Short update: in the most important news for security this week, Reuters reports the Burr-Feinstein proposal will not continue in this year's Congress. Great news, but if the transformation of SOPA/PIPA into IPAA is any indicator, we can expect to see a different form of the proposal in the future.
Who owns your data and when
This piece from the Atlantic will make you consider not only to whom you're giving your data, but with whom it may eventually reside. From the article:
If a...company can’t legally sell off its data, then it may just sell itself in order to cut its losses. Among the post-crash rubble, the principal value that a potential buyer might see in snapping up the company is its data. It’s like an acquisition hire, but for a huge and detailed dataset.
I agree that the best way to protect your personal data is not to provide it. More than once I've heard people justify providing personal data to a company simply because they "trust them."
It's fantastic to have a service provider or company that you trust, but that rationalization presupposes that the company and its policies are persistent. I'm not on every social media platform, but I can't think of one that hasn't had at least one update to its privacy policy or terms of service. What's more likely is that the company to which you're providing your data is aiming to be acquired by a larger company, whose privacy policies may not be in line with those you originally signed up for. And with most companies opting to collect as much data as possible and decide what to do with it later, at some point your data could end up in the hands of someone with whom you never intended to share it.
Security challenges of IoT
At a recent panel discussion, the EFF hit the nail on the head regarding IoT and security. A quote from the EFF's Nate Cardozo:
“If the data is there you’re going to have to protect it. One way of protecting it, of course, is to not collect it in the first place... That’s a great way of keeping all of that content secure.”
Mr. Cardozo further discusses the security issues facing industries that have never had to deal with security in the past, namely the medical device industry. There's genuine concern over securing data for connected devices, but perhaps a more urgent concern — especially for the medical device industry — is ransomware on IoT devices. It’s one thing to have your health data stolen; it’s another to have a connected pacemaker, for example, held for ransom.
Continuing with Mr. Cardozo’s comment on the benefits of a zero-knowledge model (data that is never collected cannot be stolen or held for ransom), there are more than a few industries and devices that would benefit from a non-connected solution until either 1) the industry becomes more security-savvy or 2) IoT security becomes standardized.
Hardware security and healthcare
Today, readwrite brings some attention to the dangers of data without security in a growing market. According to the article, we’ve passed the inflection point in security incidents where malicious attacks now outnumber the classic PEBCAK, with healthcare as the most-targeted industry. From the article:
[C]oncerns are increasing that current data management and security among both private and public organizations are woefully ill-prepared to defend private data from hackers increasingly targeting sensitive personal health information.
A good reminder to be thoughtful about with whom you share your data.
When IoT subscription service turns shady
The Internet of Things! It allows us to connect nearly every device in our lives in a meaningful and useful way, glean new insights from sensors, and utilize hardware as never before. What could possibly go wrong?
Today, Kit Walsh from the EFF provides that answer with a review of a disappointing announcement from Nest/Google. From the article:
"...[B]ricking the Hub sets a terrible precedent for a company with ambitions to sell self-driving cars, medical devices, and other high-end gadgets that may be essential to a person’s livelihood or physical safety."
This news is frustrating on many levels, but I will stay in my wheelhouse of hardware, data, and privacy.
- Hardware: once you purchase a device, it's yours and you own it. End of story. With this decision, Nest/Google effectively went into the home of every lifetime member and poured water on their laptop. Sure, you could reclaim some parts, but your home isn't a chop shop and customers aren't scavengers.
- Data: certainly the people who purchased a Hub are interested in their data, but after the shutdown date, that data will be deleted.
- Privacy: getting back to the laptop analogy -- borrowing from Newton, every possession in your home remains in its state unless acted upon by an outside force. Most customers probably wouldn't be happy about Nest/Google entering their homes.
So what recourse do consumers have in the emerging field of IoT? In general, you can count on me to be against compelling an entity to "do the right thing" through regulation or similar means. But how can we push back against behemoths like Alphabet et al. when they make decisions against the interests of their **paying** customer base? Again from the article:
"But there's another way to push back against untrustworthy devices, and that's refusing to buy electronics and software that prioritize the manufacturer's wishes above your own."
In the Internet of Things, who really owns the hardware after purchase? Without a doubt, the customer. However, stripping people of their right to use their property as they choose and denying them access to their data shows that in this case people don't actually own said hardware and data -- they've subscribed to it! While subscription works fantastically well in some cases (Netflix, Spotify, etc.), it's counter-intuitive and wrong for this use case in IoT. Something to keep in mind the next time you're building out your smart home.