It’s a major challenge to tackle consumer trust on the web, computers and mobile. But what happens when connectivity extends to light fittings, alarm systems and cars? The IoT could see millions, maybe billions, more devices gathering data about people. A panel of experts discussed the issue at the MEF’s Consumer Trust Summit last December…
At present, issues of privacy, trust and security centre mostly around PCs and phones. They’re the devices that ask consumers for their data, connect that data to the cloud and demand that third parties house and protect that data.
And for all the challenges associated with this, we can agree that most organisations in the ecosystem do care about the problem.
But does a maker of a connected lamp care about security? Does a maker of lamps have an incentive to care about security?
The era of connected things is coming. And some experts believe the new breed of manufacturers – without previous experience of consumer trust issues – need to change their thinking.
Gervase Markham, policy engineer at Mozilla, is one. Speaking at the seventh MEF Consumer Trust Summit in London in December, he said: “If a device is cheap, once it’s sold, there’s zero incentive to provide security updates and continue working on that product. The fundamental baseline is having a secure home network, but the economics of that are not good. The incentives are misaligned.”
“In time some flaw could be discovered and this could disrupt and pollute the ecosystem. So trying to figure out how to change that ecosystem so incentives are more aligned – or constructing technically so it doesn’t matter so much – is really difficult.”
Markham believes one solution would be making it standard for devices to not even connect to the internet. “It would be awesome… if there was a mediator or a home hub… that was able to control to shut down traffic flows it didn’t like.
“I think trying to get every IoT device to be secure for the lifetime of the device is not possible. Instead, we need to architect system so it’s not necessary.”
Ian Ferguson, VP of worldwide marketing and strategic alliances at ARM, agreed. He cited the recent hack of digital video recorders and web-connected cameras that briefly shut down major websites such as Netflix, Spotify and Twitter.
He believes the makers of processors have a role to play in remedying the problem. “The scary thing was that the DVRs still behaved normally even though they’d been hacked and were pushing out data,” he said. “So I agree that people have focused on making chips for a component and that was the end of their responsibilities.
“Fundamentally security is hard. It takes up power and CPU cycles. I think it will take cases like this one to make people re-think. They can’t just focus on getting a cheap chip out.”
Data-stealing lamps and website-closing DVRs may be a nuisance, but other IoT-based breaches could be much more serious. This point was made by fellow panellist Alan Duric, CTO of Wire.
He said automotive was especially concerning. “Even Tesla has been hacked – and it’s considered super safe. The issue is with the cloud communications model. Data is not end-to-end encrypted…and this is not going to work,” he said.
“There will always be a chance there will be a man in the middle acting as cloud, and when we are driving at 80 mph, we will get a message to empty our bank account or the car will go to 180 mph. There are hundreds of thousands of these kinds of ransom cases already with laptops. Way more scary scenarios can happen in cars unless we change the fundamental technologies.”
Duric is well-placed to comment on this. His Wire app is privacy-focused, and encrypts all data (including media and content) that is sent across its network. He is now looking to apply some of the underlying processes and technology to the IoT.
But as well as arguing for more encryption, Duric also feels strongly that organisations should simply ask for less information in the first place. “They say data is the new oil, but I see it as radioactive waste. Most data is not used. It’s just waiting there for damage to be done.”
Markham added that a light touch can be better for companies too. “Data can be a liability. If you store personal data and it gets stolen, you’re in a worse situation than if you don’t have that information in the first place.”
He referred to the recent case of Signal, an encrypted chat app. The US government subpoenaed the company for all data on a particular user. Markham said: “They could only say when he had created his account and last logged in – that’s all we got. If you don’t have the data, it can’t be stolen from you.”
Watch more sessions from the 7th Consumer Trust Summit supported by Mozilla for more in-depth discussion on the regulation, use cases, trends and drivers that are disrupting and enabling game-changing opportunities for businesses, consumers and their personal data.