Americans have a 'right to eavesdrop' on what our IoT devices say about us

Are your ears burning? They should be because your Internet of Things devices are talking ABOUT you and you have a right to 'eavesdrop' and know what they are saying.

Somehow I never imagined writing about the “right to eavesdrop,” much less supporting that right. But data privacy is a big deal, so now I am, because the group that should be empowered with the right to eavesdrop is us – you and me. And what are we eavesdropping on? The data being collected by our Internet of Things devices; data that is stored – perhaps forever – and shared or sold to the dreaded Third Party; data that – over time – paints an intricately detailed portrait of you.

The Internet of Things is “likely to touch every American personally,” wrote Politico's M. Scott Mahaskey. FitBit is a cool device that “tracks your calories burned, your heart rate, even how you sleep. Then it records the data and sends it … where?”

Mahaskey added:

To the same Internet that also networks your new home thermostat, your DVD player, your car, the global traffic in shipping containers and your health-insurance company. And it’s even more complicated than that: Numerous third-party handlers see all the data along the way. Meanwhile, somewhere in Nebraska, a driverless tractor plows fields that are being monitored by soil-moisture sensors, and a pilotless drone watches livestock. Down the road, networked solar panels automatically react to power-demand information being routed by new smart power grids, and where do they get their data? We’re back at your new home thermostat.

Far faster than we realize, the objects around us are being embedded with sensors and intelligence that let them talk to one another, make decisions, talk about us. “This isn’t in the future — it’s in the past. It has already happened,” says Sanjay Sarma, an MIT engineer who helped lay the groundwork for the system. The near future is even more dramatic: “The Internet won’t just be something you use. The Internet will be inside you,” says Dave Evans, former chief futurist at Cisco. This, too, is already possible: The FDA has approved a networked “smart pill” that can track medication in your body after you swallow it.

Right to eavesdrop on what our IoT devices say about us

Politico’s Keith Winstein suggested “that policymakers should consider granting a new consumer right: ‘the right to eavesdrop on what our Things are saying about us’.” Yet IoT “communications transparency,” aka “eavesdropping on what our devices are saying,” won’t solve all the problems. Winstein added:

The growing power of machine learning means that companies can infer things about us even if nothing tells them straight out, just by looking for patterns across a whole population of customers. That’s a real concern as data become more pervasive and get saved forever. Meanwhile, the algorithms used to analyze that data will only get more sophisticated over time.

This is part of a much larger battle going on, about the power and perils of Big Data and the cloud: Do the makers of these products really need the ability to collect data from the households of all the device owners and hold on to it? Voice, video, everything I ever put in my fridge — you can learn a lot about me from recording all that and saving it forever. Something I said in my TV’s presence in 2015 could be used against me in 2025.

Winstein, a man who was once put in charge of one of the first Coca-Cola machines on the Internet, warned that there’s “a pretty good argument that the Internet of Things is going to be a security and privacy disaster.”

It’s not just paranoia — it’s more of a business reality. It is a software truism that anything connected to the Internet needs to be patched regularly, or else it becomes vulnerable to vandals. The lack of regular fixes is already a problem with a $500 smartphone; the maker typically loses interest in supporting it and patching it after maybe 18 months. It’s going to be a much bigger problem with a $50 device or a $5 device that lingers in your house for years. Inevitably, bad guys will have their way with them. So somebody far away will be able to turn on your oven when you’re on vacation. Your lawnmower will be part of a botnet sending spam. The fridge of the future will offer to reorder your preferred groceries, because it’s been scanning the barcodes on everything you put inside. That’s great, until bad guys figure out how to read the barcodes off bottles of antiretroviral drugs and learn who has HIV.

When it comes to the technical side of securing the devices, Winstein mentioned that Stanford, the University of California at Berkeley and the University of Michigan are collaborating on the Secure Internet of Things Project. Although the group doesn’t yet have the answers for “how to build and enforce a system of communications transparency,” and there are numerous problems that can’t be solved just by eavesdropping on what our devices are saying, Winstein said “policymakers can start to think about what best practices in the industry might look like.”

He asked, “Should there be an ‘Underwriters Laboratories’ that audits the software on Internet of Things devices for prudent security and privacy practices? What should happen when a manufacturer stops supporting a networked device that’s in 30 million homes?”

As our policies evolve, it’s important to remember that communications transparency — or the “right to eavesdrop” — has been a big part of the practical success of PCs, smartphones and the Web. Knowing what is being said about you is one of the major checks against security and privacy problems. This ought to be preserved as Internet-connected devices become even more intimately wound into our lives. An Internet of Things where your fridge is telling mobsters about the medicine you just put inside, and you don’t even know about it, would make for a scary future. Let’s not head there.

Copyright © 2015 IDG Communications, Inc.
