, reputable tech companies such as Yahoo, Tumblr, eBay and Dailymotion have lost the personal information of billions of users in hacks. These are companies that deal solely in creating technology platforms. With such a high data loss to date, will the public be able to trust manufacturers of smart fridges, smoke detectors, cars, watches, etc., to protect their personal data from malicious actors?
Of course, protecting people’s privacy relies not only on stopping the bad guys; it also requires informed consumers. There is a $125 billion market involving collecting and analyzing consumers’ personal data. If a consumer buys a smart fridge that tracks all of their purchasing and knows their most intimate dietary habits, the company which manufactures this fridge could have the option to sell this information to a third party. A study by MeasuringU predicts that, at a maximum, 8% of users actually read a software EULA. There needs to be a more transparent way to identify companies’ data policies; few people will have the initiative to read and comprehend hundred-page documents for every IoT product bought.
As it stands, even if you read every user agreement, only bought products that didn’t track data, and were able to guarantee you were never hacked, government agencies would still potentially have access to your personal information. Many countries, such as the United States and Sweden, have laws which allow government agencies to monitor all internet traffic coming through their country. Today, anytime you use Skype, Facebook, or a service based in the US, the NSA has access to the data you’ve transmitted.
Let’s pretend a US company started selling millions of smart espresso makers all around the world. The espresso makers contain a camera and a microphone, and remember all of your past coffee habits. Under PRISM, all your data use on that espresso maker could be recorded and viewed by the US government if it were transmitted through a US server. This means if you live in Norway and use your espresso maker to video chat with your friend in Iran, because your call could be routed through a US-based server, that call could be monitored. Later, if the United States (or any other country) created or altered a secret law such as the Patriot Act, one can only imagine the potential to collect information about an individual just because they purchased a specific product.
While there are many potential privacy pitfalls with the coming IoT, there is evidence that regulatory agencies are looking at ways to tackle them. The United States Federal Trade Commission has made recommendations to protect consumer choice and ownership of data. A resolution passed by the US Senate states the need to create a national policy on IoT data security and management, and the National Highway Traffic Safety Administration is preparing cyber security recommendations to make soon-to-arrive autonomous cars more secure.
In addition to governmental regulation, we can only hope companies are sufficiently motivated to adopt adequate cyber security and ethical standards. Yahoo is estimated to have lost 1 billion dollars of its market cap after its massive data hack in 2016, and data breaches are costing consumer service companies on average $174 per record stolen as of 2016. Once again, the consumer has the potential to play a huge role. Currently, data breaches have little effect on company stock prices. It will take consumers caring about their data, and fiscally punishing institutions that violate their trust, to alter the current IoT landscape.