Navigating the Internet of Things--Asking the Right Questions
Imagine a scenario sometime in the very near future: John and Marsha leave their suburban home to go camping. About halfway to their destination, Marsha realizes that she forgot to run the dishwasher full of smelly dishes. John realizes that he left the sprinkler system set on a daily water cycle. Time to panic about an impending soggy lawn and smelly kitchen! Not at all.
Through the coming magic of the Internet of Things (IoT), John and Marsha can log into their home utility dashboard from their smartphones, tell the dishwasher to start, and schedule the sprinklers to fire every third day. Crisis averted!
But behind John and Marsha’s serendipitous crisis aversion, technology futurists are beginning to sound the privacy and security alarms. In a new world where the family washing machine is smarter than the family dog and utilities can be controlled from anywhere in the world, what happens if these devices get hacked?
With all the rhetoric and overblown predictions, we thought it might be prudent to identify a few of the salient issues we see on the horizon for the coming world of IoT, from both a security and a privacy perspective.
Let’s start with the “Advanced Metering Infrastructure” scenario, where a home’s appliances are linked to a smart meter that reports usage to the utility and also informs the home user of consumption patterns. This scenario lines up neatly with forward-looking public policies for both energy conservation and consumer convenience. People will save on their power bills, the theory predicts, while also lowering the overall energy usage for society, as utilities will less frequently be forced to fire up a coal plant on a hot July afternoon to supply peak power to the grid.
IT professionals seek to enable better public policy while implementing the IoT. However, policy makers have yet to answer key questions about how this is going to work. With respect to smart meters, who owns the consumer usage data—the utility or the consumer? Does public law need to specify that a utility is the “legal custodian” of such data, or is that implied? Who will define these roles and responsibilities?
Analysis of consumer electric usage information, including consumption patterns for specific families, will create a trove of valuable data that promises to yield even better public policy and consumer cost savings. For example, a drought-stricken region will know how to most efficiently regulate its water usage. Consumers will save money with more efficient and precise controls over the functions of their home.
Serious privacy concerns accompany these broad societal benefits. For example, if a utility stores information on reduced appliance usage in a database that is penetrated, bad actors could identify whether a homeowner or renter is away on vacation and how long they have been gone from their domicile. If water and power consumption records become exposed through a data breach or even as a result of human error, private behavior will be exposed to public view. Imagine, for example, an environmentally green city council person facing the shame of being the highest power consumer in her neighborhood.
The fear of “Big Brother” spying on us is real as well. Beginning in California in 2012, multiple lawsuits were filed against municipalities seeking to install advanced meters, citing both health and privacy concerns. Alarmed by government behavior regarding the privacy of their communications, citizens no longer trust government to “do the right thing” with respect to their personal data.
In a climate of heightened privacy and security concerns, we will need to tackle the following questions relating to new systems:
• Who determines the ownership of the data gleaned from IoT?
• Will policy makers for government agencies allow this data to be sold or shared?
• Will personal consumer data on energy usage patterns be subject to public records requests, or should such personal data be exempt from such information requests?
• What data needs to be collected in the first place?
• How long should IoT consumer usage data be retained, to accomplish both public policy and individual behavior-related goals?
• How can data be “de-identified” or anonymized for the purpose of doing data studies?
Power and water utility consumption data represents only one narrow IoT category. Automobile “black box” telemetry data stands out as another IoT category, revealing the usage patterns of millions of individuals as they drive their cars and trucks around the country. The same essential questions apply: Who owns the data, who has the right to use it, and for what purposes?
We live in a new era of cyber-security threats, where knowledgeable people in the industry advise us that “assumption of breach” is a prudent policy. In this context, adding in new fields of IoT data magnifies both the risk of raising the profile of a target and the attendant privacy concerns. As we strive to navigate this new environment, it will become essential to conduct a thorough review of the security and privacy risk profiles of new systems that expose the public to jeopardy and make informed policy decisions.