If you just so happen to be in the market for new things,
you may notice a trend in marketing - you can purchase things, or you can
purchase smart things. But what is it
that makes smart things smart? A thing becomes a smart thing with experience,
access to information, feedback, and a good memory. Thus, the Internet
revolution of the last few decades has allowed for our things to develop
intelligence modeled after our own. The Internet of Things (IoT) revolves
around this concept. To streamline and enhance the use of a particular product,
or to tap into a previously underutilized efficiency, we ought to grant new
senses to our lifeless things. We give our things a voice by allowing them to
communicate with databases of stored information, as well as allowing them to
communicate with each other, as in the case of Vehicle to Vehicle communication
(V2V). We give our things a sense of sight and touch in the forms of cameras
and sensors. Indeed, these things may have more refined senses and make better
judgements than we do as in a smart watch that monitors your pulse, blood
pressure, vital signs, and even sleep patterns, and then relays that
information with healthcare professionals when needed.
There are so many potential benefits of these communicative,
personalized and specialized products. In doing research for this project, I was
blown away at the products and ideas that are spurring innovation of the IoT,
and I encourage you to venture down the rabbit hole of these technologies when
you have some free time. The Internet of Things allows for gains in the ease of
use, efficiency, helpfulness, personalization, and a unique experience to be
made in technologies. Lights that turn on when you walk into the room with your
smartphone in your pocket, HVAC regulated based on whether you’re in your home
or not, a refrigerator that lets you know when you need to make your trip to
Smith’s as well as some recipes based on the food you have in store, and a
vehicle that knows how to fix its own problems much better than your
neighborhood wrench-turner are only the beginnings of the possibilities for
intelligent products. In all aspects, the goal is to streamline life as a
whole. However, in doing so we introduce ourselves to a myriad of privacy concerns,
which ought not to be simply cast aside to make room for our newer, smarter,
and cooler things.
What could be wrong with sharing hundreds of thousands of
data points1 collected from items around your home with corporate
databases and other devices you may ask? Vulnerability to hacking, the
collection of personal and financial information, and even the fear of physical
intrusion or harm are a few among many privacy concerns associated with the
IoT. Imagine, for example, a device that allows you to unlock your doors or
even open your garage door automatically based on either proximity of a
smartphone or a smartphone app. Were this device to be compromised by a hacker,
you may have a great deal of intrusion on seclusion on your hands. A rather
extreme example, possibly, one could just as easily throw a brick through a window.
But you can see how compromises of devices around your home and otherwise
presents a unique set of concerns. Let’s consider the less-drastic example of a
smart refrigerator. ISIS won’t be patrolling the swarms of smart refrigerators
in the country to make a blacklist of suspect individuals low on 2% milk. But
let’s say that your financial information is tied in with your refrigerator so
you can preorder groceries automatically. Your refrigerator can then become a
mode of entry for a hacker to obtain more pertinent and potentially destructive
information. Provided the case that individual products have strong security
functions built into them, there is a compounding chain effect when things are
linked with other things, in Machine to Machine (M2M) communication. It
therefore may possible to break the weakest link in the chain of things in
order to obtain access to information. While our things may learn more
efficiently than we humans do, they may not keep secrets as well. None of this
is not to say that your personal information cannot be obtained through other
ways or more easily in other cases, the IoT just provides more doors into your
personal life. And where there are more doors, shouldn’t there also be more
locks?
Naturally, the rise in the Internet of Things has led to
debate as to whether these things ought to be regulated by the government, or
whether businesses should be allowed to control privacy concerns on their own.
