IoT, Privacy, and Security: Innovation Vs. Regulation

By CIOReview | Tuesday, May 2, 2017

“If we had computers that knew everything there was to know about things—using data they gathered without any help from us—we would be able to track and count everything, and greatly reduce waste, loss and cost,” remarked Kevin Ashton in the RFID Journal back in 1999, and this notion could not be more relevant in today’s world. The Internet of Things (IoT) has emerged as a powerful tool that complements the statement Ashton made long ago. From ovens to medical devices, from watches to jet engines, all kinds of devices are connected to the internet through IoT. According to a report published by Cisco, there were about 25 billion devices connected to the internet in 2015, and that number is expected to grow to 50 billion by 2020. More and more businesses are switching to IoT devices to maximize their business efficiency.

While we celebrate the progress that we have made by embracing IoT, it also creates a dystopia in which every individual’s personal data is monitored at every moment, making privacy a distant dream and exposing users to constant threats. Every IoT device demands constant monitoring, whether of a user’s GPS location, the amount of electricity or fuel used, or the image feed from a security camera. All these monitoring activities collectively generate zettabytes of data, which may turn out to be a treasure trove for cybercriminals. Beyond doubt, IoT is proliferating rapidly and its importance cannot be denied; however, it is imperative that we keep our eyes open and do not ignore privacy and security concerns.

Privacy in IoT Devices

Transmission of data always puts privacy at risk. For instance, a report by CNN Money states that hackers stole customers’ mobile payment information through the Starbucks mobile app and used it to drain their bank accounts. This is an example where using an IoT device undermined the security of user data. Researchers have shown that everything from medical devices to vehicles can be hacked, exposing the user to personal and cyber threats.

“Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it's digital cameras or satellites or just what you click on, we need to have more explicit rules—not just for governments but for private companies,” commented Bill Gates, the co-founder of Microsoft. Gates rightly pointed out the role of organizations in curbing the menace of cyberthreats, and this approach should be adopted to strengthen security measures.

On the other hand, the huge amount of data collected by organizations can be useful in determining user trends and behavior. Most organizations prefer to preserve personal data and leverage it later to deliver better customer service. Connected devices are helping companies offer cutting-edge solutions; however, IoT is still in its infancy, and evading privacy and security concerns will damage the benefits that can be reaped.

How to contain the risks in IoT devices?

In early 2015, the FTC issued a report on IoT, ‘The Internet of Things: Privacy and Security in a Connected World’, which addressed the issue of security and privacy along with the risks of data collection through IoT. The report suggests a two-fold approach toward data security in an IoT environment:

1. Through Data Minimization, companies limit the data collected from the user and dispose of data that is not useful from a business standpoint. If personal data is collected, then that data set should be de-identified without delay, wherever possible.

2. Notice and Choice should be given to users, informing them how their data is going to be used and with whom it will be shared. Although the report states that such implementation will be difficult for devices that do not have a user interface, giving the consumer the prerogative of reviewing security preferences and policies will go a long way in averting security threats.

Government intervention in regulating security principles has hitherto been minimal, leaving it to organizations to formulate security policies. However, vast differences in security policies across organizations have created a lot of confusion. A vital step toward ensuring security in the IoT realm has been taken by the European Union. As per the EU’s Data Protection Directive, personal data can be collected strictly for legitimate purposes. Furthermore, the law mandates that the organization or individual collecting the data protect it from misuse and threats.

Containing the risk in IoT devices can be a daunting task and still remains a major concern. However, with the deployment of powerful security measures, organizations can make the best use of IoT technology. To leverage IoT successfully, organizations need to keep pace with the fast-paced technology world without neglecting privacy and security concerns.