IoT Security

Privacy Implications of the Internet of Things

Daniel Dimov
November 14, 2013 by
Daniel Dimov

Introduction

The term "Internet of Things" refers to the use of the Internet for monitoring, tracking, controlling, and interconnecting everyday objects. For example, home appliances can be connected to the Internet to facilitate household activities. In this context, it is worth mentioning that refrigerators that allow the users to access the Internet are already commercially available.

Learn IoT Security

Learn IoT Security

Learn how ethical hackers exploit the growing number of internet-connected devices and become a Certified IoT Security Practitioner.

According to ABI Research, a technology market intelligence company, there are more than 10 billion wirelessly connected devices in the market today. The company expects that the number of these devices will reach 30 billion by 2020; 60% of these 30 billion devices will be node or sensor type devices. The other 40% will include hub devices, such as smartphones, tablets, and laptops. A recent report by Intelligence Unit of the Economist, based on a survey of 779 senior business leaders from 19 different industries around the world, stated that 75% of businesses are already exploring the field of the Internet of Things.

While the Internet of Things will certainly facilitate the life of people, it may also bring new privacy threats. In 2008, the U.S. National Intelligence Council published a report that warned it would be difficult to deny "access to networks of sensors and remotely controlled objects by enemies of the United States, criminals, and mischief makers." According to the aforementioned report by the Economist, 60% of the interviewed business leaders believe that concerns about data privacy are "hampering consumer uptake" of the Internet of Things.

Below, I discuss the following privacy threats related to the Internet of Things: unlawful surveillance (Section 2), active intrusion in private life (Section 3), and data profiling (Section 4). Finally, a conclusion is drawn (Section 5).

1. Unlawful Surveillance

The Internet-connected modules installed on various objects, such as cars, toys, and home appliances, can be used for unlawful surveillance. The Internet-connected modules will allow criminals to receive far more information than they currently can. For example, criminals may be able to monitor children through cameras installed in their toys, monitor people's movements through Internet modules installed in their shoes, and monitor when a person enters or leaves his/her home by connecting to an Internet-connected door lock. Such threats are not merely speculative. Yoshi Kohno, an associate professor at the University of Washington, has found "real vulnerabilities" in several Internet-connected modules installed in cars, medical devices, and children's toys.

Moreover, in 2013, the Federal Trade Commission (FTC) filed a complaint against TRENDnet Inc., a producer of wireless cameras that can be installed wherever people need a video feed. The wireless cameras produced by TRENDnet can send motion-captured video to computing devices, such as iPhones or laptops. The complaint stated that TRENDnet failed to provide reasonable and appropriate security for the wireless cameras, which resulted in hacking attacks. The hackers posted Internet links to compromised feeds for nearly 700 wireless cameras. The FTC described the outcome of the hacking attacks as follows:

"Among other things, these compromised live feeds displayed private areas of users' homes and allowed the unauthorized surveillance of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities. The breach was widely reported in news articles online, many of which featured photos taken from the compromised live feeds or hyperlinks to access such feeds. Based on the cameras' IP addresses, news stories also depicted the geographical location (e.g., city and state) of many of the compromised cameras."

Subsequently, the FTC entered into a settlement agreement with TRENDnet. As a first-time offender, TRENDnet was not sanctioned with any financial penalties, which otherwise can amount to $16,000 per violation. Pursuant to the terms of the settlement, TRENDnet cannot misrepresent its software as "secure" and should receive an independent assessment of its security programs once a year over a course of 20 years. The complaint against TRENDnet was FTC's first action against a seller of Internet-connected everyday products.

The TRENDnet incident indicated the need to regulate the Internet of Things. As a response to the incident, the FTC will hold a public workshop in November 2013 in Washington. The purpose of the workshop will be to explore consumer privacy and security issues posed by the Internet of Things. Jeff Chester, executive director of the Center for Digital Democracy, stated in relation to the workshop and FTC's action against TRENDnet: "The FTC is trying to get ahead of the curve here as our lives are further transformed by the ubiquity of digital data collection and gathering."

