Security Architecture, Endpoint/Device Security, IoT, Governance, Risk and Compliance, Compliance Management

No clear policy: IoT and privacy

The Senate sponsors of the DIGIT Act may have the right idea when it comes to IoT, but advocacy groups warn many thorny security and privacy issues lurk. Steve Zurier reports.

President Donald J. Trump has only been in office for a short time, and with so many contentious issues, it's hard to believe anything constructive – or dare we say “bipartisan” – could ever get accomplished.

But when it comes to the Internet of Things, the Developing Innovation and Growing the Internet of Things (DIGIT) Act may yet see the light of day.

The DIGIT Act has support from both sides of the aisle. Senators Deb Fischer (R-Neb.), Cory Booker (D-N.J.), Cory Gardner (R-Colo.), and Brian Schatz (D-Hawaii) reintroduced the bill on Jan. 10 and by Jan. 24 the Senate Commerce Committee marked it up and quickly passed it.

Now, the DIGIT Act awaits a hearing before the full Senate. When? Nobody really knows for sure.

Not to be too snarky, but the bill includes little or no controversy. The bill would convene a working group of diverse federal agencies that would consult with private sector experts over an unspecified time and deliver recommendations to Congress. 

So it's perfect. Consider this Washington's attempt at business as usual in a most extraordinary time. All the DIGIT Act does right now is call for a working group to convene and consider the security, privacy and spectrum issues surrounding IoT. 

Who could possibly be against that? None of the politicians have actually proposed anything too specific – at least not yet. 

All kidding aside, IoT became a hot-button issue in the aftermath of the attack on DNS provider Dyn late last year, when IoT devices became a launching pad for an attack that shut down high-profile sites such as Amazon, Twitter and PayPal. While the DIGIT Act was proposed much earlier last year and various hearings on IoT were held throughout 2016, the sense of urgency to get something done – and for the government to have a role in making IoT policy – was stepped up following the Dyn attack. And for good reason. Most security experts fear that it's only a matter of time before the nation's critical infrastructure experiences some form of IoT attack – many think it will be as soon as this year.

Step in the right direction 

Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, says that the fact that Congress at least mentions security and privacy in the original DIGIT Act bill is a step in the right direction.

 “I think it's good that the government tries to look at IoT policy in an interagency way,” says Tien. “The bill itself is non-substantive. It's basically ‘rah-rah' on the potential growth of IoT and sets up a working group.” 

But there's quite a bit lurking under the surface, says Tien, who points out that IoT is very broad and can't be just a discussion about FitBits, smartphones and medical implants.

For example, there's IoT for the home, factory, office, smart grid and in agricultural communities, and all of those sectors have pressing privacy and security issues.

In a letter to the Senate Commerce Committee on Jan. 23, the Electronic Privacy Information Center (EPIC) said that IoT poses significant privacy and security risks to American consumers. For starters, IoT expands the ubiquitous collection of consumer data. EPIC said this vast quantity of data could be used for purposes that are adverse to consumers, including remote surveillance. 

“Smart devices also reveal a wealth of personal information about consumers that companies may attempt to exploit by using it to target advertising or selling it directly,” the letter said. “Because the Internet of Things generates data from all aspects of consumers' daily existence, these types of secondary uses could lead to the commercialization of intimate segments of consumers' lives.”

EPIC expressed concerns about the “always on” tracking technology that records consumers' private conversations in their homes. These “always on” devices raise numerous privacy concerns as to whether or not consumers have granted informed consent to this form of tracking. And even if the consumer has agreed to “always on” tracking, a visitor to the owner's home may not consent in the same way.

EFF's Tien also has concerns about the privacy and protection of consumer information surrounding autonomous vehicles. He wonders how much control the consumer has over the data flow and if it's possible for the consumer to turn off some of the tracking features.

“And maybe I want to fix my own car,” Tien adds. “We are a nation of tinkerers. In fact, much of U.S. innovation has come from the ability to take things apart, see how they work and then put them back together.”

Tien wonders what the impact would be if the car manufacturers and dealers control everything and independent auto mechanics couldn't be involved anymore. “It seems to me the dealers would have the advantage because they would have access to the diagnostic software from the manufacturer.”

The Center for Democracy and Technology (CDT), in Washington, D.C., has been following the progress of the DIGIT Act and continues to comment on autonomous vehicles.

