It wasn't all that long ago, just 1999, that the term "the Internet of Things" was first coined. Soon after that, LG announced its plans to release the first connected refrigerator, which was programmed to sense and keep track of the groceries stored inside. Now, while we're at a relatively early stage in the development of the Internet of Things, we've certainly seen it grow by leaps and bounds. And the numbers confirm the popularity of IoT devices. I'm sure that you've been hearing a lot of facts and figures over the last couple of days, but tech researcher Gartner reports that 6.4 billion connected things will be used worldwide this year, up 30% from 2015, and by 2020 that number
will exceed twenty billion. Now, to put it more starkly, in 2016 alone 5.5 million new devices will be connected every single day. And as new IoT devices continue to hit the market, they continue to increase in sophistication. Smart technologies no longer simply count steps or allow consumers to turn off their home lights remotely. IoT devices now have the ability to predict and prevent problems from just about anywhere. For example, connected cars can now notify drivers of dangerous road conditions and offer real-time diagnostics to drivers and service facilities. And companies in the oil industry have started to implement smart technologies that can detect issues such
as a corroded pipeline or leaks, and immediately address them before any accidents happen. And it's only a matter of time before your house will know that you're coming home because it's connected to a sensor in your car or your smartphone.

But, like its potential benefits, the potential risks from the Internet of Things also emerged at a breakneck pace. Last year researchers warned that we would soon start to hear about smart home hacking, and sure enough, several studies have shown that it only takes between 5 and 20 minutes to find a way to compromise home automation devices. Even more worrying, researchers have also
shown they're able to hack remotely into various medical connected devices such as insulin pumps and change their settings so that they no longer deliver medicine. This is our new reality. We've now seen attackers infect connected medical devices with malware and ransomware at hospitals, and they have exploited connected medical devices to obtain medical data, which is now considered ten times more valuable than a credit card number. Incidents like these risk the erosion of consumer trust, a key issue that's facing the continued growth of the Internet of Things. A 2015 survey conducted by TRUSTe found that 79 percent of consumers are concerned about smart devices collecting their
data, and 25% mentioned concern about the security and privacy of the data collected as the primary reason why they did not currently own a smart device.

So, how can we enjoy the enormous benefits that the Internet of Things can offer while at the same time addressing potential risks to consumer privacy, safety and security? How do we avoid waking up one day in the not too distant future living in a world like the one Wired magazine writer Mat Honan humorously describes in his essay, "The Nightmare on Connected Home Street," where our homes become infected with malware causing everything in them to go haywire, leading to loss not only of control
over almost everything in our home but also the most basic semblance of privacy. In my view, we need to do a much better job of navigating the evolving IoT landscape in a way that both addresses our desire for convenience, efficiency and innovation but, at the same time, safeguards the most personal aspects of our lives. Before getting to a few thoughts about how we might go about doing that, I'd first like to spend a few minutes addressing what I see as the key risks that are presented by the Internet of Things. And then I'll suggest some steps that I think the IoT industry can take to address these risks and enhance consumer privacy and security,
thereby building consumer trust in the Internet of Things.

The ever-increasing collection of data and the growing sophistication of the tools to analyze that data present one of the central risks emanating from the Internet of Things. Today we're bringing IoT devices into our homes, our cars, our workplaces, and with the proliferation of wearables we are increasingly placing them on our bodies. In other words, we're placing them and bringing new sources of data collection into what used to be intimate spaces, and we're effectively allowing companies to digitally monitor our otherwise private
activities. The sheer volume of data that even a small number of devices can generate is absolutely stunning. For example, fewer than 10,000 households using an IoT home automation system can generate a hundred and fifty million discrete data points per day. A recent report by ABI Research estimates that in the aggregate the volume of data captured by the Internet of Things will exceed one point six zettabytes by 2020. A zettabyte is equivalent to about two hundred and fifty billion DVDs. All of these independent data points, when patched together, present a deeply personal and startlingly complete picture of each of us, one that includes details about our
financial circumstances, our health, our religious preferences, and our family and friends. And the collection of this personal information only leads to a host of other sensitive inferences, including our mood, stress levels, personality type, demographics, well-being, sleep patterns, level of fitness... to name just a few.

