I recently decided to reread Dante’s The Inferno. One would not expect guidance on IoT privacy and data security (IoTPDS) from a 700-year-old text, but The Inferno, particularly Canto III, provides significant direction on consumer IoTPDS issues. So,
“Abandon All Hope, You Who Enter Here.”
Perhaps the most chilling sentence in all literature, portending what Dante was to observe in Hell. Yet this is cautionary, not destiny.
One needs to understand what IoT is before one can figure out how to protect IoT devices and collect and use information appropriately. A definition we find helpful for what constitutes IoT is the use of at least one sensor (human or electronic) for the collection of data, aggregation and storage of the data, communication of the data, an external utility for processing the data, a transformation of the data to produce a summary or actionable conclusions, and a decision engine or trigger which acts upon the summary or actionable data conclusions. Whew! In short, IoT links network, application, mobile, and cloud technologies into a single framework – interoperability challenges abound. Connected consumer products, already common in homes, cars, toys, health aids, and fitness wearables, are expected to triple in the next few years. Business IoT applications are exploding as well.
Remember that security issues do not emanate merely from an IoT device; concerns also exist in data flowing to the device. The recent intrusion on internet service provider Dyn, which affected such companies as Twitter, Amazon, and Netflix, was caused in part by a botnet DDoS attack on consumer IoT devices. On a micro level, home IoT security system testing revealed numerous and significant vulnerabilities, and one may be safer with no security system. HP Security Research recently tested 10 IoT home security systems and found an average of 25 vulnerabilities per device. That tests the definition of irony.
It is vital to determine which laws, regulations, regulators/enforcers, guidance, and trade association best practices are applicable to the particular IoT device. Depending on the IoT device, many legal land mines exist at user connectedness and at each stage in data communication. HIPAA, GLB, COPPA, FTC Section 5 and state equivalents, state and federal laws dealing with general data security standards, and the NIST Cybersecurity Framework may come into play in some fashion. That means some combination of the FTC, FCC, bank regulators, health regulators, consumer regulators, elected officials, the Department of Justice, and state attorneys general will be watching and likely communicating with each other about your IoTPDS.
All this is in addition to actually having a product (and the hardware, software and other products and services enabling connectedness) work as intended. Even the Consumer Product Safety Commission (“CPSC”) is starting to weigh in on IoT – see the CPSC’s Staff Report, Potential Hazards Associated with Emerging and Future Technologies, January 18, 2017. While the CPSC has seemingly disclaimed privacy and data security as “outside its jurisdiction”, it expressed significant concerns about products and software not working as intended and noted safety challenges such as hacking, data collection and aggregation, and failed software updates – which all sound a lot like privacy and data security concerns.
“Now sighs, loud wailing, lamentation …I too began to weep.”
To be clear, there will be crying, sighing, wailing, and lamenting when dealing with IoTPDS issues. The real question is whether you want it to be of limited duration or sempiternal (or, perhaps a 20-year supervisory decree – which, while sounding like Hell, is probably more in the province of Purgatorio).
Having determined what legal issues might apply, you need to ensure the IoT device complies and will comply with applicable data protection standards and develop appropriate policies, procedures, and agreements for the collection, transmission, use, sharing, storage, destruction, etc. of the data. IoT devices compel broad and advanced thinking on these issues. The device itself and transmission from the device are the most vulnerable points in the system. This stands to reason as often (and certainly in the past) rudimentary software and hardware placed in the IoT devices, particularly consumer devices, are not capable of processing data security or anti-virus applications. You will not find the types of firewalls, encryption, and malware and virus protection in a wearable or “smart” refrigerator as you will in a network system (or even your home laptop or phone). It is clear these vulnerabilities, at/in/to/from the IoT source, are the most significant concern. Think through…heavily…connection, prevention, detection, and response vulnerabilities in hardware, software, applications, and network connection when developing, testing, operating, patching, updating, and upgrading IoT devices. Regulators have told us so and legislatures are beginning to do so – for instance, California SB 327. To paraphrase the FTC – Privacy and Security IN Design.
“[H]ere must all cowardice be slain.”
Let’s start by taking IoTPDS seriously and doing it correctly. From “cool” to life altering and everything in between, IoT has emerged from infancy. Continued growth will only occur if privacy and data security concerns are soundly addressed. No more off-the-shelf hardware or lousy software that does not allow for appropriate protection, expansion, and improvement. IoT manufacturers must demand more from partners. If you must install the “shoddy stuff”, perhaps that IoT device should not be brought to market.
Think about how the device operates with everything it is intended to, and nothing it should not. Deliberate the necessity of having THAT information (whatever THAT is). This analysis will initially be harder, but will both foster the IoT revolution (or at least your contribution) and minimize your risk. If you don’t, you can expect legislation and regulation by consent decree. Now there’s a killer app.
In addition to the above concerns, think about what the reasonable consumer would and should expect – how they think the IoT device protects privacy and what information they think is being collected, used, and shared being two biggies. Be honest and fair. Undermining consumer confidence is another sure way to hinder the IoT market. Be bold and be brave. Now for something a bit more positive from Dante’s Paradiso:
“…[A]ll things created have an order in themselves, and this begets the form…
Observe well how I pass along this way to the truth you seek, so that in time you may know how to ford the stream alone.”