Experts largely agree that the IoT brings with it significant risks in terms of security and privacy – but will the advantages of convenience outweigh them for consumers?
Not according to an admittedly less-than-scientific, but nevertheless interesting, poll of “technologists, scholars, practitioners, strategic thinkers and other leaders”, conducted by the Pew Research Center and Elon University’s Imagining the Internet Center.
In July and August last year, the researchers asked how attacks and ransomware concerns would influence the spread of connectivity – 15 percent of the 1,201 respondents said significant numbers of people would disconnect, while 85 percent said most people would “move more deeply into connected life”.
Why? Strikingly, many of the survey’s respondents pointed to the convenience that comes with connectivity, and the so-called “optimism bias” that leads people to think bad things will happen to other people, but not to them.
“Unless we have a disaster that triggers a major shift in usage, the convenience and benefits of connectivity will continue to attract users,” read one comment from MIT senior research scientist David Clark. “Evidence suggests that people value convenience today over possible future negative outcomes.”
Tesla software engineer David Wuertele, meanwhile, told the researchers that people’s desire “for these magic devices is so strong that they will sign away their own personal data as well as their families’ (and sometimes their friends’) data to get the goodies”. Mimecast chief scientist Nathaniel Borenstein chipped in that “there are few examples in human history of people making rational decisions about privacy or security”.
What’s the risk in IoT?
How serious are the risks of the internet of things, though? And in particular, are we likely to see the kind of catastrophic events that would grab the attention of regular consumers? The key here, according to the security experts to whom Internet of Business has spoken, is the scale at which vulnerable devices are deployed.
“Even a small security hole that may be exploitable only under very narrow conditions could become fatal in today’s IoT world if a certain device is deployed a million times,” says Steffen Wendzel, professor for information security and networks at the Worms University of Applied Sciences in Germany.
“Infrastructures are becoming more and more connected due to convenience and… we’ve seen every time there is excessive connectivity, then there comes the risk represented in different forms of cyberattacks,” adds David Barzilai, chairman and co-founder of the Israeli automotive security firm Karamba Security. “The motivation today is unfortunately not just kids trying to be smart. We’re seeing organised crime or terrorist organisations or states. The temptation or the reward for that is high. What you could gain after such attacks is [increasing] because of the sheer scale of one attack.”
Barzilai raises the notorious example of Chrysler’s mass vehicle recall back in 2015, which followed the revelation by two security researchers that the Jeep Cherokee could be remotely commandeered, to potentially lethal effect. “There was only one security bug that was exploited by the white-hat hackers in that Cherokee. The recall was for 1.4 million cars. All of them had the very same single security bug,” he says.
“Each car today has hundreds or thousands of security bugs and we know it… The same bug repeats itself in hundreds or thousands or more of cars, so an attacker could affect the lives of so many people with one attack. This is just cars. We could talk about connected medical devices and connected infrastructure. It’s a big deal.”
A matter of convenience
But what about that convenience, along with the demonstrable benefits of the IoT? As Wendzel notes, “self-driving cars could ultimately make driving safer, prevent several deaths and provide drivers with the chance to do something else while driving”.
However, the professor adds that consumer enthusiasm for connected devices can sometimes be overstated. “The big breakthrough of ‘smart homes’ was expected several times to become reality in the last decade,” he points out. “However, it is still ongoing and – at least in Germany – quite slowly. Besides costs, customers see no strong gain and promised energy-saving does not always work as expected.”
Here’s the thing: when it comes to the IoT, the pull may not be as important as the push.
Barzilai suggests that convenience is a “major enabler” for connected cars, but efficiency – for suppliers, not consumers – remains a bigger driver in the wider IoT industry. “I think the internet of things is at least now not something that is consumed by the end user, like a smart home or something like that,” he says.
“But we do see a push created by vendors for [deploying in aid of] support. The escalator vendor is now selling escalators connected to the internet in order to get alerts for maintenance and do remote software upgrades.”
Could we disconnect in future?
There’s clearly a world of difference between consumers letting newly-connected devices into their lives, and the builders of the public environment adding connectivity to their infrastructure. Many respondents to the Pew research seem to have conflated the two phenomena under the banner of connectivity, making it difficult to tell whether they saw widespread enthusiasm for smartphones translating into acceptance for new-fangled IoT devices.
But that said, some did note that IoT acceptance was likely to become involuntary. As Erik Johnston, associate professor and director of the Center for Policy Informatics at Arizona State University, put it: “Trying to disconnect in the future will be increasingly difficult. Only those who are either very privileged or unprivileged will find themselves in a situation where the majority of their lives are not connected in a meaningful way… It would be impossible to opt out of public surveillance, the TSA [Transportation Security Administration] and many other essentials of navigating a normal life.”
And in the words of spreadsheet pioneer Bob Frankston, another Pew respondent: “A significant number will have the illusion of being disconnected [when they actually are not].”
The optimism bias may be a real phenomenon, but that all-important risk-versus-convenience assessment may not end up being down to consumers after all.