Tech pundits have been warning that IoT devices are low-hanging fruit just waiting to be plundered by cybercriminals. The Dyn DDoS attack on October 21, 2016 indicates the pundits’ predictions are now fact.
Researchers at the international law firm of Mason, Hayes, and Curran in the December 2, 2016 blog post ‘IoT’ Devices under the Regulatory Microscope suggest that is indeed the case. As evidence, the authors cite findings from a recently published report by the Global Privacy Enforcement Network (GPEN).
“The annual review: Findings of the International Privacy Sweep 2016 found that many companies [involved with IoT systems] failed to explain to users how their personal data is collected, stored, and safeguarded via devices that boast internet connectivity,” mention the Mason, Hayes, and Curran authors. “GPEN found that companies demonstrating good privacy communication practices were in the minority.”
To determine the lack of privacy, GPEN researchers worked with 25 of the Data-Protection Authorities based in 39 jurisdictions around the world—including most EU countries and the US—to inspect over 300 IoT devices, focusing on what the IoT-device manufacturers communicated to their customers regarding the customer data collected and the amount of privacy being guaranteed. The Mason, Hayes, and Curran post adds, “The aim of the review was to increase awareness of best practices and to encourage compliance with privacy legislation.”
SEE: Internet of Things: The Security Challenge (ZDNet/TechRepublic special report)
Conclusions from the privacy report
The 2016 GPEN Privacy Sweep report came up with the following conclusions:
- 72% failed to explain how customers could delete their information.
- 68% failed to explain properly how information was stored.
- 60% failed to adequately explain to customers how their personal information would be collected and processed.
- 38% failed to include easily identifiable contact details if customers had privacy concerns.
John Rogers, senior investigations officer at the Office of the Data Protection Commissioner in Ireland, who coordinated the Irish privacy sweep which inspected nine devices, ranging from smart electricity meters to fitness trackers mentions, “There can be no doubt as to the benefits of modern technology in our everyday lives, but the introduction of this technology must be done in a clear and transparent manner and not adversely impact privacy rights.”
“The findings of our sweep show that much more needs to be done to meet data protection standards,” adds Rogers. “Companies making these devices must make it clear to consumers about how their personal information is being collected, used, and how consumers may delete their information if they wish.”
The Mason, Hayes, and Curran blog post points out that officials from the DPAs involved in the sweep are reviewing their options going forward, which include:
- possible legal action against developers and suppliers who have been breaking laws, and
- identified concerns may result in enforcement action.
So not only are IoT devices vulnerable to malicious attacks, the device manufacturers seem to be ignoring privacy concerns.
SEE: How the Mirai botnet almost took down an entire country, and what your business can learn (TechRepublic)
Advice for IoT device developers
The Mason, Hayes, and Curran authors point out regulatory bodies are increasing their focus on the principles of data protection by design and default, particularly in cases where large amounts of personal data are collected or used. They then suggest that IoT developers and manufacturers should:
- be transparent about how personal data is collected, used, and disclosed;
- implement privacy policies and just-in-time notices to inform users and other individuals; and
- design, optimize, and adopt internal data protection policies and practices in line with these principles.
SEE: Video: The top 5 reasons you should care about privacy (TechRepublic)
The reality of the situation
Sadly, there is a good chance nothing will be done to improve privacy with regards to IoT devices. Alasdair Allan in his Motherboard article Why the Internet of Things May Change How We View Privacy writes:
“Right now there is a poor understanding of how the Internet of Things will be paid for, and in the short term companies are attempting to fill the gap using the business model they’re most comfortable with…”
And the business model Allan refers to is the one in which user data—likely considered private—is being sold.