On one hand, you have the argument in favor of business autonomy, after all,
businesses are incentivized to protect the privacy interests of their customers
by the concerns of customers themselves right? This may very well be, and this
has certainly contributed to the recent success of large companies with smart
technologies in the last several years. Your Nest smart thermostat may be a
rather secure device (they really are pretty cool), and it’s possible that the
developers really value your privacy and have installed ample safeguards to
keep things like location and personal information secure. But what happens
Best (not a real company) releases a competing thermostat 3 to 5 years from
now? Best might decisively not employ
the same safeguards as a way to cut costs and increase competitiveness in the
market. This is the problem of standardization, one raised by several privacy
experts2. Federal regulation of the IoT can help to solve this
problem. The FTC has contributed to the discussion around the IoT, especially
in their 2015 report on the Internet of Things3. They vocalized
support for policies such as the responsibility of companies to respect the
right to not be tracked, and to minimize collection and storage of data among
other concerns4. However, these have essentially taken the forms of recommended
“best practices” by the FTC and not legislative definition. While these recommendations
are certainly a step in the right direction, they fail to set clear precedent
and establish no consequences for a company’s failure to value the privacy
interests of individuals. The Electronic Privacy Information Center (EPIC)
among other privacy interest groups have petitioned Congress to employ and
enforce requirements with the intent of standardizing and enhancing security
and privacy. In a letter4 sent by EPIC, they maintain the position
that “Industry self-regulatory programs do not provide meaningful privacy
protections” and that “the NTIA should support a strong legal framework that
protects American
Internet users and promotes public safety”. I would have to
agree. I’m grateful that there are federal laws mandating the regulation of
seatbelts in automobiles and the ways in which they ought to be installed, and
I value my privacy enough that I believe federal legislation relating to the
IoT is imperative.
While we currently have a lot of expectations to privacy
within our own homes, I fear the IoT may slowly erode this expectation in many
instances. If we are to reap the benefits of an interconnected society, and the
consumer products it produces that help to streamline our lives, we must be
aware of and actively monitor the potential privacy threats that such devices
introduce.
References
1.
How the Internet of Things will affect security &
privacy (http://www.businessinsider.com/internet-of-things-security-privacy-2016-8)
2.
Security and
Privacy in the Internet of Things (https://ercim-news.ercim.eu/en101/special/security-and-privacy-in-the-internet-of-things)
3.
Internet of Things – Privacy and Security in a
Connected World (https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf)
4.
FTC Report on Internet of Things Urges Companies to
Adopt Best Practices to Address Consumer Privacy and Security Risks (https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices)
Additional Resources (If You’re
Interested)
Benson Hughland TEDx talk
Jordan Duffy TEDx talk
University of Georgia School of Law Case Study
Somewhat of an alarmist article, but shows some theoretical concerns
The Internet of Things – EPIC
I agree that there should be federal regulations that relate to the privacy concerns arising from the growth of the "Internet of Things." I think that the potential privacy invasions are too high to not have regulations to protect people and their privacy. Personally, I am wary of all of the "Smart" devices out there. Maybe I'm kinda old fashioned, but I don't really think it is that inconvenient to open the fridge to see what I need to buy when I go to the grocery store. Some of the technologies are cool, but I think a lot of them seem kinda overboard. Personally, I care more about my privacy than the conveniences that would come from a lot of these devices.
ReplyDeleteYou're right in that sense. There are plenty of "dumb" things out there that require very little extra effort over the use of "smart" devices. However, one thing to keep in mind is that in a decade you may not have the option to stay within the realm of unintelligent devices and products, or it may just be incredibly inconvenient to do so. Take for example cell phones today. Up until this January, out of general cheapness, I swear to you I used a phone with actual buttons. A flip phone. The things you use to break the window of your car when you lock the keys inside. And it was technically possible to do so, but as the years went on, it became more difficult and impractical. So when we consider the Internet of Things it's more than just small conveniences and novelties in the present we need to consider, but the real implications for regulation (or the lack thereof) in the future
DeleteThe conveniency and efficiency of these devices is incredible. I can see why people would desire such devices in a busy, fast-paced world. Like Christian and Hannah, I think federal regulations should be in place that address privacy concerns. Also, I believe that there should be federal regulations concerning government access to and use of the information available via these devices. These regulations need to happen quickly, though. There is no federal regulation on drones, but there is a list of "best practices," which gives me no sense of comfort because people have no motivation to follow these. Like smart phones, I'm sure some people would believe that the government should have access to smart devices in homes by arguing that it would benefit public safety while others would be wary due to individual privacy concerns. The concept of privacy is so messy and an agreement can't seem to be made about other digital devices. With the fast development of technology, the mess gets even bigger.
ReplyDeleteAgreed. One of the arguments against regulation of the IoT is that these technologies are in many cases in their infancy. However, we've seen just in the past 10 years a night and day shift in the Internet of People (or just the Internet). What better time to attempt to decrease privacy concerns than right now? It certainly won't be easier or more effective to enact policies five years from now, although who's to say bills initiated today may not still be in development five years from now.
