By Kathleen Carroll, Vice President Corporate Affairs, HID Global
In today’s inter-connected world, the Internet of Things (IoT) promises new opportunities for consumers and businesses to improve productivity and quality of life. At the same time, the IoT opens the door to new threats to information privacy. Yesterday’s vision for the information superhighway has come true. Unfortunately, that superhighway is creating a number of new IoT-related on-ramps that cybercriminals may be able to use as vectors of attack to commit fraud and identity theft.
The IoT enables electronic devices to wirelessly connect and communicate, combining the Internet and the physical world into a complex new matrix of cyber/physical systems. This network of connected physical objects embedded with electronics, software and sensors is making its way into our daily lives – controlling home automation and security systems, connecting our cars, and enhancing and managing municipal services in smart cities.
In a world where potentially everything can be connected the risks multiply exponentially. Privacy protections must be as important as security assurances, and protecting personal information should be one of the most important focus areas in the design, deployment and lifecycle of each and every interconnected device, service, application and system.
The Pressure on identity
Today’s biggest privacy threats have generally been associated with personally identifiable information (PII), which is at the heart of identity. Many companies in the security industry today rely on identities as the core of a multi-level security strategy to authenticate and authorize user access to buildings, services and information systems. As the IoT evolves, identity is expanding beyond people and their PII to objects and their authenticity. In addition, sensors in the IoT are often collecting what some consider PII and that data deserves security and privacy protections as well.
Sensors, such as mobile fitness applications and other wearable devices, are collecting data, as are home security and automation systems, smart meters and other devices. The IoT is fueling a growing category of consumer products and services that are collecting information about health metrics, running routes and homeowner habits which create vulnerabilities not only in cyberspace but in the physical world as well.
The IoT’s benefits are substantial, but they come with risks. Energy companies can use smart-meter usage data to recommend energy management applications or alert users to high-energy usage that might signal a pending maintenance issue. Now, imagine that a thief accesses that same data which could reveal when a homeowner is away. Consider too that financial institutions can engage customers based on consumption, health, travel, leisure activities and other data. But a health insurance provider could use that same data to determine coverage levels.
“Privacy by Design” and the IoT
In January 2015, the Federal Trade Commission’s staff report on the IoT recommended a series of concrete steps that businesses could take to enhance and protect consumer privacy and security. According to the report, experts estimate that there will be 25 billion connected devices this year and 50 billion by 2020.
The report listed a variety of potential security risks presented by the IoT that could be exploited to harm consumers, a list that included (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety.
The report noted that privacy risks could flow from the collection of personal information, habits, locations and physical conditions over time.
“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
The new privacy imperative
It is imperative that the industry embrace the FTC’s tenets and a mindset and approach that makes privacy proactive rather than reactive, positioned at the very center of security solutions and business practices. In March 2015, a Consumer Privacy Bill of Rights debuted that included this same “Privacy by Design” concept with its approach to building privacy management and protections directly into the design of a company’s information technology systems, business practices and infrastructure, while also factoring them into each stage of product and service development.
It is also important to support the long-standing Fair Information Practice Principles (FIPPs) that include the elements of notice, choice, access, accuracy, data minimization, security and accountability. When it comes to the IoT, one of the most important principles is data minimization, which ensures that systems collect only the required data and delete that data in a timely manner. For instance, when RFID tags are used alongside cameras and other connected devices to monitor and control assets and processes, there is the potential that the data associated with a connected object will be stored and used for a business purpose and profit. This IoT data might include personal information such as an individual’s location, activities, images, or even private transactions and messages.
For the most privacy-protective solution, RFID tags should not collect or store PII. In those cases where PII is required, the data should be encrypted and mutual authentication, a secure handshake between the RFID tag and the reader, should be employed.
Leveraging Technology and Standards
According to the FTC’s report, IoT-specific legislation at this stage would be premature. The FTC recognizes the potential for innovation and suggests that self-regulatory programs designed for particular industries can encourage the adoption of privacy- and security-sensitive practices.
Connected cars are a great example. The auto industry is working to leverage existing standards such as digital certificates and encryption to ensure there are trusted connections and secure communication both throughout and beyond the in-vehicle network.
Beyond encryption and digital certificates, there are technologies with great potential for privacy protection, including biometrics. Biometrics goes beyond what the user has and knows – card or phone and PIN – to characteristics unique to an individual such as fingerprints or iris recognition.
Biometrics will become even more important with the increasing reliance on digital versions of our identity for use on ID cards, phones and other mobile devices. Binding digital credentials to the actual person through biometrics, reduces the risk of fraud. Additional technological capabilities such as the ability to distinguish between live and fake fingerprints, further enhance security and privacy.
The most effective security strategies are multi-layered and in many cases, multi-factored. With the rapid growth of the IoT, it will be particularly important that the industry makes privacy a central element in system design, development, deployment and management. The requirement will increase in importance as conventional networks increasingly overlap with the IoT, adding applications that present additional opportunities to expose personal information. Security and privacy must have co-equal status for the IoT to thrive and deliver its promised benefits.