Even More Reason to Boost Internet of Things Security: Feds Spying

As if there wasn’t already enough reason to make privacy and security your top IoT priority (see what I wrote earlier this week), now there’s more evidence Uncle Sam may be accessing your IoT data as part of its overall surveillance efforts (MEMO to NSA Director: we notice the lights at the Stephenson household went on precisely at sunset. Was that a signal to launch Operation Dreadful Winter?).

The Guardian reports that US. Director of National Intelligence James Clapper told the Senate:

“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”

Shades of former CIA Director David Petraeus, who I noted several years ago was also enamored of smart homes as the motherlode for snooping:

“‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,’ Petraeus enthused, ‘particularly to their effect on clandestine tradecraft.’ All those new online devices are a treasure trove of data if you’re a ‘person of interest’ to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the ‘smart home,’ you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance. ‘Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,’ Petraeus said, ‘the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.’ Petraeus allowed that these household spy devices ‘change our notions of secrecy’ and prompt a rethink of’ ‘our notions of identity and secrecy.’”

Yikes!

Gathering data on spies, terrorists and other malefactors is always such a double-edged sword: I’m generally in favor of it if there’s demonstrable, objective proof they should be under surveillance (hey, I went to school with uber-spy Aldrich Ames!) but if and when the NSA and CSA start hoovering up gigantic amounts of data on our homes — and, even more questionably, our bodies [though Quantified Self devices] then we’ve got to make certain that privacy and security protections are designed in and tough, and that there is some sort of effective civilian oversight to avoid gratuitous dragnets and trump(ooh, gotta retire that word from my vocabulary)ed up surveillance.

Big Brother is watching … your thermostat!

No Debate: Protecting Privacy and Security Is 1st Internet of Things Priority

This just in: your Internet of Things strategy will fail unless you make data privacy and security the absolute highest priority.

I didn’t always think that way.

Long-time readers know one of my favorite themes is what I call the IoT “Essential Truths,” the key priorities and attitudinal shifts that must be at the heart of all IoT strategies. I’ve always ranked privacy and security the last on the list:

  1. Share Data (instead of hoarding it, as in the past)
  2. Close the Loop (feed that data back so there are no loose ends, and devices become self-regulating:
  3. Redesign Products so they will contain sensors to feed back data about the products’ real-time status, and/or can now be marketed not as products that are simply sold, but services that both provide additional benefits to customers while also creating new revenue streams for the manufacturer.
  4. Make Privacy and Security the Highest Priority, because of the dangers to customers if personal or corporate data becomes available, and because loss of trust will undermine the IoT.

No longer.

I’ve reversed the order: privacy & security must be the precondition for anything else you do with the IoT, because their absence can undermine all your creativity.

      Newsweek article about Shodan

Newsweek article about Shodan

The specific incident that sparked this reordering of priorities was a recent spate of articles about how Shodan (in mid-2013 I blogged about the dangers of having IoT data show up there — did you pay attention??) — the “search engine for the Internet of Things” — had recently added a new feature that makes it easy-peasy to search unsecured webcams for video of everything from sleeping babies to marijuana farms. According to CNBC:

“‘Shodan has started to grab screenshots for various services where the existing text information didn’t provide much information,’ founder John Matherly wrote in an email. ‘This was launched in August 2015 and the various sources for screenshots have expanded since then — one of those recent additions is for webcams.'”

I’ve written before that I feel particularly strongly about this issue because, unlike engineers who are hell-bent on getting their IoT products and services to market ASAP and at as little cost as possible, I have an extensive background before my IoT days as a crisis management consultant to Fortune 100 companies that had screwed up big time, l0st public trust, and now had to earn it back. As a result, I see IoT privacy and security threats differently.

As I’ve said, a lot of engineers — as left-brained and analytical as I am right-brained and intuitive — simply don’t understand factors such as the fear parents feel when their sleeping babies can be seen anywhere and creeps can yell obscenities at them. After all, fear isn’t factual, its emotional. However, that can no longer be an excuse.

No more Mr. Nice Guy! you must make privacy and security a priority on the first day you brainstorm your new IoT product or service, or you risk losing everything.

