ICFE eNEWS #16-31 - September 7th 2016
Using The Internet of Things (IoT) or Privacy:
A Tough Choice
By Yan Ross, Director of Special Projects,
True to the long-standing observation that security and convenience
are at opposite ends of the spectrum, the advent of the "Internet
of Things" (IoT) has caused consumers and businesses alike
to make difficult decisions. As much as people generally say they
value their privacy, in practice the appeal of applications
of the latest "whiz-bang" technology often overcomes privacy
concerns. To date, most of these applications are based on mobile
communications technology, usually in the form of smartphones.
However, connectivity with the internet using less obvious but
more ubiquitous devices is quickly becoming the highest growth sector
in consumer technology. With this phenomenon comes the sometimes
reckless abandonment of privacy concerns. Somehow the convenience,
and even the demonstration of being up to date, appear to have overcome
concerns for privacy about the transmission, storage, access, and
distribution of highly personal and sensitive information.
Examples include the popular Echo from Amazon, Nest thermostats
and other home system control devices, automobile information and
control modules, and even "wearables" - devices that are
worn, not carried, and report many personal activities and characteristics,
including medical data.
The interoperability of these internet-connected devices presents
both convenience and security challenges. The ability to monitor
and control medical devices, such as an insulin pump for a diabetic,
is certainly of great value to both patient and healthcare provider.
But it's also an opportunity for identity thieves and others with
ulterior motives to access sensitive information, abuse medically
confidential data, and even control the device.
Although there is no statistically sound way of assessing the
implementation of encryption or other means of securing the information
flow of such devices, there has to date been no credible assurance
of the security, and thus privacy, of these systems. As fast as
bugs are discovered and reported, manufacturers work to fix them
- but in the meantime, new issues appear to arise on a regular basis.
Indeed, media reports abound regarding such intrusions as hacking
the computer control systems of late-model automobiles, pirating
the camera and microphone programs on desktop, laptop and tablet
computers, and even interfering with internet-enabled televisions
and kitchen appliances.
That describes the illicit hacks of IoT
devices, but there are also privacy implications for users who willingly
permit what appear to be unintended uses. A notable example is the
for these devices. Without accepting these End User Agreements,
they just don't work. But the terms can place the consumer in a
disadvantageous position with respect to privacy concerns.
For example, interactive speakers such as the Echo are able
to record and report to the sponsoring server all of the requests
of the user. As the information in these requests is logged in,
it is analyzed for preferences, products and service interests,
and other indicia to create targeted advertising that comes back
to the user in subtle and blunt forms. It may come in pop-up ads
on related or unrelated web sites, e-mail prospecting, or even robo-calls.
It is not a long leap to see how the collection, analysis, sale,
and use of such information could serve political as well
as commercial purposes. Remembering that political phone calls are
exempt from the federally-mandated Do Not Call list, is it likely
that the intention of the user is to give the electoral candidates
a candid peek into the most personal preferences?
The purpose of this article is not to cripple or create obstacles
to the use of the Internet of Things. To be sure, that is unlikely
in any case. Rather, we seek to raise the awareness of consumers in
the acquisition and use of the interface devices that may subject
them to unwanted invasions of their valued privacy, especially in
cases where they inadvertently give permission for such incursions.
ICFE continues in its mission to educate and assist consumers
in the issues and challenges that face them as they integrate technological
solutions into their daily lives.
Ross is ICFE's Director of Special Projects, and the author of the
Certified Identity Theft Risk Management Specialist® XV CITRMS®
course. As an accredited educator for over 20 years, he has addressed
Identity Theft Risk Assessment and management for consumers, organizations
holding personally identifiable information, and professionals who
work with individuals and organizations who are at risk of falling
victim to identity thieves.