Could Privacy and Security Scandals Scuttle the IoT’s Many Benefits?
I yield to no one in my optimism about the Internet of Things’ potential to improve every aspect of business and our personal lives. However, I’m beginning to join those who worry that the growing number of IoT device companies’ questionable data practices may end up forcing businesses and consumers alike to turn our backs on some amazing corporate and personal advances because we finally decide the benefits aren’t worth the risks.
The heart of the IoT is collecting, analyzing, and acting on real-time data documenting how assembly lines, products in the field, and even our own bodies are working (or not….), so the issue of data privacy is at its heart.
While the IoT is still in its adolescence, that data has already produced benefits ranging from smart devices to monitor our sleeping babies to smart electrical grids to reduce global warming and increase reliability.
But, flipping the coin with the exact same devices, it has also already produced shocking privacy and security violations, ranging from baby monitoring devices hacked by creeps all the way up to malware planted by both the US and Russia in each other’s smart grids that could cripple the global economy and even lead to war. IoT companies can’t hype the benefits without taking responsibility for the dangers.
I will never forget when David Petraeus headed the CIA and could hardly contain his enthusiasm for the IoT's potential to hoover up private data. As reported by Wired in an article chillingly titled “We’ll Spy on You Through Your Dishwasher,” the general contrasted the old days when spies would have to get a court order to plant a bug in your house to the IoT’s potential for eavesdropping:
"Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters – all connected to the next-generation internet using abundant, low-cost, and high-power computing," Petraeus said.
All of this takes place in the context of growing government and personal concern about Silicon Valley’s lack of attention to privacy and security and its impacts. Just in the past few months, the revelations of actions that the companies defend but raise questions about their commitment to privacy and security are widespread and troubling:
- Amazon and Google both admitted hiring contractors to listen to anonymized user audio clips to improve their devices’ capabilities.
- Amazon didn’t tell owners of its Ring video doorbell, but it shares the footage from their doors with more than 400 police departments, using it at least partially as a marketing tool (i.e., to get police to recommend Ring to homeowners).
- You can delete voice recordings so Amazon can't listen to your conversations with Alexa anymore, but Amazon still keeps text records of those conversations.
Perhaps most alarming is a just-released academic study of 81 different IoT devices, including ones from Google and Amazon, which found that “most of the devices routinely collected and shared data including users’ IP address, device specs (like MAC address), usage habits, and location data. That data is then shared with a laundry list of third parties, regardless of whether the user actually has a relationship with those companies.”
As someone who interacts frequently with angry and perturbed consumers citing anything from concerns about their phone’s privacy to fears about Russia tampering with our elections, I can tell you the level of public paranoia is increasing and they are conflating every kind of privacy and security violation into an amorphous fear. I suspect the same is true for a growing number of corporations worried about widespread distribution of corporate data. But don’t take my word for it: the FTC reported that privacy complaints rose 14% in 2018.
Because I spent many years as a corporate crisis manager, I see another risk in this lack of emphasis on privacy and security that many engineers in the field may ignore because of their single-minded focus on designing the devices themselves. My work then taught me there’s a major potential barrier to technology adoption if companies and people start to lose faith in that tech and fear it. Yes, fear may be irrational, but that doesn’t mean that it isn’t deeply felt by people and it can alter their decisions.
It is starting to spark a backlash. Witness the $5 billion fine the FTC recently levied on Facebook and The Internet of Things (IoT) Cybersecurity Improvement Act of 2019, the bi-partisan legislation filed in both the Senate and House to regulate IoT devices for the first time.
There is a possible answer.
In Europe, greater sensitivity to privacy and security because of its own checkered past on the issue has led the EU to declare there’s a fundamental human right to privacy. It demands a variety of measures as part of the General Data Protection Regulation (GDPR) that was issued last year to protect that right, plus mega-fines for companies such as Google and Facebook that flaunt those protections.
There’s no excuse for U.S. companies not to follow those guidelines, because the EU helpfully convened a task force that issued a “privacy by design” handbook. It guides companies in new approaches to facilitate designing privacy and security protections into the whole array of IoT devices and services from the earliest stages of design, rather than having to bolt the protections on as an afterthought after the fun part of designing the devices is completed. That approach creates a hopeless need to catch-up.
The authors of the pending U.S. IoT legislation follow a similar tack, emphasizing the “privacy by design” approach rather than prescriptive ones that might have inhibited innovation.
Companies and individuals can’t afford to abandon the IoT: the benefits and technological inevitability are simply too great. However, the escalation of the US/Russia cyberwar efforts to infiltrate each other’s smart power grids, and their potential for economic ruin and/or shooting wars as a result, plus the growing signs of public distrust due to shoddy privacy protections, mean that Congress and the private sector must work together now to craft flexible, evolving regulatory protections based on the EU ones that will assure security while at the same time not inhibiting innovation.
It can, and must be, done.
W. David Stephenson, principal of Stephenson Strategies (Millis, Massachusetts), is an IoT consultant and thought leader. His The Future Is Smart (HarperCollins Leadership), was one of the first books on IoT strategy.