What is the “Internet of Things”?
As technology progresses, and connected devices get cheaper and smaller, a new kind of Internet enabled device has emerged. Formerly the realm of computers and cell phones, now everything from your washing machine, your television, to even your car, is connected to the Internet. Collectively, these devices are referred to as the “Internet of Things”. Connecting these devices to the Internet allows users to collect data and issue commands to them remotely. As I will explain, the Internet of Things can be a powerful force for good, with potential to save money, time, or even extend our lives. However, like most innovations, with it there comes potential misuse, and we ultimately must ask ourselves how these devices must be regulated.
The Benefits of the Internet of Things:
The benefits of the Internet of Things are incredibly far reaching and diverse. Nest, a recent acquisition by Google, provides an IoT enabled thermostat that is designed to adapt to your schedule. After a few days of use, it will automatically start changing the temperature in your house according to your routine. It’s also internet enabled, allowing you to control your thermostat remotely. Other systems provide a centralized control point for all of your IoT devices, allowing the savvy user to create custom relationships between the huge amount of data your IoT devices collect. You could program it to unlock your door when your car enters the driveway, turn on your lights at a specified time, or even send an E-Mail, with attached photos from your cameras, if it detects unauthorized movement. And since there are IoT versions of a huge number of household objects, from lightbulbs, to outlets, to coffee makers, the combinations are astronomical.
The IoT realm doesn’t exist exclusively in the home, however. Internet enabled cars have become incredibly common, becoming a 47 billion dollar market in 2015. Today's cars can provide data on road conditions, vehicle diagnostics, and even get updates to the car’s software “over the air”, through cell phone networks. Tesla has even in the past improved the performance of their cars through these over the air updates, increasing the acceleration of their P85D models. Recently, through these updates, Tesla has implemented a feature called “Summon”, which allows you to call your car to your location from a parking lot.
On top of all the convenience, the IoT has the potential to improve our health. St. Jude Medical released a pacemaker known as the Accent, which broadcasts metrics from a patient’s body over the internet to their doctor. The FitBit and Jawbone wristbands track our heart rate to help us better exercise. The Internet of Things has huge potential to enrich our lives through data. But unfortunately, it also has huge potential for invading our privacy.
The Drawbacks of the Internet of Things
In its FTC Staff Report on the Internet of Things, the Federal Trade Commission outlined several potential risks that threaten consumers when use of IoT technology becomes sufficiently prevalent. For example, typically we give consent (either implicitly or explicitly) when data about us is collected through some terms of service. However, IoT devices are often small and don’t have screens, complicating this. In some cases, we might not even be aware of the data even being collected. Another thing that the FTC was particularly worried about when it comes to IoT collected data was the potential that “companies might use this data to make credit, insurance, and employment decisions”. Advocates of IoT data in insurance claim that it would provide more accurate coverage, better matching a person’s insurance premiums to their risk level. I would argue that setting a precedent to turn over this kind of data is dangerous. If the Third Party Doctrine stays as it is, then having insurance companies require citizens to turn over their IoT data gives law enforcement functionally warrantless access to a person’s driving and other habits. This concept applies not only to the data you might turn over to an insurance company, but even to the companies that collect the data. Law enforcement would no longer have to get a warrant to track your vehicle, they could just subpoena that information from your car maker (presuming the car maker tracked and kept this information). They would no longer need to post a security detail to determine when you come and go from your home, they could simply request the information from Nest.
Even ignoring the potential for government overreach, the concept of companies collecting and storing data from your IoT devices is uncomfortable. Even if this data was released in an “anonymous” format, studies have shown that it doesn’t require very much work to link an anonymous dataset back to an individual. For example, in an MIT study researchers were able to link anonymous cell phone metadata to specific users with 95% accuracy, using only 4 known location-time data points. Researchers at the University of Austin were able to partially de-anonymize a dataset of netflix ratings by cross referencing the ratings with IMDB. If this is possible for location history and movie ratings, imagine what sort of findings could be derived from the massive amounts of IoT data that has the potential to be collected.
While the potential uses for collecting data is uncomfortable, the potential for IoT devices to be insecure is dangerous. Using SHODAN, a search engine for unsecured devices connected to the internet, a savvy user can access any number of things, from security cameras, to HVAC and power controls, to even security system controls. There have been documented examples of hackers gaining access to baby monitors and security systems for malicious purposes, and some manufacturers are failing to respond when asked to patch the issue. These risks aren’t just restricted to the home, either. In July, two hackers revealed that they were able to remotely control a 2014 Jeep Grand Cherokee, gaining access to everything from the windshield wipers and radio, to the transmission and brakes. All this access was remote, and could be done to any vehicle across the country. Another hacker revealed a device which, if hidden near a car accessed through GM’s OnStar app, could allow him to take control of the vehicle. Finally, a team of hackers was able to gain access to a TrackingPoint self aiming rifle. After gaining access to the rifle, the team was able to modify the targeting computer to keep the rifle from firing, or even to change the rifle’s target.
Potential Legislation, and My Opinion.
