"The more you learn about the possibilities of the IoT, the more you realize we have only dipped our toes into this fathomless ocean of data possibilities -- and associated privacy and security concerns."
-- Rebecca Herold, Guest Editor
Opening Statement
WE'VE ONLY JUST BEGUN THIS LONG, STRANGE IOT TRIP
While reading through the articles for this special issue of Cutter IT Journal on privacy and security in the Internet of Things (IoT), I kept thinking of that old Carpenters' song, "We've Only Just Begun," along with the Grateful Dead's classic "Truckin,'" which contains the immortal line: "Lately it occurs to me what a long, strange trip it's been." If we mash up the two lines, the resulting "We've Only Just Begun this Long, Strange Trip" would seem to be an appropriate anthem for the Internet of Things. The more you learn about the possibilities of the IoT, the more you realize we have only dipped our toes into this fathomless ocean of data possibilities -- and associated privacy and security concerns.
So what do we mean by the Internet of Things? Basically, the term -- first coined by Kevin Ashton in 19991 -- describes the concept of having communications occurring not just online, on the Internet, but also implicitly through basic daily activities via our growing array of digital devices, which are now becoming more and more pervasive.
The potential uses of data gadgets in the IoT are unlimited, as are the benefits. However, with each benefit comes a risk. And what multiplies the risks is all the data that is created that has never existed before, and the new ways in which that data is used. Just a few years ago, no one was too concerned about being able to correlate meaningful information about individuals within vast repositories made up of zetabytes2 of information. One of the things that concerns me is how Big Data analytics, the capabilities of which are increasing just as fast as more zetabytes of data are being created, can be used to take those humongous amounts of data and reveal intimate information about individuals. With no restrictions on the use of Big Data analytics on data collected through the IoT, we will see privacy problems, and new types of privacy breaches, as a result.
HOW MANY PEOPLE ARE LIVE-STREAMING THEIR LIVES THROUGH THE IOT?
A growing number of companies are now creating services specifically designed to connect basically any type of product we use in our everyday life to other products. For example, the sole purpose of one business, Thingsquare, is "connecting things with low-power wireless Internet protocols to thermostats, light bulbs, street lights, and more."3
Consider how the possibilities could, and may already have, become realities:
-
Devices are being built that include sensors and wireless chips in strap-on boxes and cameras mounted within sports helmets. These are connected via WiFi chips to remote computers. Analysts are describing4 how such technologies can live-stream the players' vitals online for the coach to see, so he or she can make decisions regarding players, strategy, and so on. Alternatively, such images and data can be streamed to an online site for the entire world to see -- as the game is being played -- to give viewers not only a player's immediate perspective of the game, but also to show how the players' bodies are handling the physical stress of the sport.
-
Smartphones are being enabled to act as user-friendly interfaces for remotely controlling and configuring building thermostats. These can also serve as a geolocation app for heating, able to detect where you are located in the house and then adjust the temperature accordingly. Related to this is the existence of today's smart light bulbs5 that can be controlled by a smartphone. You can dim the lights, change the colors, get notifications when a bulb needs replacing, use a bulb as a night-light, sync lights to music, and control them remotely. (I want to play around with one of these!)
-
A smart refrigerator communicating through the IoT will now be able to communicate with many other entities, such as (1) the grocery store to order specific food products when it sees you are out of something, such as milk; (2) the appliance vendor to notify the vendor how efficiently the refrigerator is working; and (3) the electric utility so it can determine the energy efficiency of the appliance. Is this happening today? I don't know. Perhaps. Will we see this happening if it is not yet? Certainly!
Are the life-enhancing possibilities of the IoT empowered by Big Data analytics exciting? Yes! But do those possibilities bring with them some significant privacy risks and security/safety issues? Oh, my, yes indeed!
IN THIS ISSUE
We begin this issue with an article from Hugh Boyes, who discusses at length some of the issues that accompany the new ways in which data is collected, shared, and used within the IoT. In particular, he focuses on data browsers of all kinds that are collecting data, typically unbeknownst to their users, about where those users are going online and what they are doing there. He then describes how the tracking and aggregated data is transmitted without users' knowledge, let alone consent, to unknown others throughout the world. Boyes also highlights privacy and security issues that are inherent to storing, manipulating, and aggregating all that data using Big Data analytics, and he calls for a reconsideration of the legal protections in the IoT.
