Rethinking IoT Privacy on Data Privacy Day


Today, January 28, is Data Privacy Day, a good day to reflect on the challenges of protecting data from the rapidly multiplying number of IoT devices. As this article ably points out, despite being young, the IoT market opens up large opportunities, and the market will grow even larger if it can assure people that their data is protected from misuse. With the diminishing cost of sensors and microprocessors, the number of connected devices people interact with on a daily basis will greatly expand. It’s not hard to imagine a smart home with hundreds of devices in the not-too-distant future. Today, most homes have under 10 connected devices, and already people have difficulty knowing just where their personal data is going and how to manage it to protect their privacy. Imagine how that challenge will multiply in a world of hundreds of devices.

This challenge gets even more complex when you consider an axiom of the security industry: a system is only as secure as its weakest link. When you increase the number of devices in the system, you increase the number of weak links you need to cover. A 2014 study found an average of 25 security vulnerabilities in connected devices, which shows that the size of the problem is already starting to become apparent. Still, that is only one part of the whole, because IoT devices are hyper-connected. Not only are they connected to each other, they are also connected to cloud services, sometimes with a single device communicating with multiple services. These cloud services also represent privacy vulnerabilities, not only in their security but also in the business models and privacy policies of the entities controlling them. Not all of them may necessarily be to the benefit of the individual. Given this, the potential privacy vulnerabilities begin to look like they scale on a logarithmic scale.

This IoT privacy conundrum could possibly be solved by having all the IoT devices work on one company’s platform. The individual would then only have to work with one company to protect their privacy. While there certainly are technology companies that would welcome this, that state of affairs is neither desirable from a market competition standpoint nor likely to happen. Yet, while the IoT ecosystem should center on the needs of the individual, expecting the individual alone to be responsible for protecting their own privacy and security is clearly too onerous.

One area that we think holds great promise is the identity and cryptographic key management systems used in open-standards-based authentication systems. Not only will these authentication systems authenticate the personal IoT devices in an individual’s ecosystem, they can also authenticate the individual to these devices. With IoT device manufacturers and service providers working with interoperable open authentication protocols, services can define best practices for privacy protection and make it simple for individuals to have their wishes honored. The cloud services could be set up to follow these as well. Just a thought for Data Privacy Day.