As cyber-security expert Paul Roberts says:

“The Internet of Things means that the impact of cyber attacks will now be felt in the physical world and the cost of failing to security IoT endpoints could be measured in human lives, not simply zeroes and ones.
“Like any land grab, the rush to own a piece of the Internet of Things is chaotic and characterized by the trampling of more than a few treasured and valued principles: privacy, security, accountability. As companies clamor to develop the next Nest Thermostat or simply to whitewash aging gear with a web interface and companion mobile app, they’re conveniently forgetting the lessons of the past two decades.”
The key is “security by design.”As Gulio Corragio puts it:
“the principle of data protection by design requires data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. This should also include the responsibility for the products and services used by the controller or processor….
The benefits include:
  • “limit the risk that Internet of Things devices are deemed not compliant with privacy laws avoiding sanctions that under the new EU Privacy Regulation will reach 5% of the global turnover;
  • reducing the potential liabilities deriving from cybercrimes since data breaches have to be reported to privacy regulators only if the data controller is unable to prove to have adopted the security measures adequate to the data processing and
  • exclude liabilities in case of processing of data that are not necessary for the provision of the service also through the usage of anonymization techniques which is relevant especially for B2B suppliers that have no relationship with final users.”

Privacy and security are never-ending requirements for the IoT, because the threats will continue to evolve. Making it a priority from the beginning will reduce the challenge.


I’ll speak on this subject at SAP’s  IoT 2016 Conference, Feb. 16-19, in Las Vegas.

Free Citywide IoT Data Networks Will Catapult IoT Spread to Hyperspeed!

One of the truly exciting things about viral digital phenomena is how rapidly they can take hold, outstripping the slow, methodical spread of innovations in the pre-digital era.  I suspect we may be on the verge of that happening again, with an unlikely impetus: the crowdsourced global movement to create free citywide IoT data networks.

We’re been there before, with the movement to open real-time public access to city data bases, beginning when CTO (and later US CIO) Vivek Kundra did it in DC in 2008, then sponsored the Apps for Democracy competition to spark creation of open-source apps using the data (bear in mind this was at a time when you had to explain to many people what an “app” was, since they, and smart phones, were so new).  From the beginning, Kundra insisted that the apps be open source, so that hackers in other cities could copy and improve on them, as they have — worldwide.

I was doing consulting for him at the time, and remember how incredibly electric the early days of the open data movement were — it inspired my book Data Dynamite, and led to similar efforts in cities worldwide, which in turn set the stage for the “smart city” movement as the IoT emerged.

As detailed in my last post, we’re now launching a crowdsourced campaign to make Boston the first US city, and second worldwide (following Amsterdam) to have a free citywide IoT data network — and plan to up the ante by setting of goal to cover the neighborhoods too — not just the downtown.

The Things Network guys plan to build on their accomplishments, announcing this week that they will advise similar crowdfunded networks on five continents (including our Boston project). They place a major emphasis on grassroots development, to avoid subscription-based infrastructures that could be controlled from above and which would limit l0w-cost innovations, especially on the neighborhood scale.  According to founder Wienke Giezeman:

““If we leave this task up to big telcos, a subscription model will be enforced and we will exclude 99% of the cool use cases. Instead, let’s make it a publicly owned and free network so businesses and use cases will flourish on top of it.”

I’ve been a fan of mesh networks back to my days doing disaster and terrorism because they’re self-organizing and aren’t vulnerable because there isn’t a single point of failure. But it’s as much philosophical as technological, because you don’t have to wait for some massive central authority to install the entire system: it evolves through the decisions of individuals (we’re already finding that in Boston: it turns out that our system will be able to tap a number of LoRaWAN gateways that several companies had already installed for their own uses!) The Amsterdam guys share that perspective. Tech lead Johan Stokking says:

“We make sure the network is always controlled by its users and it cannot break at a single point. This is embedded in our network architecture and in our governance.”

Takes me back to my callow youth in the 6o’s: let a thousand apps bloom! (and, BTW, the great Kevin Kelly made this point in his wonderful Out of Control, back in the mid 90’s, especially with his New Rules for the New Economy (I’m going to take the liberty of posting all the rules here, because they are so important, especially now that we have technology such as LoRaWAN that foster them!):

1) Embrace the Swarm. As power flows away from the center, the competitive advantage belongs to those who learn how to embrace decentralized points of control.