DeleteI agree. There should be some standard that the companies of smart technology must follow, to keep information secure. If they only create a recommended best practice, the companies should at least be required to reveal how secure their devices are. I can see smart devices 'taking over' and replacing the old ones, despite some people not wanting a smart fridge or other smart devices. The expansion of technology should come with new regulations that maintain the security of that information.
ReplyDeleteExactly, and though there are recommendations by the FTC that companies respect customer's wishes to not be involved in data mining and tracking, there will come a point when these suggestions are viewed as nothing more than suggestions. If speed limits on the roads were the Department of Transportations "best practice" guidelines, I can tell you right now I would speed 100% of the time I was in my car.
DeleteMost of the devices that I think of when someone says "The Internet of Things" are smart toasters and refrigerators. As I take a moment to think about the full scope of "Things" however, I realize that very few "things" exist still that don't collect information from you. These technologies are sneaked into places you'd never expect they were necessary: the flashlight app we all use on our phones to get around in the dark with, the toaster that makes marginally better toast than the toaster you had before. Regulations would help to ensure that personal data collected from you is safe, and that the data that's collected is only what's needed for the purpose of the device.
ReplyDeleteI agree that we need to be wary and regulate the data collection power of the Internet of Things. The market for the Internet of Things is growing faster than the market for Smartphones. And it makes sense, as computers get so small and cheap why not install one into everything. The non-commercial possibilities for the IoT are also astounding, from things like smart roads to micro-computers in catheters. All of these things will inevitably collecting our data and it is imperative to out privacy that this data is regulated and non-invasive. If we do not then privacy will essentially be dead as almost everything we do will be recorded by smart devices.
ReplyDeleteI agree that the growing market of the "Internet of things," poses a new threat to personal privacy. Now your kitchen appliances record more data on you than the government did a long time ago. As we have talked about before there have to be sacrifices to make your everyday life more comfortable. Apps and technology have allowed us to make complicated process super fast and efficient but it means giving up some of your privacy. For example if you want to get an Amazon Eco to help you get information fast in your home, it will also be recording information about you. I think that the government should make sure that there are regulations about disclosure. I mean that there should be laws that make sure companies tell you exactly what information their smart products collect and what they do with any information they find. Then it should be up to the consumer to decide to bring that device into their home. If some company wants to make a robot that does everything for a person but has to know everything about that person then they should still be able to sell it, people should just have the right to say no and understand what they are doing when they buy it.
ReplyDeleteI agree that there should there should be a standardized legal framework that applies to the IoT and safeguards our privacy. Of course, businesses should be able to run their enterprises without government interference, but that doesn't mean they can't comply with a certain set of privacy regulations. I think that Congress needs to take action now instead of "moving" in the right direction. The IoT is expanding at a rapid pace, and we need to keep up with it. To give some perspective, there are two "Alexa's" in my parent's house, my whole family has smartphones, and we have a smart TV. The IoT is becoming an integral part of our lives, and we need to seriously consider our privacy along with their prevalence.
ReplyDeleteI thought you made a good point in mentioning that seat belts in cars have standard safety regulations on them, so there should be some sort of standard on smart devices, too. Even though the consequences of not having privacy protection on one's smart devices may not be as glaringly dangerous or obvious as the consequences of not wearing a seat belt in a car, privacy is still a component of safety in the modern age. People don't always recognize privacy's value, so I think the government would do well to provide some standard regulation regarding smart devices' privacy settings.
ReplyDeleteThe Internet of Things devices are becoming more and more popular, and I do believe that it will become more and more difficult to avoid using them in the future. Even though it will become a greater inconvenience to avoid these devices in the future I still believe that it should be up to the consumer to decide whether or not the privacy standards offered by the device are acceptable or not. I don't believe that there needs to be regulation made by the federal government to create these standards. Instead I believe that industry "best practices" should be used. I also feel that self-regulatory agencies are better equipped to understand the industry and make those standards. Self-regulatory agencies such as FINRA regulate brokerage firms that handle the trillions of dollars that are traded on the markets and directly effect people's livelihoods. I believe, rather than having Congress creating standards, a self-regulatory agency should create these standards, and that individuals should decide for themselves how private they want their lives to be.
ReplyDeleteOn a high level, I agree with you. Consumers should have the final choice, and if someone wants to buy a very-cheap-but-insecure Thing, they should be allowed to do so. The problem is most people are not in a position to assess how secure any given thing is because:
DeleteOften a company don't advertise what it is doing in terms of security. If it does, it is often in hand-wavy terms that doesn't contain much information. I have never seen a smart device with enough published information to make an assessment of whether it is secure or not, which brings me to my second point...
