IoT privacy must be built around the individual
Juan Carlos Zuñiga, InterDigital
A couple of years ago, Europe told Google to allow people to opt out of their search results, striking a blow for privacy. It was an important step, writes Juan Carlos Zuñiga, the principal engineer at InterDigital, but the increasing role of internet technology in our daily lives makes the broader matter of privacy more important than ever, and its importance is still growing. The Internet of Things raises unique challenges.
Olaf Kolkman, the CTO of the Internet Society, was visiting an incubator in Nairobi when one of the experts asked whether people would be able to opt out from the Internet of Things – a very interesting question. His response was that it may indeed not be possible, because in smart cities in the future, sensors are going to track our movements, recognise our faces and hear our voices.
In all likelihood, this future cannot be changed. But it can be made better if we think about and implement internet privacy from the beginning, at the design stage. Recently I was invited to Washington, DC to deliver a keynote at the ETAP (Experts in Technology and Policy) Forum on Internet Governance, Cybersecurity and Privacy organised by the IEEE Internet Initiative, where I discussed that very thing.
Standards organisations such as IETF, IEEE 802 and W3C are working on internet protocols and web standards, and they are collaborating in an orchestrated manner to come up with solutions for the Internet privacy problems that are being identified.
The first component of internet security is to focus on individuals. We have to defend the actual individual, not the organisation behind the manufacturing of the device, not the device itself, not the corporation that may be profiting from the device or the services, but the actual individual that is attached or can be bound to the device.
And this is not only the individual that owns the device. In the Internet of Things, it can be an individual surrounded by devices that don’t necessarily belong to him.
With that as a starting point, we can look at privacy and security. Security is really about securing the data, the transport of data and the storage of data in devices. In this case, what we want to avoid is exposing an individual to threats that may harm his being. I say this from the technical point of view – our role as engineers is not to get into the politics of the matter, which would be fruitless: a cellular or Wi-Fi device is generally going to be used in multiple countries under multiple legal frameworks that sometimes even contradict each other.
Identification is a key privacy threat, as we know from previous examples such as the well-known case of the London garbage bins that were tracking users. But users, without necessarily connecting to the system, can be tracked just by the fact that they carry a device that has a unique identifier, and this unique identifier is broadcast in a pervasive manner. And once you’re tracking, you’re able to profile users with time, movements, location, age range, likely income and others.
We concentrate on personally identifiable information (PII) such as credit cards and medical records. But now, with the Internet of Things, are we generating PII from our protocols?
A simple light bulb that is completely impersonal can generate PII. If a light bulb is always turned on at the time when a user arrives home, and that light bulb is sending an internet message, it’s exposing some information about the user. If a microwave turns on, it exposes some information. If a trash bin is opened at the same time each week, we know that the user is at the specific location.
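The light bulb case above can be checked on paper with message times alone. The following is an added example, not from the original article: the timestamps are constructed, the function names are hypothetical, and the fixed-hour daily report is an assumed mitigation in which the bulb acts locally and defers its internet message.

```python
from datetime import datetime, time, timedelta
from statistics import mean, pstdev

def constructed_events():
    """Constructed sample: times at which a bulb's 'on' message crossed the
    network on ten working days. Only message times are used, no payload."""
    base = datetime(2024, 3, 4, 18, 0)                 # a Monday, 18:00
    days = [0, 1, 2, 3, 4, 7, 8, 9, 10, 11]            # two Mon-Fri weeks
    offsets_min = [2, -3, 5, 0, -4, 1, 4, -2, 3, -1]   # day-to-day variation
    return [base + timedelta(days=d, minutes=m) for d, m in zip(days, offsets_min)]

def infer_routine(events):
    """What a passive observer learns from message timing alone."""
    mins = [e.hour * 60 + e.minute for e in events]
    return {
        "typical_minute": mean(mins),      # habitual time of day, in minutes
        "spread_min": pstdev(mins),        # small spread = regular routine
        "weekdays_only": all(e.weekday() < 5 for e in events),
    }

def batched_schedule(events, report_hour=3):
    """Assumed mitigation: the bulb acts locally and sends one status report
    every day at a fixed hour, whether or not anything happened."""
    first, last = min(events).date(), max(events).date()
    n_days = (last - first).days + 1
    return [datetime.combine(first + timedelta(days=i), time(report_hour))
            for i in range(n_days)]

if __name__ == "__main__":
    events = constructed_events()
    print("event-driven:", infer_routine(events))
    print("batched:     ", infer_routine(batched_schedule(events)))
```

With event-driven messages the observer recovers an arrival time near 18:00 with a spread of a few minutes and a weekday-only pattern; with the fixed daily report the timing carries none of that.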
There are privacy by design principles, and we embrace these principles that are being used in several places nowadays. But the challenge is to try to apply them to internet protocols. What are the keys?
- Privacy must be the default setting so that users don’t have to become experts. Non-tech savvy users are also protected, even though they may not be touching any settings.
- End-to-end security with full lifecycle protection from the moment we generate private information or identifiable information.
- Transparency so that users know exactly what type of information is generated about them, what it is used for, and enabling them to opt out of that service or opt into a new service.
- A user-centric approach: Business success and great devices are important, but security and privacy start with the individual, not with institutions or companies.
The Internet of Things will transform the world we live in. It will transform our lives to the same degree that mobile technology has transformed them, or possibly to an even greater one. As with all technology, we’re hopeful the vast majority of those changes will be for the better. As we develop those enabling technologies, keeping our eye on the privacy ball is essential.