Chapter 1: IoT, Privacy, and Security

1.     Introduction

1.1 The Benefit of IoT

There are as many ways to describe the Internet of Things as one can imagine resulting in not one single, universally agreed upon definition.  What all definitions do have in common however, is the focus on the always-on collection of copious amounts of data via sensors embedded into physical devices which are seamlessly connected through an information network. This ecosystem, sometimes referred to as “connected devices” or “smart objects”, connects people anywhere to anyone or to any service at any time.[1] It is this interconnection of devices which is expected to bring automation and efficiency to a wide range of sectors.

IoT has a strong potential for both B2B and B2C applications to deliver considerable worldwide economic benefit. Many of these benefits will come from B2B[2] where IoT can deliver efficiencies with improved product development insights, customer service, or even in the case of healthcare, reduce hospitalizations through implanted devices.[3] This should not overlook the B2C market which is increasingly becoming saturated with home automation and appliances, wearables such as fitness trackers, and even the beginnings of connected cars.

Estimates of proliferation and economic delivery vary considerably depending on source but widely cited measures tend to benchmark the number of devices available on the market or global economic impact. One popular quoted figure by Cisco in 2010 estimated 50 billion devices by 2020[4] while more generally accepted numbers produced by Gartner and Ericson estimate approximately 20 billion connected devices by 2020.[5] Device numbers are difficult to gauge economic benefit on its own but does give an indication of consumer uptake of such devices. Other estimates on worldwide impact predict a monetary value of anywhere between $3.9 trillion and $11.1 trillion per year by 2025. [6] Regardless of measurement itself, the adoption of IoT will play a fundamental role in both social and economic development spanning all major domains including health, education, manufacturing, transport, and so forth.

1.2 Complexity of IoT Infrastructure & Its Value

IoT is unique in that it comprises of many layers of infrastructure to operate. For simplicity, this can be broken down into three main layers; at the core of IoT devices is the perceptual layer where sensors and actuators such as RFID tags or Wireless Sensor Networks (WSNs) with limited computing resources enable IoT devices to collect real-time data and ‘sense’ the physical environment. The middleware layer contains both a network and service layer acting as a ‘bridge’ between the device application layer and the sensors through providing a data link via an access network connection such as the Internet. Data is transported to a service middleware layer encompassing either a web-service or cloud-based data management platform (DMPs). Finally, there is an application layer from which users can interface and operate the device.[7] In this sense, though there are three layers, there are four main elements that underpin IoT: sensors and actuators, data communications, cloud computing, and data analytics.[8] 

Although IoT relies on Internet infrastructure as a method to transport data, there is a clear distinction between the Internet and IoT since IoT does not operate on TCP/IP protocols nor does it generate or rely on web-based technologies such as cookies. Furthermore, the data generated from always-on sensors in the perceptual layer exceed that of the Internet and, since many applications generate traceable signatures, smart devices have the potential to expose more sensitive and personal data on users.

The true value of IoT therefore comes from the large datasets which sensors in the perceptual layer collect. Often termed ‘big data’[9] due to the volume, speed, and frequency of data generated by devices, the ability to apply machine learning to boil these datasets down into meaningful information and find hidden insights that could benefit either an individual, business, or greater cause is an integral aspect of IoT.  Moreover, it is the pervasive collection of data combined with an ability to link datasets from one sensor or device to another dataset from a separate device or sensor that will really drive IoT forward. 

1.3 Privacy & Security

1.31 What is Privacy?

Defining privacy is made particularly difficult because of its subjective nature – not only between individuals as two individuals may have different ideas of ‘privacy’ – but that the idea also rests upon societal and cultural values which is ever-changing with the developments of new technologies.

Theoretically, privacy in IoT would be best conceded as Westin’s description of informational privacy and control - the ability for individuals to determine when, how and what information is communicated to others, [10] affording us a choice of who we would like to share specific details with[11] to thus limit public access to oneself. [12]  An intrusion upon privacy ultimately results in Person or Company C knowing something about Person A without any relationship or justification as to why C would know such information.