2. Active Intrusion in Private Life

The Internet-connected modules will allow criminals not only to passively monitor their victims, but also to actively intrude in their private lives. The reason is that many of the Internet-connected modules are installed in objects that can be remotely controlled. For example, a criminal may be able to remotely stop the refrigerator, start the heater, and unlock the door.

Security researchers have already found security vulnerabilities allowing criminals to hack various devices connected to the Internet. Daniel Crowley, a consultant with security firm Trustwave Holdings Inc., has recently hacked an automated toilet made by a Japanese company. Crowley was able to make the hacked toilet flush or play music.

Seungjin Lee, a security researcher and doctoral student at Korea University in Seoul, stated that he can take over a Samsung TV set by using virus-laden emails or websites. The hacked TV set beams images of what is happening in front of it to a computing device located elsewhere. The hacked TV set can send images even when it appears to be turned off.

Hacked and remotely controlled household appliances may cause severe distress for the victims. For a victim of hacking attack on Internet-connected household appliances, the attack may resemble the phenomenon "poltergeist." Popular in folklore studies, the poltergeist phenomenon refers to the unexplained appearance of noises or movement of objects.

3. Data Profiling

Data profiling can be defined as "the gathering, assembling, and collating of data about individuals in databases which can be used to identify, segregate, categorize and generally make decisions about individuals known to the decision maker only through their computerized profile (Belgum, 1999)." The anonymized information submitted by the Internet-connected modules can be used for a creation of detailed profiles of the users of those modules. In turn, the profiles can be used for targeted advertising.

The term "targeted advertising" refers to placing advertisements in such a way as to reach consumers based on various behavioral, demographic, and psychographic attributes. For example, consumers who put a large quantity of milk products in a refrigerator that has been programmed to sense what kinds of products are being stored inside will receive more advertising about milk products than consumers who do not put any milk products in that refrigerator.

The targeted advertising may constitute a threat to personal autonomy. The consumers may not want to receive ads related to their preferences. For example, a consumer who has recently decided to reduce the consumption of chocolate may not want to receive online advertisements related to chocolate despite the fact that he/she used to eat a lot of chocolate in the past. However, the company collecting data from the Internet refrigerator of that user may decide that the user has a high potential to buy chocolate and will therefore send him/her many advertisements related to chocolate.

Profiling can be based on anonymized data. For example, a company may collect non-personally-identifiable data from all users of Internet refrigerators. The collected data may include only statistics related to the preferences of the users. In this regard, it should be noted that most data protection legislation does not apply to anonymized data. This means that a person whose anonymized data is collected for profiling has no means to find out about the profiles created on the basis of his/her data.

4. Conclusion

The trend toward using ever more Internet-connected modules is evident. The Internet of Things has drawn a lot of attention from the media, the industry, and research institutions. This is not without a reason. The Internet of Things may soon touch every aspect of our lives. According to International Data Corporation (IDC), the Internet of Things connectivity drive will create a market worth up to $8.9 trillion by 2020.

However, the promise of the Internet of Things should be weighed against the potential threat to security and privacy. This article has shown that Internet-connected modules may be used not only for passive monitoring, but also for an active intrusion in the private life of people. Moreover, the targeted advertising based on information collected through Internet-connected modules may drastically infringe on personal autonomy.

The aforementioned privacy threats demonstrate the need for regulating the Internet of Things. By decreasing the privacy risks, such a regulation will allow the Internet of Things to fully bloom into a paradigm that will improve various aspects of people's lives. In this context, Elgar Fleisch, deputy dean of ETH Zurich, stated: "People will use a technology if the perceived benefit is larger than the perceived risk."

