With the mass adoption of smart devices for home and industrial use, the Internet of Things (IoT) ecosystem also introduces a large amount of data that is embedded in, and synchronized across, these devices. As a result, these devices can be controlled through any exposed APIs provisioned by third-party platforms and other smart devices.
Integrating a smart device with multiple other devices (mobiles, tablets and so on), with data linked at every point of presence (PoP), raises privacy concerns for individuals and for groups of people.
In many cases, individuals are not even aware that their data is being synchronized across multiple devices and tracked by smart devices which can potentially send data to, and receive data from, virtually any platform.
The situation evokes the watchwords of a dystopian life without freedom, where "Big Brother is always watching you".
Because of the pace of technological change, the heavy use of third parties and the growing pressure to do more with personal data, individuals now have to weigh multiple considerations when choosing a smart device in order to mitigate its numerous privacy risks.
Technically, a smart device today is itself an ultra-connected environment of capabilities and services that interacts with, and among, other smart devices. Its virtual representation is built on existing technologies such as sensors, controllers and low-power wireless, together with services available from the wider internet.
Key Security Constraints
Data processing in smart appliances and devices can take place in several ways, ranging from locally (on the device) to remotely, with information sent to a point of presence (such as a mobile phone or tablet). Once the data has been sent to another device it can be inspected and altered by either another device or a human being.
Information collected by smart device sensors connected to the cloud or to other smart devices can yield a tremendous amount of data, which can then be combined, analyzed and acted upon, all potentially without adequate accountability, transparency, security or meaningful consent.
Some of the major privacy and security concerns impeding the momentum of the adoption of smart devices include:
- Gaining physical access to homes or commercial premises through attack vectors against smart door locks and electronic locking mechanisms.
- Capturing data from the sensors of smart devices is another major area of which consumers are generally unaware.
- In such cases there is a high risk of a user being placed under surveillance by an organization or an individual without the customer knowing about it.
- With data distributed across multiple devices and ecosystems, clustering and classification algorithms could identify patterns that track a user's current location from the information stored in smart devices and shared with devices that have location sensors.
- Personal and sensitive data leakage: theft of money and identities based on leaked personal information is one of the major concerns, and could happen by aggregating data from multiple smart devices controlled by a single device (such as a mobile phone).
- Gaining unauthorized access to smart devices.
- Misusing application features: one interesting application that can be extended to a smartwatch (Android Wear 2.0) is a remote camera shutter.
- When the phone's camera app is active, its screen can be shared with the smartwatch, and the user can control the shutter and view photos. Third-party applications also use the phone camera for streaming and potentially other camera control features.
- From a security perspective, a remote camera shutter that is exploited could become a means of spying on individuals, which again is one of the major concerns and the root of the notion that "SOMEONE IS... ALWAYS WITH YOU".
... as a customer, what should I focus on?
As a customer, the prime focus should be on obtaining security-tested products and keeping them updated with the latest software releases provided by the smart device vendors. The following are some of the key factors a customer should focus on to reduce the privacy risks posed by the smart devices they already use:
- Identifying which devices hold your data (the connected smart home devices that have your personal information).
- How those devices relate to other data holders (e.g. third parties, cloud applications etc.).
- Whether personally identifiable information (PII) is shared with external applications (for correlation and analysis, as health-related applications do).
- Where those devices and their data reside, and what controls apply there.
- How the PII involved is managed and controlled.
The following are some of the key principles which customers should follow, at a minimum, when adopting new smart devices.
- Notice: only provide details to an appliance or application if, at the time the information is collected, it gives a notice describing how personal information is processed and protected, and only provide personal information that is necessary, relevant and not excessive for the purposes for which it will be used. This notice should include:
- information about the purposes for which the appliance collects and uses information, and
- to whom it may be disclosed.
- Access: third-party applications and devices should be given only restricted access to personal information, and the customer should have the opportunity to correct, amend or delete any personal information held on the smart device.
- Information integrity: reasonable steps should be taken to verify that shared information will be used only for the purpose for which it was collected.
- Information retention: identify the retention period, so that personal information is kept only as long as required to meet the purposes for which it was collected.
Remediation for Smart Device vendors
Vendors should primarily emphasize the following key controls to reduce security and privacy risks:
- Approach to masking and scrambling data: personal and sensitive data needs to be masked in all appliance and virtual environments in order to avoid exposing it to people who are not normally authorized to see it.
- Criteria for masking and scrambling data: at a minimum, certain criteria should be followed when masking and scrambling data. Some of the important criteria include:
- It should not be reversible.
- It should be impossible to determine the original data from the masked value. Note that an unkeyed hash of a low-entropy field (a phone number, a date of birth) can be reversed simply by hashing every candidate value, so deterministic masking needs a secret key that never leaves the vendor.
- It should maintain relational integrity (the same original value always maps to the same masked value, so records can still be joined across devices).
- It should be able to mask key fields.
- It should be compatible with all systems on the platform (standard across devices and appliances).
- Strategies for sharing relevant data across parties: copy only the subset of the data that is relevant. This strategy has its drawbacks, since it requires special conditions and effort to copy only a subset of the data.
- Delete personal or sensitive data across devices and use unique identifiers to identify the resources: one strategy for masking personal or sensitive data is to use unique identifiers across devices to correlate information back to the primary source on the smart device.
- However, this strategy does not help in all cases, since the real data may be required for testing or validation. Deleting particular personal data also takes effort and may run into technical limitations imposed by platform requirements.
- Replace personal or sensitive dates with 'aged' dates: this strategy applies specifically to date fields and is useful for masking a date of birth.
- Alter personal or sensitive data by character replacement: this strategy applies to text and numeric fields and masks the data without changing the size (length) of the field.
- Maintain the confidentiality and integrity of personal data collected from smart devices and appliances by provisioning encryption, authentication and integrity protections.
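As an added example (not code from the article or from any vendor), the following Python module applies the masking strategies listed above to records pulled from two appliances of one user and one appliance of another: keyed pseudonyms (HMAC-SHA256) satisfy the irreversibility and relational-integrity criteria, a per-subject offset produces 'aged' dates, and character replacement keeps field length and format. The masking key, field names and sample records are constructed for illustration. The `dictionary_attack` function shows, from the attacker's side, why "not reversible" requires a secret key rather than a plain hash of a low-entropy field.

```python
"""Keyed data-masking helpers for records collected from smart devices.
Added example, not the article's or any vendor's code; the key, field names
and sample records are constructed for illustration.
"""
import hashlib
import hmac
import string
from datetime import date, timedelta

# Constructed secret; in production it would live in a KMS/HSM and never be
# shipped to the device or handed to an analytics partner.
MASKING_KEY = b"example-vendor-masking-key-rotate-me"

# Constructed records: two appliances of one user, one appliance of another.
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "email": "alice@example.com", "phone": "5551234567",
     "dob": "1990-04-12", "device": "thermostat", "temp_c": 21.5},
    {"user_id": "u-1001", "email": "alice@example.com", "phone": "5551234567",
     "dob": "1990-04-12", "device": "doorlock", "state": "locked"},
    {"user_id": "u-2002", "email": "bob@example.com", "phone": "5559876543",
     "dob": "1985-11-30", "device": "thermostat", "temp_c": 19.0},
]
PII_FIELDS = ("user_id", "email", "phone")   # tokenised with a keyed hash
DATE_FIELDS = ("dob",)                        # shifted by a per-subject offset


def pseudonymize(value, key):
    """Deterministic keyed token (HMAC-SHA256 truncated to 64 bits).
    Same input + same key -> same token, so joins across devices still work;
    without the key nobody can recover the input or even test a guess."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def plain_hash(value):
    """What NOT to do for low-entropy fields: an unkeyed hash is deterministic,
    but anyone can hash candidate values and match them (see dictionary_attack)."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def dictionary_attack(token, candidates, token_fn):
    """Attacker's view: run every candidate through the tokenising function the
    attacker is able to run and look for a match. Returns the plaintext or None."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


def age_date(iso_date, subject, key, max_days=365):
    """Shift a date backwards by a per-subject offset (1..max_days) derived from
    the key. The same subject always gets the same offset, so intervals between
    that subject's dates are preserved while the real date is hidden."""
    digest = hmac.new(key, b"date-shift:" + subject.encode(), hashlib.sha256).digest()
    offset = int.from_bytes(digest[:4], "big") % max_days + 1
    return (date.fromisoformat(iso_date) - timedelta(days=offset)).isoformat()


def mask_chars(value, key):
    """Length-preserving replacement: digits stay digits, letters keep their case,
    punctuation is untouched, so format checks on the platform still pass.
    Replacements come from a keyed stream, so the result is deterministic for a
    given value but not derivable without the key."""
    stream = hmac.new(key, b"chars:" + value.encode(), hashlib.sha256).digest()
    out = []
    for i, ch in enumerate(value):
        b = stream[i % len(stream)]
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isalpha():
            pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(pool[b % 26])
        else:
            out.append(ch)
    return "".join(out)


def mask_record(record, key):
    """Apply the strategies field by field; non-PII telemetry is left as-is."""
    masked = dict(record)
    for field in PII_FIELDS:
        if field in masked:
            masked[field] = pseudonymize(masked[field], key)
    for field in DATE_FIELDS:
        if field in masked:
            masked[field] = age_date(masked[field], record["user_id"], key)
    return masked


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(mask_record(rec, MASKING_KEY))
    # Why the key matters: a leaked phone directory (constructed) defeats plain hashes
    # but not keyed tokens, because the attacker can only try a wrong key.
    directory = ["5550000000", "5551234567", "5559876543"]
    print(dictionary_attack(plain_hash("5551234567"), directory, plain_hash))
    print(dictionary_attack(pseudonymize("5551234567", MASKING_KEY), directory,
                            lambda v: pseudonymize(v, b"attacker-guess")))
```

Running the module masks all three records; the two records for `u-1001` receive the same `user_id`, `email`, `phone` tokens and the same aged `dob`, so they can still be correlated, while `temp_c` and `state` pass through untouched. The final two prints show the phone number recovered from the plain hash and `None` for the keyed token. Truncating the HMAC to 64 bits is a size trade-off for readable tokens; keep the full digest if the record volume makes collisions a concern.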
Thus, in addition to securing the devices themselves, data privacy can be ensured by defining a comprehensive security framework whose fundamental rule is, at a minimum, to mask or scramble personal and sensitive information wherever it is not required across platforms.