[From the last episode: Interop in the IoT requires many things to align – just like human speech.]
Security and privacy are two of the most important aspects of the Internet of Things (IoT). Together, they may well make or break the success of the IoT.
If you’ve been paying attention, you may have seen repeated demonstrations of hackers’ ability to break into massive data repositories, making off with cartloads of personal information that can be sold on the so-called “dark web.” Some of those attacks have originated in malware surreptitiously installed on small IoT devices. Such public security failures make many consumers (and even business people) nervous about generating data that will reside in the Cloud.
Meanwhile, as we discussed previously, consumer IoT devices generate tons of data about how their users behave – and that information might be sold to advertisers. Or some other business with a desire (legit or illegit). Or even the government. A big legal question is, who owns the data? Is it yours to protect? Or does your device-maker own it, being free to do with it what they want? Fear of a loss of privacy is another concern for consumers holding back on making IoT purchases.
Why do we discuss security and privacy together? Because they often come up together in conversations. The purpose of this writeup is to suggest that they are, in fact, very different – even if possibly related. So before digging into each of them specifically, let’s set a context for each one.
Security: Limiting Access to Those Who Belong
Security is all about restricting access to anything on the IoT. Only those who have the proper credentials and authority should get access; anyone else should be rejected.
In order to understand the implications of this, we must consider the entirety of the IoT. That means all of the following (at least): connected IoT gadgets; the hubs, routers, and gateways (which we’ll talk about more in the future) between the gadgets and the Cloud, and the networks that tie them all together.
With security, like so many things, there’s always a weak link – something folks didn’t think was important to worry about. Which means that, in reality, everything in the IoT needs to be maximally secure, no matter how trivial a device might seem. Figuring out how to do that on inexpensive devices is a work in progress.
There are many components to security. We’ll look at some of them in the next post.
Privacy: Limiting What Happens With Your Data
While security is about keeping strangers out, privacy is about what non-strangers can do with your data. You’re piling up a giant data file with your device maker or service provider. That company has legitimate access to your data, so this isn’t about some unauthorized access by a hacker. That’s why privacy is different from security.
With security, there are theoretical solutions provided by technology – if there are no bugs in the software (which there usually are). But with privacy, at least at present, I’m aware of no technology solutions; it’s a policy thing.
The big deal here is anonymization. What if companies gathered all their data to learn something from it, but, before analyzing it, they stripped away all of the bits that could link it back to you? Then the remaining data is anonymous, and your privacy is protected.
But how do you enforce that? There’s no technology that can be everywhere looking at all data all the time and deciding which data should be anonymous – and alerting someone when there’s a violation. This relies on companies making conscious policy decisions saying that, “We will anonymize any data before analysis.”
But even that’s not enough. That may be the policy, but what happens when some analysis project starts? Some data engineer is going to dig into the database and pull information. When they do that, they can strip off the personally identifying bits. But, even if it’s company policy to do that, what if they forget to do so because they’re under some deadline pressure? Or what if they actually decide to ignore the policy? There’s currently no technology to catch that, other than perhaps some permissions hacks.
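The stripping step described above, sketched as an added example (not code from the original post or from any vendor): the export keeps only an allow-list of fields, so a forgotten field is dropped rather than leaked, and a small audit flags any row in an export that still carries something else. The field names, sample rows and key are constructed assumptions, and the per-device pseudonym goes beyond plain stripping so readings can still be grouped.

```python
import hashlib
import hmac

# Assumed field names for a constructed IoT reading; only these reach analysts.
ALLOWED_FIELDS = {"timestamp", "room_temp_c", "mode"}
KEY = b"constructed-demo-key"  # assumption: held by a data steward, not by analysts

def pseudonym(device_serial: str, key: bytes) -> str:
    """Keyed hash: groups readings per device without exposing the serial."""
    return hmac.new(key, device_serial.encode(), hashlib.sha256).hexdigest()[:16]

def anonymize(record: dict, key: bytes) -> dict:
    """Allow-list export: any field not explicitly allowed is dropped."""
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    out["device_pseudonym"] = pseudonym(record["device_serial"], key)
    return out

def audit_export(rows: list[dict]) -> list[tuple[int, str]]:
    """Return (row index, field) for every field that should not be in an export."""
    permitted = ALLOWED_FIELDS | {"device_pseudonym"}
    return [(i, f) for i, row in enumerate(rows) for f in sorted(row) if f not in permitted]

# Constructed sample data, not real customer records.
RAW = [
    {"name": "A. Example", "email": "a@example.com", "street_address": "1 Main St",
     "device_serial": "SN-0001", "timestamp": "2024-01-01T08:00:00Z",
     "room_temp_c": 20.5, "mode": "heat"},
    {"name": "A. Example", "email": "a@example.com", "street_address": "1 Main St",
     "device_serial": "SN-0001", "timestamp": "2024-01-01T09:00:00Z",
     "room_temp_c": 21.0, "mode": "heat"},
    {"name": "B. Sample", "email": "b@example.com", "street_address": "2 Oak Ave",
     "device_serial": "SN-0002", "timestamp": "2024-01-01T08:00:00Z",
     "room_temp_c": 18.0, "mode": "off"},
]

def demo():
    clean = [anonymize(r, KEY) for r in RAW]
    forgot = [dict(RAW[0]), clean[1]]  # one raw row pulled by mistake
    return clean, audit_export(clean), audit_export(forgot)

if __name__ == "__main__":
    clean, ok, bad = demo()
    print(clean[0], ok, bad, sep="\n")
```

Dropping direct identifiers does not by itself make data anonymous: the fields that remain, such as timestamps, can still single out a household when combined with other data.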
One example where security and privacy intersect is the Roomba vacuum cleaner. You know, the robotic vacuuming disk that cats like to ride? Turns out it was quietly mapping rooms and houses. This data, if available with your name on it, would be a privacy issue. But, depending on who got ahold of it, it might become a home security issue. And the company wants to make money on that data, so they’re not planning to keep it secret. You can learn more about this example here.
We’ll talk more about this shortly, but it’s a big topic of concern for me. I may be old school, but I don’t believe that privacy is – or should be – dead.
The Industrial Context is Different
We’ve mostly talked about consumer-related concerns. Security and privacy are also of concern to industry – perhaps even more so, since competitors would love to get ahold of all the valuable data streaming around on the networks.
But industrial companies are more likely to provide the resources and expertise to know when their security and privacy interests are not being met. And companies have more power to say, “No” than consumers have (or they’re more willing to say it, and providers are more willing to listen). So, in my opinion, it’s more likely that IIoT providers will pay attention to security and privacy than CIoT providers.
Danielle says
So, is there a way to scramble personal data before it leaves your personal network?
Bryon Moyer says
Good question, and the answer might surprise you: it’s already scrambled. Part of what’s needed for security is “encryption,” which is really just a fancy name for scrambling data in a way that only the intended recipient can unscramble.
And it’s not — nor should it be — something you control. There’s so much going on there that, done right, it should just work for you and be practically invisible to you. If you had to take control of the scrambling yourself, well, that would become a full-time job for you.