Could IoT Allow Do-over for Privacy, Security — & Trust?

Posted on 13th September 2013 in communication, management, privacy, security

Expect to be reading a lot here about privacy and security between now and my panel on those issues at the IoT Summit in DC, Oct. 1 & 2, as I prep to ask the panel questions!

Here’s another, from Stacy Higginbotham (BTW, she does a great podcast on IoT issues!), based on a conversation with ARM CTO Mike Muller. It’s reassuring to see that this IoT-leading firm is taking privacy and security seriously. Even more refreshingly, theirs is a nuanced and thoughtful view.

Muller told Higginbotham that IoT vendors should learn from some of the missteps on privacy on the Web so far, and make amends:

“’We should think about trust as who has access to your data and what they can do with it. For example, I’ll know where you bought something, when you bought it, how often and who did you tweet about it.

“When you put the long tail of lots of bits of information and big data analytics associated with today’s applications we can discern a lot. And people are not thinking it through. … I think it’s the responsibility of the industry that, as people connect, to make them socially aware of what’s happening with their data and the methods that are in place to make connections between disparate sets of data (my emphasis). In the web that didn’t happen, and the sense of lost privacy proliferated and it’s all out there. People are trying to claw that back and implement privacy after the fact.”

Higginbotham adds that “… what troubles Muller is that today, there’s nothing that supports trust and privacy in the infrastructure associated with the internet of things.”

What struck me, as someone who used to earn his living doing corporate crisis management, is that one of the critical issues in trust (or lack thereof) is that guilt by association may not be logically valid, but is emotionally powerful: if people’s preconception of IoT privacy and security standards is that they’re simply an extension of Internet ones, there’s likely to be trouble.

She goes on to differentiate between security, privacy — and trust.

“Trust is the easiest to define and the hardest to implement. It relies on both transparency and making an effort to behave consistently ….  When it comes to connected devices and apps, trust is probably most easily gained by explaining what you do with people’s data: what you share and with whom. It might also extend to promises about interoperability and supporting different platforms. Implicitly trust with connected devices also means you will respect people’s privacy and follow the best security practices….

“Privacy is more a construct of place as opposed to something associated with a specific device. So a connected camera on a public street is different from a connected camera inside your home. It’s easy to say that people shouldn’t be able to just grab a feed from inside your home — either from a malicious hack or the government (or a business) doing a random data scrape. But when it comes to newer connected devices like wearables it gets even more murky: Consider that something like a smart meter can share information about the user to someone who knows what to look for.

“So when thinking about the internet of things and privacy, it’s probably useful to start with thinking about the data the device generates….

(As for security:) “To protect privacy when everything is connected will require laws that punish violations of people’s privacy and draw lines that companies and governments can’t step over; but it will also require vigilance by users. To get this right, users should be reading the agreements they click through when they connect a device, but companies should also create those agreements, especially around data sharing transparent, in a way that inspires trust.

Governments and companies need to think about updating laws for a connected age and set criteria about how different types of data are transported and shared. Health data might still need the HIPAA-levels of regulations, but maybe looser standards can prevail for connected thermostats.”

Sounds to me as if there’s a role in these complex issues for all of us: vendors, government, and users.

But the one take-away that I have from Muller’s remarks is that IoT vendors must realize they have to earn users’ trust, and that’s going to require a combination of technical measures and unambiguous, plain-English communication with users about who owns their data and how it will be used. To me, that means not hiding behind the lawyers and agate-type legal disclaimers, but clear, easy-to-understand declarations about users’ rights to their data and companies’ need to directly ask them for access, displayed prominently, with the default being that the user completely denies access, and must opt in for it to be shared.

What do you think?

Higginbotham concludes that “we need to stop freaking out about the dangers of connected devices and start having productive discussions about implementing trust and security before the internet of things goes the way of the web. Wonderful, free and a total wild west when it comes to privacy.” Hopefully, that’s what will happen during our October 1st panel.


Good Paper by Mercatus on IoT Privacy and Security

Posted on 12th September 2013 in privacy, security

I’m politically on the liberal, not the libertarian side, but I’ve come to respect the libertarian Mercatus Center, in large part because of the great work Jerry Brito has done there on governmental transparency.

As part of my preparation to moderate a panel on security and privacy at the IoT Summit on October 1st in DC, I just read a great paper on the issue by Mercatus’ Adam Thierer.

