Immediately before the major security industry event the recent RSA Conference 2016, in a follow-up to a previous speaking engagement, Intertrust was honored again to speak at an event in San Francisco sponsored by CbyerTECH entitled “Securing the Internet of Things.” Representing Intertrust on a panel called “Securing Emerging Technologies: 3D Printers, Robots, and Drones” was Intertrust VP of Product Management Vivek Palan. Much of the panel discussion centered on what many of the panelists considered to be an essential motivator for security and privacy in IoT: policy and regulations. As one of the panelists Sid Shetye from Crypteron said, “If there is no regulation or policy, than there will be no security built in.”
There was agreement on the panel that much of the need for policy and regulations around IoT stemmed from the explosion of sensitive data emanating from IoT devices. One example discussed was of an app that tracks the location of a person using data from the sensors in a smartphone. It was pointed out that the same sensors, including a microphone, are available in smartwatches. In the example given, an innocent user might fall under suspicion just for being in the same location as some “bad actors.” Considering the privacy and security implications of data generated from drones, thermostats, connected video cameras, and the like., Vivek said, “Technology capabilities far surpass laws and ethical guidelines.”
Data Bill of Rights
Ken Baylor from Stealth Worker discussed how the ever increasing capacities of hard disk drives means the vast amounts of sensitive data that IoT devices can generate could be stored for an indeterminate amount of time. “Data will never die unless legally forced to die.” These and other issues around IoT data such as defining ownership of the data, clarification of what data is being collected, how it is being used, and so on, can be addressed by privacy policies. The point, however, was made that these policies are written by lawyers for lawyers and are difficult for average people to understand, even if they look at them at all.
Given this situation, Vivek predicted that at some point there will be a “Data Bill of Rights.” Ideally, this would be a commonly accepted framework identifying the rights of individuals over the data being collected about them. “It would clarify what is acceptable in the use of this data and the rights to have that data secured.”
Having a Data Bill of Rights in this digital age does make sense. In fact, the vast and always increasing amounts of data collected on individuals combined with a legal framework largely developed in an analog age show the obvious need for this sort of policy. Of course, actually framing and implementing such a document is a massive and difficult undertaking. The data protection laws put in place by the European Union are considered to be the most advanced and friendly toward individual rights. On the other hand, Vivek pointed out, “Entrepreneurs in Europe are frustrated they can't move as fast as they would like, and they can't do free services.” As regulators and industry grope their way forward in defining data rights in the 21st century, finding the right balance for both individuals and organizations will continue to be contentious and difficult work. Still, with the deluge of IoT data on its way, there is no time to lose.