iot information privacy and security issues
43312942 ISYS100 Final Essay: Question 7 1/06/2015
The internet has become central in the everyday lives of countless people
across the world. Our ability to access information and communicate has
been greatly enhanced by the internet, and as technology has evolved,
our ability to take advantage of this has become easier and easier. The
internet has become a critical utility of the modern world, which people
have constant, quick access to through many devices such as laptops,
smartphones, and tablets. As this ability to communicate increases
alongside the data generated each day by ever-prevalent and constantly
developing technology at a greatly accelerating pace, the
interconnectedness provided by the internet’s ability to share and
distribute data becomes a critically important feature.
This increasing ability to generate and communicate data has given rise to
the prevalence of specialized devices which gather and share data on
numerous things, of which a growing sector has been personal and user
activity data. These devices, which use the internet to share specialized
real-world activity data between each other and other smart devices, are
what is now commonly referred to as the Internet of Things, or IOT
devices. These span from personal fitness trackers and smart TVs, to
connected automotive technology and beyond, with countless other
previously unconnected tools and devices getting ‘smart’ redesigns which
connect them to the internet and to each other to provide convenience
through automation for the user. Gartner estimates 4.9 billion IOT devices
are currently connected, and predicts that this will rise to 25 billion by
2020 [i]. With this growing number of IOT devices putting more and more of
our lives online, issues of information privacy become apparent.
IOT devices are categorized by David Rose (2014) into 6 broad areas:
Omniscience, Telepathy, Safekeeping, Immortality, Teleportation, and
Expression [ii]. These can be thought of as data- and web-assisted versions of:
Information Display, Social & Communicative Aids, Property Protection,
Health and Safety, Transportation, and Creative Tools. All of these aim to
provide digital solutions to physical problems. With devices such as FitBit
fitness tracking watches recording and transmitting our physical activity
and location data, and Apple TVs monitoring our viewing habits to tailor a
personalized viewing experience, information from numerous personal
devices is constantly being transmitted across the internet, not only to
our own other devices, but to numerous corporate servers which are often
essential in providing the service. This means that the more of our lives go
online, the more information about ourselves is being given away to
corporations. This is then used for things such as targeted advertising
campaigns, or to provide demographic information to the company.
Although this seems harmless at first, as Consumerreports.org (2015)
outlines, the data that is sent to these corporations is often far beyond
what we may anticipate, and is hidden in lengthy terms & conditions of use
and privacy policies. It is also often shared and sold between companies,
with basic data such as name and gender retailing at an average of 10.7c
per person [iii] (Athena Information Systems, 2015), which, when collected
across an entire user base, can amount to significant amounts of money,
creating a data sales economy between corporations. This means that
once your data is out there, you have very little control over who can see
it, or what it may be used for. Even if many consumers don’t take issue
with their data being collected and used, Consumerreports.org argues
“They need to have a choice, as it’s not always clear what information
stays on the device, and what goes out onto the internet” (Privacy tips for
the Internet of Things, 2015), and Haque agrees that “people should be
able to set policies governing which devices can talk to the devices that
they own, and what information is shared about them.” (cited in Bradbury,
‘How can privacy survive in the era of the internet of things?’ 2015). Along
with this, the information that is relayed between your devices and
corporate servers is often unencrypted, leaving it open to hackers
and other criminals who can gather personal data. With identity
theft the largest growing cybercrime (Week 6 Lecture), this leaves
users of IOT technology seriously exposed to becoming victims.
