As the world grapples with the effects of COVID-19, many governments and communities are turning to contact tracing, biometric identity management and face mask recognition technologies as a means to help track, trace and curb the spread of the virus. However, as with any mass data collection effort, contact tracing raises ethical questions and concerns about data, such as what types of data are being collected, how much, and where the data will be stored and who can access it.
There’s no denying the world as we know it has changed in a short amount of time. COVID-19 will certainly go down in history as one of the greatest disruptors ever. As governments, organizations and individuals have reacted and adapted, much of our daily routines, tolerances and values have changed. Good or bad, the way we live has been transformed.
But media headlines reflect that Americans are reluctant to adapt such technologies; we’ve seemingly become accustomed to the deluge of alerts of IoT device hacks and data breaches. Naturally, Americans would have safety concerns about the devices — such as thermometers, surveillance cameras and body temperature monitors — that are being used to monitor our movements during the times of COVID. The way we move in and out of our offices, as well as restaurants, barber shops and everything in between, has the potential to be traced.
How do we ensure contact tracing efforts are not only ethical and private, but also leverage the use of secure IoT devices that are rigorously tested and secure?
The importance of IoT security
In order to successfully launch a local or nationwide tracing effort, it’s imperative that IoT and surveillance devices used for the effort undergo rigorous and regular product certification and testing to ensure they do exactly what the manufacturer claims. In addition, manufacturers must ensure that these devices are used only their intended purpose, and that they don’t capture any additional or personally identifiable data.
To provide consumer trust in IoT products that may be leveraged for track and trace efforts, manufacturers should perform an in-depth assessment of how the product has been specified, developed, tested and verified. In addition, the analysis must be supported by a detailed examination of the appropriate information controls required to secure associated data to ensure the privacy of any personally identifiable information.
The right to privacy is quickly becoming mandated across the globe. With GDPR being enacted in Europe two years ago, the California Consumer Privacy Act and, most recently, Brazil’s LSPD, consumers rightfully expect their personally identifiable information to be protected and not shared without permission. Therefore, it’s imperative that a contact tracing effort is transparent and reassures people that their data is secure.
While penetration testing is an important part of this process, it’s only when combined with these other assessment practices that trust in the app or device can be assured. Ultimately, any manufacturer developing an IoT product should be able to answer these four key questions:
- Will it work as it is intended?
- Will it be safe?
- Will it be secure?
- Will it remain safe, secure and operate as intended throughout its intended lifespan?
Any manufacturer developing connected products, especially ones that may be leveraged for contact tracing, should have security as an essential part of the design process. It’s critical to verify compliance with IoT security design guidelines.
However, claiming appropriate protection and security measures are taken is only the start. Independent verification that the technology is processing and deleting the information properly will provide a greater degree of confidence and trust that consumers are increasingly demanding.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.