Internet of Things Makes Big Data Even Bigger (And Riskier)
By Doug Pollack - Article on January 18, 2016
- Cyber Security
- Data Breach Notification
- Data Privacy
“If we had computers that knew everything there was to know about things—using data they gathered without any help from us—we would be able to track and count everything, and greatly reduce waste, loss and cost,” Kevin Ashton wrote in the RFID Journal back in 1999. Today, the Internet of Things (IoT), with connected devices literally everywhere, is moving us towards this vision of a society in which businesses run with maximum efficiency, resources are used sparingly and wisely, and our every individual need is anticipated and met at the click of a mobile device button. It’s already happening: Internet-connected devices monitor buildings, factories, cities, and crops to conserve energy and other resources, refrigerators can text you grocery lists, and your mobile phone can find the nearest Starbucks for you and order your favorite drink so it’s ready when you arrive.
The flip side of this vision is a dystopia where individuals are monitored every moment of every day, personal privacy is a distant memory, and individuals and organizations are exposed to constant threats of theft and worse. (A headline in The Guardian this year asked, “Internet of things: the greatest mass surveillance infrastructure ever?”)
All the services provided by the IoT depend on monitoring something—a user’s GPS location, the amount of electricity or fuel being used, the location of a package in transit, the amount of medicine being dispensed by a medical device, the image feed from a security camera—and all those monitors are transmitting massive amounts of data that can be used or misused by anyone with the determination to get it. The IoT is exploding, and if the businesses that are benefitting from it don’t get ahead of the privacy and security issues, they and their customers will quickly become victims of their own success.
Quote: Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it's digital cameras or satellites or just what you click on, we need to have more explicit rules—not just for governments but for private companies. —Bill Gates
Whenever a device transmits data, there is a privacy risk. For example, in May 2015, CNN Money reported that hackers in stores were stealing Starbucks customers’ mobile payment information and using their Starbucks apps to drain bank accounts via the auto-reload feature. Researchers have shown that everything from medical devices to vehicles can be hacked, and there is always the risk that a would-be burglar will tap into a smart home to find out whether the owner is there. (In fact, the Federal Trade Commission (FTC)’s first complaint related to the IoT was against TRENDnet Internet-connected cameras that allegedly failed to protect consumer credentials.)
But the other large privacy risk of the IoT is the sheer volume of personal data that will be available to organizations via these devices, and the challenge of protecting it. Cisco research estimates that the IoT will generate over 400 zettabytes of data annually by 2018. (That’s 400 trillion gigabytes.) In addition to information directly related to whatever service or process the device delivers, organizations will be able to gather a potential treasure trove of data on trends, user behavior and preferences, locations, and more. In many cases, the inclination will be to warehouse most or all of that information and figure out how to leverage it later. Data analysis could reveal new opportunities for product offerings, personalized advertising, location-specific services, or selling information to other businesses. Smart devices helping businesses to be smarter. What could be more fitting? But the IoT is in its relative infancy, and how organizations handle the privacy and security of all this information will determine their success in using it, and whether regulatory agencies decide to get involved.
The larger the data store, the more attractive it will be to cyber-criminals, and the data being generated by the IoT could dwarf today’s typical data repositories. The sheer variety of IoT devices and services also guarantees that these data stores will contain more than basic SSNs and financial information. Access to very personal information will be rich fodder for phishing and other targeted attacks meant to rob victims or use them to gain access to business networks. Five years from now, as IoT devices become even more ubiquitous, we will be seeing news of cyber-schemes and scams that we can’t even imagine today.
At the beginning of 2015, the FTC issued a report on the IoT, The Internet of Things: Privacy and Security in a Connected World. In addition to looking at issues around device security, the report discusses the risks of data collection from the IoT. The report makes two high-level recommendations to organizations capturing data from the IoT:
The FTC report also notes that IoT technology and business models are developing fast—too fast for regulators to define appropriate IoT-specific privacy protection—so technology vendors and businesses need to develop their own best practices and policies. (With the implicit message that, if business doesn’t set standards, the government will.) Precisely because the situation is developing so fast, we recommend that privacy and security professionals move preemptively to define best practices for IoT usage in their own organizations.
The business opportunities of the IoT are exciting and transformational, and your business should be prepared to take advantage of them. But, as a recent white paper from the Industrial Systems Audit and Control Association (ISACA) noted, business teams outside of privacy and security are likely to focus almost exclusively on the business potential. (Check out the white paper for a really good list of do’s and don’ts for adopting IoT technology.) To leverage the IoT successfully, your business needs to move quickly but cautiously. You can help them prepare by putting safety checks in place now.