2) Increasing Returns. As the number of connections between people and things add up, the consequences of those connections multiply out even faster, so that initial successes aren’t self-limiting, but self-feeding.

3) Plentitude, Not Scarcity. As manufacturing techniques perfect the art of making copies plentiful, value is carried by abundance, rather than scarcity, inverting traditional business propositions.

4) Follow the Free. As resource scarcity gives way to abundance, generosity begets wealth. Following the free rehearses the inevitable fall of prices, and takes advantage of the only true scarcity: human attention.

5) Feed the Web First. As networks entangle all commerce, a firm’s primary focus shifts from maximizing the firm’s value to maximizing the network’s value. Unless the net survives, the firm perishes.

6) Let Go at the Top. As innovation accelerates, abandoning the highly successful in order to escape from its eventual obsolescence becomes the most difficult and yet most essential task.

7) From Places to Spaces. As physical proximity (place) is replaced by multiple interactions with anything, anytime, anywhere (space), the opportunities for intermediaries, middlemen, and mid-size niches expand greatly.

8) No Harmony, All Flux. As turbulence and instability become the norm in business, the most effective survival stance is a constant but highly selective disruption that we call innovation.

9) Relationship Tech. As the soft trumps the hard, the most powerful technologies are those that enhance, amplify, extend, augment, distill, recall, expand, and develop soft relationships of all types.

10) Opportunities Before Efficiencies. As fortunes are made by training machines to be ever more efficient, there is yet far greater wealth to be had by unleashing the inefficient discovery and creation of new opportunities.”

If you really want to exploit the IoT’s full potential, you gotta read the whole book.

Equally important, the Obama Administration announced it will boost smart city app development with a new $160 million smart cities initiative:

“Among the initiative’s goals are helping local communities tackle key challenge such as reducing traffic congestion, fighting crime, fostering economic growth, managing the effects of a changing climate, and improving the delivery of city services. As part of the initiative, the National Science Foundation will make more than $35 million in new grants and the National Institute of Standards and Technology will invest more than $10 million to help build a research infrastructure to develop applications and technology that ‘smart cities’ can use.”

The LoRaWan gateways used in the Amsterdam project are already low cost: only 10 of the $1,200 units covered the downtown area. However, The Things Network hopes to crowdsource an even cheaper, $200 version through a Kickstarter campaign.  If that happens, even small cities will be able to have their own free citywide IoT data networks, and when that happens, I’m confident the IoT will shift into hyperdrive worldwide!

Are you on board?


 

Oh yeah, did you say what about the risks of privacy and security violations with such a large and open system? The Amsterdam lads have thought of that as well, reaching out to Deloitte from the get-go to design in security:

“To make this initiative grow exponentially, we have to take cyber security and privacy into account from the start of the development. Therefore, we have partnered with Deloitte, who is not only contributing to the network with a Gateway, but will also be the advisor on the security and privacy of the network.

“’We translate technology developments in the field of Digital, Data and Cyber Security into opportunities and solutions for our clients. We are therefore happy to support the Things Network as Security & Privacy advisor’ Marko van Zwam, Head of Deloitte Cyber Risk Services.”

Give It Up, People: Government Regulation of IoT Is Vital

Could this be the incident that finally gets everyone in the IoT industry to — as I’ve said repeatedly in the past — make privacy and security Job 1 — and to drop the lobbying groups’ argument that government regulation isn’t needed? 

I hope so, because the IoT’s future is at stake, and, frankly, not enough companies get it.

I’m referring to the Chrysler recall last week of 1.4 million Jeeps for a security patch after WIRED reported on an experiment in which two white-hat hackers remotely disabled a Jeep on an Interstate from miles away, exploiting a vulnerable link between its entertainment and control systems.  Put yourself in the place of reporter Andy Greenberg, then tell me with a straight face that you wouldn’t be out of your mind if this happened to you:

“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

“You’re doomed!” Valasek [one of the hackers] shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.”

OK: calm down, get a cool drink, and, when your Apple Watch says your heart beat has returned to normal, read on….

But, dear reader, our industry’s leaders, assumedly knowing the well-publicized specifics of the Chrysler attack, had the hubris to still speak at a hearing of the Internet Subcommittee of the House of Representatives Judiciary Committee last week and claim (according to CIO) that that government regulation of the IoT industry wasn’t needed.