In its 2015 report, the FTC believed that legislation specifically pertaining to the IoT was “premature”, and rather encouraged the implementation of “self-regulatory programs“, relying on the companies to self police in order to prevent security breaches. However, the FTC also called for “strong, flexible, and technology-neutral federal legislation to strengthen (the government’s) existing data security enforcement tools“. On the privacy front, the FTC also recommended, instead of targeting the IoT specifically, there should be “baseline privacy standards” (likely based around the Fair Information Privacy Principles outlined in our reading) that apply to all technology. I tend to agree with the FTC. I believe that the problems brought up the the IoT are simply just extensions of existing problems within the technology industry. There is already a massive amount of data collected about us by online services such as facebook and Google, which I would argue poses the same risks as IoT data. The Target and Home Depot data breaches show us that a lack of data security is not a concept that exclusively impacts the IoT. Rather than waste time trying to fix the problems of a subset of the technology industry, I think that time would be better spent trying to fix the problems of the industry as a whole.
What do you think? Should there be laws specific to the IoT, or should they be left up to more general laws, or even just left to self regulation?
Okay, my first comment is that "Summon" is creepy. Way creepy. It reminds me of that Stephen King book "Christine" where the car was possessed by supernatural forces and went around running everyone over. I know that's not the intention of summon, or any other kind of IoT car, but I feel like with skilled hackers that could totally be a reality.
ReplyDeleteSecond, I don't feel like there should be laws specific to the internet of things. I agree with you in that it's just a portion of technology, and technology as a whole needs to have more direct accountability and boundaries. There are plenty of sites and companies collecting personal information on people, and I don't think it is necessary or fair to single out one type of tech.
I agree with Josh in that the issues of security brought up by IoT should be dealt with when creating the technology rather than legislating as a kind of afterthought. I hadn't thought about the risk of government overreach and the example that Josh gave of using the current Third Party Doctrine to obtain sensitive information without a warrant scares me but the IoT is going to expand regardless which is why technology needs to be designed with privacy in mind rather than trying to regulate privacy after the fact.
ReplyDeleteI really like the idea of having many aspects of my home being connected to the Internet. Having used the Nest, I can agree that it's super convenient and it can same a lot of money from your energy bills by smartly adjusting your home's thermostat. However, I agree that the ability for hackers to hack these devices is very high. Like what Josh mentioned, I think it is up to the companies to actively update their software and patch any exploits that comes up. What Josh mentioned about the Third Party Doctrine is really interesting because technically we don't expect to have control over the data we give to their parties. I think the Internet of Things and further advancements in technology should lead to a revision of the Third Party Doctrine to accommodate for modern day technology.
ReplyDeleteI find the concept of IoT to be very, very interesting. I feel that the idea of having smart devices all synced with each other is "the future" and is what has represented "the future" in television, movies, etc.. Ultimately, as shown by this article, that's where society is headed. In terms of regulation, I think it's an important aspect, especially considering the current state of the Third Party Doctrine. We've already talked in class about how this needs to be revisited and fixed to properly fit in with the 21st century, but I think that all this information about IoT and where we are headed only solidifies that point. There needs to be solid, definite regulation in place specific to the type of technology that is being developed and implemented in these devices. I think this is extremely important. Without specific regulation, I could imagine that finding loopholes and exploiting them would be in our future. It's also paramount that these softwares and hardwares are updated and constantly screened for potential bugs and protected against hackers. Josh's citations about accessing cars and rifles is alarming and should be a warning sign of the potential problems we could face down the line.
ReplyDeleteI also feel that an extensive internet of things will be the future of industrialized society, freeing up time, money, and human capital. To ensure that this future is not an oppressive or dangerous one, however, two things will be necessary. First, producers will need to ensure the security built into any particular device is relational to the degree the device is invasive in one's life, or the device's potential to cause harm. The more data a device can record about an individual, the more secure it needs to be from hackers. Similarly, the more dangerous a device can be when hacked into (ie. an automobile), the more extensive its security must be. Second, I do believe legislation pertaining to loT will be necessary. The extent of such legislation, however, should be limited to the safeguarding of macro data against state and police abuse. An actual panopticon is not something with which I want to live. Past ensuring against these risks, however, I believe the internet of things will be an incredible asset to society and everyday life, and should be encouraged as such.
ReplyDeleteI agree with Josh and Tara that IoT security concerns should be addressed in creating the technology, however I believe that there should be legislation addressing privacy concerns after the fact. One thing that needs to be addressed is requiring companies to “patch” holes in the security of their devices. Enacting legislation to this end would provide legal recourse against companies who leave consumers unprotected, whether unintentionally or not. A second thing to be addressed by legislation is the use of the Third Party Doctrine in accessing the records for these devices. Perhaps one solution is not only requiring a subpoena for the company, but also a warrant as you could consider the data (especially car tracking, similar to US v Jones, although data is collected after the fact) as a search. A third thing to be addressed would be data storage and security – where is the data stored, for how long, where, etc. IoT is expanding rapidly, and will likely continue such expansion in the coming years, so preemptively legislating for this technology would provide regulation for this growth and protect consumers in future years.
ReplyDeleteReading this makes me want to freak out because the machines are going to take over and enslave us. More realistically though I can see the blatant privacy concerns that come with this new tech. I think that as far as the police go that this is an instance of the law being behind the tech curve. Just because we are not watching and tracking ourselves now and the information is easy to get at does not mean that police should obtain it without a warrant. As far as hackers are concerned I would agree with what a lot of people are saying, that this tech is premature. This is something that involves public safety, I don't think that it would be inappropriate to implement laws for safety testing and standards to this new tech.
ReplyDelete