It would seem that the only solution for the consumer to maintain privacy
would be to not purchase any of these internet connected devices,
however, in an age ruled by internet communications, it’s extremely
difficult to go without this technology because of the practical disadvantage
it would entail. As Christin, Engelmann and Hollick outline, “Such binary
choices … void potential benefit for both users and applications” (Usable
Privacy for Mobile Sensing Applications 2014). Smartphones and tablets
are an example of a technology which is ubiquitous enough within the
modern world so as to put non-users at an information processing
disadvantage as compared to the societal average. A 2012 study
conducted by Harris Interactive (cited in PTOI 2013) found that (despite
the retrospectively limited smartphone functionality of 2012), “The
average app usage per users amounts to 88 minutes of time saved a day
or 22 days of free time a year” [iv] (cited in PTOI, ‘Smartphone apps help
save 22 days of your time per year’ 2013), and a study by Kensington
Security (2015) found that between 2010 and 2015, the use of
smartphones and tablet devices allowed workers more flexible work
schedules, leading to 35% of respondents being able to work more hours
thanks to the ability to work away from the office, with a 21% increase of
workers completing the majority of their work from home [v]. Of this, most
respondents cited the biggest change to be reliance on smartphones and
other mobile devices allowing better remote access to services such as
email, allowing for an increase in overall productivity [vi]. With these
increases in productivity, those without these technologies are put at a
distinct disadvantage. However, this reliance gives smartphones and
tablets major privacy issues, especially since, unlike computer web
browsers, apps and other smartphone software often have severely
lacking, or no, encryption or data security measures in place
(Consumerreports.org 2015, Thompson 2013). Now that our mobile
phones have consistent access to the internet, more technology is being
developed around them to integrate the functions of many other devices
into one, such as iOS Passbook, HealthKit, and Apple Pay. With this
amalgamation of device functions into a single, IOT connected device, the
information privacy risks of smartphones and tablets are extremely high.
As well as reliance on smart technology for productivity, users wishing to
maintain information privacy cannot simply abandon IOT devices, as
many are integrated into technologies whose online functionality is not
directly apparent. The main example of this is in modern
automobiles. Mechanisms within modern cars are controlled by a series of
computers which communicate over a wired network. However, this
network is also connected indirectly to wireless internet networks via
Bluetooth, Cellular, WiFi and even Radio (Rubin 2011). These networks
are used for IOT device functions such as GPS, mobile connectivity,
distress signals, receiving and decoding digital radio broadcasts, and
collecting diagnostic information on the vehicle. Although these networks
were considered reasonably secure due to the short-range wireless
capabilities of the exploitable functions, researchers have recently,
through complex software reverse-engineering, been able to make use of
radio signals themselves to exploit, disrupt, and gain access to the critical
wired network within the car, as well as the diagnostic and location
information stored locally (Rubin 2011 & Corman 2013). This puts modern IOT
automobiles at not only information privacy risk, but also physical security
risk, with demonstrations showing that critical systems such as brakes and
steering can be shut off (Rubin 2011 & Corman 2013).
Physical security risks due to information privacy risks are now on the rise
with IOT devices controlling even more critical pieces of technology, with
medical IOT perhaps the most at risk for misuse. Implanted and external
machines such as pacemakers, insulin pumps, and cochlear implants
make use of wireless communication technologies for safety and
convenience purposes (Rubin 2011 & Corman 2013). This, however,
poses a more immediate threat to physical security, as the devices have
direct control over specific bodily processes. The information provided by
these devices can give key insights into the health status of a user, which
can be used for good (monitoring for medical emergencies), or bad (using
medical issues to one’s advantage). And along with this privacy risk, the
security risk of these devices being tampered with would result in serious
medical consequences for the users, up to and including death, making
murder and assassination via medical device hacking a real possibility
(Wadhwa 2012). Luckily, measures are being developed by medical
technology manufacturers to combat this security and privacy issue, with
“noise shields” and “biometric heartbeat sensors” (Wadhwa 2012) among the
attempts at creating medical cybersecurity. However, as Wadhwa points
out: “these developments pale in comparison to the enormous difficulty of
protecting against “medical cybercrime,” and the rest of the industry is
falling badly behind.” (Yes, You Can Hack A Pacemaker (And Other
Medical Devices Too) 2012).
Legal battles over the privacy of information have been plaguing big tech
companies since the advent of the information era, and with information
privacy concerns being brought to light to the consumer due to the
actions of Edward Snowden, Wikileaks, and a number of other
whistleblowers, big tech companies are being challenged legally by an
informed consumer base. This is evidenced with the legal disputes Google
faces globally, especially with a recent Anti-Trust lawsuit filed against
them by the European Union over SEO cookie concerns (Kottasova &
Goldman 2015). However, companies such as Apple have, supposedly,
taken steps to improve their image when it comes to their privacy policy,
announcing in 2014 that internet transmitted iOS 8 device data will be
encrypted with the user’s Apple passcode (Hill 2014). And various
information security practices are being developed to address the specific
issues regarding IOT privacy concerns, such as software protection from
data mining mechanisms known as Privacy Enhancing Technologies (or
‘PETs’) such as active bundle technologies or multi-party computations
(Roman, Zhou and Lopez 2013). Although these policies and technologies
are moving towards securing information in IOT technology, Roman, Zhou
and Lopez stress that they are not perfect solutions, and rather than
relying upon these technologies to mitigate privacy concerns, “these
concepts should be extended in order to help users to become more
aware of how their surroundings capture and use their information” (On
the features and challenges of security and privacy 2013, 3.3.4.1).