Roger Clarke originally defined four types of privacy in the 1990’s. These types included bodily, personal data, personal behaviour, and personal communication privacy[13] but the advent of new technologies can rightfully expand this into seven types to extend its scope to protect images, thoughts and feelings, location and space including the right to solitude in the home, and association.[14] Finn et. al. argue that different technologies will impact separate types of privacy[15] but there is an argument that technology is also increasingly blurring the lines. For instance, IoT can transform bodily privacy such as a fingerprint for smart home entry into bits of data and, if also timestamped, can determine behavioural attributes about the home over a longer period of time. Since privacy types can be thought of as the proactive protection to prevent harms,[16] policy-makers tend to focus on regulating types rather than harms, but does not mean that harms should not be evaluated.

1.32 Privacy Harms

Privacy harms differ from traditional ideas of harm since there is no physical harm involved. Typical harmful activities usually relate to information collection, processing, dissemination, and invasion[17] but academic literature in this respect has not usually focused on the cognitive impact of these activities.

Calo therefore suggests two kinds of psychological harm in relation to privacy intrusion; subjective harm which is the perception of unwanted observation, and objective harm referring to the unanticipated or coerced use of information about a person.[18] Both of these harms are prevalent in IoT since a data breach could give a feeling of vulnerability even if no actual personal data was stolen giving a perception of risk and thus resulting in subjective harm.[19] Moreover, companies’ ability to sell users’ data to other organizations without the knowledge or consent by the individual could result in objective harm.

In building on the theory of subjective and objective harm, a rather extreme study was conducted in Helsinki to further evaluate the cognitive effects of pervasive surveillance from smart objects. Individuals were placed into a “smart home” and monitored through multiple devices to understand acceptance levels over a period of time. While overall, individuals began to accept the surveillance, this could have been due in part that individuals knew how the data was protected and deleted. Some individuals could not adjust and displayed apprehension and in some cases, “annoyance, concern, anxiety and even rage”[20] which were attributed to privacy violations since individuals could not find solitude in what was supposed to be a private space. Further, when asked about the disclosure of information collected by the devices, gravest concerns resulted from public disclosure though some individuals objected to their data being released to other organizations citing a privacy violation of the home.[21] 

It is clear from this study that IoT impacts various types of privacy, and that a fundamental right to privacy should encompass all types to prevent harms, including a digital right to privacy. This digital right has been recognized at supranational level[22] and implemented through various legal frameworks globally. In Europe, the right to data protection appears under Article 8 of the European Charter of Fundamental Rights and Freedoms.[23] Article 7 of the Charter[24] and Article 8 of the European Convention on Human Rights protects the right to respect for private and family life[25] with further legislative frameworks to protect electronic communications.[26]

1.33 Linkage of Privacy & Security

Most IoT cybersecurity breaches result in network attacks such as DDoS attacks at either the perceptual or middleware layers, or the insertion of malicious code into a device via the Internet but can also be a result of misuse or inappropriate use of data by authorized users who violate security policies or unauthorized access by non-legitimate users for abuse and misuse.[27] 

The devices and underlying sensor technologies are often to blame for these breaches as many are shipped to consumers with weak authentication measures; inadequate or no encryption due to constrained energy, memory and processing power and/or; insecure software or firmware that cannot receive and download updates[28] making general security patches difficult. Of course, consumers are genuinely left to ensure their technology is updated (if possible) or to change passwords to protect themselves. Attention from regulators however, tend to focus on the widely available devices that have not been given proper consideration for security.

It would be unwise to say that all security incidences result in a concern for privacy since cybersecurity as a general concept, is overly broad. Hackers may not intend to “harm” a specific individual, but rather gain access to disable critical infrastructures or launch other attacks which have far more serious consequences. But data breaches nonetheless leave people open to the feeling of vulnerability through a sense of loss of control. Though government surveillance is beyond scope, the insertion of malware to eavesdrop on individuals[29] or the hacking of smart baby monitors[30] further results in a sense of privacy invasion within the home.

Through implementation of controls such as organizational policies, technical architecture, and additional physical barriers where appropriate, [31] security aims to ensure that confidentiality, integrity and availability (the CIA triangle) [32] is not compromised by authorized or unauthorized individuals. Security therefore compliments privacy and data protection in an increasingly technology-driven society and can clearly link in a technological sense of data security.