The use of RFID tags has been a growing concern to not just me, but all those involved with privacy. The ways in which these tags are being used to track people continue to evolve, with few to no legal restrictions. In our second article, Analía Aspis takes aim at the specific concerns involving RFIDs used in the IoT. She first provides some interesting statistics and then describes ways in which RFID tags are being used, such as for profiling and for tracking locations. Aspis then describes the ways in which privacy could be legally protected when organizations decide they want to use RFID tags.
Speaking of legal protections and requirements, two of the longest-standing privacy principles include providing notice for when data is collected and then asking for consent to use that data. But how can notice and consent be accomplished within the IoT when the data is often collected through the devices we are wearing or carrying, or even as a result of where we are walking and talking? R. Jason Cronk highlights these issues in our third article. He begins by discussing some of the challenges -- and outright failures -- of notice and consent concepts. He then builds upon this discussion to point out how providing notice and obtaining consent within the IoT may become not only enormously challenging, but in many cases impossible.
And why will it be impossible to give notice and obtain consent in many corners of the IoT? Well, one of the ways this becomes challenging or impossible is when Big Data analytics takes all that disparate information and uses massive computational power to quickly reveal new insights into the lives and activities of individuals. In our fourth article, Jason Stradley outlines some of the more significant ways in which Big Data analytics may be applied to data collected from the IoT to uncover more information than was ever previously possible, leading to new and unique privacy risks and potential exploits. One of his main points is that there is no security built into Big Data analytics. While I agree that this is overwhelmingly true, after seeing some Big Data analytics companies trying to establish security controls, I am hopeful that this tide will soon start turning. Read Stradley's article to learn more.
So now that we've described just a few of the major privacy issues involved in the IoT, what can we do about it? Just accept that there is no privacy left? Instead, how about being proactive and building some privacy protections into the IoT? I am a Privacy by Design (PbD) Ambassador,6 and I can tell you that using the PbD philosophies, along with long-standing privacy principles and effective information security controls, we have a great arsenal of privacy protections we can implement within these new IoT and Big Data technologies to mitigate privacy risks. Someone else who recognizes this is Nicola Fabiano, who writes about such possibilities in our fifth and final article. Fabiano also details some of the efforts of the European Commission and international privacy authorities to ensure that personal privacy doesn't become some quaint relic of the past.
SO LET'S GET THIS IOT PARTY STARTED!
I saw the following statement on the Internet7 and loved how it succinctly and clearly described the IoT:
The Internet is like the air, available everywhere. By connecting products and devices to the Internet, they can be accessed from anywhere and instantly.
Welcome to the IoT -- you are already there whether you realize it or not! I'm looking forward to attending a Pink concert a few months from now, and I'm going both to enjoy her music -- as you can probably tell from the subhead above -- and will also be searching out indications of where the IoT is being used at such an event. I'm sure there will be many!
The IoT is an ever-evolving topic. I hope you will take the insights our authors have provided and then examine how the IoT is being used in your own organization, in those you travel to and through, and those with whom you do business. And please give us your feedback. We want to know what you think about the IoT and how you may already be using it!
ENDNOTES
1 Ashton, Kevin. "That 'Internet of Things' Thing." RFID Journal, 22 June 2009.
2 How much data is in a zetabyte? A LOT! See a nice graph showing you how much in the following recent article: Lacey, Stephen. "The Zetabyte Era: An Illustrated Guide to the Energy-Hungry Digital Universe." Greentech Media, 14 August 2013 (www.greentechmedia.com/articles/read/the-zetabyte-era-an-illustrated-guide-to-the-energy-hungry-digital-universe).
3Thingsquare (http://thingsquare.com).
4 For a discussion of what can be done, listen to the following podcast: Higginbotham, Stacey. "The History of the Internet of Things Includes a Swedish Hockey Team and LEGOs." Gigaom, 16 May 2013 (http://gigaom.com/2013/05/16/podcast-the-history-of-the-internet-of-things-includes-a-swedish-hockey-team-and-legos).
5For example, see Lifx (http://lifx.co).
6See more about Privacy by Design (PbD) Ambassadors in particular, and PbD in general.
7 "About Thingsquare." Thingsquare (http://thingsquare.com/about).