CEA CEO Gary Shapiro said in calling for government “restraint”:

“It’s up to manufacturers and service providers to make good decisions about privacy and security, or they will fail in the marketplace….. Industry-driven solutions are best to promote innovation while protecting consumers.”

Sorry, Gary: if someone dies because their Jeep got spoofed, the survivors’ attorneys won’t be content with the company’s failure in the marketplace.

There are some important collaborative efforts to create privacy and security standards for the IoT, such as the AllSeen Alliance. However, as I’ve written before, there are also too many startups who defer building in privacy and security protections until they’ve solved their technology needs, and others, most famously TRENDnet, who don’t do anything at all, resulting in a big FTC fine.  There are simply too many examples of hackers using the Shodan site to hack into devices, not to mention academics and others who’ve showed security flaws that might even kill you if exploited.

One local IoT leader, Paddy Srinivasan of LoMein, gets it, as reported today by the Boston Globe‘s Hiawatha Bray:

“‘I think it is a seminal moment…. These new devices need a fresh approach and a new way of thinking about security, and that is the missing piece.'”

But it’s too late to just talk about self-policing.

Massachusetts’ own Ed Markey and his Connecticut counterpart, Richard Blumenthal, have called the associations’ bluff, and filed legislation, The Security and Privacy in Your Car Act (AKA SPY Car, LOL)  that would require the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy. It would also create a rating system — or “cyber dashboard”— telling drivers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards. This comes in the wake of the Markey study I reported on last Winter documenting car companies’ failure to build in adequate cyber-hacking protections.

Guess what, folks?  This is only the beginning.  Probably the only thing I’ve ever agreed with Dick Cheney on (ok, we agree it’s cool to have been born in Wyoming and that Lynne Cheney is a great writer), is that it wouldn’t be cool for the Veep to have his pacemaker hacked, so you can bet there will be legislation and regulations soon governing privacy and security for wearables as well.

As I’ve said before, I come at this issue differently from a lot of engineers, having earned my keep for many years doing crisis management for Fortune 100 companies that bet the farm by doing dumb things that could destroy public trust in them overnight. Once lost, that trust is difficult, if not impossible, to regain.  Even worse, in this case, cavalier attitudes by even one IoT company, if the shock value of the results is great enough, could make everyone in the industry suffer.

So, if you’re arguing for no regulation of the IoT industry, I have just one suggestion: shut up,clean up your act and take a positive role in shaping regulations that would be performance-based, not prescriptive: the horse has already left the barn.

Now I have to check my Apple Watch to see when my heart rate will get back to normal.

 

comments: Comments Off on Give It Up, People: Government Regulation of IoT Is Vital tags: , , , , , , , , ,

Every IoT office needs this graphic on privacy and security

Long-time readers know that I frequently rant that privacy and security are Job 1 when it comes to the IoT.  

No apologies: it’s because I spent many years in corporate crisis management, and I learned the hard way that public trust is hard to earn, easy to lose, and, once lost, difficult or impossible to regain.

That’s why I was so glad to see this really informative, attractive, and scary infographic from Zora Lopez at Computer Science Zone, because it lays everything out so vividly.  Among the key points:

  1. (seen this before, but it still astounds me) In 2011, 20 typical households generated as much data as the entire Internet did as recently as 2008.
  2. the number of really-large (on scale of e-Bay, Target, etc.) data thefts grow annually.
  3. the bad guys particularly go after extremely sensitive data such as health, identity and financial.

It concludes with a particularly sobering reminder (you may remember my comment on the enthusiastic guys who presented at Wearables + Things and cheerfully commented that they would eventually get around to privacy and security — NOT!):

The barrier to entry in tech has never been lower, leaving many new organizations to later grapple with unsatisfactory security.” (my emphasis)

So: print a copy of the following for every employee and new hire, and put it on the cube’s wall immediately (here’s the original URL: http://www.computersciencezone.org/wp-content/uploads/2015/04/Security-and-the-Internet-of-Things.jpg#sthash.c6u2POMr.dpuf)

IoT Privacy and Security, from Computer Science Zone

comments: Comments Off on Every IoT office needs this graphic on privacy and security tags: , , , , , ,

Exploiting full potential of iBeacons for Internet of Things

One of the most exciting aspects of the Internet of Things is seeing how, when more people are exposed to one of its technologies, they find uses for it that the inventors might not have visualized.  I give you … the iBeacon.

