IoT and data privacy

It's nearly Data Privacy Day, but can you trust all the IoT players to respect privacy and safeguard your data?


This week on January 28 we will celebrate Data Privacy Day, which has a theme of "Respecting Privacy, Safeguarding Data and Enabling Trust." We'll get back to that...

[Image: First Response Bluetooth smart-enabled pregnancy test, First Response]

Qualcomm reportedly partnered with First Response to develop "the world's first smart pregnancy test, which connects through a mobile device to alert clinicians a patient is pregnant."

It's just the first such home test to "capture electronically" and "then transmit that data to the clinicians," Chief Medical Officer Dr. James Mault told CRNtv. He added that for IoT to do well in medical verticals, it will "require connectivity infrastructure that can enable the data capture from a variety of devices and diagnostics and therapeutic instruments and allow that data to flow into the hands of clinicians of any type."

The First Response Bluetooth smart-enabled pregnancy test comes with an app which, on Google Play, requires the following permissions:

[Image: First Response tracker app, Church & Dwight Co., Inc.]

Personally, I would have less of a problem with app permissions if a company were giving me a product for free. IoT devices, which are not inexpensive, are practically worthless without an app to control them. Yet most of those apps have overreaching permissions (such as accessing the camera or microphone, or reading your contacts or calendar) that are not actually needed for the app to function. It's like paying twice; as StaySafeOnline pointed out when prepping for Data Privacy Day, your "personal information is like money. Value it. Protect it."

First Response said "it's not sharing your information with anyone but you." In the case of the pregnancy app, Church & Dwight's privacy policy discusses the possibility of opting out of some of the ways it uses and discloses your information, but opt-in means your personal info is shared "with third parties for third party marketing purposes." It also includes a security disclaimer, as it would be silly to guarantee that "sensitive personal information" will be "absolutely safe from intrusion by others, such as hackers."

I'm not picking on the app, as it was just one of many examples of connected health products announced at CES. It seems like everyone is in a rush to develop IoT devices, and too often security is not a developer's priority in that rush to get the product and app to market. That is likely the reason so many IoT devices are easy to attack, although it's not nearly so easy to find out who is to blame for the loss of your data, explained The Scotsman.

If your smart TV tells your thermostat to kick on the heat in the middle of July, or if a hacker bypasses your phone's encryption and steals your personal information, who is to blame? If a smart device malfunctions, and it is automatically talking to other devices, who is liable? The Scotsman even asked, was the machine acting on your behalf? IoT devices are everywhere, in your home, in your car, on your wrist and "all other areas of a customer's life," providing "a consolidated x-ray view of consumer data." Not only does that raise privacy concerns, but from a security standpoint "there's plenty of evidence to indicate IoT devices are particularly vulnerable to vindictive attack."

Yet we bravely march on toward "smart" apartments outfitted with smart devices and available for renters; biometrics are thrown into the IoT mix, and auto manufacturers want to add iris scanners, fingerprint sensors, and wearables that could monitor health info and talk to a car. Gary Strumolo from Ford Research and Advanced Engineering explained, "Wearable technology integrated with the vehicle allows for more accurate biometric data to stream continuously and alert active driver-assist systems to become more sensitive if the driver shows signs of compromised health or awareness."

An article on the IoT council stated that, "in 2016 an operational definition of Internet of Things (IoT) is the seamless data flow between BAN (body area network): the ambient hearing aid, the smart t-shirt, Glass; LAN (local area network): the smart meter as a home interface; WAN (wide area network): Telematics, ITS, Connected Car; and VWAN (very wide area network): the smart city as e-gov services everywhere no longer tied to physical locations."

Kate Bevan added:

Whoever ensures traceability, sustainability and security linking up the gateways is able to offer the best possible feedback on physical and mental health, the best possible household decisions based on real time monitoring for resource allocation, the best possible decision making based on real time data and information from open sources and the best possible alignments of local energy providers with the global potential of wider communities.

Where does "Respecting Privacy, Safeguarding Data and Enabling Trust" come in? After all, Greg Shannon, formerly chief scientist at Carnegie Mellon University's Software Engineering Institute, and currently assistant director for cybersecurity strategy at the White House Office of Science and Technology Policy, told MIT Technology Review that it could take "two decades" to fix our infrastructure. Anyone following security knows our infrastructure is woefully insecure, so can all the players in IoT be trusted to respect privacy and safeguard our data?

Shannon, who is working on the draft for a national cybersecurity strategy to be released early this year, told Technology Review:

The emergence of an Internet of things—interconnecting billions of devices—provides an opportunity to do things correctly from the start. Networked devices in cars and homes, and wearable devices, could introduce a multitude of new attack vectors, but if we get things right with these devices and cloud-based technologies, we can make sure the next generation of technology will have security built in.

That's a great thing to hope for, but IoT isn't coming; it's here. Let's hope it's not too late for our privacy in regard to those billions of Internet-connected devices.

Copyright © 2016 IDG Communications, Inc.