______________________________________________________________________

[1] 'IERC-European Research Cluster On The Internet Of Things' (2016) available at <http://www.internet-of-things-research.eu/about_iot.htm> accessed 4 June 2017

[2] McKinsey Global Institute, 'The Internet Of Things: Mapping The Value Beyond The Hype' (2015) p 29

[3] Maria Regan, 'Implantable Med Devices – 3 Smart Technologies to Watch' available at <http://Implantable Med Devices: 3 Smart Technologies to Watch> accessed 8 September 2017

[4] Cisco, 'The Internet Of Things How The Next Evolution Of The Internet Is Changing Everything' (2011) p 3

[5] 'Gartner Says 8.4 Billion Connected' (2017) available at <http://www.gartner.com/newsroom/id/3598917> accessed 5 June 2017; Ericsson, 'Ericsson Mobility on the Pulse of the Networked Society' (2015)

[6] See n. 2; 'Machina Research Expands the Scope of Its IoT Forecasts and Highlights a USD4 Trillion Revenue Opportunity In 2025' (2016) available at <https://machinaresearch.com/news/machina-research-expands-the-scope-of-its-iot-forecasts-and-highlights-a-usd4-trillion-revenue-opportunity-in-2025/> accessed 3 June 2017

[7] Pawani Porambage et al., 'The Quest For Privacy In The Internet Of Things' (2016) 3 IEEE Cloud Computing p 38

[8] OECD, The Internet of Things: Seizing the Benefits and Addressing the Challenges (2016) p 10

[9] Charith Perera et al., 'Big Data Privacy In The Internet Of Things Era' (2015) 17 IT Professional

[10] Alan F. Westin, Privacy and Freedom (Atheneum 1967) p 7

[11] Norman E. Bowie, Karim Jamal, 'Privacy Rights on the Internet' (2006) 16 Business Ethics Quarterly p 325

[12] Adam Moore, 'Defining Privacy' (2008) 39 Journal of Social Philosophy p 420

[13] Roger Clarke, 'What's Privacy?' (2006) available at <http://www.rogerclarke.com/DV/Privacy.html> accessed 8 June 2017

[14] Rachel L Finn, David Wright, Michael Friedewald, Seven Types of Privacy. in European Data Protection: Coming of Age (Springer 2013) p 3-32

[15] Ibid.

[16] Ibid.

[17] Daniel J. Solove, 'A Taxonomy of Privacy' (2006) 154 University of Pennsylvania Law Review

[18] Ryan Calo, 'The Boundaries of Privacy Harm' (2011) 86 Indiana Law Journal p 17-19

[19] ICO, 'Information Security (Principle 7)' available at <https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/> accessed 12 June 2017

[20] Antti Oulasvirta et al., 'Long-Term Effects of Ubiquitous Surveillance in the Home', Proceedings of the 2012 ACM Conference on Ubiquitous Computing (2012) p 49

[21] Ibid. p 47

[22] See for example, United Nations, The Right to Privacy in the Digital Age (December 2013 A/RES/68/167) Note that this seems to only address government surveillance and not commercial or individual surveillance activities which are addressed under other frameworks

[23] Charter of Fundamental Rights of the European Union [2000] 364/01, Art 8

[24] Ibid. Art 7

[25] European Convention on Human Rights and Fundamental Freedoms [1953], Art 8

[26] Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) protects electronic communications but does not currently extend to cover certain messaging platforms

[27] Maria Karyda, Lilian Mitrou, 'Data Breach Notification: Issues and Challenges for Security Management', Mediterranean Conference on Information Systems (MCIS) (2016) p 4

[28] 'HP Study Reveals Smartwatches Vulnerable to Attack' (2015) available at <http://www8.hp.com/us/en/hp-news/press-release.html?id=2037386#.WbKdeYjyvIU> accessed 4 June 2017

[29] Wikileaks, 'Vault7 - Home' (2017) available at <https://wikileaks.org/ciav7p1/> accessed 10 April 2017

[30] Doug Gross, 'Foul-Mouthed Hacker Hijacks Baby's Monitor - CNN' (2013) available at <http://www.cnn.com/2013/08/14/tech/web/hacked-baby-monitor/index.html> accessed 10 June 2017

[31] Stephen Northcutt, 'Security Controls' available at <https://www.sans.edu/cyber-research/security-laboratory/article/security-controls> accessed 12 June 2017

[32] Sean Brooks et al., An Introduction to Privacy Engineering and Risk Management in Federal Systems at 606