Brave New World: security and the Internet of Things

It’s a brave new world with security and the Internet of Things (aka IoT).

More and more of the tech security stories I read are about things getting hacked (as opposed to computers or tablets).

What is IoT?

First, what is the Internet of Things or IoT? IoT is all those devices that are connected to the Internet. Here are some examples: home security devices, your car, laundry machines, your fridge, your smart watch.

And there are more of them every day. Companies are rushing to market with Internet-connected devices and control apps.

Brave New World

One of the sillier examples hit the news in the summer. A start-up wanted to produce “Lovely: A wearable sex tracker”. This phallic Fitbit (can you imagine the badges?) would track all the sex activities, hook up with an app on your phone and even suggest improvements. The fundraising campaign for this device was a flop but it raised some interesting questions that apply to all these IoT devices.

First, how and where is the data from these devices stored? Who has access to it? Increasingly these devices are tracking personal information, which is subject to Canadian privacy laws. If you have a Fitbit you might have noticed in the legal terms of usage that you consented to let Fitbit store that information outside of Canada.

Second, how is this data being used by the host company? I still find it creepy when I go to a web site to look for some clothing and the next day I get an email from that company with a sudden sale on the items I was looking at. And all the ads on Google are also for that same item. Who did they sell that information to? Was it anonymized?

Third, how secure are these devices? Last week in tech news, there were three big stories about IoT devices being hacked: a power plant in the Ukraine, Jeeps being remotely controlled by hackers and a smart TV being infected by malware.

How does this IoT affect your business?

First, if you’re planning an IoT device for your customers, you have to be aware of the privacy laws in Canada (PIPEDA, PIPA) and other countries. Also you need to have a clearly articulated data usage policy for your clients. Something they can understand, not gobbledegook. And you have to decide how you will use that data.

Recently in the United Kingdom, nine universities have started a $33 million project to explore the privacy, ethics and security of the Internet of Things. The study is part of a larger government project to encourage businesses to get into the IoT.

Wouldn’t it be nice if the Canadian federal government started a similar project?

Second, how will you store all that data? Storage space is way cheaper than it used to be but you still have to pay for the storage and pay for the management of the data.

Third, your business could be at risk from an insecure IoT device. Last fall a company’s corporate Wi-Fi got hacked via an Internet-connected kettle.

Fourth, as these devices proliferate I expect we will see new government legislation in the next five years in Canada and abroad that could impact how businesses manage IoT.