Information Technology and Ethics/Internet of Things (IoT)
Internet of Things (IoT)
Introduction
Since the inception of digital computer systems, computers have continued to shrink in size and grow in capabilities. Starting from room-sized mainframes, computers have progressed from monstrous desktops to briefcase laptops and then to cellphones and tablets. The next logical step in the progression was to expand to the Internet of Things (IoT). IoT comprises all devices that now have the capability to use the internet and network infrastructure to improve the capabilities of the system (Poudel, 2019 p. 997).
Common Applications of IoT
Common uses include most devices that are outside the scope of traditional computers, tablets, and smartphones. Examples of modern IoT devices include cars, toasters, light bulbs, thermostats, door locks, and much more. A more specific example would be the Nest thermostat. This device replaces the traditional thermostat by providing traditional wiring connections. Once connected, this device is capable of utilizing the internet to provide 24/7 access to your home thermostat. You can change temperatures on the fly from a mobile app. In addition, the Nest is also capable of being programmed on a schedule, detecting changes in temperature or proximity of residents, and warming or cooling the dwelling based on these criteria (Poudel, 2019 p.998). The initial idea is that the Nest thermostat can reduce the amount of wasted energy by using these new capabilities.
IoT is still relatively new and continues to undergo changes at a rapid pace as new ideas and capabilities are added to everyday items. The idea of IoT is to provide an interconnected network of devices that can use the information from other devices to make smarter decisions. This can be problematic currently, as many IoT devices are not compatible with other IoT devices. This means there is no standard in how IoT devices are made or implemented. Lack of standards can give rise to a number of security and privacy issues, both from a technical perspective as well as a legal perspective.
Privacy Concerns
Data Collection
This advancement in IoT technology, despite bringing ease of use to its users, also raises concerns over their privacy. It poses a threat to the privacy of device users since data is always being collected by the manufacturers. This data includes sensitive information and is often shared with other third parties for collection and advertisement purposes. This collection of sensitive data sometimes happens directly via sensors and other times indirectly via inferences (Poudel, 2016, p.1013). The data collected, whether directly or indirectly, includes but is not limited to a person’s health information such as weight, heartbeat, user demographics, and driving habits. An example of this would be data collected from an IoT device used for exercise, where inferences could be made by the manufacturers about the user’s diet, heart condition, and stress levels just by analyzing their exercise routine, how often they exercise, how long it takes them to complete a certain distance, and how their heart rate changes with each activity.
In an article named “The Internet of Things and Potential Remedies in Privacy Tort,” the author sheds light on some crucial facts and statistics on how much data is being generated by these devices and reveals that according to the FTC “fewer than 10,000 households using IoT home-automation products can ‘generate 150 million discrete data points a day or approximately one data point every six seconds for each household’” (Tran, 2017, p.268). This reveals that the data being generated by IoT devices is growing day by day, which raises a concern about data aggregation: this data can be analyzed and combined to create digital profiles of users. Organizations such as insurance companies can use these profiles for their own good, but this could be a potential disadvantage to the users.
Prioritization of Convenience
While many users are aware of the fact that their privacy is at risk, they still choose to continue using IoT devices due to the convenience and ease of use that this technology offers. On the other hand, most users, when signing up to use these devices, do not usually read the privacy and disclosure statements and agree to all the terms listed there. Most of the time, these statements are very hard to read and hard to fully understand. In addition, users don’t have time to read such lengthy statements and typically decide to agree to the terms of use listed, without even reading or understanding these terms. While one might argue that there is a crucial and critical need for stricter regulations, this technology is evolving at a very fast pace and it has become far too difficult for the current legal community to catch up and frequently update the regulations pertaining to IoT technology.
Security Issues
While IoT devices have been great in changing and aiding the way we do things, especially in the business world, they are also inherently bad at being secure and are often overlooked when it comes to making sure that they are as secure as possible. Anything that is connected to the Internet is a potential door for hackers to infiltrate an organization, which is especially unsettling considering the amount of personal information that IoT devices store and use. The following list covers just some of the security flaws that need to be considered when installing IoT devices in a corporate setting.
Default Raw data storage
Many developers default to saving data in raw storage form, given they have the capacity available to do so. But given the ease with which law enforcement can subpoena this information and use it to prosecute individuals, evaluating how IoT devices collect data and how this data can be used against individuals is part of modern risk assessment (Council, 2018). Implementing policies that define clear rules on data collection, as well as making sure data collected is anonymous, can help relieve some of the problems of using raw data storage.
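One way to apply a collection policy before anything reaches storage, shown as an added example that is not part of the original page: the record layout, the field allowlist and the key are assumptions made up for illustration. It drops direct identifiers, replaces the device serial with a keyed pseudonym and coarsens the timestamp; note that a keyed pseudonym is weaker than true anonymity, because whoever holds the key can re-link records.

```python
import hashlib
import hmac
from datetime import datetime

# Assumed collection policy: only these measurements may be stored.
ALLOWED_FIELDS = {"heart_rate", "steps"}

# Constructed demo key; a real key is kept apart from the stored data.
PSEUDONYM_KEY = b"constructed-demo-key"


def pseudonym(device_id: str, key: bytes) -> str:
    """Stable keyed pseudonym, so records can be grouped without the serial."""
    return hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return the reduced form of a raw telemetry record that is safe to store."""
    ts = datetime.fromisoformat(record["timestamp"])
    stored = {
        "subject": pseudonym(record["device_id"], key),
        # Hour-level precision is enough for trends and hides exact routines.
        "hour": ts.replace(minute=0, second=0, microsecond=0).isoformat(),
    }
    # Everything not on the allowlist (e-mail, GPS, serial) is discarded.
    stored.update({k: v for k, v in record.items() if k in ALLOWED_FIELDS})
    return stored


# Constructed sample record from a hypothetical fitness tracker.
RAW_RECORD = {
    "device_id": "SN-0001",
    "owner_email": "user@example.com",
    "timestamp": "2024-05-03T07:42:19",
    "gps": [41.83, -87.62],
    "heart_rate": 142,
    "steps": 5120,
}

if __name__ == "__main__":
    print(minimize(RAW_RECORD))
```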
Insecure Devices
When it comes to security, IoT devices are often overlooked in a corporate setting. Prior to IoT, IT departments only needed to ensure that the servers and systems used in the business were secure. Since the dawn of IoT devices, most of which are connected to the Internet, a business should ensure that all its IoT devices are regularly updated and that no devices are integrated in the first place if they don’t have sufficient security measures; perhaps IoT devices also need to be on a separate network from the main network that connects servers containing sensitive data. But this isolation somewhat defeats the purpose of the IoT devices in the first place, since these devices are meant to connect to each other and form a trusted network which can help automate processes (Gilchrist, 2017, p.23). The problem arises because a lot of IoT manufacturers don’t provide regular updates to their devices, and sometimes IT departments simply overlook those devices when it comes to installing updates.
Trolls and Bad Players
Sometimes hackers do things just to troll, as was the case with the biggest incident of IoT devices being hacked in the history of IoT devices. A troll managed to send white supremacist literature to printers that were online all over the world, which terrified the IT community by proving the flaws in IoT devices. Adopting new technology sparingly, and only after it has been well tested and proven to be secure, might be the way to prevent such instances from occurring again.
Surveillance
With IoT devices all around us and accessible remotely, there is a new way to collect information about individual and group behaviors and actions. Protecting that information from outside hacking and falling into the wrong hands is a must, and businesses need to look closely into available solutions such as encryption of data to ensure protection of their employees.
Lack of updates
As stated previously, many manufacturers of IoT devices are either very slow to push updates or fail to do so altogether. The question is not whether a specific device will be hacked; it is only a matter of time before it is. The update cycle needs to be frequent, and security updates need to be pushed as soon as a vulnerability is discovered.
Data Breaches
As we can see from recent Facebook breaches, even the top firms, who invest billions in security, are not protected from the threat. Given the amount of information and patterns of usage that IoT devices collect and share between networks with numerous participants, it’s not hard to see how a breach is imminent in the future. Security measures need to be developed, along with an action plan for how to deal with a breach and minimize the damages when one occurs.
Compliant Data Storage
IoT devices generate an enormous amount of data that needs to be processed and stored. “As businesses collect more data via the IoT, they must take care not to suck up personal data without storing it securely and in accordance with international privacy standards” (Council, 2018).
DDoS Attacks
If hackers gain access to a large portion of IoT devices, they can use those devices to send out huge numbers of requests to the servers and infrastructures that those devices are connected to, and effectively overload them. Large companies such as Amazon, Google and Facebook all have large targets on them and are candidates for such attacks in the future. A business should have a plan B or a way to fall back in case it loses access to such technologies in the event a DDoS attack becomes reality and those services are no longer available.
Sensitive Data Storage
IoT breaches can provide access to sensitive data if that data is stored locally and the IoT devices are connected to the same network. Keeping sensitive data, such as credit card information for recurring billing, elsewhere on a platform such as PayPal Pro, Authorize and others can protect it in the event of a data breach. If data must be stored locally, then heavy encryption must be used to ensure the data can’t be read when it falls into the wrong hands.
Security Enhancements
Because there is a prevalence of security issues, there is a need for organizations and technologies to combat these digital threats. Because IoT is a relatively new concept with a large array of manufacturers, consumers have a great deal of choice when purchasing internet-capable electronics. With this freedom comes great responsibility, if not a burden, of ensuring that these items are secure. The encryption, security protocols, and continued updating of IoT products need to be at the forefront of the minds of those purchasing them. More importantly, producers need to compensate for the lack of coordination among competitors with strong security standards. Until these innovations are made more universal (Poudel, 2016, p.1016), many home and enterprise systems employ network-wide firewalls and security software to attempt to filter malicious content before it reaches a vulnerable IoT device.
Deep Packet Inspection (DPI)
Some security protocols have evolved to become more secure by morally questionable means. One key example of this is deep packet inspection (DPI), a speedy and inherently invasive method for firewalls to view the contents of the packets flowing through them. This not only offers a preview of data flowing from the web, but also a processing speed that can be applied to high-speed connections. While its initial application was solely for security, it has become a centerpiece for the surveillance of networking infrastructure (Corwin, 2011, 311-314). This tool for fast and in-depth security shouldn’t be banned on the fallacy of a slippery slope, but instead should receive the oversight and scrutiny of organizations like the FCC. To borrow from some of the better aspects of the GDPR, more transparency is needed about how IoT security tools like DPI are utilized, to ensure they are put in place in a manner effective for security and respectful of privacy. The security risks and benefits of these new technologies deserve consumer awareness (Wachter, 2018b, p.278).
Network-Wide Security Standards
With more interconnected devices also comes a greater need for routine maintenance and vulnerability checks. The methods used to compromise an IoT device are changing to circumvent the aforementioned security measures, something made evident by the 2016 Mirai attack which brought down large segments of the Internet in the northeastern United States (Adryan, Fremantle, Obermaier, 2017, p.381-382).
This was made possible by compromising approximately 100,000 IoT devices to launch a unified botnet DDoS attack against an array of DNS servers. Most devices were home security cameras, made accessible with open ports and guessable passwords (Adryan, Fremantle, Obermaier, 2017, p.387), something that those users should have had better awareness of. Security subsequently became a hot topic after the incident, which even inspired the formation of companies like Minim, which was founded to create a consumer security platform with an IoT-centric approach (Hitchcock, 2018). Security that caters to both consumers and industry leaders helps fill the gaps in varying standards between manufacturers, a necessity as IoT devices become more common.
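A routine check of the kind this section calls for, as an added example that is not part of the original page: it audits a device inventory for the weaknesses named above (reachable remote-administration ports, unchanged factory passwords, stale firmware, and devices outside a separate IoT network). The inventory format, policy thresholds, device names and addresses are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Policy values are assumptions chosen for this example.
IOT_SEGMENT = ip_network("10.20.0.0/24")      # dedicated IoT network
CLEARTEXT_ADMIN_PORTS = {21: "ftp", 23: "telnet", 2323: "telnet-alt"}
MAX_FIRMWARE_AGE_DAYS = 180


@dataclass
class Device:
    name: str
    ip: str
    open_ports: set              # ports found listening during the last scan
    password_changed: bool       # factory password replaced at install time?
    last_firmware_update: date


def audit(device, today):
    """Return policy findings for one device; an empty list means compliant."""
    findings = []
    for port in sorted(device.open_ports & set(CLEARTEXT_ADMIN_PORTS)):
        findings.append(f"port {port} ({CLEARTEXT_ADMIN_PORTS[port]}) is reachable")
    if not device.password_changed:
        findings.append("factory password still in use")
    age = (today - device.last_firmware_update).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware is {age} days old")
    if ip_address(device.ip) not in IOT_SEGMENT:
        findings.append("not on the dedicated IoT segment")
    return findings


def audit_inventory(devices, today):
    """Map device name -> findings, keeping only non-compliant devices."""
    report = {}
    for device in devices:
        findings = audit(device, today)
        if findings:
            report[device.name] = findings
    return report


# Constructed sample inventory (names and addresses are made up).
INVENTORY = [
    Device("lobby-cam", "10.20.0.14", {23, 554}, False, date(2023, 1, 10)),
    Device("hvac-thermostat", "10.20.0.31", {443}, True, date(2024, 4, 2)),
    Device("floor2-printer", "192.168.1.77", {443, 9100}, True, date(2024, 3, 15)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2024, 6, 1)).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```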
Key IoT Laws
Laws are an integral part of society that are needed to regulate both old and new things that come into existence. The IoT is no exception to this. There are many laws in place that have a role in the sphere of the IoT around the world. Unfortunately, these laws and regulations could be seen as lacking. This is due to the fact that laws “are often too narrowly drafted to cover all implementations of new technologies” (McMeley, 2014, p.71). The IoT is growing, and the laws that currently impact the IoT in the context of privacy should be understood. By understanding the current foundation that is in place, proper solutions can be considered in creating new laws or adjusting old ones to properly tackle the numerous privacy-related issues stemming from the IoT.
United States
When it comes to the United States of America, the regulations in place are categorized based on whether they are federal legislation, state legislation, or executive agency enforcements (Tran, 2017, p.273). These current regulations focus on privacy as a whole rather than privacy that is directly related to technologies such as the IoT. The Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), and the Fair Credit Reporting Act (FCRA) fall under federal legislation that can be used for regulation of the IoT (Tran, 2017, p.274). HIPAA deals with health and medical information, COPPA protects information related to children, and FCRA involves credit information. State legislation differs from state to state, and these inconsistencies create a gray area when it comes to IoT privacy and bring forth a lot of confusion.
Federal Trade Commission
Regulations created by the Federal Trade Commission (FTC) are labeled as executive agency enforcements. This agency operates under the FTC Act, which “states that ‘unfair or deceptive acts or practices in or affecting commerce’ are unlawful” (Tran, 2017, p.276). The FTC is not afraid to act on these powers, as shown when TRENDnet experienced their IoT cameras being compromised. These cameras recorded information that many would consider sensitive. To make matters worse, TRENDnet failed to properly set up security countermeasures to combat any privacy and security vulnerabilities that these devices contained (Tran, 2017, p.277). However, the FTC is limited in its power to completely enforce anything on a national level to protect the privacy of all denizens, since it can do nothing if the situation is beyond the scope of its authority.
Europe
In contrast, European countries have the Article 29 Working Party instead of the FTC to focus on data security and privacy (Poudel, 2017, p.1019). In addition to this, they have the General Data Protection Regulation (GDPR), which came into play in May 2018. This regulation accounts for numerous privacy-related issues of the IoT. The relevant IoT standards relate to “informed consent, notification duties, privacy by design and privacy by default, data protection impact assessment, algorithmic transparency, automated decision-making, and profiling” (Wachter, 2018a, p.3). This is by no means a perfect solution, since many of the GDPR provisions conflict with how IoT devices and their data controllers function, but it is still one step in the right direction to securing IoT and our privacy.
References
Adryan, B., Fremantle, P., & Obermaier, D. (2017). The technical foundations of IoT, 381-414.
https://library-books24x7-com.ezproxy.gl.iit.edu/assetviewer.aspx?bookid=132775&chunkid=246844967&rowid=803
Corwin, E. (2011). Deep Packet Inspection: Shaping the Internet and the Implications on Privacy and Security. Information Security Journal: A Global Perspective, 20(6), 311–316.
https://doi-org.ezproxy.gl.iit.edu/10.1080/19393555.2011.624162
Council, Y. E. (2018, August 08). 10 Big Security Concerns About IoT For Business (And How To Protect Yourself). Retrieved April 27, 2019, from
https://www.forbes.com/sites/theyec/2018/07/31/10-big-security-concerns-about-IoT-for-business-and-how-to-protect-yourself/#38ec52c17416
Gilchrist, A. (2017). IoT Security Issues|Paperback. Retrieved April 28, 2019, from
https://www.barnesandnoble.com/w/IoT-security-issues-alasdair-gilchrist/1125533132
Hitchcock, J. (2018). Why Minim. Retrieved from
https://www.minim.co/blog/why-minim
McMeley, C. S. (2014). Protecting Consumer Privacy and Information in the Age of the Internet of Things. (Cover story). Antitrust Magazine, 29(1), 71–77.
Poudel, S. (2016). Internet of Things: Underlying Technologies, Interoperability, and Threats to Privacy and Security. Berkeley Technology Law Journal, 31, 997–1021.
https://doi-org.ezproxy.gl.iit.edu/10.15779/Z38PK26
Schultz, J. (2016). Law and Technology The Internet of Things We Don’t Own? Communications of the ACM, 59(5), 36–38.
https://doi-org.ezproxy.gl.iit.edu/10.1145/2903749
Tran, A. H. (2017). The Internet of Things and Potential Remedies in Privacy Tort Law. Columbia Journal of Law & Social Problems, 50(2), 263–298.
Wachter, S. (2018a). Normative challenges of identification in the Internet of Things: Privacy, profiling, discrimination, and the GDPR. Computer Law & Security Review, 34(3), 1-22.
https://doi-org.ezproxy.gl.iit.edu/10.1016/j.clsr.2018.02.002
Wachter, S. (2018b). The GDPR and the Internet of Things: a three-step transparency model. Law, Innovation & Technology, 10(2), 266–294.
https://doi-org.ezproxy.gl.iit.edu/10.1080/17579961.2018.1527479