Technical writers such as Webb similarly recommend awareness and
appropriate policy implementation with corporate responsibility, believing
“If designed responsibly, our devices will have no interest in world
domination, but rather in using their intelligence and communicative
capabilities to make our lives as trouble-free as possible”, and that
“Putting in place the right controls today will protect our privacy
tomorrow” (Does the Internet of Things mean the end for Privacy? 2015).
This approach would ensure legal protections for the consumer’s
information regardless of the advance in technology required to keep up
with new IOT implementations, however the key flaw is that it offers no
protection from the illegal seizure of information by non-corporate
entities, such as hackers and scammers. Corman uses the metaphor of
“getting in the water with an apex predator” (Swimming with sharks -
security in the internet of things 2013) to describe the risks of using IOT
technology. In the increasingly internet connected world, Corman believes
that the apex predators are not technology corporations, but rather the
hackers and cybercriminals who do not operate via codes of conduct, and
are often outside the limits of legal culpability due to anonymizing
technology. Along with the aforementioned rise in identity theft, crimes
relating to remote access to IOT devices are prevalent, with the 2014
celebrity sextortion photo hack making use of Apple’s lack of security on
their iCloud inter-device photo-sharing service (Williams 2014) despite laws
in place to prevent this data collection. As well as this, countless IOT
webcams and security cameras have had their technical vulnerabilities
exploited to create ‘open access’ personal webcam streams online, where
anyone on the internet could access and illegally view people’s webcam
activity without their knowledge, leading to similar cases of sextortion
(Toor 2013, Corman 2013, Opentopia.com 2015). Hence, the legal and
social approach to securing IOT information privacy concerns is not
reliable in truly preventing information theft, as Kranenberg argues:
“Policies are no longer hacking it” (via Bradbury 2015) due to the dangers
of illegal parties having these capabilities.
The emergence of Internet of Things technology, driven by the
accelerating development of internet-based technologies, has brought the
online world into the physical. However, in doing so, information privacy
issues associated with these technologies have now also moved into the
realm of personal, physical data collection and communication. More IOT
technologies are being developed, and these technologies are becoming
further integrated as necessities in a modern society, often in
mechanisms whose internet connected nature is not immediately clear to
consumers. IOT devices are also performing more and more critical
functions, such as medical treatment devices. As these developments
continue, attempts to control the information privacy risks posed by these
technologies are being instituted by legal, political, and social forces, and
technologies are being developed to further secure these vulnerabilities.
However, these policies and technologies cannot keep up with the new
functionality of IOT technology, and cannot adequately ensure that
personal information is secure from cybercriminal activity. Information
privacy risks are inherent when dealing with IOT technology, and until
cybersecurity technologies advance enough, and until IOT developers
create a standard for information privacy and security, this risk can only
be mitigated by consumer awareness rather than prevented outright.
43312942 ISYS100 Final Essay: Appendix 1/06/2015
[i] Gartner IT 2014, ‘Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015’, Press Release, 11 November, Barcelona, accessed via <http://www.gartner.com/newsroom/id/2905717> viewed 30 May
[ii] Rose, D 2014, Enchanted Objects: Design, Human Desire, and the Internet of Things, TEDx Talks, YouTube, Boston MA, accessed via <https://www.youtube.com/watch?v=I_AhhhcceXk> viewed 28 May. Picture via: <http://enchantedobjects.com/wp-content/uploads/EnchantedObjectsPoster.png>
