VIZIO and big data abuse

The FTC has charged VIZIO under the FTC Act and New Jersey consumer protection laws for collecting data on 11 million VIZIO TVs without consent. VIZIO has agreed to settle out of court for $2.2mil USD.

The settlement has implications for your data and IoT — an internet-connected TV is certainly an IoT device. The scale of what was allegedly collected is staggering, to the tune of pixel matching down to the second. Before you can ask if this scale of data collection, analysis, and inference is possible, the answer is yes, thanks to big data. Check out my explainer on big data — in this case, this is not a big data application, but a big data abuse by snooping on your viewing habits. Since it is possible to collect that scale of data from an IoT TV, it is possible to collect a similar picture of other IoT devices, which typically have less data to transmit.

Unfortunately, a concurrent statement released by the chairman of the FTC telegraphs that they will back off on consumer privacy concerns. The chairman supplies a weak argument claiming it is unclear if anything “unfair” is going on (emphasis mine):

[The case] alleges that granular (household or individual) television viewing activity is sensitive information. And it states that sharing this viewing information without consent causes or is likely to cause a “substantial injury” under Section 5(n) of the FTC Act.…[U]nder our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.

The data collection in question is hard to avoid when the practice is hidden from customers. What’s hidden here is questioning the effect of correlated data. Let’s give VIZIO the benefit of the doubt and assume they scrubbed all personally identifying information (PII) from the collected data. Bruce Schneier explains why correlated data is just as sensitive as PII in Data Versus Goliath:

[B]eing identified by a unique number often doesn’t provide much protection. The data can still be collected and correlated and used, and eventually we do something to attach our name to that ‘anonymous’ data record.

In addition to being a practice hostile to consumers — one would assume that's what lead to the charge in question — it is unfair to the competition; by collecting data and generating a customer database without consent, VIZIO is able to sell that database to advertisers, providing VIZIO with revenue unfairly earned at the expense of consumers. This could have been avoided with an opt-in.

I’ve warned before on the risk of providing your data to a second party without knowing its final resting place — when taken without your consent, that risk becomes unimaginable. So hurry and get your very own tele screen while supplies last.

Industry standardization: the answer for IoT security

It’s been a busy week for IoT and security. Between the DDos on Krebs’ website and the subsequent release of alleged source code, to Yahoo’s unprecedented, full access custom-built NSA search tool, to the arrest of a purported “Second Snowden” (spoiler alert: not so much), there’s been plenty of news on the wire. But Bruce Schneier’s thoughts IoT security may be the most impactful for IoT security policy in the near future.

For the uninitiated, Mr. Schneier is a world-renowned expert in computer security — he has authored numerous books on the subject in addition to contributing to several cryptographic algorithms. I was thrilled when he joined the board of directors at EFF, enjoy reading his blog, and consider his most recent publication one of the most important books on digital privacy. That said, Mr. Schneier’s solution for IoT security could not be more incorrect; to the point: 

     The IoT will remain insecure unless government steps in and fixes the problem.

This solution is not only the least desirable path, it could cripple innovation within the IoT industry. There is a lot wrong with this approach. Industry standardization, not government regulation, is the better solution:

  • First, government actors are not subject matter experts in either IoT nor security, and will never be held accountable for any failures of government regulation. When market fails, the industry is directly incentivized to repair the damage -- otherwise, they lose our business.
  • Government and market operate under a different set of incentives and measure success differently. We would expect the market to initiate some form of industry standardization — similar standardization generated the USB and Wifi protocols. Further, that the successes of this standardization would benefit both market and consumer; the same is not true of government regulation.
  • While the attack on Krebs was described as “simple and amateurish” (rightly so), there’s a reason why an attack like this would succeed so well at this point in time -- IoT is in the middle of a maturity curve!  No one expected a gigabit throughput on a dial-up modem
  • Most important, this is not a market failure; this is a demonstrated need for stronger security, realized through the test bed of the current state of IoT. Attacks like this are exactly what the field needs to harden IoT systems.

