Privacy of Things: Which Security Requirements to Consider for the Smart Devices’ Manufacturing
On September 28, 2018, the state of California approved the bill regulating privacy and security issues in one of the leading sectors of the tech industry — the Internet of Things or, simply said, smart devices. While progress-minded appliance makers talk about the magic benefits of the smart fridge, the IoT law will regulate its “black” side — the use and protection of the data collected by the IoT devices.
With the fast grow (according to the predictions, the total IoT market will double by 2021, reaching $520 billion worldwide) will come some challenges for this industry. Yet, the big question is whether we should adopt specific laws, like the Californian one, or leave it for the already existing regulations on cybersecurity and personal data protection. However, it is out of the question that there are responsibilities for smart devices manufacturers to take into account.
What Is It and Why Should It Be Regulated?
Simply put, a smart device is any thing that is connected to the Internet and collects the data around it through the sensors. The Internet of Things, accordingly, constitutes a network of smart devices jointly collecting and combining the data around them.
It is considered that the first IoT device was created back in 1989 by John Romkey, the American technologist. It was a toaster that could be turned on and off over the Internet. Thank to cheap microchips today, smart devices are becoming commonplace in our everyday life. Everything around us can now be connected to the world wide web — fridges, doorbells, speakers, vacuum cleaners, and even outlets.
On the one hand, connecting devices to the web gives people all benefits of the Internet in anything around them. It makes possible to leave a substantial part of daily routine for such devices, thanks to remote control over them and the data they collect. Fridge automatically orders milk when necessary. Doorbell records any action around the entrance door and sends it directly to the owner’s phone, using facial recognition for better security. Smart speaker or, as they call it, home assistant, like ALEXA, is connected to all these home appliances and helps its owner to handle all routine in the automated and centralized way, doing all monotonous work instead of him/her. The only thing the person has to do is to adjust the work of the IoT according to his/her daily schedule.
People were used to thinking that the online world remains inside the computers and smartphones. Now things are changing, and the frontier between the online and offline is blurring. Connected devices are becoming widespread inside our homes. Most of the time the connected home appliances are turned on, sometimes with no option to turn the internet connection off. They are collecting the data about peoples’ behavior and habits, processing, analyzing, and sending it to the servers. In combination with other technologies, like speech or face recognition, smart devices add the additional value to the data, giving substantial benefits to consumers.
Besides the user customization, the devices provide benefits to its manufacturers – the data collected by the smart device can be used to improve the work of the IoT. Furthermore, the data can be shared with advertisers, allowing them to learn from the users’ consuming preferences.
On the other hand, such a convenience creates the risks to end users they may even not figure out. The work of the connected devices entirely depends on their connection to the World Wide Web, the quality of their sensors and the data they collect through the sensors. Moreover, IoT devices are designed in a way that makes difficult to manually control or adjust their functioning, on the contrary to the classic PC or smartphones. These features lead to the two main problems of the connected devices: cybersecurity, or security from unauthorized access to them, and users’ privacy — the protection of the data collected about the user.
Cybersecurity, cyberthreats, cyberattack — all these categories are existing in the invisible area of people’s everyday life. It makes cybersecurity no less important, however. Since everything today is connected to the web, the very nature of crimes is changing. Frauds do not need physical access to assets any more — they can steal by merely getting unauthorized access through the online connection. Like cybersecurity specialists like to say, no system is safe. It is easy to prove with the help of the latest cybersecurity news — there is plenty of data breaches every day, from notorious Facebook breaches to Pentagon employees’ data leak.
Since smart devices are connected to the Internet, they are no exception for the breaches. Users understand the connected devices as typical home appliance, forgetting about simple safeguards for the computer’s security. The same applies to the IoT manufacturers — because of the limited functionality, they usually decide not to uphold appropriate security standards; therefore, the situation even gets worse.
As a result, the security threshold for access to such devices is low, giving an opportunity to interfere into their work to anybody with basic knowledge of network security. Certain surveys suggest that most of the professionals (over three-quarters of respondents) working in the IoT industry believe that their devices will be breached in the next two years. The number can even be increased by those who don’t know the risks or don’t want to admit the data leaks.
The consequences of unauthorized access can be divided into two categories. The first category results from the possibility to control connected devices distantly. Because of the passwords’ simplicity (such as “pass1234” or “12345678”), their absence or the low level of cybersecurity, it is relatively easy to take control over the IoT device. The further actions fully remain on the hacker discretion. For example, in 2016, cybercriminals shut down the whole temperature and pressure management system of the apartment building in Finland. Eventually, its residents were left without water supply for one week, simply because of the firewall protection absence.
The BrickerBot attack in 2017 represented the excellent example of the passwords-by-default risks. The BrickerBot malware was able to connect to any IoT device with their default usernames and passwords — “often easily found on the internet” — and simply “kill” the device. The malware was hitting devices so severely that it required the entire replacement of the hardware.
The second category of risks is implied in the massive scales of data collecting by smart devices. These data can be precious for cybercriminals — security system work principles, geolocation data or user’s daily habits are often the key information to plan a high-quality fraud. There is no need to collect it legally since they can just connect to the IoT device and steal all you need. Last spring, hackers took a casino’s high-roller database using a connection to the thermometer in the casino’s lobby. The more vulnerabilities the IoT system has, the more accessible is its data.