The Apple protocol (again, my obligatory disclaimer that I work part-time at an Apple Store, but have no inside information or any obligation to hype their tech) is used in Bluetooth low-energy transmitters (“beacons”) that broadcast their location to nearby devices so they can perform actions such as social-media check-ins or push notifications while near the beacon.  They’re most frequently used in marketing to offer targeted bargains, and primarily have been used by the biggest retailers and sites such as major-league ballparks, but, as you’ll see, not always.

At the Re-Work Internet of Things Summit I met two young entrepreneurs, Justin Mann and Ben Smith  of Beacons in Space, a Boston startup that would allow new apps to leverage existing installed iBeacons — typically installed by large retailers and closed to others —  instead of having to add more beacons in a given space. This would be done through a subscription model with a simple API on top of a beacon rental marketplace. It would allow smaller developers can scale their developments and projects without having to invest in a redundant iBeacon array.

But I was particularly interested in how some clever developers are applying iBeacons outside retail settings.

One is at the Zoom Torino Biopark in Cumiana, Italy. iBeacons around the zoo trigger an app including an interactive map that helps visitors move around the park by giving their exact location and showing where other attractions are located.

“As visitors discover the six different habitat environments of the park, they will be able to unlock specific details, facts and suggestions throughout their journey thanks to hidden Bluetooth transmitting beacons, which trigger relevant content on a visitor’s smartphone based on their location.

“Users will also benefit from alerts on their mobile device informing them of special events during their visit, like meeting animals or presentations. By engaging with the app, visiting certain locations within the park and answering quiz questions, visitors can also earn promotional items and discount coupons for use within the park.”

installing iBeacon on Bucharest trolley to guide visually-impaired

Best of all,  Romania is using them in a very clever system, The Smart Public Transport (SPT) solution, to give visually-impaired riders audio clues through their smartphone about Bucharest’s bus system, a joint project of the Smart Public Transport project and Romania’s RATB trolley buses. Onyx Beacon, a Romanian company, is installing 500 Beacons on the city’s most heavily used public transportation vehicles (the project, incidentally, was funded by Vodafone under its “Mobile for Good” program, encouraging use of technology for social programs and to solve specific problems of those with special personal needs).

All of these projects show the utility — provided there are privacy and security provisions built in, and the systems are opt-in, of iBeacons for giving hyper-localized information and offers. If the Beacons in Space concept takes off, to eliminate the need to deploy more iBeacons for every new app, the concept might really become an important part of the IoT, whether for retail or civic uses.

comments: Comments Off on Exploiting full potential of iBeacons for Internet of Things tags: , , , ,

Smart Cities: opportunity … and danger if security isn’t a priority

Smart cities are one of the Internet of Things’ most promising areas — as well as one of the most potentially dangerous.

As this list of smart city initiatives shows, The IoT can reduce energy consumption, cut operating costs, and improve the quality of life. However, if hacked, it could also potentially paralyze an entire city and plunge it into darkness and/or create traffic gridlock.

As in so many other IoT areas, which scenario wins out will rest increasingly on making security and privacy in smart cities an absolute priority from Day 1, not an afterthought.

A recent New York Times article brings the issue to the foreground again, through the work of Cesar Cerrudo, an Argentine security researcher and chief technology officer at IOActive Labs, who showed what happens when idiots (so sue me…) decide not to make security a priority:

” (he) demonstrated how 200,000 traffic control sensors installed in major hubs like Washington; New York; New Jersey; San Francisco; Seattle; Lyon, France; and Melbourne, Australia, were vulnerable to attack. Mr. Cerrudo showed how information coming from these sensors could be intercepted from 1,500 feet away — or even by drone — because one company had failed to encrypt its traffic.

“Just last Saturday, Mr. Cerrudo tested the same traffic sensors in San Francisco and found that, one year later, they were still not encrypted.”

Even worse, Cerrudo found the same failure to bake in obvious security measures such as encryption in a wide range of other smart city devices and software.

The article goes on to cite a variety of very real cybersecurity threats to cities and critical infrastructure (don’t forget that about 85% of the nation’s critical infrastructure is in private ownership) including a break-in at a utility’s control network by a “sophisticated threat actor” that just guessed a password.

