A lot of people, myself included, have been warning of the risks that the explosion in connected devices poses to privacy and security. More and more devices are listening in to our daily lives, either explicitly (like TVs and the slew of home automation hubs sprouting up on the market) or implicitly, by collecting data that can be collated with other information to provide insight into our lives (such as mobility solutions, surveillance cameras, smart retail stores and so on).
The recent flurry of hand-wringing over the WikiLeaks disclosures of CIA (and GCHQ) sourced hacking tools aimed at personal surveillance through IoT and other connected devices is a great example of the risks we run when these kinds of connected technologies are created and deployed faster than we can figure out how to secure them. While much of the current commentary is (rightly) expressing shock over the existence of advanced hacking tools aimed at these devices, and concern over the risk that they might be made available to the hacking world in general, the dialogue is, I would argue, about the wrong things.
If we’re this concerned about government agencies potentially deploying a small number of highly advanced hacking tools at targeted devices, why aren’t we more worried about the general trend of lightly secured devices hitting the market? Especially when considering how the pervasiveness of these devices may open up a far greater number of us to surveillance by all kinds of third parties, ill-defined corporate partnerships and, of course, criminals.
This is the real problem. At the moment it feels a bit like complaining there’s too much ice in my whiskey while ordering drinks on the Titanic. The unsecured IoT, in all its depressing predictability, has arrived, and we’re busy unboxing it and plugging it in right now.
To get a feel for just how huge this is, take a look at Shodan, a search engine that enables you to “discover which of your devices are connected to the internet, where they are located and who is using them.”
While Shodan itself is not malicious in nature, it highlights the very simple truth: that the scale of IoT is outstripping even our limited capability to safely absorb new technology. No single approach will fix this problem, because there are simply too many new parts, too many new players and it’s all moving too fast.
So it falls to those people who care about privacy and security and IoT (that’s you and me by the way) to start switching the conversation to one that is centered on the real risks, not just the headlines, and to offer up meaningful solutions to a problem that is currently vague, threatening and of colossal scale.
This conversation mustn’t allow headlines or sensationalism to drive the agenda. We must focus on the real problems, and the real risks to the things we care about. That said, diving into security issues that are unique to IoT first requires a step back to look at the bigger picture. In order to fully grasp the challenge, we first need to understand and agree upon the expectations for privacy and security. Most importantly, we mustn’t let this become a conversation about technology. It’s not. It’s not about the things, or the network, or what kind of encryption is used, or even where the data is stored. Rather, IoT will demand of us clear thinking about what privacy means, and what are the rights and responsibilities of various stakeholders, including citizens, governments, technologists and businesses, when it comes to information that pertains to each of us.
These devices, unsecured or not, will gather unimaginable amounts of data. Even more significantly, they will contribute to an even larger ocean of information that can be used to form insight into our lives that is far beyond even the most dystopian worldview of the likes of George Orwell.
We’ve had several years to talk about this and to think about the problems of IoT privacy and security. Most importantly, we’ve seen that the scale of the problem is growing even more rapidly than we could have guessed. It’s one thing to worry that your smart fridge will spend its evenings acting as a spam server (that’s the email, not the meat product), and quite another to discover that the devices you talk to are being subpoenaed in court, your children’s toys are reporting back what they hear to hackers, and your TV is watching you for the government’s dubious benefit. Well, maybe the last one isn’t so much of a surprise after all.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.