In comments submitted to the FTC for its November workshop on these issues titled “Privacy and Security Implications of the Internet of Things,” Thierer says “whoa” to those who would have the FTC and others quickly impose regulations on the IoT in the name of protecting privacy and security.

Opposing pre-emptive, “precautionary” regulations, he instead argues for holding back:

“…. an “Anti-Precautionary Principle” is the better default here and would generally hold that:

“1. society is better off when technological innovation is not preemptively restricted;

“2. accusations of harm and calls for policy responses should not be premised on hypothetical worst-case scenarios; and

“3. remedies to actual harms should be narrowly tailored so that beneficial uses of technology are not derailed.”

He reminds us that, when introduced, such everyday technologies as the phone (you know, the old on-the-wall kind...) and photography were opposed by many as invasions of privacy, but social norms quickly adapted to embrace them. He quotes Larry Downes, who has written, “After the initial panic, we almost always embrace the service that once violated our visceral sense of privacy.”

Rather than imposing limits in advance, Thierer argues for a trial-and-error approach to avoid unnecessary limits to experimentation — including learning from mistakes.

He points out that social norms often emerge that can substitute for regulations to govern acceptable use of the new technology.

In conclusion, Thierer reminds us that there are already a wide range of laws and regulations on the book that, by extension, could apply to some of the recent IoT outrages:

“…  many federal and state laws already exist that could address perceived harms in this context. Property law already governs trespass, and new court rulings may well expand the body of such law to encompass trespass by focusing on actual cases and controversies, not merely imaginary hypotheticals. State ‘peeping Tom’ laws already prohibit spying into individual homes. Privacy torts—including the tort of intrusion upon seclusion—may also evolve in response to technological change and provide more avenues of recourse to plaintiffs seeking to protect their privacy rights.”

Along the lines of my continuing screed that IoT manufacturers had better take action immediately to tighten their own privacy and security precautions, Thierer isn’t letting them off the hook:

“The public will also expect the developers of IoT technologies to offer helpful tools and educational methods for controlling improper usages. This may include ‘privacy-by-design’ mechanisms that allow the user to limit or intentionally cripple certain data collection features in their devices. ‘Only by developing solutions that are clearly respectful of people’s privacy, and devoting an adequate level of resources for disseminating and explaining the technology to the mass public’ can industry expect to achieve widespread adoption of IoT technologies.”

So get cracking, you lazy IoT developers (yes, you smirking over there in the corner…) who think that security and privacy are someone else’s business: if you don’t act, regulators may step in, and stifle innovation in the name of consumer protection. You’ll have no one to blame but yourselves.

It’s a good read — hope you’ll check it out!

 

Why collaboration must replace zero-sum game for IoT profitability

Posted on 3rd September 2013 in collaboration, Essential Truths, Internet of Things, strategy

I guest blogged today @ INEX Advisors on one of my favorite Internet of Things principles: how thinking collaboratively has to replace I-win-you-lose-zero-sum-game thinking if companies want to really profit from the IoT.

As before, I cited GE as one of the few big companies that’s seizing a strategic advantage in the IoT world by practicing this approach.


Fewer, faster, finer: good values for #IoT innovators!

Just had a great conversation with a brilliant consultant, Michael Woody, the president and founder of International Marketing Advantages, Inc (he and I have the same wonderful literary agent, Michael Snell).

Woody helps small, innovative companies successfully compete with China, using a simple formula: fewer, faster, finer.

  • Fewer: think of China’s Foxconn, and its huge factory complexes and huge production runs. By contrast, “American Dragon” companies “lower minimum order sizes; the lower a minimum order size, the better. If a product can be customized, even better still.”
  • Faster: think about how far away China is, and how long it takes to ship products: “In today’s business environment of tighter margins, it is likely that your U.S. customers currently buying from China favor low inventory levels and just in time delivery. Given these conditions, short production lead times and physical proximity of supply chain partners becomes more critical.”
  • Finer: “…means not only that your product is of the highest quality, but also that it is safe. Overseas manufacturers, particularly those in China, have little to no understanding of the product safety regulations in the United States. Even large multi-national corporations, some based in the U.S, who have outsourced manufacturing to China are learning that lesson the hard way. These tougher regulations are your friend, so use them to your advantage.”

Check out the American Dragon site, and think hard on how to apply these principles in conjunction with your innovative Internet of Things product design, and I think you’ve got the formula for manufacturing success!