This pervasive collection leads to the next inevitable question and another key risk that is presented by the Internet of Things: what is happening to the IoT-generated data? And how is it being used? As an initial matter, the data gathered by IoT sensors and systems can pass through any number of hands beyond those of the user that generated the data: the company whose hardware collects it,
the software business that processes it, and the app maker that provides functionality. Not only might they be collecting data that extends well beyond what is needed to provide a particular service, they may very well also be sharing it with a multitude of unknown parties. And all those with access can perform analyses that would not be possible with less rich data sets, providing the ability to make additional sensitive inferences and compile even more detailed profiles of consumer behavior. Let me give you a concrete example: in 2014, the FTC studied 12 health-related mobile apps to determine whether they were transmitting personal
information to third parties and, if so, what kind of information they were transmitting and to whom. We found that these apps transmitted sensitive health conditions, such as information about pregnancy and ovulation, along with consumers' names, email addresses and other unique and persistent identifiers to third parties, including ad networks and analytics firms. In the absence of appropriate controls over this kind of information, our research demonstrates that companies will continue to collect and infer sensitive data from consumers, often without their knowledge.
Today, a consumer may use a fitness tracker solely for wellness-related purposes, but the data gathered by the device could be used to price health or life insurance or to infer the user's suitability for credit or employment. Some of these concerns are ones that we addressed recently in our big data report. All of this is particularly problematic if these uses occur without consumers' knowledge or consent, without ensuring the accuracy of the data, or outside of the context in which the information was provided. There are also a number of other unexpected ways in which IoT technologies might be used that
could infringe on consumers' privacy. Recent news reports show that a whole host of IoT devices, including baby monitors and other household video cameras, smart TVs, toys, and cars, can be used for identification, surveillance, monitoring and location tracking. In light of various studies showing that consumers are deeply concerned about IoT's data collection, disclosure of sensitive information, and their lack of control and awareness of who has access to the data that's collected, it's particularly important for IoT manufacturers to design devices that take into consideration unexpected uses of their IoT data and the potential for misuse.

Another key issue relates
to the heightened security risks presented by the Internet of Things. Security risks in this area could be more acute because of the lack of economic incentives to provide reasonable security, the increased vulnerability from Internet connectivity and use of shared networks, and the potential impact on consumers' physical safety. Many IoT devices are small, low-cost and essentially disposable, and companies may not view it as cost-effective to update software, apply a patch, or provide other ongoing consumer support for existing devices, focusing instead on new product development or other opportunities for business growth.
Moreover, the small size and limited processing power of many connected devices can inhibit encryption and other robust security measures. Second, there are a number of security risks that result from increased connectivity between IoT devices and the Internet. One risk is that attackers can exploit IoT devices by accessing and misusing consumers' personal information collected and transmitted to or from these devices. Let's take fitness trackers as an example. A recent study by a Canadian nonprofit called Open Effect found that 7 of 8 fitness tracking devices transmitted
a persistent unique Bluetooth identifier, allowing them to be tracked by beacons that are increasingly being used by retail stores and shopping malls to recognize and profile their customers. This study also found that companion apps for these fitness devices leaked login credentials and transmitted activity tracking information in a way that allows unscrupulous actors to intercept or tamper with them. As consumers use smart devices more regularly, intruders may exploit these vulnerabilities to facilitate ID theft or other types of fraud. A related concern is that vulnerabilities on a single device can facilitate attacks on other systems. For
instance, recent news reports also show how hackers gained access to 900 Internet-connected closed-circuit TV cameras and used those cameras to perform a denial-of-service attack on a company. Denial-of-service attacks are more pernicious when the attacker has more devices under his or her control, and as IoT devices proliferate, these types of attacks may become more common. As another example, just last month the FTC settled charges with computer hardware maker ASUSTeK that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk. Specifically, we allege that the router's
insecure cloud services led to the compromise of thousands of consumers' connected storage devices, exposing their sensitive personal information on the Internet. As IoT devices connecting to home networks increase, the harm from insecure router security will only continue to escalate. Finally, security vulnerabilities can have a significant impact on our personal and physical safety. By exploiting vulnerabilities in IoT devices, attackers may well be able to open garage and other doors across the whole country, switch off critical medical devices, or set millions of ovens on full heat, causing some to catch fire. Last month in the UK a temporary glitch at British Gas resulted in smart
thermostats raising the temperature of consumers' homes to 90 degrees Fahrenheit.

As these examples show, as the use of the Internet of Things becomes more widespread, unfortunately so do the risks. At the FTC we're continuing to examine these and related risks in the context of the Internet of Things and related arenas; in fact, today we just announced a series of workshops that the FCC will be holding in the fall to examine protection implications of ransomware, drones, and smart TVs.

