Surveillance & tracking
Surveillance and tracking are serious issues for the internet of things and the connected home, and we need to build safeguards against them.
As we have learned over the last few years through the Snowden revelations, we live in a system of ubiquitous, nearly limitless tracking and surveillance, to a degree that easily matches the dystopian scenarios of even the most paranoid security activists. Our every step, at least in the digital world, is watched by commercial entities and governments. Whether we are observed directly or through metadata, complete privacy is impossible.
Here are four kinds of tracking:
Personalization and context-aware services are a kind of tracking and surveillance we voluntarily agree to. These services could not work without being aware of where we are and what we have been doing. Therefore, we allow them access to this information in exchange for personalized recommendations and search results.
Other types of tracking are more obscure and more invasive, and they often come from advertisers. We might have unknowingly agreed to data mining by installing an app and clicking "yes" on a lengthy, impenetrable end user license agreement. A so-called super cookie tracks our behavior across the web, even long after we have logged out of the service that initially installed it. Adtech can be nasty business indeed.
Another type of tracking—usually referred to as surveillance—comes from governments who tap into our devices and communications channels. Historically, at least in democratic regimes, surveillance was prohibited against the country's own citizens, with limited exceptions for criminal investigations. Every non-citizen was considered fair game for intelligence services. Since Snowden, we have evidence that most democratic countries run extensive surveillance on their own citizens, directly or indirectly exchanging data about their citizens with other countries: I'll watch your citizens for you, you'll watch mine.
Lastly, there is criminal cracking of our systems. Malware, trojan horses, fraud, taking over devices and using them for nefarious purposes are common tactics. A recent story got lots of media attention when a criminal network took control of internet-enabled fridges and used them to send spam and run coordinated denial-of-service attacks. It would be funny if it didn't stand for a serious, larger problem.
Tracking and surveillance are a serious problem
Tracking and surveillance are a serious problem for digital communications, for the internet of things, and especially for the connected home.
They hinder innovation as they undermine trust in these new technologies, and rightfully so. More importantly, they undermine the social contract that our society runs on.
Increasingly, user rights equal citizens' rights.
A recent study by the US Census Bureau¹ found that nearly one in two internet users say privacy and security concerns have now stopped them from doing basic things online:
"Americans are increasingly concerned about online security and privacy at a time when data breaches, cybersecurity incidents, and controversies over the privacy of online services have become more prominent."
The report suggests that this has reached a critical point—people stop using the internet altogether. "The research suggests some consumers are reaching a tipping point where they feel they can no longer trust using the internet for everyday activities."
The report provided a breakdown of internet users' biggest concerns:
- Nearly two thirds listed identity theft (63%)
- About a quarter was worried about data collection by online services (23%)
- Just about one in five was concerned about loss of control over personal data (22%) and data collection by government (18%).
It is this last point that is particularly concerning from a political and societal point of view, but really it is the full package that means we are in trouble.
Now this study focused on internet use, not the internet of things. But it is safe to assume that for IoT, and especially the connected home, these concerns will be as strong or stronger.
Governments are surveilling IoT, including in the home
The US intelligence services have publicly stated their intentions to use connected devices for mass surveillance. Other governments won't be far behind.
In a 2012 interview, CIA director David Petraeus called the surveillance implication of the internet of things "transformational... particularly to their effect on clandestine tradecraft."²
More recently, James Clapper, the US director of national intelligence, stated that "intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials."³
The consequences of these developments were highlighted in a study by the Berkman Center called Don't Panic: Making Progress on the "Going Dark" Debate.⁴ The internet of things—and again, this applies particularly in the connected home—might be a back door that helps criminals and governments alike to work their way around all other defenses (technological and legal alike) and towards ubiquitous surveillance.
"Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor and encrypt channels could be mitigated by the ability to monitor from afar a person through a different channel."
It does not help at all that the majority of users find it difficult to figure out the right tools and strategies to meaningfully enhance their privacy, as a 2015 Pew Research study found.⁵ Again, this is for online communications—and it will apply to an even larger degree to IoT in general and to connected homes in particular.
Yet, taking privacy into their own hands might be the only way for users to protect themselves given the sad state of security in IoT these days. A quick look at the search engine Shodan, which indexes thousands of unsecured web-connected devices, confirms this.⁶
We have to build safeguards against tracking and surveillance in the connected home
It looks as though, as of today, we have to assume we are being tracked and surveilled, with benevolent and nefarious purposes, by good and bad actors. We have few tools to defend ourselves, and they are hard to use. Civil society, policy makers, and scientists are scrambling to keep up rather than steering the course. It's a bleak outlook indeed.
To get in front of a major catastrophe, we will need to work on all aspects of securing IoT and our connected homes:
- Educating policy makers and scientists to understand the implications of complex connected, data-driven systems, like IoT, connected homes, and smart cities, so we can get to a robust, resilient legal framework that governs tracking and surveillance both from commercial and government actors and protects our privacy.
- Educating users and citizens about the importance of security and privacy when living in connected environments so they demand stronger privacy and data protection, and we get to stronger regulation and market incentives for companies in the IoT market to make security and privacy a priority for connected products and services.
These are significant, hard, and complex challenges. Yet they are essential for us to tackle. We cannot, under any circumstances, afford to allow widespread surveillance into our homes.
Yet at the same time, disconnecting is not an option either. The innovation happening around IoT and connected homes has tremendous potential both commercially and societally, and can improve the quality of life of hundreds of millions.
While the journey might not be easy, this is an endeavor worth fighting for.
1. The study is available online in full at: ntia.doc.gov/blog/2016/lack-trust-internet-privacy-and-security-may-deter-economic-and-other-online-activities. The Washington Post has a summary of the results: washingtonpost.com/news/the-switch/wp/2016/05/13/new-government-data-shows-a-staggering-number-of-americans-have-stopped-basic-online-activities/
2. See WIRED 2012 at wired.com/2012/03/petraeus-tv-remote/
3. See The Guardian (2016) at theguardian.com/technology/2016/feb/09/internet-of-things-smart-home-devices-government-surveillance-james-clapper
4. The full study "Don't Panic: Making Progress on the 'Going Dark' Debate" by the Berkman Center (2016) is available online (PDF): cyber.law.harvard.edu/pubrelease/dont-panic/Dont_Panic_Making_Progress_on_Going_Dark_Debate.pdf
5. For details, refer to this 2015 study by Pew Research: pewresearch.org/fact-tank/2015/04/14/why-some-americans-have-not-changed-their-privacy-and-security-behaviors/