IoT concerns. Episode 1: privacy and security

The Internet of Things has been on everyone’s minds lately, and as new applications are being developed, new revenue streams identified, and new audiences attracted into the faster, more convenient and less wasteful paradigm, the question remains: can we make it work? Apart from the technology issue (you know, that little detail of data becoming too Big to handle), there are plenty of concerns voiced by various commentators.

The ethics of owning and handling personal data are brought up frequently, as courts have yet to rule not only on what is and what is not private data, but also on whether that data, when automatically flowing between devices, can be traded by parties not involved in producing it. A few things the public is already aware of:

  • The big guys will always be on the lookout for Big Data. Says the White House: “Big data technology stands to improve nearly all the services the public sector delivers”. All state departments are working on building comprehensive databases using data that has not been signed off on by its rightful owner/source: the FBI is working on a facial recognition database, the Treasury Department recently launched a program to scan several government databases, the Defense Department is considering mining commercial databases; even the Education Department is using more than $500M in grants to build longitudinal databases to track student performance across schooling levels and geographies;
  • Commercial lists have been around for a while, but interconnectivity will make it easier for separate entities to compare and combine notes. New mining models make it harder for individuals to identify where and how their data are being stored, which means some of the responsibility for handling the privacy of data produced through IoT mediation may need to fall on the IoT actors involved in the transaction.

Security

Too many IoT startups are not dedicating enough “time, effort, energy, priority, scope, schedule or budget” to securing their devices, networks, or transient data. There are several reasons for that: trying to drive device costs down, moving launch deadlines, the development hassle of trying to stay ahead of the black hats. On the consumer side, the user doesn’t know much about security, and doesn’t care, either, even if caveat emptor is still the rule of the day.

That being said, in general, security for IoT is multilayered and hard to implement, as it needs to be in place simultaneously on three separate levels (which, in addition, need to speak to each other fluently).

  • First, there’s physical security. The device itself needs to be secured with locks, tamper-proof housings, alarms, or out-of-reach placement. Physical security is a primary problem with IoT. Devices that are easily stolen or broken into pose the biggest threats.
  • Then, network communications need to be secured, either through VPN or some other form of encryption. The problem with encrypted communications over the entire data path is that extracting immediate value from the data being processed may be slow, which defeats the purpose.
  • Lastly, data security. Whether we talk about the information stored on the device (data-at-rest) or what happens to data as it transits between devices and data centers, security poses a problem as well, maybe the biggest of all. Device locations, network topology, server names, and even usernames and passwords can all be compromised if all data is not encrypted.

The question is, will the IoT players start to design new and secure devices, networks and transfer protocols, or will they try to improve the existing ones, so as to save on cost and development time?