Now, having spent some time discussing what I see to be the principal risks presented by the Internet of Things, let me now turn to what I think the IoT industry can do to address them. First, I
firmly believe that companies should follow the principle of data minimization. While I recognize the value of some data might lie in unanticipated uses, these interests can and should be balanced with the interest in limiting the privacy and data security risks to consumers. Companies should examine their data practices and business needs and develop policies and practices that weigh the potential benefits against the potential harms. So, what might this kind of exercise look like? Companies should be asking questions at the front end about what types of data they're collecting, and to what end, and for how long they anticipate keeping it. They should also weigh the potential usefulness of particular
data against its sensitivity and consider making alternative choices. For instance, a company might choose to collect zip codes rather than precise geolocation after considering the risks. And when companies make a determination about what data they need to collect, they should consider what controls are in place to mitigate potential harms. As part of this analysis, companies should ask questions like, "Can the data be maintained in de-identified form?" "Can access to the data be limited?" "Is there a process for vetting new or innovative uses of the data to determine whether they may lead to adverse consequences for consumers before engaging in them?" Through this kind of an approach, a company can minimize
its data collection, take steps to address risks to the data it chooses to collect and maintain, and still promote its business goals. Ultimately, companies should keep in mind that just as collecting and retaining data may bring unanticipated benefits, it might also bring unanticipated harms.

Second, companies should give consumers clear notice and provide simplified choices for unexpected collection or uses of their data. Consumers know, for example, that a smart thermostat is gathering information about their heating habits and a fitness band is gathering data about their physical activity. But would they know and expect this information to
be shared with data brokers or marketing firms? Probably not. In these and similar cases, consumers should be given clear and simple notice of the proposed uses of their data and a way to give consent. Now, I recognize that providing simplified notice and choice in an IoT world where devices often lack a consumer interface is easier said than done. And we risk inundating consumers with too many choices as connected devices and services proliferate. But in my mind the question is not whether consumers should be given a say over unexpected uses of their data, but rather how to provide consumers with control over their personal information. Whatever approach
a company decides to take to provide choice, whether it's at the point of sale, during setup and installation, or another way, they should ensure the privacy choices are clear and prominent and not buried within lengthy privacy notices. It's also important that companies aim to provide just-in-time choices in which they can convey important information to consumers and allow them to exercise choice at the time of data collection, sharing, or use. There are promising ideas that may help companies provide consumers with more control. At Carnegie Mellon CyLab, for example, they're developing personalized privacy assistants that are capable of learning the privacy preferences of their users over time,
semi-automatically configuring many settings and making privacy decisions on their behalf. Imagine having a privacy assistant that is running on your smartphone or your smart watch. The privacy assistant listens for sensors that are broadcasting their privacy policies and can make determinations on your behalf. If it knows, for instance, that you don't mind sharing your home's temperature settings, it can make that decision for you. Or it can prompt you to make decisions. If it realizes that your thermostat is sharing your email address with an ad network, it can ask you to decide whether you are comfortable with
this kind of sharing. Clearly, there's more work to be done in these areas, but I'm confident that the same ingenuity, design acumen and technical know-how that is bringing us the Internet of Things can also provide innovative ways to give consumers easy-to-understand choices.

Finally, companies should prioritize security and build it into their devices from the outset. Companies should conduct a privacy or security risk assessment as part of the design process. They should test security measures before products launch. Use smart defaults by requiring consumers to change default passwords in the setup process. They should
consider encryption, particularly for the storage and transmission of sensitive information such as health data, and they should monitor products throughout their lifecycle and, to the extent possible, patch known vulnerabilities. In addition, companies should implement technical and administrative measures to ensure reasonable security, including designating people responsible for security in the organization, conducting security training for employees, and taking steps to ensure service product providers also protect consumer data.

So, let me just close with a final thought: the Internet of Things is clearly still in its early stages, but it's growing much more rapidly than many imagined. IoT devices and systems are
becoming more integrated into important areas of our lives and transforming the way that we interact with technology. And, while the Internet of Things can provide enormous benefits to consumers in a wide array of arenas, the risks IoT devices pose to consumers' privacy, safety and security have also been significantly magnified. If we want to instill consumer confidence in the Internet of Things and ensure that we don't end up anywhere near the futuristic dark scenario that Mat Honan set out in his Wired magazine essay, companies need to develop and implement innovative approaches to protecting consumers' privacy and security, and they need to do that now. In my view, it's only with protections that are mindful of
privacy and security that the Internet of Things will maximize its potential in our daily lives and across our economy. Thank you very much.