The “Internet of Things” has become a favored buzzword of consultants and tech journalists. But beware, there be dragons that neither regulators nor privacy advocates can vanquish.
In an early salvo against the manufacturer of a connected device that is part of the Internet of Things, the Federal Trade Commission brought an action against TRENDnet, a developer of web-enabled video cameras that failed to live up to the security claims that the company had made to users: in 2012, hackers found a flaw that exposed users’ private video feeds without their knowledge. The settlement imposes a twenty-year security compliance audit program on TRENDnet and potential fines for future violations. Thus, for security vulnerabilities in their connected cameras, TRENDnet joins the likes of Google and Facebook, which are subject to similar settlements and privacy audits for past violations of users’ online privacy.
The promise of the Internet of Things needs to be weighed against the potential threat to privacy and security. Consultants are enamoured by the promise of connected devices that can monitor and interact with their environment, and collect data to be analyzed by consumers, companies, or governments. According to McKinsey, the Internet of Things “promise[s] to create new business models, improve business processes, and reduce costs and risks.” By allowing companies to track inventory (and consumer behavior) with increasing precision, helping doctors and insurers to track patient health and treatment compliance, and enabling consumers to manage devices like cars and connected houses, the Internet of Things will supposedly revolutionize our economy and increase efficiency. And this will all happen soon – Cisco predicts that there will be 50 billion connected devices by the year 2020.
Many consumers already participate in the Internet of Things: Apple’s iPhone and smartphones powered by Google’s Android operating system now represent over half the cell phones in the United States. These connected and sensor-rich platforms (which carry GPS, cameras, microphones, and accelerometers) often log data in the background and back it up to a computer, and they are now being used by retailers, potentially the NSA, and possibly others to track users.
While the FTC’s action tries to send a message to companies developing products for the Internet of Things, this episode highlights how challenging it will be to regulate this new industry. The FTC doesn’t have the power to regulate privacy or security; it pursued the action against TRENDnet on the basis of misstatements about the security of its cameras. The settlements against Google and Facebook are an attempt to “hack the law,” by bringing those companies’ privacy practices under the FTC’s jurisdiction.
Though the Google and Facebook settlements serve as examples to other online services that collect user data, the same strategy of enforcement will not work for the manufacturers of connected devices. First, the FTC’s action was slow, coming almost twenty months after the security flaw was disclosed by hackers, an eternity in the computer security world. Google and Facebook are large, well-known entities, in part because the “network effect” makes them useful (the more friends you have using them, the better the sites are). Internet of Things manufacturers are different, and are likely to be more distributed, at least at the beginning, when small companies will be vying to innovate with new applications of new technologies. Suing a company like TRENDnet is a less effective deterrent than forcing Google into a settlement, and does little to increase the net security of devices.
Due to the complex nature of connected devices, their integration with other services, and the general insensitivity of hardware engineers to security issues, security is both a technical and a cultural problem that regulators have little power to enforce directly. In a recent piece in Harvard Business Review’s blog, I advocated that companies adopt an approach that combines both technical and cultural tools. By training engineers to apply existing systems-engineering tools to security threats, using modular hardware and software designs and open security standards, and by encouraging a skeptical culture, developers can learn to tackle the challenge of securely connecting physical devices to the internet, rather than adding security as an ad hoc afterthought. This approach also helps developers think like users, because providing secure devices to consumers involves crafting sensible defaults, like requiring users to set a password.
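As an added illustration of the “sensible defaults” point above (this is example code written for this page, not code from the original article or from any camera vendor), the following Python sketch models a connected camera that refuses to serve video until its owner has replaced the factory credential. The list of factory defaults, the URL paths, and the minimum password length are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed list of factory credentials the first-boot flow must refuse.
FACTORY_DEFAULTS = {"", "admin", "password", "1234", "12345678"}
MIN_PASSWORD_LEN = 10  # assumed policy value
PBKDF2_ROUNDS = 100_000


class CameraDevice:
    """Minimal model of a camera that fails closed until it is provisioned."""

    def __init__(self):
        self._salt = None
        self._pw_hash = None  # no owner credential exists at first boot

    @property
    def provisioned(self):
        return self._pw_hash is not None

    def set_admin_password(self, password):
        """First-boot step: reject factory defaults and short secrets."""
        if password in FACTORY_DEFAULTS or len(password) < MIN_PASSWORD_LEN:
            return False
        self._salt = os.urandom(16)
        self._pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return True

    def _check(self, password):
        if not self.provisioned or password is None:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._pw_hash)

    def request(self, path, password=None):
        """Return an HTTP-style status code for a request to the camera."""
        if not self.provisioned:
            # Only the setup page is reachable; the feed is never exposed.
            return 200 if path == "/setup" else 403
        if not self._check(password):
            return 401
        return 200 if path in ("/stream", "/setup") else 404
```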
While privacy violations cannot be brushed aside, cameras can only observe (and occasionally broadcast audio). Compared with connected houses, cars, electronic locks (where flaws in one such design have been used to burglarize hotel rooms), and wireless medical equipment, an insecure camera’s effect on users is limited. By contrast, the ability to hack cars and open doors directly affects users’ physical safety. As more devices become connected, they will provide an increasing set of features (like integration with Facebook, social media accounts, and apps), creating a larger and increasingly vulnerable attack surface for hackers to exploit. The ongoing integration of connected devices into our lives and the security challenge inherent in these devices pose threats that should temper the excitement of Internet of Things evangelists. To make matters worse, even though the FTC recognizes the problem, it can do little to protect consumers as the Internet of Things grows.
As originally published in Forbes.
“Here Be Dragons” by Kelly Lee