As a result, we see a gap in the regulation of IoT manufacturing. The existing laws on the cybersecurity are dealing only with certain issues concerning the use of smart devices, such as the personal data protection or provision of essential public services (e.g., energy or telecom sector). There are few specific regulations on the IoT around the world, like the Californian one, so far. As proved by the numerous cyber attacks on smart devices, however, there should be a minimum level for their security, including requirements for the passwords, firewalls, and other protection techniques.
Speaking of data, using smart devices in people’s everyday life is significantly expand the collection of our personal data. Fitness trackers, smart toys, connected vehicles, and all other things in our personal use collect massive amounts of information about us. In fact, the connected devices can receive the data about us 24/7, often without our actual knowledge and consent. Moreover, all this massive data collection is not necessary for the provision of device services, most of the time.
Under the modern data protection regimes, like the European General Data Protection Regulation, the strict requirements on personal data collection and its further use are imposed. To collect the data lawfully, IoT provider shall ensure the appropriate level of users’ privacy. This includes the obligation to inform users about the collection of their personal information, receive a consent to do so in certain cases, the data minimization obligation, the same cybersecurity measures discussed afore, and many more. Literally, users’ privacy must be implemented by design, considering data protection on the very early stages of development. Unfortunately, most smart devices are not privacy-designed.
Most of IoT devices can only receive the information, not provide it. Because of it, IoT providers (un)intentionally fail to inform users about the data flow. Consequently, users do not know, who exactly processes the data, in which ways the data is being used, which third parties have access to it, and how users may exercise their information rights. Furthermore, the IoT providers don’t bother collecting a consent to use the data concerning our health or beliefs. In such cases, however, the consent to use the data is the core and usually the only lawful ground for the processing.
Therefore, our personal data start to be collected silently, by default, with no assurance of their safety. Such a situation allows the data controllers to use collected information in any way they want. The cases of data misuse vary vastly, from creating and selling social profiles to politicians to selling financial accounting data to data brokers. Although the mentioned cases do not concern the IoT data collection, the same scheme applies to them as well.
Another critical issue to consider is the failure to minimize the data collected by the IoT devices. The “data minimization” principle means that the company may collect the data only necessary to provide the functionality of the device. Any data collection, which is not related to the provision of the device features, is prohibited.
As a recent example, the French data protection authority — The Commission nationale de l’informatique et des libertés (CNIL) — has publicly enforced the “minimization” principle. On 20 November 2017, the CNIL issued a formal notice to the company that was using speech recognition technology in the toys. The smart toys were equipped with a microphone and speaker and were connected to a mobile application. To make the speech recognition work, the toy sent all the records to the servers in China, where they were processed by the Artificial Intelligence software, with no guarantees on their security. Such large amounts of the data collection in the child toy do not satisfy the “minimization” principle, especially in connection with the lack of security measures. There was no necessity to send them to China to provide the users with the toy’s features.
Moreover, anybody with Bluetooth in their device was able to connect to the toy and listen and record the talks between the child and the toy or any conversation taking place nearby. This toy’s feature is at odds with the mentioned cybersecurity practices.
After receiving the formal notice, the company implemented appropriate measures. The toys imported to France are no longer equipped with the speech recognition technologies, and the data are not being transferred to the servers. Therefore, the company does not “process the data” within the meanings of data protection laws.
As a result, the CNIL closed the formal notice procedure on 20 July 2018. Nevertheless, there is still a question with unprotected access to the toy by Bluetooth. The issue was readdressed to the French consumer protection authority.
Ironically, one of the first fines under the European General Data Protection Regulation was also issued because of the data minimization principle. The Austrian entrepreneur has installed a CCTV camera in front of his office. The camera also recorded a large part of the sidewalk. Unfortunately for the entrepreneur, the Austrian supervisory authority considered that even recording the street in front of the office constitutes a large-scale monitoring of public places. In combination with the absence of CCTV public privacy notice, such use of cameras does not comply with Austrian Data Protection laws. Therefore, the Austrian authority issued a fine of EUR 4,800. To comply with the data protection requirements, the company may collect only the minimum information necessary for its purpose, in a clear and transparent way.
How to Comply
As was mentioned above, we are not accustomed to understanding the home appliance as a subject to cybersecurity threats. Consequently, the providers of IoT usually do not include the proper technical and organizational safeguards against the cyberthreats and especially privacy violations. Moreover, intentionally or not, they violate the users’ privacy as well.
However, with the rise of specific regulation for IoT manufacturing and strict rules for the personal data protection, it is not likely to continue in such a manner. To be on the safe side, there are some basic steps to ensure the security of a device.
First of all, it’s transparency: notifications on data collection and their further processing should be provided to every end user before (or while) the devices started collecting the data.
Secondly, it’s consent: when dealing with the sensitive data or using the data for the advertisement purposes, an IoT provider must obtain the specific consent from the user first.
Thirdly, it’s minimization: although it may be hard to uphold at times, device owner/provider may collect and process data required to maintain the device functionality.
And last but not least, it’s security and limited access: IoT devices shall be protected by the technical measures, such as safe connections, firewalls, and passwords. The access to the collected data must be limited to only those employees who maintain the device’s operation.
DISCLAIMER: Some minor changes were made to the text in order for it to comply with the requirements of the lawless.tech editorial board, such as formal requirements for lists, headings, or hyperlinks. The rest, including the author’s personal style, wording and orthography, remained intact. The views expressed herein are those of the author, and do not necessarily reflect those of the lawless.tech editorial board.