 


GE Eggminder: could this simple product build IoT awareness?

Posted on 17th July 2013 in home automation, Internet of Things

As someone who spends much of his time introducing the Internet of Things to people who’ve never heard of it, much less thought about how it might improve their lives, I think there might be something to the logic of this Fast Company article about the GE Eggminder.

The article points out that the IoT still provokes blank stares from most people, a fact that those of us who are immersed in it every day may tend to forget. As the subhead said, “EGG MINDER MIGHT BE DUMB PRODUCT DESIGN, BUT AS A PIECE OF MASS COMMUNICATION ABOUT WEB-CONNECTED PRODUCTS, IT JUST MIGHT BE GENIUS.”

GE Eggminder

The Eggminder doesn’t do much — tells you, via the app, how many eggs you have left in your fridge, but it’s the kind of simple-to-understand example of the kinds of connectivity possible through the IoT that is likely to make a lot of people say “Now I get it!”

It’s not life-changing, as the article points out, and maybe even dumb: “(How dumb? To quote Quirky’s own product evaluation video, ‘it’s a pain in the ass,’ ‘superfluous,’ ‘really silly,’ and ‘the height of laziness.’)” BTW: am I right in guessing that this might have been one of the award winners in the contest that GE, Quirky and Electric Imp held to find fast-to-market IoT products, which I praised as an example of the kind of collaboration it will take to capitalize on the IoT?

My personal favorites in terms of IoT products that are easy to understand are the SmartSlippers that can alert a caregiver when a frail senior is likely to fall, or the onesie that alerts parents that their baby has stopped breathing — in time to avoid SIDS. But you get the point: until people see something that could simplify their life — or save it, they may not understand exactly how revolutionary the IoT is.

So let’s have more Eggminders — simple products that will result in more “aha moments” — and speed public adoption of the IoT!


Shodan: maybe this will get people to take IoT privacy/security seriously!

Wired has an article this week about Shodan, the “IoT search engine,” which I hope scares the bejesus out of enough companies and government officials that they’ll finally realize how absolutely critical it is that we make security and privacy THE top public policy/corporate management priorities regarding the IoT.

Shodan’s homepage proudly proclaims that it will let you “EXPOSE ONLINE DEVICES: webcams, routers, power plants, iPhones, wind turbines, refrigerators (there’s that meme again!), VoIP phones.” Anyone out there who isn’t covered by that list? If so, stay in your cave!

As for everyone else, maybe you’d be more properly attracted by the CNN story about Shodan several months ago: “Shodan: the scariest search engine on the Internet.” Got your attention yet?

Here’s what Shodan can do, according to CNN:

“It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.”

Command and control systems for nuclear power plants? Sheesh!

Reminds me that while the Obama Administration remains abysmally ignorant of the IoT (and, remember, I’m a fan of them in general …) one official who was all in was former CIA Director David Petraeus:

“‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,’ Petraeus enthused, ‘particularly to their effect on clandestine tradecraft.’

All those new online devices are a treasure trove of data if you’re a ‘person of interest’ to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the ‘smart home,’ you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance.

‘Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,’ Petraeus said, ‘the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.’

Petraeus allowed that these household spy devices ‘change our notions of secrecy’ and prompt a rethink of ‘our notions of identity and secrecy.’ All of which is true — if convenient for a CIA director.”

Sufficiently alarmed yet?

Let me be clear: I am convinced that security and privacy are the two issues that have the greatest potential to stop the Internet of Things dead in its tracks — and I felt that way even before Edward Snowden was a household name.

Snowden, ooops, Shodan, has revealed shocking indifference to security on the part of countless organizations (and, BTW, don’t forget that 85% of the U.S.’s critical infrastructure — power plants, pipelines, chemical factories, etc., is in private hands):

“A quick search for ‘default password’ reveals countless printers, servers and system control devices that use ‘admin’ as their user name and ‘1234’ as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.

In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into ‘test mode’ with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.”

This is as scary as the Vanity Fair article last year about how a miscreant could use an iPhone to kill you!

The 85% of critical infrastructure in private hands number should be a stark reminder: the only way we can possibly address IoT privacy and security is through collaborative government/private sector action — with strong involvement by you and me.

If you are involved in the IoT in any way, you simply can’t duck this issue!

 

My presentation tonight on human communication and the IoT

I just uploaded my presentation to tonight’s Boston/New England IoT Meetup, which will be held in Providence beginning at 5:30.