Among the measures Cerrudo suggests that cities take to reduce their vulnerability:

  • think of cities “as vast attack surfaces that require security protection just as a corporate network might.”
  • encrypt data, use strong passwords, and patch security holes
  • create computer emergency response teams (CERTs), for rapid response
  • restrict data access and monitor who does have it.
  • “Finally, he suggests that cities prepare for the worst, as they would for a natural disaster.”

He concluded:

“When we see that the data that feeds smart city systems is blindly trusted and can be easily manipulated — that the systems can be easily hacked and there are security problems everywhere — that is when smart cities become dumb cities.” (my emphasis)

Let me be blunt about it: whether in smart cities or any other aspect of the Internet of Things, if your attitude is “we’ll get around to security” after concentrating on product development, you’re irresponsible and deserve to fail — before your irresponsibility harms others.


BTW, here’s a great way for you to have a role in shaping tomorrow’s smart cities. IBM (who would have thunk it?  I suspect this is reflects Ginni Rometty’s change in direction and attitude at the top) has created People for Smarter Cities, a new site to crowdsource ideas for how to make cities smarter. It’s a great example of democratizing innovation, one of my IoT Essential Truths. I plan to contribute and hope you will as well!

comments: Comments Off on Smart Cities: opportunity … and danger if security isn’t a priority tags: , , , , ,

The Internet of Things’ Essential Truths

I’ve been writing about what I call the Internet of Things’ “Essential Truths” for three years now, and decided the time was long overview to codify them and present them in a single post to make them easy to refer to.

As I’ve said, the IoT really will bring about a total paradigm shift, because, for the the first time, it will be possible for everyone who needs it to share real-time information instantly. That really does change everything, obliterating the “Collective Blindness” that has hampered both daily operations and long-term strategy in the past. As a result, we must rethink a wide range of management shibboleths (OK, OK, that was gratuitous, but I’ve always wanted to use the word, and it seemed relevant here, LOL):

  1. First, we must share data. Tesla leads the way with its patent sharing. In the past, proprietary knowledge led to wealth: your win was my loss. Now, we must automatically ask “who else can use this information?” and, even in the case of competitors, “can we mutually profit from sharing this information?” Closed systems and proprietary standards are the biggest obstacle to the IoT.
  2. Second, we must use the Internet of Things to empower workers. With the IoT, it is technically possible for everyone who could do their job better because of access to real-time information to share it instantly, so management must begin with a new premise: information should be shared with the entire workforce. Limiting access must be justified.
  3. Third, we must close the loop. We must redesign our data management processes to capitalize on new information, creating continuous feedback loops.
  4. Fourth, we must rethink products’ roles. Rolls-Royce jet engines feed back a constant stream of real-time data on their operations. Real-time field data lets companies have a sustained dialogue with products and their customers, increasingly allowing them to market products as services, with benefits including new revenue streams.
  5. Fifth, we must develop new skills to listen to products and understand their signals. IBM scientists and medical experts jointly analyzed data from sick preemies’ bassinettes & realized they could diagnose infections a day before there was any visible sign. It’s not enough to have vast data streams: we need to understand them.
  6. Sixth, we must democratize innovation. The wildly-popular IFTTT web site allows anyone to create new “recipes” to exploit unforeseen aspects of IoT products – and doesn’t require any tech skills to use. By sharing IoT data, we empower everyone who has access to develop new ways to capitalize on that data, speading the IoT’s development.
  7. Seventh, and perhaps most important, we must take privacy and security seriously. What responsible parent would put an IoT baby monitor in their baby’s room after the highly-publicized incident when a hacker exploited the manufacturer’s disregard for privacy and spewed a string of obscenities at the baby? Unless everyone in the field takes privacy and security seriously, the public may lose faith in the IoT.

There you have ’em: my best analysis of how the Internet of Things will require a revolution not just in technology, but also management strategy and practices. What do you think?

Apple ResearchKit will launch medical research paradigm shift to crowd-sourcing

Amidst the hoopla about the new MacBook and much-anticipated Apple Watch, Apple snuck something into Monday’s event that blew me away (obligatory disclaimer: I work part-time at The Apple Store, but the opinions expressed here are mine).

