In a global rush to promote Internet of Things (IoT) products and services, the industry is falling behind on building consumer trust, warns the US Federal Trade Commission’s privacy advocate, Edith Ramirez.
This address acknowledges that the IoT will impact on many different service delivery and communication channels. These span healthcare, hospitality, transport, infrastructure, education and frontline social services.
The pervasiveness of IoT devices and big data brings privacy concerns into sharper focus, observed Commissioner Ramirez. This is increasingly so, as consumers are often unaware of how their personal information is used.
The trade in consumer data is one of the fastest-growing sectors. Moreover, there are an estimated 25 billion connected devices worldwide, factoring in all kinds of connected devices, and this market remains one of the most bullish.
The IoT will improve global health, modernise city infrastructures, and spur global economic growth, Commissioner Ramirez said. “To be sure, these potential benefits are immense, but so too are the potential risks.”
Personal data goes public
Connected devices offering more convenience and improved services also collect, transmit, store and often share vast amounts of consumer data. “Some of it highly personal, thereby creating a number of privacy risks.”
The core risks revolve around the ubiquitous collection of data, the unexpected or unplanned uses of consumer data, and heightened security risks involving globally connected devices.
“These risks to privacy and security undermine consumer trust. And that trust is as important to the widespread consumer adoption of new IoT products and services as a network connection is to the functionality of an IoT device,” Commissioner Ramirez said.
She observed that strengthening security and privacy is critical to building consumer trust. Among the remedies, companies need to adopt “security by design” strategies, engage in “data minimisation” programs and improve their transparency road-map.
Consumers also need better notices and choices around the unexpected use of their data, outside of the existing parameters or perceptions about how this personal information is being shared or will be used.
The digital trail
Among the concerns is the ubiquitous collection of personal information spanning national and international boundaries. This includes the real-time tracking of habits, location or physical movements.
“In the not too distant future, many, if not most, aspects of our everyday lives will leave a digital trail,” noted Commissioner Ramirez.
“That data trove will contain a wealth of revealing information that, when patched together, will present a deeply personal and startlingly complete picture of each of us – one that includes details about our financial circumstances, our health, our religious preferences, and our family and friends.”
Moreover, sensors and devices are entering the more personal space, including homes, cars and human bodies. This tracking presents new challenges and increases the sensitivity of the data that is being collected.
“Connected devices are effectively allowing companies to digitally monitor our otherwise private activities. Moreover, the sheer volume of granular data that a small number of devices can generate allows those with access to the data to perform analyses that would not be possible with less rich data sets, providing the ability to make additional sensitive inferences and compile even more detailed profiles of consumer behaviour.”
Too many choices
Without the right checks and balances, the industry risks inundating consumers with too many choices as connected devices and services proliferate.
“The question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice.”
The industry can apply the same ingenuity, design acumen and technical knowhow around privacy or security as it does around product development.
Some observers have argued that because the IoT is in its early stages, the industry can wait to see how it evolves before addressing privacy and security issues. "But I believe we have an important opportunity to ensure that new technologies with the potential to provide enormous benefits develop in a way that also protects consumer information," Commissioner Ramirez said.
Concerns around big data
“Will the data be used solely to provide services to consumers? Or will the information flowing in from our smart cars, smart devices, and smart cities just swell the ocean of “big data,” which could allow information to be used in ways that are inconsistent with consumers’ expectations or relationship with a company?”
In future, a smart TV and tablet may track whether people watch the history channel or reality television. “But will your TV-viewing habits be shared with prospective employers or universities? Will they be shared with data brokers, who will put those nuggets together with information collected by your parking lot security gate, your heart monitor, and your smart phone?”
The industry cannot continue down the path toward pervasive data collection without thinking hard about the privacy and security concerns, Commissioner Ramirez said.
“For example, any device that is connected to the Internet is at risk of being hijacked. Like traditional computers and mobile devices, inadequate security on IoT devices could enable intruders to access and misuse personal information collected and transmitted by the device.”
As consumers purchase more and more smart devices, this uptake increases the number of entry points that an intruder may exploit. The risk potentially extends to physical safety, whether driving cars, receiving medical care or inside homes.
Security integral to design
Security in an IoT world presents unique challenges. “As an initial matter, some of the developers entering the IoT market, unlike hardware and software companies, have not spent decades thinking about how to secure their products and services from hackers.”
The small size and limited processing power of many connected devices may inhibit encryption and other more robust security measures.
“Moreover, some connected devices are low-cost and essentially disposable. If a vulnerability is discovered on that type of device, it may be difficult to update the software or apply a patch – or even to get news of a fix to consumers.”
In this dynamic environment, companies need to prioritise security and build security into their devices from the outset. Specifically, they must conduct a privacy or security risk assessment as part of the design process.
Companies need to test security measures before product launch and leverage smart defaults, such as requiring consumers to change default passwords during the set-up process.
Encryption of sensitive information in storage and in transmission also comes into play. The life-cycle of products needs closer monitoring, together with upfront patching of known vulnerabilities.
Follow Shahida Sweeney on Twitter: @ShahidaSweeney