I’ve written before on the dynamics of IoT security — it is more complex than other products, specifically because bad security doesn’t immediately affect the end user. Similar to carbon emissions in cars — legislation there hasn’t filled roadways with a fleet of Priuses and bikes.

I will grant that at the moment, the typical IoT customer probably doesn’t care about the security of their system. But consider two different scenarios:

  1. An IoT attack targets a popular site. The general person’s reaction would be a lot different if NetFlix was targeted instead of Krebs.
  2. Security is a two-way street. If IoT devices are marketed as more secure (and are indeed more secure), its possible the average consumer would be willing to pay for that perceived utility

The economics of IoT doesn’t necessarily mean that exploitable devices will continue because no one cares. Certainly IoT companies are paying attention to event; hopefully this event will precipitate industry standardization of IoT security. I have stated that standardization would be necessary for the IoT security, but the time wasn’t right. Now is the time to reconsider that.

IoT lessons from mobile: digital property

This has been a tough week for privacy advocates. On Monday, the Intercept brings news that the 4th Circuit Court of Appeals rules that obtaining location data from a cell phone company doesn't require a warrant; today, the Verge reports agencies are filing warrants seeking phone location data so precise it can track you down to a specific building. Some agencies even have a manual to assist with filing practices.

Since this isn't a mobile technology blog or a law blog, you might ask why I would bother covering that news. With an emerging field like IoT, it's critical to understand the domain, from both in a technical and law approach. Mobile is a connected technology just like IoT, so there are lessons to be learned, whether from similar tech or precedents.

For the 4th Circuit case, it's an example of the interpretation of the third party doctrine. I've warned previously about being judicious concerning your data and who can access it. Maintaining presumption of innocence, most people caught in a drag net like that would probably want evidence in the form of location data supporting their innocence; as an aside, this is why dash cams are popular in some countries.

But the point is not how this data may benefit you; the point is if access to it should be granted without your consent. We have protections in place for other instances of your property, like needing a warrant to access your home or a locked car trunk. So why is it different for your data and phone companies? Nicholas Weaver sums it up: it all depends on a company's willingness to fight subpoenas; there are no legal protections for your digital property.

IoT to overtake mobile

When talking about IoT, people will referred to the billions of devices that are projected to be connected by the next decade. That can be hard to wrap your head around, so keep two things in mind -- your current data plan and the ubiquity of cell phones, in terms of sheer number; Wikipedia tells us it was around seven billion in 2014.

Today, Mashable is reporting that in five years, it is estimated the average mobile user in the US will use 22GB of data per month -- better lock in that data plan now! Assuming IoT services scale similarly, it's interesting is to anticipate how that would impact bandwidth for connected devices. As the mobile infrastructure scales, I would assume IoT would as well; especially if it is built on top of cellular technology.

And while IoT is a growing market projected to include several billion more devices in the coming years, that's nothing new. But In the linked Ericsson report, not only does it agree with that projections, anywhere from 16 to 28 billion devices by the early 20s, but also by 2018, we may see IoT devices overtaking mobile devices as the largest category of connected things. 

While IoT traffic probably won't overtake mobile traffic for a while (the majority of mobile traffic is video), with the projected increase in both number of devices and bandwidth, it will be interesting to see what sort of services become available and how current services scale.

Security challenges of IoT

At a recent panel discussion, EFF hits the nail on the head with the IoT and security. A quote from EFF's Nate Cardozo:

“If the data is there you’re going to have to protect it. One way of protecting it, of course, is to not collect it in the first place... That’s a great way of keeping all of that content secure.”

Mr. Cardozo's further discusses the security issues of industries who have never had to deal with security in the past, namely the medical device industry. There's genuine concern over securing data for connected devices, but perhaps a more urgent concern — especially for the medical device industry —  is ransomware in IoT devices. It’s one thing to have your health data stolen, it’s another to have a connected pacemaker, for example, held for ransom.

Continuing with Mr. Cardozo’s comment on the benefits of a zero knowledge model, there are more than a few industries and devices that would benefit from non-connection solution until either 1) the industry becomes more security-savvy or 2) IoT security becomes standardized.