My Heart Counts app

Four years after I proselytized about the virtues of democratizing data in my Data Dynamite: how liberating data will transform our world book (BTW: pardon the hubris, but I still think it’s the best thing out there about the attitudinal shift needed to capitalize on sharing data), I was so excited to learn about the new ResearchKit.

Tag line? “Now everybody can do their part to advance medical research.”

The other new announcements might improve your quality of life. This one might save it!

As Senior VP of Operations Jeff Williams said in announcing the kit,  the process of medical research ” ..hasn’t changed in decades.” That’s not really true: as I wrote in my book, the Quantified Self movement has been sharing data for several years, as well as groups such as CureTogether and PatientsLikeMe. However, what is definitely true is that no one has harnessed the incredible power of the smartphone for this common goal until now, and that’s really incredible. It’s a great example of my IoT Essential Truth of asking “who else could use this data?

A range of factors cast a pall over traditional medical research.

Researchers have had to cast a broad net even to get 50-100 volunteers for a clinical trial (and may have to pay them, to boot, placing the results validity when applied to the general population in doubt).  The data has often been subjective (in the example Williams mentioned, Parkinson’s patients are classified by a doctor simply on the basis of walking a few feet). Also, communication about the project has been almost exclusively one way, from the researcher to the patient, and limited, at best.

What if, instead, you just had to turn on your phone and open a simple app to participate? As the website says, “Each one [smartphone] is equipped with powerful processors and advanced sensors that can track movement, take measurements, and record information — functions that are perfect for medical studies.” Suddenly research can be worldwide, and involve millions of diverse participants, increasing the data’s amount and validity (There’s a crowdsourcing research precedent: lot of us have been participating in scientific crowdsourcing for almost 20 years, by installing the SETI@Home software that runs in the background on our computers, analyzing data from deep space to see if ET is trying to check in)!

Polymath/medical data guru John Halamka, MD wrote me that:

“Enabling patients to donate data for clinical research will accelerate the ‘learning healthcare system’ envisioned by the Institute of Medicine.   I look forward to testing out Research Kit myself!”

The new apps developed using ResearchKit harvest information from the Health app that Apple introduced as part of iOS8. According to Apple:

“When granted permission by the user, apps can access data from the Health app such as weight, blood pressure, glucose levels and asthma inhaler use, which are measured by third-party devices and apps…. ResearchKit can also request from a user, access to the accelerometer, microphone, gyroscope and GPS sensors in iPhone to gain insight into a patient’s gait, motor impairment, fitness, speech and memory.

Apple announced that it has already collaborated with some of the world’s most prestigious medical institutions, including Mass General, Dana-Farber, Stanford Medical, Cornell and many others, to develop apps using ResearchKit. The first five apps target asthma, breast cancer, cardiovascular disease, diabetes and Parkinson’s disease.  My favorite, because it affects the largest number of people, is the My Heart Counts one. It uses the iPhone’s built-in motion sensors to track participants’ activity, collecting data during a 6-minute walk test from those who are able to walk that long. If participants also have a wearable activity device connecting with the Health app (aside: still don’t know why my Jawbone UP data doesn’t flow to the Health app, even though I made the link) , they are encouraged to use that as well. Participants will also enter data about their heart disease risk factors and their lab tests readings to get feedback on their chances of developing heart disease and their “heart age.” Imagine the treasure trove of cardiac data it will yield!

 A critical aspect of why I think ResearchKit will be have a significant impact is that Apple decided t0 make it open source, so that anyone can tinker with the code and improve it (aside: has Apple EVER made ANYTHING open source? Doubt it! That alone is noteworthy).  Also, it’s important to note, in light of the extreme sensitivity of any personal health data, that Apple guarantees that it will not have access to any of the personal data.

Because of my preoccupation with “Smart Aging,” I’m really interested in whether any researchers will specifically target seniors with ResearchKit apps. I’ll be watching carefully when the Apple Watch comes out April 24th to see if seniors buy them (not terribly optimistic, I must admit, because of both the cost and the large number of seniors I help at The Apple Store who are befuddled by even Apple’s user-friendly technology) because the watch is a familiar form factor for them (I haven’t worn a watch since I got my first cell phone, and most young people I know have never had one) and might be willing to use them to participate in these projects.

N0w, if you’ll excuse me, I just downloaded the My Heart Counts app, and must find out my “heart age!”