[iii] Athena Information Solutions 2015, Privacy and Security in a Connected Life, accessed via Multisearch & ProQuest <http://search.proquest.com.simsrad.net.ocs.mq.edu.au/docview/1669890772?accountid=12219&title=Privacy and Security in a Connected Life> viewed May 27
NOTE: AMOUNT SHOWN IS IN RUPEES, TOTAL AMOUNT OF GENDER + NAME CONVERTED TO USD = 10.7c
[iv] Press Trust of India 2014, Smartphone apps help save 22 days of your time per year, NDTV Gadgets, accessed via <http://gadgets.ndtv.com/apps/news/smartphone-apps-help-save-22-days-of-your-time-per-year-371724> viewed May 30
[v] & [vi] Kensington Computer Products Group 2015, ‘Productivity Trends Report 2015’, pp. 1 – 12, Report, accessed via: <http://www.kensington.com/us/us/6786/kensington#.VWrb5M-qqkr> viewed May 30
43312942 ISYS100 Final Essay: Reference List 1/06/2015
Reference List:
1. Athena Information Solutions 2015, Privacy and Security in a Connected Life, accessed via Multisearch & ProQuest <http://search.proquest.com.simsrad.net.ocs.mq.edu.au/docview/1669890772?accountid=12219&title=Privacy and Security in a Connected Life> viewed May 27
2. Bradbury, D 2015, How can privacy survive in the era of the internet of things?, The Guardian, accessed via <http://www.theguardian.com/technology/2015/apr/07/howcanprivacysurvivetheinternetofthings> viewed May 27
3. Burnett, C A 2015, Welcome to the Internet of Things. Please check your privacy at the door., IT World, accessed via <http://www.itworld.com/article/2906805/welcome-to-the-internet-of-things-please-check-your-privacy-at-the-door.html> viewed May 26
4. Caruana, A n.d., Privacy and the Internet of Things, CSO Australia, accessed via <http://www.cso.com.au/article/559985/privacyinternetthings> viewed May 27
5. ConsumerReports.org 2015, Privacy tips for the Internet of Things, accessed via <http://www.consumerreports.org/cro/magazine/2015/06/privacy-tips-for-the-internet-of-things/index.htm> viewed May 27
6. Corman, J 2013, Swimming with Sharks – Security in the Internet of Things, TEDx Talks, YouTube, Naperville IL, accessed via <https://www.youtube.com/watch?v=rZ6xoAtdF3o> viewed 28 May
7. Cusanelli 2015, Kensington Survey: Mobile Devices Increase Productivity, Working Hours, The VAR Guy, accessed via <http://thevarguy.com/business-smartphone-and-tablet-technology-solutions/033015/kensington-survey-mobile-devices-increase-productivity-> viewed May 30
8. eMarketer 2014, 2 Billion Consumers Worldwide to Get Smart(phones) by 2016, accessed via <http://www.emarketer.com/Article/2-Billion-Consumers-Worldwide-Smartphones-by-2016/1011694> viewed May 27
9. Essers, L 2013, Google trial to continue to Italian supreme court, PCWorld, accessed via <http://www.pcworld.com/article/2035387/google-video-trial-to-continue-to-italian-supreme-court.html> viewed May 31
10. Gartner IT 2014, ‘Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015’, Press Release, 11 November, Barcelona, accessed via <http://www.gartner.com/newsroom/id/2905717> viewed 30 May
11. Hill, K 2014, Apple And Google Will Force A Legal Battle Over The Privacy Of Your Passcode, Forbes, accessed via <http://www.forbes.com/sites/kashmirhill/2014/09/19/apple-and-google-privacy-of-your-passcode/> viewed May 30
12. Information Age 2012, Privacy, smart meters and the Internet of Things, Information Age, accessed via <http://www.informationage.com/technology/informationmanagement/2113628/privacysmartmetersandtheinternetofthings> viewed May 27
13. Kensington Computer Products Group 2015, ‘Productivity Trends Report 2015’, pp. 1 – 12, Report, accessed via: <http://www.kensington.com/us/us/6786/kensington#.VWrb5M-qqkr> viewed May 30
14. Kosman, J 2015, Microsoft the big winner in Google antitrust lawsuit, New York Post, accessed via <http://nypost.com/2015/04/15/microsoft-the-big-winner-in-google-antitrust-lawsuit/> viewed May 31
15. Kottasova, I & Goldman, D 2015, Google Under Siege: Europe Wants Blood, CNN Money, accessed via <http://www.pcworld.com/article/2035387/google-video-trial-to-continue-to-italian-supreme-court.html> viewed May 31
16. Mayer, C 2013, Don’t Be Dumb About Smartphone Privacy, Forbes, accessed via <http://www.forbes.com/sites/nextavenue/2013/03/05/dont-be-dumb-about-smartphone-privacy/> viewed May 30