CDT has also been closely following statements from the National Highway Traffic Safety Administration (NHTSA) on autonomous cars. CDT's Joseph Jerome writes in a blog that on driver privacy, it's not always clear how NHTSA views its role. 

According to Jerome, NHTSA's automated vehicles policy outlines only cursory privacy guidance. The agency directs companies to model their practices after a 2014 set of generic privacy principles released by automakers. While focusing on privacy and committing publicly to a set of principles was an important first step, how or whether they are implemented in practice will be the true test. Jerome says NHTSA must address important privacy considerations regarding driver data, such as when and how to de-identify data, enact data minimization and set data retention limits.

Further, Michelle de Mooy, director of the Privacy & Data Project at the Center for Democracy and Technology, says that much more needs to be done in securing consumer privacy as the industry rolls out autonomous vehicles. “While the guidelines by the automakers are good principles, it's not really clear if the manufacturers actually follow them and whether there's any clear oversight process,” she says.

Privacy by design 

To be sure, general issues surrounding IoT and privacy have been discussed in the past several years in government circles. 

The CDT's Alex Bradshaw writes in a recent blog that according to the FTC, companies should re-evaluate their business practices and needs, keeping “privacy by design” top of mind. If geolocation data is not necessary for a device to function, but still useful to the business (for future product features), the FTC recommends waiting to collect such data types until the new feature is unveiled and/or collecting less specific data of that type, such as the ZIP code instead of precise geolocation. If the company determines that geolocation or a similar data type is needed, the company should fully disclose its intention to collect this data and receive the users' express consent. This is key: The FTC says IoT devices should not just collect all possible data points on the off chance that they could prove interesting one day in the future.

“CDT agrees with this recommendation,” writes Bradshaw. “Purposeful, strategic data collection and retention is not only good for consumers' privacy – it's good for business. Companies that implement thoughtful processes on the front-end for determining what data to collect and how long to keep it are arguably less susceptible to data breaches and the reputational damage and loss of consumer trust that accompany a breach.” 

Merritt Maxim, a senior analyst with Forrester Research who serves security and risk professionals, says IoT companies need to provide consumers with the choice to opt in to share information. And they also have to spell out explicitly what they plan to do with the information they collect.

“This is clearly an important area, because we'll only see more attacks involving IoT devices in the future,” Maxim says. “It's just simple math. How many billions of IoT devices are there versus PCs? There are just many more IoT devices.”

While it's not 100 percent clear, presumably agencies such as NHTSA, the FTC and others would be involved in the interagency group that the DIGIT Act would authorize.

Piecing together some of the previous testimony and comments, it's clear that at least among federal agencies, advocacy and industry groups, there's genuine concern about consumer privacy as IoT technologies develop.

This early in the Trump administration, its views on IoT are unclear. Sure, they have issued predictable pro-business bromides on IoT's potential or general concerns about consumer privacy, but the administration really hasn't weighed in on IoT in any meaningful way. Its primary focus is on general cybersecurity policy, and the indications are that the administration appears ready to study that issue as well at this point.

Sen. Deb Fischer (R-Neb.) has been a leader on the DIGIT Act and her input and continued leadership may be key. Can she get both sides to overlook politics and do something bipartisan that will help industry sort out some difficult security, privacy and technical issues? As contentious as the political climate has been, convening a working group makes sense. Let the tech pros meet with federal tech experts and report back later this year. With any luck, the dust may have settled some and Congress can focus on nuts and bolts commerce issues, such as IoT policy.

[sidebar 1]

Is there an IoT doctor in the house?

Lee Tien, senior staff attorney at the Electronic Frontier Foundation, has some serious concerns about medical IoT and privacy. Tien points out that the HIPAA laws only apply to a patient's very specific communications with a doctor's office and an insurance company.

“The reality is that when it comes to a FitBit or a crowdsourced medical device, the HIPAA laws don't apply,” he says. 

The main point is that there are lots of gaps as these devices evolve. For example, what about a device that tracks a pregnancy, but isn't specifically prescribed by a doctor? What then? 

Michelle de Mooy, director, Privacy & Data Project at the Center for Democracy and Technology, says that's an issue. “It's a problem mainly because the expectation by the consumer is that personal medical information is protected by law,” she says.

Clearly there are numerous issues that the officials reviewing the DIGIT Act must consider before this bill becomes law. Lots to sort out in the days ahead. 
