Kaivan Karimi, Atmel VP and GM of Wireless Solutions, explores the ongoing privacy issues around the Internet of Things.
When it comes to the Internet of Things (IoT), most people use the security and privacy issues of IoT as a two-in-a-box item that go hand-in-hand. This means, if you don’t have security, you cannot have privacy and vice versa, right? Well, yes and no. There is a lot being said and done to secure the end-to-end IoT systems via advanced policy-driven private and public keys, and threat management systems. More needs to be done, and we will have to figure it out. That is, until someone finds a vulnerability and the technology race starts over with new best practices being promoted. I plan to blog on some of the pitfalls we are experiencing in security technology rollouts in the future. But, for this specific blog, I will only focus on the privacy issues of IoT, since privacy issues can only be resolved through strong legislation and enforced by governments (aided by privacy and security technologies).
Today, I am promoting Privacy by Design (PbD). In the U.S., I am less hopeful that we will get real privacy legislation correct. As an IoT evangelist, my issue with the privacy requirements of IoT is not with the governments collecting meta data for fighting terrorism, but more so with private sectors having access to my personal data. Specific to this angle, my views are very similar to Blackberry CEO John Chen, who articulated his views here. (My hats off to John for a piece well done on this topic.)
A couple of years ago, I talked about my privacy concerns of private sectors having access to my personal data at a Gigaom conference. The Internet of People is the Wild Wild West. Today in the Internet of People, any time someone is surfing the web, there are over 200 private entities shadowing you. Unfortunately, our laws in the U.S. support “Opt Out,” meaning you have to opt out of a “service” in order to get out of it — unlike in most European countries that have implemented “Opt in” policies. In the U.S., companies have made it extremely difficult to opt out of this intrusion with methods that are still entirely legal. So in my humble opinion, the American government didn’t get it right when it came to the privacy of its citizens on the Internet of People. The government caved in to special interest groups who advocated for “Opt Out” policies in their own interest to use one’s data to advertise goods and service. While for the Internet of People, our government failed us, we all know that for the Internet of Things, the stakes will be much higher.
With IoT on the cusp of rapid growth, and intelligent sensors being integrated into every aspect of one’s lives, without sound privacy laws there will be a few thousand “intruders” following you, via your homes, cars roads, at work, in school, and more. Add your contextual compute platforms (smart devices) along with local and remote data analytics engines to the mix, and the “intruders” would know everything about you — even better than you do. Are you comfortable with that? Not to mention what criminal elements would do with that data.
Among the many benefits of IoT, I believe the healthcare industry will be revolutionized through discoveries on many scientific parallel fronts and the evolution and convergence of disciplines that are disjointed today (e.g. biogenetics, data analytics, sensor fusion, database linkages, etc.). One such technology is the impact that wearables with integrated biometric sensing will have on the future of healthcare. This new category of wearables will put the focus on prevention versus disease management, but new privacy laws need to be in place so that people are not turned off by their “fitness” data (politically correct with the new FDA ruling – subject of another blog) in the hand of these “intruder-advertisers.” Here’s a link to one of my talks on “healthcare revolution,” which includes the required privacy laws, from Toronto’s Smart Week 2014 held last October. The talk starts at 2:55:00 here.
A couple of years ago, I wrote a blog entitled “The need for Internet of Things (IoT) Consumer Bill of Rights.” There, I talked about the privacy and security concerns of IoT and posted a link to What your Telco knows about you: six months of data visualized.
If you click on the link and press the “play” button below the map, you will see how cell phones are being tracked by various towers and all that data is available through your wireless operators. Die Zeist (which means “The Time” or “Times”) is the most widely read and highly-accredited German weekly newspaper. This paper is not a news outlet from the fringes of sanity. In this paper, you can see ‘black-and-white’ how easily your center of universe (your smart phone) is allowing you to be tracked. Nothing new here, but It has a different effect when you can actually visualize it in black and white. With the Internet of Things, this would be the tip of the iceberg.
Regarding opting out, when you are using a screened device (your computer or smart device) and have no clue how to “Opt out,” how are you expected to “Opt out” through a ‘headless’ (screenless) device or sensor? The only way is to enforce privacy laws through legislation.
Due to these scenarios and (the lack of) privacy of our web, I have been keenly following FTC’s hearings and positions on IoT privacy issues. The first FTC conference on IoT was held in November 2013, a time when there was lot of talk around IoT privacy — especially after FTC’s 2012 Privacy Report — where it defined a number of categories deemed to be ‘sensitive’ data. One of the more fascinating talks at that conference was the keynote by Mr. Vint Cerf, Vice President and Chief Internet Evangelist of Google. For those of you who don’t know, Mr. Cerf was a lead engineer on the Army’s early 1970s Internet prototype, ARPANET, hence a celebrity around the web and one of the pioneers of the Internet.
During the keynote, Mr. Cerf mentioned: “Privacy is something which has emerged out of the urban boom coming from the industrial revolution. [Therefore] privacy may actually be an anomaly [and not the norm].” In fact, this is a creation of the industrial age. He basically promoted the idea that privacy rules of the Internet of Things should be as hopeless as the privacy laws for the Internet of People. I was amazed at the cavalier approach displayed with that keynote by Mr. Cerf at the FTC event, making the wrong impression on the FTC officials who were considering making policy choices.
The topic surfaced again at CES this year during a keynote by FTC Chairwoman Edith Ramirez discussing the three privacy challenges of IoT including:
- The ubiquitous data collection of personal information, habits, location and physical condition over time
- The unexpected uses of consumer data flowing from smart cars, smart device and smart cities
- The heightened security risks of the Internet of Things
According to Ramirez, “In the not-too-distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored. That data will contain a wealth of revealing information that, will present a deeply personal and startlingly complete picture of each of us when patched together.” She promoted the ideas of security by design, minimizing and anonymizing data for privacy, and increasing transparency by companies as key steps that need to be taken.
It was a brilliant speech and you can find it here. There is an array of hope for all individuals who want to accelerate the adoption of IoT technologies and the benefit these technologies can bring to society. Ramirez’s views on the privacy laws required for the IoT is a stark contrast to the laws in the book protecting the privacy of individuals in the Internet of People. For a few days I was grateful, and hopeful that the lobbyists wouldn’t bully the legislators into a meaningless version of Ramirez’s speech.
Since CES, several legislators have come out against Ramirez’s speech, stating that legislating privacy of IoT will suppress innovations. They’ve continued to argue against Ramirez’s view and stating that the report issued after that was “without examining costs or benefits… encourages companies to delete valuable data…primarily to avoid hypothetical future harms.” These legislators have also argued that the FTC hasn’t done enough economic analysis to issue industry guidelines or legislative proposals for what he called the “still-nascent Internet of Things.” I have seen this movie before, and it seems again as if the interest of a handful of very large advertising companies strong-arming the legislators will be taking precedence over promoting sound IoT privacy laws.
With the recent talk on Capitol Hill chastising Ramirez’s speech, I am now not very hopeful that the IoT privacy laws in the U.S. are going to be any better than our privacy laws for the Internet of People here. Hence I stand my ground and effectively promote the Privacy by Design principals, as the next best thing to strong privacy laws.