As part of National Data Privacy Day on January 28th, 2016, we are proud to have been selected to participate in an event sponsored by the California State Governor’s Office of Business and Economic Development, CyberTECH and the Ponemon Institute. Called Securing the Internet of Things: National Data Privacy Day 2016, the event was held in the California State Capitol Building and brought together leaders from the California State Government, educational institutions and private industry to discuss how all can work together to better protect privacy and security in the age of IoT (some of our thoughts on the subject can be found here).
Intertrust’s own Vivek Palan participated in a panel discussion entitled “Security, Privacy and Trust in IoT Platforms.” Moderated by Davis Hake from Palo Alto Networks, the panel also included Lance Cottrell from Ntrepid (also the founder of the well-known privacy tool Anonymizer), Peter Day from Bank of the West, and Ford Winslow from centrexIT. To start with, Vivek framed the breadth of the issue by saying, “Everything you see now from household products to medical devices will be affected by IoT. The only limit is our imagination… Intertrust believes that for IoT to be successful, there is a very strong need for a common security layer with open standards.”
Mr. Cottrell made a very interesting point regarding just how to define IoT. At heart, IoT is really about computers, but the difference between IoT and other computing devices such as personal computers and smartphones is more psychological than technical. “The user doesn’t think of a device such as a connected car, smart meter or SCADA system as a computer but as a device that does something. The person who built it doesn’t think about it as a computer either,” (Cottrell). This also affects security: a laptop user is expected to be responsible to a large extent for their own security, but the same expectation does not exist with IoT devices. Mr. Day put another spin on this, saying, “IoT really means a radical loss of control to end users.”
Need to Act Quickly
The panel emphasized the need for quick action to develop trust in IoT. Given the potentially ubiquitous nature of these devices and the intimate connections IoT devices will have with both homes and organizations, Mr. Day suggested that the risk environment for IoT is different from that of other types of computing environments. With the scope and threats of IoT deployments yet to be determined, he is particularly concerned about unforeseen risks. “The situation is similar to right before 9/11…. Policy planners must think freely about the possibilities, free of what happened in the past,” (Day).
With a reference to the recent past, Intertrust’s Mr. Palan put forth one unnerving potential privacy risk around IoT. In June 2014, it came out in the press that Facebook had been manipulating some of its users’ newsfeed posts to see if it could change their emotional state. With consumer IoT devices potentially having access to very sensitive personal data throughout an individual’s life, “imagine the type of subtle manipulation these devices could do,” (Palan).
According to Mr. Cottrell, the dangers are increasing as many IoT manufacturers are putting out products without any clear guidance on who is liable for privacy and security. “IoT is essentially creating cyber security smog. Everyone can produce it but no one has to take responsibility for it,” (Cottrell).
Much of the discussion was about how to establish trust for IoT devices. Mr. Palan has had some experience working for startups in the past. Noting that many companies active in the IoT space are startups, he said, “I can understand how the pressures of releasing a product quickly can sometimes lead to skipping non-visible aspects like security and reliability,” (Palan). According to Mr. Palan, however, this is likely to be just a temporary state of affairs, as over time business pressures will make sustainable user trust a competitive advantage.
The panel as a whole saw a real opportunity for open standards, protocols and industry organizations to play a large role in IoT privacy and security. Mr. Cottrell stated that the industry needs to get away from the stance of relying on end-user education. “When you buy a phone charger, you don’t expect to have to do your own testing to make sure it is safe, you just look for a UL (Underwriters Laboratories) code on it,” (Cottrell). As to how this sort of “UL mark for IoT” security will actually work, “Open standards and protocols will be baked into products as a matter of course and standards bodies will make sure devices comply with security,” (Palan). The idea of introducing clear lines of liability for IoT privacy and security, and of coming up with indemnification mechanisms, was a recurring theme throughout the panel.
Beyond the usual drumbeat of privacy and security hacks, Mr. Winslow suggested that a move from selling IoT devices to selling IoT services could provide an effective economic incentive for IoT security. “Six months ago, I saw a medical device manufacturer move to giving a device away for free and charging a subscription fee, getting 10 to 20 times the revenue,” (Winslow). With additional revenue and an added incentive to keep the service up and running, a subscription model means more resources are available for security measures.