 

Doh!  Just after I posted this, I saw a really important post on Ars Technica pointing out that this brave new world of medical research won’t go anywhere unless the FDA approves:

“As much as Silicon Valley likes to think of itself as a force for good, disrupting this and pivoting that, it sometimes forgets that there’s a wider world out there. And when it comes to using devices in the practice of medicine, that world contains three very important letters: FDA. That’s right, the US Food and Drug Administration, which Congress has empowered to regulate the marketing and research uses of medical devices.

“Oddly, not once in any of the announcement of ResearchKit did we see mention of premarket approval, 510k submission, or even investigational device exemptions. Which is odd, because several of the uses touted in the announcement aren’t going to be possible without getting the FDA to say yes.”

I remember reading that Apple had reached out to the FDA during development of the Apple Watch, so I’m sure none of this comes as a surprise to them, and any medical researcher worth his or her salt is also aware of that factor. However, the FDA is definitely going to have a role in this issue going forward, and that’s as it should be — as I’ve said before, with any aspect of the IoT, privacy and security is Job One.

 

 

FTC report provides good checklist to design in IoT security and privacy

FTC report on IoT

FTC report on IoT

SEC Chair Edith Ramirez has been pretty clear that the FTC plans to look closely at the IoT and takes IoT security and privacy seriously: most famously by fining IoT marketer TrendNet for non-existent security with its nanny cam.

Companies that want to avoid such actions — and avoid undermining fragile public trust in their products and the IoT as a whole — would do well to clip and refer to this checklist that I’ve prepared based on the recent FTC Report, Privacy and Security in a Connected World, compiled based on a workshop they held in 2013, and highlighting best practices that were shared at the workshop.

  1. Most important, “companies should build security into their devices at the outset, rather than as an afterthought.” I’ve referred before to the bright young things at the Wearables + Things conference who used their startup status as an excuse for deferring security and privacy until a later date. WRONG: both must be a priority from Day One.

  2. Conduct a privacy or security risk assessment during design phase.

  3. Minimize the data you collect and retain.  This is a tough one, because there’s always that chance that some retained data may be mashed up with some other data in future, yielding a dazzling insight that could help company and customer alike, BUT the more data just floating out there in “data lake” the more chance it will be misused.

  4. Test your security measures before launching your products. … then test them again…

  5. “..train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.” This one is sooo important and so often overlooked: how many times have we found that someone far down the corporate ladder has been at fault in a data breach because s/he wasn’t adequately trained and/or empowered?  Privacy and security are everyone’s job.

  6. “.. retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers.”

  7. ‘… when companies identify significant risks within their systems, they should implement a defense-in -depth approach, in which they consider implementing security measures at several levels.”

  8. “… consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.” Don’t forget: with the Target data breach, the bad guys got access to the corporate data through a local HVAC dealer. Everything’s linked — for better or worse!

  9. “.. companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.”  Privacy and security are moving targets, and require constant vigilance.

  10. Avoid enabling unauthorized access and misuse of personal information.

  11. Don’t facilitate attacks on other systems. The very strength of the IoT in creating linkages and synergies between various data sources can also allow backdoor attacks if one source has poor security.

  12. Don’t create risks to personal safety. If you doubt that’s an issue, look at Ed Markey’s recent report on connected car safety.

  13. Avoid creating a situation where companies might use this data to make credit, insurance, and employment decisions.  That’s the downside of cool tools like Progressive’s “Snapshot,” which can save us safe drivers on premiums: the same data on your actual driving behavior might some day be used become compulsory, and might be used to deny you coverage or increase your premium).

  14. Realize that FTC Fair Information Practice Principles will be extended to IoT. These “FIPPs, ” including “notice, choice, access, accuracy, data minimization, security, and accountability,” have been around for a long time, so it’s understandable the FTC will apply them to the IoT.  Most important ones?  Security, data minimization, notice, and choice.

Not all of these issues will apply to all companies, but it’s better to keep all of them in mind, because your situation may change. I hope you’ll share these guidelines with your entire workforce: they’re all part of the solution — or the problem.

comments: Comments Off on FTC report provides good checklist to design in IoT security and privacy tags: , , , ,
http://www.stephensonstrategies.com/">Stephenson blogs on Internet of Things Internet of Things strategy, breakthroughs and management