Privacy in the Internet of Things era: Will the NSA know what’s in your fridge?

Privacy in the Internet of Things era: Will the NSA know what’s in your fridge?

Wojtek Borowicz, community evangelist at Estimote, freelance writer and a strong believer in the Internet of Things.


We’ve already entered the Internet of Things: a world where everything is connected, with billions of devices storing and exchanging data about each other and about their users – i.e. us. As it matures, it’s going to be hugely convenient, not only to the average Joe, whose smart home will always remember to lock the door and switch the lights off, but also to huge organizations.

However, one of the main concerns associated with it is the security of IoT platforms and devices. But it’s not only preventing hackers from accessing these systems we should be discussing: What about privacy, government surveillance and the creepy vision of Big Brother hiding in my smart fridge?

What big companies are supposedly doing about it

Apple likes to claim that it values the security and privacy of its users above all else. The ‘Privacy’ section of its website opens with those soothing words: At Apple, your trust means everything to us. That’s why we respect your privacy and protect it with strong encryption, plus strict policies that govern how all data is handled.

The proof of that are features such as two-step verification, Touch ID or extra security measures implemented in the new Apple Pay system. All are designed to protect your personal data from peeping third parties.

Well, it’s good to know, especially now, with iOS 8 venturing far into the Internet of Things territory and introducing HomeKit and HealthKit: new frameworks that will make our iPhones hubs for home automation and quantified self software. With these new platforms, the amount of sensitive information stored in our handsets will grow exponentially, which necessitates strong protection.

wwdc_2014_898

Google probably has the largest archive of digital data out there. The knowledge they have of their own users is so vast that Eric Schmidt could have said something like this back in 2010:

We don’t need you to type at all. We know where you are, with your permission; we know where you’ve been, with your permission; we are more or less able to know what you’re thinking about.

To give you more context, that was just a couple of months after the first iPad hit the shelves, so in terms of online data transfer, that’s an order of magnitude ago.

Fast forward four years and Google is also keen on getting a slice of the IoT pie through acquiring Nest, developing Android for all sorts of devices and exploring ideas like physical Web, to start harvesting loads of information about how we interact with the physical world.

Anything to worry about?

Well, I’ve gotta admit that Google is aware of the huge responsibility that comes with such deep insight into user data. It’s leading the debate on the ‘right to be forgotten’, advocating US government surveillance reform and releasing rich transparency reports. In other words, behaving as you’d expect a mature company with partial control over global information flow to behave. 

Microsoft may have slept through the explosion of mobile, but it definitely does not want to end up side-lined on IoT as well. Earlier this year, MS rolled out its program for developers interested in bringing Windows to all things connected and now, with Windows 10, it aims to build a single platform for all devices which goes well beyond PCs, tablets and smartphones.

You might not see the ‘Start’ menu on your thermostat just yet, but who knows what the future brings? Luckily for us, Microsoft also takes privacy issues seriously and goes as far as to call government snooping an advanced persistent threat. 

Which brings us back to the topic at hand…

What do these three major companies have in common, apart from being tech giants with strong appetites for leading the Internet of Things evolution? Despite their vocal claims about paying the most attention to user privacy, the NSA was still able to harvest contents and metadata of communication going through services provided by them.

Photo credit should read PAUL J. RICHARDS/AFP/Getty Images
Image credit: PAUL J. RICHARDS/AFP/Getty Images

And of course Apple, Google and others caught up in last year’s massive NSA leak swore they don’t leave any backdoor open for intelligence agencies. But apparently, this doesn’t stop the guys from Fort Meade, and they have all the tools they need, from super-advanced programs like PRISM and Xkeyscore to FISA courts, which hand out electronic surveillance warrants like candy (no, really: in the first 30 years of its existence FISA courts denied only 11 out of almost 35,000 warrant requests!).

The fact that intelligence agencies have the resources, doesn’t necessarily mean they will use them to harvest the tons of data generated by Internet of Things, right? Wrong: David Petraeus, ex-CIA director, already loved the concept of IoT as a bottomless well (or, to quote him directly: a treasure trove) of information about persons of interest back in 2012.

When the NSA started collecting telecommunication metadata, its insight into our lives became unnerving. Now we’ve realized it’s far beyond unnerving when Edward Snowden leaked documents showing that at Fort Meade, the team actually has access to the content of our communication via services provided by the biggest tech companies as well.

Now we’re at the stage when the same companies are about to start storing even more of our private data, from thermostats and cars to fitness trackers, while intelligence agencies openly admit that’s a great opportunity for them to obtain an unprecedented level of knowledge about citizens.

IoT data surveillance opens up access to a whole new layer of private information, especially as it’s not only appliances in our homes and offices that will be transferring the data: it’s also going to be services built on top of an immeasurable number of sensors we’re about to deploy throughout cities, in roads and shops. And there is absolutely no regulation in place to keep that under any control.

There will be 50 billion connected devices in the world in 2020, and no laws exist to govern the Internet of Things and its implications for privacy. This in turn, means that other laws will have to apply, including telecom regulations, along with FISA courts.

This doesn’t mean no one is trying to introduce some ground rules, though. In 2013, democrat Mike Capuano introduced two bills to prevent excessive data collection in modern DVRs and automobiles: the We Are Watching You Act and Black Box Privacy Protection Act. As of now, neither even made it to the floor.

There’s also the broadly discussed USA Freedom Act, supposed to put a stop to the NSA’s bulk data collection, but as Electronic Frontier Foundation points out, it has loopholes and compromises that the intelligence community can exploit.

Is this our potential future?

guy talking smartphone in car

Without regulation, Orwellian insight into behavior of whole societies and individual citizens might soon be at hand’s reach for the government. The greatest irony, however, would be if those regulations would come, but as a way to legitimize surveillance, instead of protecting civil liberties.

After all, it’s not that hard to imagine lawmakers pushing for the exact opposite of the aforementioned Black Box Privacy Act: obligatory Event Data Recorders in each vehicle, with constant access available to state agents. In other words: a car that could automatically fine you each time you exceed the speed limit or even one that prevents you from doing that at all. Safe? Probably. Terrifying? Absolutely.

And it’s just one example of how IoT can become its own parody – if lawmakers go all ‘1984’ with it. Does this mean we should fear the Internet of Things instead of looking at it as next milestone of the digital age? Of course not! It is a truism, but begs to be said now: no technology is good or bad by itself.

IoT has tremendous potential for making our lives easier and businesses more efficient. We just need to be aware of the implications it may have on privacy if we don’t watch the hands of those in power close enough. 

According to a recent study by Lightspeed GMI, two thirds of Americans would be so outraged (or completely violated as the survey states) by a breach of their personal data by a connected device, they would consider taking action. What exactly they mean by that unfortunately remains unknown, but it better have something to do with calling for Internet of Things-related privacy regulations and then closely watching those who will be responsible for implementing them.

Otherwise, we might end up in a super-smart world… where the NSA needs only a FISA warrant to check what’s inside your connected fridge.

Read next: Why the Internet of Things narrative has to change

Featured image credit: Mark Wilson/Getty Images

Read next: Baby boomers aren't tech novices. They just want you to think they are

Here's some more distraction

Comments