Good Paper by Mercatus on IoT Privacy and Security

Posted on 12th September 2013 in privacy, security

I’m politically on the liberal, not the libertarian side, but I’ve come to respect the libertarian Mercatus Center, in large part because of the great work Jerry Brito has done there on governmental transparency.

As part of my preparation to moderate a panel on security and privacy at the IoT Summit on October 1st in DC, I just read a great paper on the issue by Mercatus’ Adam Thierer.

In comments submitted to the FTC for its November workshop on these issues titled “Privacy and Security Implications of the Internet of Things,” Thierer says “whoa” to those who would have the FTC and others quickly impose regulations on the IoT in the name of protecting privacy and security.

Opposing pre-emptive, “precautionary” regulations, he instead argues for holding back:

“…. an “Anti-Precautionary Principle” is the better default here and would generally hold that:

“1. society is better off when technological innovation is not preemptively restricted;

“2. accusations of harm and calls for policy responses should not be premised on hypothetical worst-case scenarios; and

“3. remedies to actual harms should be narrowly tailored so that beneficial uses of technology are not derailed.”

He reminds us that, when introduced, such everyday technologies as the phone (you know, the old on-the-wall kind…) and photography were opposed by many as invasions of privacy, but social norms quickly adapted to embrace them. He quotes Larry Downes, who has written, “After the initial panic, we almost always embrace the service that once violated our visceral sense of privacy.”

Rather than imposing limits in advance, Thierer argues for a trial-and-error approach to avoid unnecessary limits to experimentation — including learning from mistakes.

He points out that social norms often emerge that can substitute for regulations to govern acceptable use of the new technology.

In conclusion, Thierer reminds us that there are already a wide range of laws and regulations on the books that, by extension, could apply to some of the recent IoT outrages:

“…  many federal and state laws already exist that could address perceived harms in this context. Property law already governs trespass, and new court rulings may well expand the body of such law to encompass trespass by focusing on actual cases and controversies, not merely imaginary hypotheticals. State ‘peeping Tom’ laws already prohibit spying into individual homes. Privacy torts—including the tort of intrusion upon seclusion—may also evolve in response to technological change and provide more avenues of recourse to plaintiffs seeking to protect their privacy rights.”

Along the lines of my continuing screed that IoT manufacturers had better take action immediately to tighten their own privacy and security precautions, Thierer isn’t letting them off the hook:

“The public will also expect the developers of IoT technologies to offer helpful tools and educational methods for controlling improper usages. This may include ‘privacy-by-design’ mechanisms that allow the user to limit or intentionally cripple certain data collection features in their devices. ‘Only by developing solutions that are clearly respectful of people’s privacy, and devoting an adequate level of resources for disseminating and explaining the technology to the mass public’ can industry expect to achieve widespread adoption of IoT technologies.”

So get cracking, you lazy IoT developers (yes, you smirking over there in the corner…) who think that security and privacy are someone else’s business: if you don’t act, regulators may step in, and stifle innovation in the name of consumer protection. You’ll have no one to blame but yourselves.

It’s a good read — hope you’ll check it out!


The Hill Publishes Op-Ed on IoT Security and Privacy

Posted on 11th September 2013 in privacy, security, US government

Earlier this week, The Hill, the highly-respected Capitol Hill newspaper, published an op-ed co-authored by Chris Rezendes of INEX Advisors and me on the ever-important topic of IoT privacy and security (or lack thereof!).

In it, we warned that “on the heels of the NSA scandal, news of security problems’ threat to privacy may cripple the IoT before it achieves its promise.”

We went on to explain that:

“The record on security and privacy is not reassuring.

“The Obama administration has almost entirely ignored the Internet of Things (by contrast, it’s frequently mentioned by the Chinese leadership, which has invested massive amounts in the technology). The president has never mentioned it, and the FTC is the only federal agency that has begun to protect IoT privacy and security.”

We called for public-private collaboration to make IoT security and privacy a priority:

“Individual companies must make privacy and security a priority. Opaque user agreements such as Facebook’s letting the service provider remarket or redeploy user data won’t be acceptable. A recent INEX study of one multi-billion industrial market revealed that 96 percent of industrial equipment owner/operators believe they own data from their machines, and access to it is theirs to determine — not the machine’s builder or service providers that connect it. Customers must legally own their online data, determine who has rights to what, and sharing must be “opt in”, with ZERO sharing as the default.

“As for security, companies should explore Resilient Networking, a concept developed for the Department of Homeland Security framing new approaches to network/cyber security in more connected, distributed, automated, and dynamic digital networks.

“But individual efforts aren’t as important as collaborative ones, again, because of the data-sharing that is central to the IoT’s transformative power. We’re encouraged by formation of the IPSO Alliance and the IoT Consortium, which make security and privacy a priority.

“The president must also become involved in this issue. One reason is that the IoT will benefit government: cities worldwide are already applying the IoT, and it can make government in general more effective and responsive. Working closely with the private sector is a priority because 85 percent of the nation’s critical infrastructure, including the electric grid, pipelines and chemical plants, is in private hands, and is the focus of IoT initiatives such as the “smart grid” to make them more interconnected and reliable – but also more vulnerable to a coordinated attack.”

That’s our opinion on this crucial issue. What’s yours?

P.S. A reminder that these issues will be front and center in the panel on security and privacy that I will moderate at the IoT Summit, to be held October 1st and 2nd at the National Press Club in DC. Don’t miss it!


I’ll moderate D.C. panel on IoT privacy and security!

Posted on 5th September 2013 in privacy, security, Uncategorized

Huzzah! As you know, I’ve been repeating the mantra that, as technological barriers such as battery size disappear, the most important obstacles threatening full development of the Internet of Things are the linked issues of privacy and security.

That’s why I’m quite honored to announce I’ll be hosting a panel on those issues at the 2013 M2M and Internet of Things Global Summit, to be held October 1 and 2 at the National Press Club in DC!

It’s an impressive panel:

Other panels at the summit will discuss a related issue, device security; actualizing the IoT’s benefits; financing the IoT; IoT devices in the 4G era; and global standards.

Major speakers include:

  • Edith Ramirez, Chairwoman, FTC
  • Chris Vein, Chief Innovation Officer, The World Bank
  • Kevin Petersen, Senior Vice President, Digital Life, AT&T
  • Ed Tiedemann, Fellow and Head of Standards, Qualcomm
  • David Hoffman, Director of Security Policy and Global Privacy Officer, Intel Corporation
  • Alicia Asín, Co-Founder and CEO, Libelium
  • Chad Jones, VP Product Strategy, Xively
  • Chris Rezendes, President, INEX Advisors
  • Doug Merritt, Senior Vice President, Product, Solutions & Industry Marketing, Cisco

It should be a great conference. Sign up now! See you there!

PS: What questions do you think I should ask the panelists?

BABY MONITOR HACKED: MAKE-IT-OR-BREAK IT MOMENT FOR #IoT!!

Posted on 15th August 2013 in health, home automation, Internet of Things, privacy, security

I’m hitting on the same subject, privacy and security, for two posts in a row because now there’s been an incident that really could jeopardize the future of the IoT!

Call me an alarmist if you will, but I say ignore it at your peril…

As blogged by GigaOm, ABC News reported this week on an incident where a hacker got access to a — this is getting repetitious — IoT product with laughable security.

(Image: Foscam baby monitor)

This time, it wasn’t the mainstream media reporting just a friendly wake-up call (literally and figuratively…) from a reporter about a vulnerability, or a general warning about possible threats to home and car: it was a story guaranteed to strike a primal fear in the heart of every parent: a threat to their infant!


Here’s what happened, according to ABC:

“A Houston couple is still shaken after saying they heard the voice of a strange man cursing and making lewd comments in the bedroom of their 2-year-old daughter.

“When Marc Gilbert and his wife Lauren entered the room, the voice cursed them as well.

“The creepy voice — which had a British or European accent — was coming from the family’s baby monitor that was also equipped with a camera. A hacker apparently had taken over the monitor.”

Are you a parent? If so, don’t tell me that wouldn’t have your blood boiling!

Oh, BTW, ABC tossed in a reminder that baby monitors can also be used by potential burglars.

Once again, I’ll hark back to my days as a corporate crisis consultant to warn that this is precisely the kind of incident that is going to be repeated ad nauseam by privacy advocates and others to warn about the dangers of the IoT.

Even worse, those of us who are immersed in the IoT 24/7 may not realize it, but I’d bet the majority of people worldwide still haven’t heard of the IoT. Is this the way we want them to find out about it???

So my parting advice would be to go out today and buy a Foscam baby monitor (heck, they’re probably giving them away now — who the heck would buy one?) and put it in a place of prominence on your CEO’s desk as a reminder that if you don’t take privacy and security seriously, the media will be quick to remind you…



CRUCIAL: more media coverage underscores need for IoT emphasis on privacy & security

Posted on 12th August 2013 in privacy, security

Sorry to keep harping on it, but two recent articles in high-visibility publications — The NY Times and Forbes — underscore my contention that security and privacy issues threaten to derail the IoT revolution before it really gets going.

I say that because I spent a decade as an award-winning corporate crisis communicator — on more than one occasion saving the corporate bacon of Fortune 100 firms that didn’t understand that the public isn’t always scrupulously logical when it comes to their fears. Illogical linkages are nonetheless real ones.

The current example of that is the flap over NSA surveillance. The most recent comprehensive public opinion survey, by Pew, shows that a majority of Americans are now concerned that the surveillance has gone too far:

“Among other things, Pew finds that ‘a majority of Americans – 56% – say that federal courts fail to provide adequate limits on the telephone and internet data the government is collecting as part of its anti-terrorism efforts.’ And ‘an even larger percentage (70%) believes that the government uses this data for purposes other than investigating terrorism.’ Moreover, ‘63% think the government is also gathering information about the content of communications.’ That demonstrates a decisive rejection of the US government’s three primary defenses of its secret programs: there is adequate oversight; we’re not listening to the content of communication; and the spying is only used to Keep You Safe™.”

So what’s that have to do with the IoT?

Plenty!

Consider the beginning of Forbes reporter Kashmir Hill’s article on the security vulnerabilities of home automation systems, with the eye-catching title “When ‘Smart Homes’ Get Hacked: How I Haunted a Complete Stranger’s Home Via the Internet”:

“‘I can see all of the devices in your home and I think I can control them,’ I said to Thomas Hatley, a complete stranger in Oregon who I had rudely awoken with an early phone call on a Thursday morning.

“He and his wife were still in bed. Expressing surprise, he asked me to try to turn the master bedroom lights on and off. Sitting in my living room in San Francisco, I flipped the light switch with a click, and resisted the Poltergeist-like temptation to turn the television on as well.

“‘They just came on and now they’re off,’ he said. ‘I’ll be darned.’”

I’m convinced that people who are already alarmed about the NSA surveillance will not be enthusiastic about home automation, or the IoT in general, when they read that! If not overt, their minds will at least make a subliminal connection between the two stories, and they’re going to be afraid!

Add in former CIA Director David Petraeus’ enthusiasm for the IoT as a new arrow in the quiver of spycraft, and you’ve got the potential for a really-spooked public.

Here’s a major part of the problem, based on my crisis management background: engineers, more likely than not, are left-brained and analytical. As a result, their immediate reaction will be to demonstrate — very logically — why the two issues are completely different, and the IoT shouldn’t be tarred with the NSA’s abuses.

Hogwash.

The majority of Americans aren’t engineers, and they’re scared, so deal with it, or the IoT will be crippled.

I’ve just drafted an op-ed that I hope to place this week that argues privacy and security must be just as much an #IoT industry priority as is innovative technology. It says that the emphasis of IoT consortia such as the IPSO Alliance and the IoT Consortium on collaborative approaches to security are critical, because the essence of the IoT is on sharing of data, and that the Obama Administration must become active as well.

It concludes:

“The Internet of Things has truly remarkable potential to improve the economy’s efficiency, improve health care, and make our lives more comfortable and enjoyable. But if its security and privacy standards aren’t a top priority for government and industry, all of those benefits may be squandered.”

Don’t say I didn’t warn you!

PS: the second article I mentioned at the top was a considerably less provocative one in today’s New York Times. The fact that The Gray Lady of American Journalism is now following this issue should be a significant concern.


More evidence U.S. lags dangerously behind EU on IoT privacy

There’s new confirmation that the U.S. remains dangerously behind the European Union on the twin issues of Internet of Things privacy and security. As I’ve warned before, especially in the context of the continued outrage over the NSA surveillance, if these issues aren’t solved collaboratively by the private sector and government, they threaten to derail the IoT express.

In her Stanford Masters thesis, I believe Mailyn (sic) Fidler accurately summarizes the US’s stance:

“The IoT in the United States is characterized by late but strong entry of companies to the market and by recent, but minimal, interest from the federal government. Specifically, the federal government views the IoT largely as part of the ongoing privacy and security discussion in Washington, D.C. Complicating analysis of the IoT in the United States is that the “Internet of Things” is not a generally recognized term. In the U.S., the IoT is viewed as a natural evolution of American innovation rather than as a unique field.”

(Image: Mailyn Fidler)

Fidler contrasts this lack of concern by the government to the EU, which, while also viewing IoT privacy in the broader context of general privacy policy, has made IoT personal privacy and security a priority (more about that in a future post about the “Butler Project” report):

“The IoT has been a political priority for the European Union. Even with the recent recession, interest and funding in IoT enterprises has not slowed, and the EU has invested 70 million Euros in at least 50 research projects since 2008. In addition to the EU’s hopes that the IoT will bring economic benefits, particularly to small businesses and public institutions, the EU’s interest in the IoT reflects its concerns about who controls emerging technologies. Indeed, EU officials have stated an ambition to build an IoT ‘that will bring about clear advantages for Europe.’

However, despite the EU’s investments, a lack of legislative clarity, slow technical progress, and pressure from international strategic interactions threaten to slow EU efforts to develop a globally competitive, European-centric IoT.

The EU considers privacy a societal priority and has a history of regulating technologies to prevent privacy risks, as its Data Protection Directive indicates. The IoT is no different. The privacy risks the IoT presents, however, are discussed in the context of ongoing data protection reform in the EU. EU officials are debating how to author broad, technology-neutral guidance while, at the same time, many officials seem convinced that technology-specific guidance will be necessary. The EU’s political prioritization of the IoT fuels attempts at lobbying for IoT-specific regulation, as the myriad, overlapping attempts at IoT guidance demonstrate. The IoT’s advancement, then, is mired in this larger debate about the future of technology policy.”

Even with this greater focus, Fidler says the EU hasn’t made as much progress as might be hoped. Only 1 of the 33 projects in the 2010 Cluster of European Research Projects on the IoT explicitly investigated security, and, in a study the same year of IoT standards, only 2 of 175 explicitly investigated security — and none have addressed IoT cybersecurity.

In other words, they ain’t great, but we’re worse (in fact, among US agencies, only the FTC seems to give a fig about the IoT). Pathetic.

Fidler’s report also covers China. You can bet that privacy and security aren’t high on their priority list, LOL.

The EU, while perhaps lagging behind on IoT technology, may get the last laugh on the privacy and security issues. As we’ve seen with successful suits against Microsoft and Google on other Internet issues, the EU has prevailed in the past on questions of privacy and security, and, according to Fidler, it may happen again:

“The EU, faced with the IoT approaches of the United States and China—arguably the leading centers of technological innovation—may stand behind its social parameters and emphasis on new international governance mechanisms as a way of asserting alternative power. With such laws and institutions, economic activities involving the EU and the IoT would have to conform to EU-based standards. The EU, thus, compensates for technological disadvantages in innovation through social and governance parameters. Similarly, the United States and China are seeking to maintain or create their technical edge in new cyber technologies by encouraging unique standards regimes or more aggressive development environments.”

If so, I say bully for them! Someone has to stand up for the individual in this brave new world, and it looks as if the Obama Administration isn’t taking the challenge. Shame!

Fidler concludes that the geopolitical competition among the U.S., E.U., and China may have negative effects on the IoT’s overall growth if it results in incompatible standards:

“This geopolitical competition at such an early stage of the IoT’s development could create international interoperability problems, with negative political, economic, and social consequences. How governments and societies navigate the technological and political aspects of the emergence of the IoT will determine if the IoT’s benefits will be ubiquitously available or if the Internet’s foray into the realm of things will be interrupted.”

FADE TO Youngbloods singing “Get Together”…..


Shodan: maybe this will get people to take IoT privacy/security seriously!

Wired has an article this week about Shodan, the “IoT search engine,” which I hope scares the bejesus out of enough companies and government officials that they’ll finally realize how absolutely critical it is that we make security and privacy THE top public policy/corporate management priorities regarding the IoT.

(Image: Shodan)

Shodan’s homepage proudly proclaims that it will let you “EXPOSE ONLINE DEVICES: webcams, routers, power plants, iPhones, wind turbines, refrigerators (there’s that meme again!), VoIP phones.” Anyone out there who isn’t covered by that list? If so, stay in your cave!

As for everyone else, maybe you’d be more properly attracted by the CNN story about Shodan several months ago: “Shodan: the scariest search engine on the Internet.” Got your attention yet?

Here’s what Shodan can do, according to CNN:

“It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.”

Command and control systems for nuclear power plants? Sheesh!

Reminds me that while the Obama Administration remains abysmally ignorant of the IoT (and, remember, I’m a fan of them in general …) one official who was all in was former CIA Director David Petraeus:

“‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,’ Petraeus enthused, ‘particularly to their effect on clandestine tradecraft.’

All those new online devices are a treasure trove of data if you’re a ‘person of interest’ to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the ‘smart home,’ you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance.

‘Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,’ Petraeus said, ‘the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.’

Petraeus allowed that these household spy devices ‘change our notions of secrecy’ and prompt a rethink of ‘our notions of identity and secrecy.’ All of which is true — if convenient for a CIA director.”

Sufficiently alarmed yet?

Let me be clear: I am convinced that security and privacy are the two issues that have the greatest potential to stop the Internet of Things dead in its tracks — and I felt that way even before Edward Snowden was a household name.

Snowden, ooops, Shodan, has revealed shocking indifference to security on the part of countless organizations (and, BTW, don’t forget that 85% of the U.S.’s critical infrastructure — power plants, pipelines, chemical factories, etc., is in private hands):

“A quick search for ‘default password’ reveals countless printers, servers and system control devices that use ‘admin’ as their user name and ‘1234’ as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.

In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into ‘test mode’ with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.”

This is as scary as the Vanity Fair article last year about how a miscreant could use an iPhone to kill you!

The 85% of critical infrastructure in private hands number should be a stark reminder: the only way we can possibly address IoT privacy and security is through collaborative government/private sector action — with strong involvement by you and me.

If you are involved in the IoT in any way, you simply can’t duck this issue!
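The CNN passage above describes two failure modes on the device side: factory credentials (‘admin’ / ‘1234’) left in place, and interfaces that ask for no credentials at all. The following is an added example, not code from this blog, from Shodan, or from any vendor mentioned here, showing the device-side mitigation a manufacturer can build in: the remote interface stays disabled until the factory credentials have been replaced with ones that are neither a known default nor trivially weak. The names (FACTORY_DEFAULTS, DeviceCredentials, set_credentials, remote_access_allowed) and the list of default pairs are assumptions constructed for the example.

```python
"""First-boot credential gate for a connected device's admin interface.

Added example (not the page's or any vendor's code). Models a device that
ships in a factory state and refuses to expose its remote interface until
the operator replaces the factory credentials with acceptable ones.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample of username/password pairs the vendor knows it has
# shipped (the empty password models "no credentials at all").
FACTORY_DEFAULTS = {
    ("admin", "1234"),
    ("admin", "admin"),
    ("admin", ""),
    ("root", "root"),
}

MIN_PASSWORD_LENGTH = 12  # assumed policy value


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the device never stores the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class DeviceCredentials:
    username: str
    salt: bytes
    digest: bytes
    is_factory_default: bool

    @classmethod
    def factory(cls) -> "DeviceCredentials":
        """State the device is in when it leaves the factory."""
        salt = secrets.token_bytes(16)
        return cls("admin", salt, _hash_password("1234", salt), True)

    def verify(self, username: str, password: str) -> bool:
        """Constant-time comparison of the supplied password against the stored digest."""
        if username != self.username:
            return False
        return hmac.compare_digest(self.digest, _hash_password(password, self.salt))


def password_policy_violation(username: str, new_password: str):
    """Return a reason string if the proposed credentials are unacceptable, else None."""
    if (username, new_password) in FACTORY_DEFAULTS:
        return "matches a known factory default"
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return f"shorter than {MIN_PASSWORD_LENGTH} characters"
    if new_password.lower() == username.lower():
        return "password equals username"
    return None


def set_credentials(current: DeviceCredentials, old_password: str,
                    username: str, new_password: str) -> DeviceCredentials:
    """Replace the stored credentials; raises ValueError if the change is rejected."""
    if not current.verify(current.username, old_password):
        raise ValueError("current password incorrect")
    reason = password_policy_violation(username, new_password)
    if reason is not None:
        raise ValueError(f"rejected: {reason}")
    salt = secrets.token_bytes(16)
    return DeviceCredentials(username, salt, _hash_password(new_password, salt), False)


def remote_access_allowed(creds: DeviceCredentials) -> bool:
    """The gate: the network-facing interface stays off while factory credentials remain."""
    return not creds.is_factory_default


if __name__ == "__main__":
    creds = DeviceCredentials.factory()
    print("remote access at first boot:", remote_access_allowed(creds))
    try:
        set_credentials(creds, "1234", "admin", "admin")
    except ValueError as exc:
        print("change refused:", exc)
    creds = set_credentials(creds, "1234", "operator", "correct horse battery")
    print("remote access after setup:", remote_access_allowed(creds))
```

The design point is that the check sits on the device, not in a user manual: a unit that is plugged in and forgotten never becomes one of the ‘admin’ / ‘1234’ hits in a search engine, because its remote listener was never enabled. A real product would also rate-limit login attempts and require the change over a local connection, which this example omits.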


FTC to hold a workshop on #IoT privacy and security implications!

Posted on 17th April 2013 in Internet of Things

Bravo! I’ve been critical of the President’s silence on the IoT, especially in light of how frequently the Chinese premier mentions it — and spends money on it.

Now the FTC has broken that silence, with announcement of a Nov. 21st workshop in DC on the Internet of Things’ implications for privacy and security.

Specifically, they are looking for comment on the following questions:

  • What are the significant developments in services and products that make use of this connectivity (including prevalence and predictions)?
  • What are the various technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections)?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decisionmaking or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

The commission is requesting written comment on these and other issues by June 1st.

Bravo!
