Padlocks. Image courtesy of Shutterstock.
Naked Security

Internet of Things is a threat to privacy, says FTC

Minimizing the amount of data collected is one way to mitigate risk, suggested FTC Chairwoman Edith Ramirez during a speech at the internet-enabled gadget-engorged Consumer Electronics Show.

The head of the US Federal Trade Commission (FTC) took to the floor of the mammoth Consumer Electronics Show on Tuesday to warn that the Internet of Things (IoT) – that front-door opening, smart plant-watering, mood-light-setting, recipe-suggesting world whirring away in Las Vegas this week – is a threat to our privacy.

Edith Ramirez, FTC chairwoman, wrote in her remarks for a speech at the show that the amount of information about us now being collected is heading toward shockingly intimate portraits of us all:

In the not-too-distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored. That data trove will contain a wealth of revealing information that, when patched together, will present a deeply personal and startlingly complete picture of each of us - one that includes details about our financial circumstances, our health, our religious preferences, and our family and friends.

That’s certainly not news.

One of the more recent alarm bells was rung by HP Security Research, which in August came out with a report that found that smart TVs, webcams, thermostats, remote power outlets, sprinkler controllers, door locks, home alarms, scales and garage door openers were all flunking Security 101, with issues as bad as “Sure, go ahead, we consider ‘1234’ to be a perfectly acceptable password.”

Even though these issues aren’t breaking news, CES is certainly a good place to raise questions about privacy and security, as the makers of internet-enabled things gather to hawk their wares.

As it now stands, Ramirez said, the IoT could do a world of good:

The IoT could improve global health, modernize city infrastructures, and spur global economic growth.

But the potential risks to privacy are as immense as the potential benefits, she said, given that devices are collecting data from “currently intimate spaces” such as homes, cars, and even our bodies:

Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing, and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks.

Beyond the privacy implications of IoT vendors potentially selling or sharing personal data with data brokers, prospective employers, universities et al. (who could pigeonhole us socioeconomically for marketing purposes), inadequate security on smart devices presents even more entry points for intruders to exploit (as if data breaches aren’t bad enough already), Ramirez said.

She suggested three solutions for the industry:

  1. Security by design
    Companies should bake in security by conducting a privacy or security risk assessment during the design process; testing security measures pre-launch; using smart defaults such as requiring consumers to change default passwords during set-up; considering encryption, particularly when handling sensitive information like health data; monitoring products throughout their life cycle; and patching known vulnerabilities when possible.
  2. Data minimization
    Much of the data collection is being done without clear reason, just in case it’s needed down the road. But all that data increases the potential impact of a data breach. If it hasn’t been collected in the first place, it can’t fall into the wrong hands.
  3. Notice and choice for unexpected uses
    We know that the smart thermostat is collecting data on our home-heating habits, and we know that our fitness bands are collecting data about our activity and health levels. But we probably wouldn’t be too happy with the notion that that data was being shared with data brokers or marketing firms. In cases such as these, consumers should be given clear, simple notices of what will happen with their data, along with a way to consent. By “clear and simple,” we mean not buried within a lengthy privacy policy or terms of use.

Those are good goals, and let’s hope that the IoT vendors were listening to Ramirez’s speech.

As it is, one friend who’s at the show reports back that security and protection of customer assets certainly doesn’t appear to be priority number one with IoT vendors he’s spoken to, many of whom just shrug when he asks how their stuff’s protected.

The IoT: it will bake our tortillas, control the household plant watering, release chemicals into our hot tubs, control locks and suggest recipes based on what’s in our refrigerators.

But is it poised to protect our security and privacy?

Let’s hope it can do a better job at it than we’ve seen so far.

As Ramirez said, there are billions of dollars in this growing industry.

The stakes are too high, she said, to gamble with consumer security and privacy.