Written by: Sarah Johnson | November 30, 2017

The Internet of Things. We’re starting to hear this phrase more and more. But haven’t there always been things on the Internet? Well, that’s not exactly what this term is referring to. Let’s take a closer look at what the Internet of Things actually is, some of the many different current and future applications, how it will affect our lives, and how it’s already been making its way into legislation.

Brief Explanation of the Internet of Things.

The Internet of Things generally refers to the infrastructure that allows various devices to connect to the internet and to each other. These connected devices — examples include FitBit, Alexa, Nest — collect, transmit and process data to perform functions aimed at improving our overall quality of life. Devices that are considered part of “IoT” are not usually full-fledged computers, but rather purpose-built technologies which have computing power, sensors of some kind, and the ability to communicate with other systems or devices. On the consumer side, these devices tend towards collecting personal data and are unintrusive, though there are many other potential applications.

When you think about the Internet of Things, or IoT, and how it is the “next big thing”, you need to think even bigger. Very few people can actually conceptualize exactly how big of a role IoT will play in our future. First, there are many, many definitions and terms that mean more or less the same thing when it comes to IoT; terms like ambient intelligence, ubiquitous computing, cyber physical systems and machine-to-machine (M2M) are all related to the IoT and to the technology and applications behind it.

Let’s Go on a Little Hypothetical Trip in the World of IoT

Imagine a world where your entire house is “smart”. This means everything from beds to closets to fridges to countertops is a connected device. On a normal morning, your bed would take into account when you fell asleep, how well you slept and your normal morning habits to wake you up when you are in your lightest level of sleep, so you wake up refreshed but have enough time to do everything on your morning agenda.

Your closet then picks out your exercise clothes for the morning and steams and lays out your work clothes for after. You go to the kitchen and eat your last banana, which your countertop senses, so it puts bananas on your grocery list (which will be delivered later that day, via drone). Your water bottle is already waiting for you, poured to the perfect temperature, and the thermostat in your gym is set to keep you from passing out from overheating. Your favorite show to run to is set to the perfect volume and starts playing where you left off last when you enter your gym.

Your house knows how long you take at the gym, so the water for your shower has already been heated to the appropriate temperature and is ready for you to jump in – no more waiting for the water to warm up. You get out of the shower and have a reminder waiting on your mirror that you have twenty-five minutes to get ready if you want to catch your train. After you go through your morning checklist, get dressed and grab your coffee, which is already waiting for you, your smartwatch buzzes to tell you that the sensors in the concrete on the bridge on the way to the train indicate ice. As you approach the bridge, your car automatically slows down to navigate the dangerous terrain safely. You enter the parking garage and hop out to get on the train while your car parks itself or perhaps drives off to fetch another commuter. You walk into the train and your seat has a sensor that picks up your ID and knows you have a pass so there is no need to check your ticket. Just another day in the life!

Okay Now We Have a General Idea, What Potential Concerns do People Have Regarding IoT?

I sat down for an interview with Dr. Gilad L. Rosner, Founder of the Internet of Things Privacy Forum, and had a very, very interesting conversation about the future of IoT and concerns we should keep in mind around privacy and security. I have listed my questions and paraphrased his answers for clarity and length.

Q: What are the biggest issues you face with your overall company mission of reducing privacy risk with IoT?

It is hard because we are in the early days of IoT; many people haven’t even heard of IoT, let alone considered the privacy concerns associated with the new technologies. The major goal is to move the discussion surrounding privacy and IoT from small conversations within the privacy community to larger, more diverse conversations with the general public and the industries making this stuff. We need to get these conversations to the people who will be making product design choices soon.

There are two different major issues, economic and structural, when it comes to security. Structurally, figuring out how to lock down the data collected by IoT from theft is very difficult. These devices can also be used as a platform to attack. The Dyn Attack in October of 2016 proved connected devices could be hacked and used for attack. Pretty much what happened is hackers used something called a distributed denial-of-service (DDoS) attack by requesting a large number of DNS lookups from tens of millions of IP addresses. Devices acted as the botnet (connected devices running one or more bots infected and controlled by a common type of malware) and were able to infiltrate and infect many devices connected to the internet like: printers, IP cameras, residential gateways and baby monitors with the Mirai malware.

Economically, the problem of security is hard to address. Better security usually costs more and if a consumer cannot perceive benefits of security or if the benefits are not clearly communicated, consumers will buy the cheaper version. These are complicated topics; part of the challenge is the complexity of it all. At times, it is difficult to articulate privacy harms and address the strong discourse around the idea of people trading their personal data for convenience, services and products. This is a gross oversimplification of what is actually going on. People are being actively encouraged to share as much as possible, but for many reasons don’t necessarily have a sense of what a world would look like with less sharing or where what they share is kept under better care.