Most people are not in a position to judge whether a device is secure. Even the majority of computer science majors I know wouldn't know what to look for to determine whether a device was more or less likely to be compromised.
So while I agree that specific regulations are unworkable - as any legal framework would not be able to track the speed at which these technologies are moving - more loose regulations to ensure companies are putting in a good-faith effort wouldn't be a terrible idea.
The other small problem with relying on companies to do their part is that, most of the time, these devices are not updatable by the consumer. Even if the company does the best job possible securing their device today, every major project has flaws. I would be in favour of smart device companies being required to issue security updates "for a reasonable amount of time" so that people aren't required to throw away and buy a new slew of devices every couple of years.
DeleteIt is already clear that we can't rely on corporate goodwill to push this. Smartphone software updates are in an appalling state where people are realistically forced to buy a new device every year or two or leave their digital lives proverbially flapping in the wind.
Yes, there should definitely be regulations put into place concerning the IoT. There are so many murky areas concerning privacy and these technologies, and it could resolve and prevent many future issues if there are some initial restrictions made now.
ReplyDeleteThese sorts of emerging technologies are the same as any other innovation: you will eventually be unable to avoid them, and there is a risk of privacy loss involved. Take social media for example; you have to give up some amount of privacy to LinkedIn in order to have a much better chance of getting a job. Any of these creature comforts we take for granted anymore, and will take for granted in the future, such as smart fridges and automatically regulated HVAC systems, therefore, should have some kinds of regulations attached so that the streamlining of our lives doesn't mean even more privacy sacrificed. Because sacrificing our privacy could mean potentially sacrificing our safety as well.
ReplyDeleteSetting aside my above comment and assuming every smart device is insecure and any consumer who doesn't mind that is welcome to buy them, there is a second problem with a lack of some kind of "best-effort" regulation.
ReplyDeleteInsecure smart devices are becoming very popular "slaves" for so-called Distrubuted Denial of Service attacks (DDoS). Various insecure devices have been used for years (un-updated or virus-infected home computers), but where previously it might have been a bit of effort for a hacker to find such a device, the recent uptick in internet-connected, highly compromisable devices has vastly increased the size and decreased the cost of executing DDoS attacks.
Where previously only Grandma's PC (complete with 7 different spyware browser toolbars) might have unwillingly been part of an attack, now her PC, her fridge, your toaster, and your parents' showerhead are participating.
We are already seeing DDoS attacks so massive that the core network that makes up the Internet is slowing down (Just Google "DDoS attack slows down internet". I'll put a few examples at the end of the post) and even big companies who specialize in mitigating such attacks are being taken down.
To be honest, I don't expect any kind of regulation of this nature to pass, and time will tell if I'm wrong, but I suspect we will see some kind of major reckonings in the next few years, and I hope I'm just not caught in the crossfire!
Here are a couple examples of recent massive DDoS attacks:
https://www.occupycorporatism.com/the-largest-ddos-attack-in-history-slows-internet-takes-down-websites/
https://www.theguardian.com/technology/2016/oct/21/ddos-attack-dyn-internet-denial-service
I think the IoT should be regulated by the government to some extent but still let businesses control their own privacy plan. I think that the government should set a bare minimum as to what can or can't be sold. For example, say a credit card company wants to know what their customers spend the most money on, the government would say follow your own privacy statement but you can't connect a social security number to the purchase and sell it to the data brokers. By putting a small regulation, I think it will still allow businesses to grow and compete while also protecting the privacy of citizens.
ReplyDeleteI am going to take an unpopular opinion in this class and say that there doesn't need to be federal regulations for the IoT. I don't see the need for them. If the responsibility ultimately falls on the consumer as to how their privacy is maintained, the consumer should just choose the product that does that the best for them. Eventually businesses will catch on and create the product that the consumers need and want. Right now everyone is saying that the privacy of the consumer needs to be protected, and the best way for that is to buy a non-smart refrigerator. It is probably cheaper too. But this is not the way that most consumers are. They don't think about privacy concerns until it is too late. Then they blame the producer for not telling them. Maybe it is a smart idea to have set regulations, which could be industry controlled. I still don't think that the government needs to set them.
ReplyDelete