IoB Insiders The speed of innovation within the Internet of Things (IoT) is gathering pace, yet developments are currently moving faster than the regulators, leaving devices, systems and people vulnerable.
A recent DDos attack that rendered millions of users unable to access major websites such as Netflix, Airbnb and Twitter was notable for its ferocity and exploitation of network-connected devices, which formed the majority of the pawns used to engineer one of the largest invasions of this kind.
Security breaches such as this are significant, but can overshadow the other crucial area of vulnerability with IoT devices: privacy. Consumers are increasingly embracing IoT devices yet are largely ignorant of the privacy risks as vast amounts of their personal data is gathered, stored and shared on devices and across networks that are often less than secure.
Consumer enthusiasm is a double-edged sword for IoT development. While eager customers are a major facilitator in development and funding, it is a customer base not demanding nor expecting robust security settings as they remain unaware, in the most part, of their own vulnerability. Consumers are seeking stylish and easy-to-use devices that are not conducive to security. They are unlikely to tolerate pop-ups demanding they provide consent and set passwords, nor want to be limited by such functions, thus manufacturers deprioritize security and privacy protection when making and marketing their products.
A general lack of awareness seems incongruous in an age when so much information is available online. There is a role for those of us working in the IoT space to play in educating consumers and manufacturers on the importance of privacy safeguards to ensure IoT devices can fulfil their potential use and minimize the harm.
That isn’t to say there aren’t some existing regulations for personal data protection, but the challenge is application to a new and constantly evolving technology. The EU General Data Protection Regulation demands that consumers should be able to review when their personal data is collected and how it is used, and be able to give or withdraw consent. With such a diverse range of data being collected in different ways via a broad range of IoT devices, consent becomes a complicated and lengthy process. What about the personal data collected as collateral, such as a security camera filming in a public place? How do you give passers-by the right to control their data when they don’t know it has been collected?
The design and operation style of IoT devices serves to hamper privacy protection efforts too – interfaces are often limited or non-existent and devices operate across networks using software that cannot easily be updated or protected.
These were all areas flagged up in a recent report on IoT security and privacy which identified the unique nature of IoT issues compared to any internet-connected devices, but stressed that regulatory improvements were paramount for the future of IoT. Yet one further complication lurks: in an arena of innovation such as IoT, there is an underlying and justifiable resistance to anything that may limit or inhibit creativity or progression.
IoT has far-reaching benefits for health, education, financial mobility and personal security, with the potential to transform lives, cities and industries. With this in mind, it’s crucial that regulation preserves and protects users without stifling system evolution – easier said than done, but necessary nonetheless.
The media provides enough scare stories to keep us focused on the heady cost of being hacked when it comes to financial loss and threats to city infrastructure, demonstrating how our interconnected systems and devices can be as dangerously powerful as they are useful. While there are fewer examples of personal data being breached, an association of IoT devices with potential risk should be enough to encourage consumers to view their devices with more caution and gradually fuel a change in manufacturing. In the meantime, the industry needs to keep working towards sustainable regulatory solutions that can keep pace with innovation, and are as innovative as the devices they regulate.
By Adam Leach, Director of Research and Development at Nominet