The Internet of Flings and Things

September 2015
Privacy In Focus

By: Greg Garcia

What do wearable technology and Ashley Madison have in common? One can measure high heart rate, the other can cause it, and both are hackable, exposing the risky interplay between the networked human and networked technology. Whether it is a matchmaker of connected things like wearable technology, the automated home, or searchable flings, the Internet can be a glass house of mirrors, recursively exposing and amplifying users’ most private and sensitive information.

Automated Productivity or Risky Business

And now we have the “Internet of Things” (IoT), where “things” and systems can communicate data with each other over a network without human or computer interaction. Think networked self-driving smart cars, or home appliances with sensors and remote control; industrial control systems that support predictive maintenance and reduce energy waste; or diabetes monitoring equipment that keeps one’s doctor informed remotely of critical trending changes in a patient’s health status.

Clearly, the opportunities for both productivity and peril are plentiful. IoT presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access to and misuse of personal information; (2) facilitating attacks on networked systems; and (3) creating risks to personal safety. Even so, by 2013 there were already as many as 13 billion Internet-connected devices, and projections indicate that this will grow to 50 billion or more by 2020.

Risk-Aware Innovation

What is most needed as we feel out this evolving marketplace is an ongoing calibration of human trust in the design of our networked services. In short, risk-aware innovation. Security and privacy built in. The market will flourish when users trust that their connected services will perform as advertised and not expose security and privacy flaws.

Even with the steady growth of IoT technology, many consumers and businesses don’t yet trust that there is a mature structure for ensuring these protections are built in. Nor do they necessarily trust that government regulation can anticipate all the promise and problems in the IoT. I am reminded of a revelatory confession made years ago by a European Commission (EC) official comparing the EC way of thinking about technology against that of the United States: “In Europe, when a new technology comes along, we think of everything that can go wrong and then regulate it,” he said. “In the United States, a new technology comes along and you wait until things go wrong, and then you regulate what needs to be regulated. In Europe,” he mused, “I’m afraid fear is stronger than curiosity.”

Trust Framework

So how do we get to risk-aware innovation without following the EC path? The Online Trust Alliance, a 501(c)(3) nonprofit organization and think tank, developed and released on August 11 a discussion draft of an “IoT Trust Framework.” This framework focuses on voluntary best practices in security, privacy, and sustainability. The initial focus is on two primary categories: 1) home automation and connected home products, and 2) wearable technologies, limited to health and fitness categories. The draft is open for public comments, and preliminary reports indicate significant constructive feedback and general support.

At minimum, the draft framework takes control over the conversation about expectations of trust, privacy, and security. It contains 23 recommendations:

  1. The privacy policy must be readily available to review prior to product purchase, download, or activation and be easily discoverable to the user. Such policies must disclose the consequences of declining to opt-in or opt-out of policies, including the impact to usage of key product features or functionality.
  2. The privacy policy display must be optimized for the user interface to maximize readability.
  3. Manufacturers must conspicuously disclose all personally identifiable data types and attributes collected.
  4. Any default personal data sharing must be limited to third parties/service providers who agree to confidentiality and to limit usage for specified purposes.
  5. The term and duration of the data retention policy must be disclosed.
  6. Manufacturers must disclose if the user has the ability to remove, have purged, or made anonymous personal and sensitive data (other than purchase transaction history) upon discontinuing device use, loss, damage, sale, or device end-of-life.
  7. Personally identifiable data must be encrypted or hashed at rest (storage) and in motion using best practices including connectivity to mobile devices, applications, and the cloud utilizing Wi-Fi, Bluetooth, and other communication methods.
  8. Default passwords must be prompted to be reset or changed on first use or uniquely generated.
  9. All user sites must adhere to SSL best practices using industry standard testing mechanisms.
  10. All device sites and cloud services must utilize HTTPS encryption by default.
  11. Manufacturers must conduct penetration testing for devices, applications, and services.
  12. Manufacturers must have capabilities to remediate vulnerabilities in a prompt and reliable manner either through remote updates and/or through consumer notifications and instructions.
  13. Manufacturers must have a breach response and consumer safety notification plan, at a minimum reviewed semi-annually.
  14. Manufacturers must provide secure recovery mechanisms for passwords.
  15. Device must provide a visible indicator or require user confirmation when pairing or connecting with other devices.
  16. All updates, patches, revisions, etc. must be signed/verified.
  17. For products and services which are designed to be used by multiple family members and collect PII, manufacturers need to incorporate the capability for creating individual profiles and/or have parental or administrative level controls and passwords.
  18. Manufacturers must publish and provide timely mechanisms for users to contact the company regarding issues including but not limited to the loss of the device, device malfunction, account compromise, etc.
  19. Manufacturers must provide a mechanism for the transfer of ownership including providing updates for consumer notices and access to documentation and support.
  20. The device must have controls and/or documentation enabling the consumer to set, revise, and manage privacy and security preferences including what information is transmitted via the device.
  21. Manufacturers must publish to consumers a time-frame for support after device/app is discontinued or replaced by newer version.
  22. Manufacturers must disclose what functions will work if “smart” functions are disabled or stopped.
  23. Configure all security and privacy related email communications to adopt email authentication protocols.
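Recommendation 16 (all updates must be signed/verified) is the one item on this list that reduces to a concrete engineering check, so here it is in working form. This is an added example, not code from the Online Trust Alliance or from this newsletter: the vendor signs a small update manifest (version plus SHA-256 digest of the image) with Ed25519, and the device, which carries the vendor's public key, refuses any update whose signature or image digest does not check. The manifest layout, the key handling and the sample image are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest describes one firmware image; only the manifest is signed,
// and the image is bound to it through its SHA-256 digest.
type UpdateManifest struct {
	Version uint32
	Digest  [32]byte
}

// Bytes serialises the manifest into the exact byte string that gets signed.
func (m UpdateManifest) Bytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

var ErrBadSignature = errors.New("manifest signature invalid")
var ErrDigestMismatch = errors.New("image digest does not match manifest")

// SignUpdate is the vendor side: hash the image, build the manifest, sign it.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) (UpdateManifest, []byte) {
	m := UpdateManifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.Bytes())
}

// VerifyUpdate is the device side: the vendor public key is provisioned in the
// firmware, and the signature must check before the image digest is compared.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v2") // constructed sample, not real firmware
	m, sig := SignUpdate(priv, 2, image)
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, image))
	image[0] ^= 0xff // flip one byte to simulate tampering in transit
	fmt.Println("tampered:", VerifyUpdate(pub, m, sig, image))
}
```

Verifying the manifest signature first means a forged manifest is rejected before the device spends time hashing a possibly large image.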

The IoT Trust Framework draft pegs these recommendations to the Fair Information Practice Principles (FIPPs), and further supports the development of a device and application certification program that evolves over time with the latest best practices, security standards, and regulatory requirements and the changing threat landscape.

Policy Implications

While federal agencies have been looking seriously at where the regulatory and policy equities play in the emerging IoT space, there is not yet a rush to regulate but perhaps a more measured exercise of the government’s role as a convening authority. This is a good thing. And whether the Internet generates trust or trysts among things or flings, the government will do well by letting private sector initiatives like the IoT Trust Framework play out. Where problems arise or the market fails, the government can then bring together the multidisciplinary stakeholders and iron out the standards for keeping the Internet safe and our heart rates in check. Clearly there is a different trust framework in play in online affair sites, but the need for privacy and security controls remains an imperative wherever we connect people with the Internet.

For more information, please contact:

Greg Garcia
202.465.7755