It should be noted, however, that too much regulation may hinder innovation. As Adam Thierer, a senior research fellow at the Mercatus Center at George Mason University, states: "All new technologies and innovations involve risk and the chance for mistakes, but experimentation yields wisdom and progress. A precautionary principle for the Internet of Things, by contrast, would limit those learning opportunities and stifle progress and prosperity as a result." Therefore, striking the right balance between regulation and innovation is of an utmost importance for the future development of the Internet of Things.

Learn IoT Security

Learn IoT Security

Learn how ethical hackers exploit the growing number of internet-connected devices and become a Certified IoT Security Practitioner.

References

  1. AbiResearch, "More Than 30 Billion Devices Will Wirelessly Connect to the Internet of Everything in 2020," May 9, 2013. Available at https://www.abiresearch.com/press/more-than-30-billion-devices-will-wirelessly-conne .
  2. Belgum, K., "Who Leads at Half Time? Three Conflicting Versions of Internet Privacy Policy," Richmond Journal of Law and Technology 6 (1999): 8.
  3. Clearfield, C., "Why the FTC Can't Regulate The Internet of Things," Forbes, September 18, 2013. Available at http://www.forbes.com/sites/chrisclearfield/2013/09/18/why-the-ftc-cant-regulate-the-internet-of-things/ .
  4. Davis, W., "FTC To Examine Whether 'Internet Of Things' Poses Privacy Concerns," MediaPost, June 4, 2013. Available at http://www.mediapost.com/publications/article/201797/ftc-to-examine-whether-internet-of-things-poses.html .
  5. Dembosky, A., "FTC targets 'internet of things' amid privacy fears," September 4, 2013, Financial Times. Available on http://www.ft.com/cms/s/0/1eb3b2ca-15ac-11e3-b519-00144feabdc0.html#axzz2jWj4qWX1 .
  6. FTC Complaint against TRENDnet INC. Available on http://www.ftc.gov/os/caselist/1223090/130903trendnetcmpt.pdf .
  7. Hersent, O., Boswarthick, D., Elloumi, O., "The Internet of Things: Key Applications

    and Protocols," John Wiley & Sons, 2011.

  8. Howard, B., "Internet of Things" May Change the World," National Geographic, 30 August 2013. Available on http://news.nationalgeographic.com/news/2013/08/130830-internet-of-things-technology-rfid-chips-smart/ .
  9. Kerr, D., "FTC and TRENDnet settle claim over hacked security cameras," cnet.com, 4 September 2013. Available on http://news.cnet.com/8301-1009_3-57601430-83/ftc-and-trendnet-settle-claim-over-hacked-security-cameras/ .
  10. Metz, R., "More Connected Homes, More Problems," MIT Technology Review, August 13, 2013. Available on http://www.technologyreview.com/news/517931/more-connected-homes-more-problems/ .
  11. Rubin, P., Lenard, T., "Privacy and the Commercial Use of Personal Information," Springer 2002.
  12. "Six Technologies With Potential Impacts on US Interests Out to 2025," National Intelligence Council, April 2008. Available at http://www.fas.org/irp/nic/disruptive.pdf .
  13. "The Internet of Things Business Index: A Quiet Revolution Gathers Pace," the Economist Intelligence Unit, 2013. Available at http://www.arm.com/files/pdf/EIU_Internet_Business_Index_WEB.PDF .
  14. "The Internet of Things Is Poised to Change Everything, Says IDC," BusinessWire, 3 October 2013, Available at http://www.businesswire.com/news/home/20131003005687/en/Internet-Poised-Change-IDC .
  15. Yadron, D., "Hackers Expose How Connected Toilets, Heaters and Lightbulbs Are at Risk," July 31, 2013, Wall Street Journal. Available at http://online.wsj.com/news/articles/SB1000142412788732399700457864031093203377 .
  16. Zhou, H., "The Internet of Things in the Cloud: A Middleware Perspective," CRC Press, October 29, 2012.
Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.