It’s a concern, but it’s not one many people actively consider. “I think most people err on the side of, ‘I’m just going to permit everything, because I’m sure the people who made the application know what they’re doing,’” says Samani’s colleague Scott Montgomery, CTO for the Americas for Intel Security. But they don’t always have your best interests in mind. Samani once discovered a simple flashlight app, for instance, that was quietly accessing the phone’s contacts and sending the information back to the app’s makers. “People had no idea,” he says.
T-Mobile’s Kim Kardashian Super Bowl commercial had the tagline “It’s your data. Keep it.” Of course, it wasn’t referring to your personal data, but it’s that kind of information that people hand out like candy. Or to get candy. Samani says he’s witnessed people in department stores giving out all kinds of personal details just to get a bar of chocolate. “We need to be able to demand a fair value of our data. Sadly, what I see is people using loyalty cards and giving away their data for literally peanuts,” he says. “I think it’s getting worse. I think the perceived value of personal data is gradually decreasing.”
“We need to be able to demand a fair value of our data.”
Samani lives in the United Kingdom and is working with the European Commission to develop security and privacy standards for smart meters and the smart grid. He’s also involved with the European Privacy Directive 95/46/EC, which is aimed at providing guidance in regards to data privacy. One other project he’s very passionate about is working with governments to implement “personal data economies.” If this one had a Kardashian-style slogan, it could be “It’s your data; charge for it.”
The personal data economy is the idea that consumers should get more benefit — specifically financial — for their data, instead of just gaining access to an app. By 2020, the European personal data economy will be worth €1 trillion ($1.14 trillion), and individuals will see a €670-billion ($763-billion) slice of that pie, according to the Boston Consulting Group. Samani pictures it like an insurance site, where you plug in your information, receive a bunch of bids for it, and choose which one you want to sell your data to.
“If you go to a car manufacturer for example, they may be willing to pay up to $500 to get information about your car, what car you want to buy, your preferences, and so on and so forth,” he says. “You could actually monetize that data.”
If that idea makes you feel a little uncomfortable, Samani says you’re already monetizing your data — you’re just making very little profit. “When you use an app, and that particular app takes data from your phone, you’re monetizing that,” he explains. “The challenge becomes how can I begin to increase the value of that data, because people give away their personal data on social-media sites.”
Right now, it’s the companies that are benefiting from users’ data. Some people are happy to grant permissions to every app, letting them control the phone’s camera, access the contact, and see their locations. Others may not be aware that all this is taking place. “If I printed out the iTunes user agreement, and I rolled it up, and I hit you over the head with it, you could die. That’s how big it is. But no one pays any attention to what it says before they simply click through and agree to it,” says Montgomery.
The Federal Trade Commission recently released a report on the Internet of Things. While it stopped short of recommending legislation to regulate users’ privacy and security, it did have many strong warnings and suggestions for how consumers can protect themselves and how companies should behave. For example, makers of these devices shouldn’t store users’ data for eternity, and they shouldn’t use it for purposes that they haven’t disclosed. It may surprise some that such regulations don’t exist.
“I spend a lot of time working on cyber-crime issues, and we all rail against cyber criminals for utilizing the Internet for monetizing your personal data,” says Montgomery. “They steal aspects of your personal data, and they monetize it. Well, we’re really letting the industrial internet do the same thing; it’s just legal.”
Unlike in the E.U., there are also no legal repercussions in the U.S. for a company if a third party steals users’ data. But Montgomery thinks that could change. “When that becomes the vector [through which] their data is exposed and there is no regulatory oversight that protects them in those cases, that’s when I think you’ll see people sit up and take notice, because it does affect them,” he says. “I think a lot of people are going to have to suffer from that before people change their behavior.”
Smart-home device hacking is more a matter of “when” than “if.” A recent HP study found that every Internet-connected home security system it tested had critical flaws that made them vulnerable to spying. These include encryption issues, a lack of a lockout feature when trying to guess passwords, and a failure to require strong and complex passwords. Virtually every website you log into stipulates that your password must contain a mix of numbers and letters, at least so many characters long. These top security systems do not.
It’s possible that such specifications are built into the software, says Daniel Meissler, Practice Principal of the HP Fortify Team, but a decision was made by these companies to favor simplicity over security. For Meissler, it’s not surprising that device manufacturers are so lax on security; he says it’s familiar territory. We saw similar issues with networks, applications, and mobile. “Every time we switch from one space to another, we make all sorts of mistakes there,” he says. With the IoT, “We have to relearn these lessons.”
“If I printed out the iTunes user agreement, and I rolled it up, and I hit you over the head with it, you could die.”
However, he says these are not difficult problems to fix. “They have been solved already. There are people that know how; the question is will they make this investment.” In order for that to happen, he adds, consumers need to start putting pressure on manufacturers by opting for devices that make security a priority.
Part of the problem, Meissler believes, is a lack of awareness. But even when people know how dangerous lax security can be, they still choose “123456” and “qwerty” for their passwords. “It seems to be some sort of human limitation not fixable by a report or article,” he says.
Luckily, we may be approaching the day when passwords are a thing of the past. “This is one where there is certainly light at the end of the tunnel, purely around the area around authentication,” says Montgomery. “We’ve heard about the promise of biometrics or the ability to use physical characteristics about your own body to be your authentication mechanism, and I don’t think we’ve ever been closer as an industry to realizing that.”
He envisions a future where it will be a bit like Mission Impossible to get into your house; there could be retina and fingerprint scans, voice identification and facial recognition barriers before you’d be let in the door. More likely, though, it would be a two-factor authentication process. Turning on certain smart devices, especially ones that could compromise your physical safety, such as a smart car or a connected medical device, would require both a pin and a fingerprint scan, for example. It’s not a bulletproof solution, he says, but it’s much safer than what we’re doing now.
One area of research that excites Montgomery is using electrocardiograms for determine a person’s identity. “Your heartbeat is as unique a snowflake as you are,” he says, and this is true whether you’ve been exercising, sleeping, or startled.
It’s a little ironic that we may eventually have to give up these new pieces of personal data — the sound of our voice, the rhythm of our hearts, the pattern of our prints — to keep the rest of our information secure. Still, it seems nothing is stopping our march towards a fully connected world, and this could make us safer. “IoT will just be considered normal,” Meissler predicts. “I think it will come down to acceptance; both the security risks and the benefits.”