I’ll be speaking about what’s often overlooked in the introduction of exciting new technologies — and the IoT is no exception: the human communication possibilities and challenges that it introduces.

In the case of the IoT, all of the attention on automatic, non-human mediated machine-to-machine communication obscures the fact that the IoT will have profound implications for human communications as well.

More than anything, it’s the fact that, for the first time, we’ll be able to share critical data on a real-time basis among co-workers, our supply chains, our distribution networks, and our customers. IMHO, that changes everything: workers will be able to do their jobs better because they’ll know exactly what’s happening at the time, and we’ll be able to make better decisions because everyone with a valuable perspective will be able to chime in at the same time: reducing the chance that some critical aspect of the issue will go ignored. That’s going to be amazing!

I’ll also talk about Chris Rezendes’ concept of “ground truth,” i.e., that one of the things we’ll be able to share in making those better decisions is “device intelligence,” real-time data from “smart things.” Hopefully this will lead to fact-based decision making (OK, maybe I’m a Pollyanna!).

I conclude with my argument that, to fully take advantage of this real-time data flow, we need new management styles, including a “Buckyball Management” organizational chart in which every member of the organization is an important, value-creating “node” and every member can communicate with every other member when it’s relevant.

Hope you can make it tonight!


Hallelujah! The Internet of People launches

Most readers of this blog probably already know Rob van Kranenburg, arguably THE leading European Internet of Things theorist. What you may not know is that, for the past year, he and a core group of IoT leaders have been planning creation of a UK-based global IoT consultancy, “The Internet of People.”

Unfortunately, one of the victims of that effort was a planned collaboration between Rob and me on an article about the IoT for the Harvard Business Review, but now I’ve got Dave Evans of Cisco as a writing partner, so I ain’t complainin’!

At any rate, there’s glorious news today: The Internet of People has officially launched, and there are more than 100 of us consultants who are already in the fold!

This is going to be an all-star team, so if you’re in need of IoT strategy and other consulting services, I hope you’ll contact us!


Nice long NPR piece on Santander

Posted on 4th June 2013 in cities, government, Internet of Things, transportation

One of my sons turned me on to this long NPR piece this morning about Santander. Thought it did a good job of covering the mix of top-down (the city’s installations of sensors) and bottom-up (the active involvement of citizens through apps to report potholes, etc.) that make up a robust IoT program.


Xively: LogMeIn launches first Internet of Things public cloud

Posted on 14th May 2013 in Internet of Things

At last week’s 2nd Boston/New England IoT Meetup, LogMeIn officials hinted at a big announcement today.

No kidding! The news was that they’ve teamed with ARM, the mobile chip giant, to launch the “Xively (Xively? Where, pray tell, do they come up with these names??) Jumpstart Kit” to accelerate the launch of commercial projects on the IoT:

“…a rapid prototyping-to-production bundle that significantly reduces the cost, complexity and learning curve required to bring IoT-based connected products and solutions to market.”

The kit combines:

  • the first public cloud for the Internet of Things
  • ARM mbed™, “a platform for rapidly building connected devices using ARM-based microcontrollers.”

The combination of services will allow developers of any size to quickly move from prototypes to IoT commercial services.

According to LogMeIn CEO Michael Simon:

“The Internet of Things signifies the next major wave of the Internet, one that we believe could even eclipse both the web and mobile waves combined, and presents a massive opportunity for businesses that want to create a new generation of compelling connected products.  In order to make this happen, they need a simple, affordable way to experiment and innovate through a platform that will enable them to seamlessly move from prototype to commercial product, and then scale as demand grows. By working together with leading vendors like ARM, a company that’s been a driving force in the enablement of the IoT, we can deliver a powerful, easy way for companies to jumpstart their IoT-based connected products and turn them into reality.”

Analyst Glenn Allmendinger, CEO of Harbor Research, said the service is one of three factors that will accelerate growth of the IoT:

“We are seeing real traction in the Internet of Things market. Three forces are converging: connectivity, innovative new device designs and a new generation of technology tools that let manufacturers focus on their core product innovation instead of on building Internet of Things infrastructure from scratch. This can be a hundreds of billions of dollars opportunity.  Xively Cloud Services organizes a true end-to-end chain of tools, support, partners, and infrastructure for smart systems on the IoT.”

Xively is the latest evolution in what began as Usman Haque’s pioneering Pachube platform.

 
