Security and privacy are widely identified as major concerns for the Internet of Things (IoT), but few people discuss them in any detail.
An exception is Jim Hunter, chief scientist and technology evangelist at Greenwaves Systems, a provider of IoT software and services. Holding several IoT-related patents and a co-chair on the Internet of Things Consortium, he works regularly with the security and privacy concerns that are often acknowledged only in passing.
While security and privacy are often discussed in the same breath, Hunter views them as at least partly separate. According to Hunter, security concerns center on how software and hardware are designed. Too often, security is an afterthought -- or as Hunter puts it, "it's not baked into the product, but is instead sprinkled on top.”
By contrast, he says privacy problems exist "because of the 'I' in Iot. "When I put information into my web browser, it brings value to someone else -- this is the way that the Internet runs and the agreement we have with it. By keeping 'Internet' in front of 'Internet of Things, we're enabling companies to think things will continue to work in the same way. Companies are taking your information to the cloud and then using it to make their product(s) better or selling it to other people. The mentality that your data doesn't have value is where the problem exists."
Both security and privacy problems could have been foreseen, Hunter continues -- and in some larger companies, they were. But smaller companies often overlook them. "The industry itself hasn't really been educated to the importance of security," he says, although he adds that "the tide is turning," partly because of platforms that offer secure infrastructure, such as Parse on Facebook and Fabric on Twitter.
IoT security has "massive" problems, Hunter says. Perhaps not surprisingly, given that Hunter oversees the AXON Platform, which provides a common language for IoT communication, he sees the core of the problem as communication between protocols and resources.
As in cloud computing, it involves such Internet issues as "the control over where the device is originating -- you have servers and computers communicating in the same language (IP) and you have all these standards for sending messages back and forth (encrypting packages, and http)." In addition, with IoT, before the Internet even becomes involved, "you have mesh technologies, radio technologies, all kinds of other languages."
Such a situation can make consistent security in IoT almost impossible. As Hunter observes, one of the worst cases in cloud or Internet computing is the rogue operator -- "anybody who is behind a trust, protector [security] barrier who elects to do bad things." In Iot devices, the barrier may be partly or completely missing, with the result that, "every device that is dropped into a home could potentially be a rogue operator, listening to all of the other traffic and sending it elsewhere or maliciously affecting the flow of traffic."
By contrast, Hunter regards privacy as either an ethics question about who has rights to the data or a business transaction question about what value a consumer gets in exchange for the data."
Until such questions are answered, questions of implementation, such as what information IoT devices should collect, cannot be meaningfully answered. For example, if privacy is an ethical issue, the question of what information IoT devices should collect depends on what consumers are comfortable with. "One of the most ethical ways [to decide]," Hunter says, "is through an agreement --'you will share this, and in exchange get something of value.'"
If, however, the question is answered in terms of a financial transaction, then the answer becomes what Hunter describes as a data pixel problem -- that is, one in which, like an image in .png or .jpeg format, individual pieces of data carry little meaning. Yet, when combined with other individual pieces, form a far more significant picture. Since individuals rarely see the whole picture, in such cases, an informed decision of what information to share is much more difficult. For instance, the fact that you were late paying a credit card one month might seem inconsequential by itself, yet it might be combined with other times when you were also late to create a picture of you as irresponsible with credit.
IoT security and privacy issues, in the abstract, are little different from those on the Internet or in the cloud. The difficulty is that they potentially occur with every smart device, and solutions need to strike a balance between security and privacy on the one hand, and usability on the other become that much more complex.
For example, Hunter says, "if [a smart device] is super-secure and challenges me for a password every time I try to do something, there's a conflict there. Usability vs. security needs to trade off -- there is always a balance between being usable and secure, and you have to find the right mix."
Organizations like the Internet of Things Consortium do their best to educate people about such issues, but, at a time when many struggle with the idea of secure passwords, informing everyone is obviously an uphill battle.
A large part of the difficulty," Hunter suggests, "is that we haven’t fully established the value of data. As the value of data comes more into view and the data pixels and ownership of the data becomes more of a thing, I think that is going to become a bigger issue." And even when such questions are resolved, others lie in wait, such as the degree of complicity a manufacturer should have when its lack of security enables a criminal act. Clearly, the conversation about IoT security and privacy is still at an early stage, even as the size of the IoT increases.