Security imply a wide range of elements, one of them is Privacy. But since the nature of this topic is particularly sensitive I will talk about it separately.
Privacy in the Internet of Things assume a different taste than we used to think. We should think again what IoT means. A lot of objects that are able to communicate and process data, equipped with sensors that make them aware of the neighborhood.
Those sensors will be able to track where we are (geolocalization) what we buy and eat (smart fridge) how often we shower or be at home (smart meter for gaselectricity), our taste in terms of media, show (smart tv) and so on.
When we go out our smart cars will communicate in our smart roads about our position destination and driving skills, our smart medical devices will keep track of when we sleep, or make exercise…
Forget to have an affair, or just a little moment for yourself, all will be monitored by something, somehow.
This open a completely new scenario in terms of privacy, the amount of data available will be way bigger than what we have today.
but who will be able to protect our privacy? how we will be able to monitor who will access our data?
for sure we will need a clear definition of personal and sensitive data. but in an environment where every move or choice is registered, or can be deducted analyzing the output of different sensors and systems, the extension of “personal” will grow from direct data to metadata, to deducted data.
This is somehow a more complex environment of a already complex dilemma: how to handle all this?
As of now there is not even an agreement on the definition of personal and sensitive data, nor how to handle those data.
Some countries have strict controls, other lousy, and it is not just a matter of developed or not developed country. Take as an example the querelle between Europe from one side and USA (plus UK) from the other on mass surveillance rights.
EU approach on Data privacy is way more restrictive than the lousy USA ones. But even in EU we can see difference form country to country, and the recent statement of Austria against the new GDPR agreement is a clear sign that we are moving in a really complicated area.
And not all personal data are the same, some can have a really “personal” connection. Not only sexual orientation or political and religious believes, but think as an example about your medical record.
If we will use IoT medical devices, those will be able to help us to stay alive, but at the same time will collect, process and send a lot of really sensitive and private data about our physical condition. those data if not managed correctly could expose us to unpleasant situation but how to control the flux of those data?
Same concerns can be found in the geolocalization. Sure it can be useful to find the place where I have to go, or being found if I wantneed to, but at the same time tracking our move can expose us to risks. may be I am going during my vacation to an interview and I don’t want my boss knows, or I tell my mom i can’t go to visit her because I am at work while I am actually watching something on TV I don’t want to miss (lousy reason I know). No matter what is the reason I would like to be sure I can get control of who is accessing those information.
On the other end those data can have a great value for third party, interpolating the result coming from different sensors it can be possible to track consumer behavior to a level we cannot imagine right now.
We can understand mixing geolocalization data with actual purchases, how much time we need to choose a product, how we choose and why.
So it is not only governments, police enforcement agencies, that want to know all about us, it is a bigger entity: marketing.
If we sum all the data we can have in the IoT even communication, personal communication, assume a whole new significance. Using the so called metadata nowadays it is possible to understand a lot of people behavior (ask GCHQ).
But with localization, hart beat rate, may be we will be able to tell if you are lying or if you are nervous and we don’t knows what more. Again it is not Science Fiction, but just the evolution prospect by IoT.
Privacy can be simply disintegrated because all of those sensors, the incredible amount of data will make able no know, see, listen or deduct all we do.
Privacy of Things
Probably we will have to introduce the Privacy of Things among the Internet of things, and create rules that allows us to stop interpolating data that can expose critical information, and not only direct personal or sensitive information as we do today.
A scenario that is open to new unexpected evolution, no so different from the one I presented for the security space.
What we should consider is not only the simple data, but the data that can be extrapolated analyzing other stuffs apparently unrelated.
In the age of Safe harbor 2.0 (aka Privacy Shield)
I wrote in the past on Safe Harbor and the problems related to data privacy in our age, now we have a safe harbor 2.0 (Privacy Shield), that we don’t know how long will stand.
Even with the relative small amount of personal data (compared to the IoT) we face problems nowadays, how we will manage the next to come?
There are sensible questions that have to be addressed in order to, at least, start to analyze the impact of privacy on IoT.
A few points are the following:
- Where my data are stored?
- How my data travel?
- Who is storing my data?
- How I will control who is managing my data?
- Who can access those data?
- How my data are used?
- What if I want to change something?
Since there is not a common understanding on the basic definition this will be hard. and the questions does not have a simple solutions, and will require a sound technological approach.
Consider the problem of how data travel. In a world where data can travel trough different countries and stored “in the cloud” that means somewhere we do not actually control any control will be difficult.
Storing the data is just one of the aspect, because data, as an example, can be legally sniffed if the passed in certain countries that allow this. Take, as an example, USA. All data that physically pass trough the USA are subject to USA federal laws, this means USA government can check those data, even if will be stored somewhere else. The simple transit put privacy at risk no matter what “privacy shield” state.
And so may be some encryption will be not allowed.
A solution, may be, would be implementing geotraking of every single packet, in order to determine the path that the packet is allowed to take, but this is at the moment far form our real implementation capabilities.
Legal, technological, cultural frames are still missing ….
We are moving in a slippery field, where legal, technological cultural frames are still missing.
In the absence of indications, some implementations could be not privacy aware and can create problems in the future, as the safe harbor things showed us.
Alas politics and governments are not still on this boat, too technical probably (it is a sarcastic comment).
But it is the cultural lack that is the major obstacle to understand those issues, a knowledge gap that is related to lack of experience, lack of real technical knowledge, lack of interest. Alas Security and Privacy suffer of the same problems, they are multidimensional and require a holistic approach (with technical, legal, economical, cultural basics) and not the compartmentalized ones we still have on those subjects.
Next Post will be on the infrastructures required by IoT.