17. Naccache, D & Sauveron, D (eds.) – Preneel, B 2014, Lightweight and Secure Cryptographic Implementations for the Internet of things (Extended Abstract), pp. XIII – XIV, Kasper, T, Oswald, D, Paar, C 2014, Sweet Dreams and Nightmares: Security in the Internet of Things (Abstract), p. XV, Christin, D, Engelmann, F, Hollick, M 2014, Usable Privacy for Mobile Sensing Applications, pp. 92 – 107, in ‘Information Security Theory and Practice’, WISTP, International Federation for Information Processing, Springer, accessed via Multisearch & Springer <http://www.springer.com/us/book/9783662438251> viewed May 27
18. Nicholls, J 2015, Google alleged privacy violations ‘merit a trial’, Computer Business Review, accessed via <http://www.cbronline.com/news/cybersecurity/business/google-alleged-privacy-violations-merit-a-trial-4542123> viewed May 31
19. Opentopia 2015, Opentopia: Free Live Webcams, accessed via <http://www.opentopia.com/hiddencam.php> viewed May 31
20. Povoledo, E 2009, Google executives on trial in Italy, The New York Times, accessed via <http://www.nytimes.com/2009/02/03/technology/03iht-google.4.19904181.html?_r=0> viewed May 31
21. Press Trust of India 2014, Smartphone apps help save 22 days of your time per year, NDTV Gadgets, accessed via <http://gadgets.ndtv.com/apps/news/smartphone-apps-help-save-22-days-of-your-time-per-year-371724> viewed May 30
22. Press, G 2014, Internet of Things By The Numbers: Market Estimates and Forecasts, Forbes, accessed via <http://www.forbes.com/sites/gilpress/2014/08/22/internet-of-things-by-the-numbers-market-estimates-and-forecasts/> viewed May 30
23. Roman, R, Zhou, J, & Lopez, J 2013, ‘On the features and challenges of security and privacy in distributed internet of things’, Computer Networks, vol. 57, no. 10, pp. 2266 – 2279, accessed via Multisearch & ScienceDirect <http://www.sciencedirect.com/science/article/pii/S1389128613000054> viewed May 27
24. Rose, D 2014, Enchanted Objects: Design, Human Desire, and the Internet of Things, TEDx Talks, YouTube, Boston MA, accessed via <https://www.youtube.com/watch?v=I_AhhhcceXk> viewed 28 May
25. Rubin, A 2011, All Your Devices Can Be Hacked, TEDx Talks, YouTube, Washington D.C, accessed via <https://www.youtube.com/watch?v=metkEeZvHTg> viewed 28 May
26. Steel, E, Locke, C, Cadman, E, Freese, B 2013, How much is your personal data worth?, Financial Times, accessed via <http://www.ft.com/intl/cms/s/2/927ca86e-d29b-11e2-88ed-00144feab7de.html#axzz3bchVxdtT> viewed May 30
27. Thompson, C 2015, Here’s how much thieves make by selling your personal data online, Business Insider Australia, accessed via <http://www.businessinsider.com.au/heres-how-much-your-personal-data-costs-on-the-dark-web-2015-5> viewed May 30
28. Thompson, G, Gould, M, Christodoulou, M 2013, In Google We Trust, Four Corners, Australian Broadcasting Corporation, Sydney, <http://www.abc.net.au/4corners/stories/2013/09/09/3842009.htm> viewed May 31
29. Toor, A 2013, Creepstreams: an interactive map of insecure webcam feeds, The Verge, accessed via <http://www.theverge.com/2013/1/22/3902698/trendnet-security-camera-streams-mapped-out> viewed May 31
30. Wadhwa, T 2012, Yes, You Can Hack A Pacemaker (And Other Medical Devices), Forbes, accessed via <http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/> viewed May 31
31. Webb, G 2015, Does the Internet of Things mean the end for privacy?, ABC Technology and Games, accessed via <http://www.abc.net.au/technology/articles/2015/04/24/4223019.htm> viewed May 27
32. Weber, R H 2010, ‘Internet of Things – New Security and Privacy Challenges’, Computer Law & Security Review, vol. 26, no. 1, pp. 23 – 30, accessed via ScienceDirect <http://www.sciencedirect.com/science/article/pii/S0267364909001939> viewed May 27
33. Williams, O 2014, This could be the iCloud flaw that led to celebrity photos being leaked, The Next Web, accessed via <http://thenextweb.com/apple/2014/09/01/this-could-be-the-apple-icloud-flaw-that-led-to-celebrity-photos-being-leaked/> viewed May 31
34. Wind River 2015, ‘Security In The Internet Of Things’, Report, accessed via <http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf> viewed May 30