Q: What types of issues have you run into spreading the word about where IoT is going and how important it is to understand the future and their roles as it pertains to our lives and privacy?

The major questions to pose to people are: What else do the devices bring along with them aside from their obvious benefit of providing more data for more informed decisions? Who is looking out to ensure people cannot break into devices and use them?

Giving consumers the maximum degree of choice for deciding how tech works and what information is shared is pivotal.

An example of choice is the “wake word” for Alexa. Alexa is “always listening” for the wake word and then after it hears “Alexa” then it actively starts listening and transmitting. This “wakeup” is a design choice. What are the pressure points on manufacturers to ensure they implement these types of controls on their new devices even if the public does not know to ask for them? The ideal world is where products are designed in such a way that one person can choose to share all their information, another person chooses to share only a couple things and someone else shares practically nothing. Standardizing how these devices protect privacy and enable selective sharing before they become unremarkable is important. IoT is an evolution, not a revolution; they’re simply evolved devices and another wave of computing.

 

Gilad has been working with his research partner over the last year interviewing stakeholders and holding workshops to figure out the “freshest thinking” on this issue and where to go in the future. Here is a talk Gilad recently gave.

When it Comes to the Bills and Trends.

Privacy is a very compelling space when it comes to legislation. Dr. Rosner had some interesting insight into the fact that most of the privacy legislation is done at the local and state level, not the national level. That said, let’s start by looking at the national level first.

Think of past privacy frameworks, like the Consumer Privacy Bill of Rights, proposed by the Obama administration back in 2012. Since then, a few different privacy bills have been proposed but not enacted. Doesn’t protecting citizens’ privacy seem like a no-brainer?

Although there are many different moving parts to what could affect IoT in legislation, one emerging trend is legislators separating explicit IoT legislation from privacy legislation.

An intriguing national bill is the Black Box Privacy Protection Act. This act would require manufacturers to disclose to consumers the presence of event data recorders (black boxes) on new automobiles, motorcycles and autocycles. It would also require manufacturers to provide the consumer with the option to enable and disable devices on future automobiles, motorcycles and autocycles.

The Cyber Privacy Fortification Act of 2017, similar to data breach acts, would amend the federal criminal code to provide criminal penalties for intentional failures to provide required notices regarding security breaches of computerized data if there is reason to believe the breach resulted in improper access to specified sensitive, personally identifiable electronic or digital information. Although you can think of this more as a tool to punish something like the Equifax breach, it could be applied to IoT-related data too.

US S1691 was introduced in August of 2017, titled the Internet of Things (IoT) Cybersecurity Improvement Act. This bill seeks to address vulnerabilities in IoT devices, which experts have long warned pose a threat to global cybersecurity. To do this, the bill requires vendors who provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.

Another interesting bill is the SPY Car Act of 2017 (Security and Privacy in Your Car Act of 2017), which aims to protect consumers from security and privacy threats to their motor vehicles. This act is expected to play a critical role in creating a fully secure in-vehicle cybersecurity system, which is currently non-existent. This bill will also force automakers to develop a “Detection, Reporting, and Responding to hacking” measure.

The Data Security and Breach Notification Act of 2015 would have required certain commercial entities and non-profit organizations that use, access, transmit, store, dispose of, or collect unencrypted nonpublic personal information to restore the integrity, security and confidentiality of their data systems following the discovery of a security breach. This means they would have had to notify affected U.S. residents when there is a reasonable risk of identity theft, economic harm or financial fraud, as well as the Federal Trade Commission (FTC), the U.S. Secret Service and consumer reporting agencies (if more than 10,000 people were affected). The bill failed, however.

The good thing is that about 40 states already have this type of data security legislation in place; here is a list of different states’ laws. And below is a list of IoT-related bills introduced in the states this year:


 

Conclusion

It’s easy to get swept up in the promise and excitement of this new technology. We’ve been promised “smart homes” for years, for decades even, but it seems the technology may have finally arrived. But we can’t afford to lose sight of the risks of this technology as well. I think Dr. Rosner is right to want to establish good practices and norms now, while the technology is still young and inchoate. The right balance between cost and benefit for security and privacy features may not yet be obvious, but we should be demanding thoughtful policies as the number of these devices, and the information they are gathering, explodes. Experts, companies, consumers, and the government all have important roles to play as we hurtle into our highly connected future.

 
