Confusing accuracy with application creates insecurity in the IoT

Accuracy is relative.  So is security.  Trust is built from honesty and consistency. 

These are the thoughts that ran through my mind when I read the latest article on the dangers of inaccurate wearables data. Jason Bloomberg’s post in Forbes Tech considers how recent events with Fitbit and Volkswagen are representative of accuracy problems in the Internet of Things (IoT) and the effect they can have on customer trust. I followed Mr. Bloomberg’s logic that inaccurate data holds peril for both the manufacturers and the technology ecosystem. But when he ties the accuracy of a measurement device to the skills of the product designers and then goes from there to the data security of the product, or insecurity in this case, I have a problem. Accuracy and security are definitely key factors for users, but creating a predictive correlation from one to the other requires speculation on both the capabilities and intent of the developers. Regardless, customer trust comes from meeting expectations, not specific levels of performance.

"The question consumers should be asking is whether wearable vendor’s inability to provide accurate readings..."

Let’s first look at accuracy, particularly accuracy as it relates to wearables and its relationship to user trust. The accuracy of an instrument is fundamentally a function of the technology used to make the measurements and the skills of the designers of the instrument. However, the accuracy of an instrument does not predetermine the skills of its designer.

Consider ammeters. In my past I used a Hewlett-Packard 4140B picoammeter for semiconductor device experiments. The HP 4140B was the state of the art in current measurement at the time and, as the name implies, consistently measures currents in the picoamp range. I also have used Fluke ammeters throughout my career and I consider them state-of-the-art in handheld current measurement. Typically I measured milliamps with the Fluke meters. The HP instrument is more precise and accurate, in the absolute sense, than the Fluke meter, but I do not conclude that Fluke’s designers had an “inability” to provide accurate readings. Accuracy is relative and should be appropriate for the application.

"Trust, after all, is not only about accuracy…"

No, trust is about honesty and consistency.  I did not trust the HP meter more than I trusted the Fluke. Both instruments reliably and consistently met my expectations and delivered on their promise for my application.  This is the key to IoT wearables like Fitbit today.  Both the manufacturer and the user have to understand the intrinsic capabilities of the instrument and the limits those capabilities put on its application.  Does the device measure as promised and does it do so consistently?  If it does, then I can trust its use in appropriate applications. 

I am a Type 1 diabetic – have been for more than 40 years. I have used home blood glucose devices since their first introduction to the market. As a scientist I bristle at how the glucometer marketing teams always show the meter reading either 104 mg/dl or 106 mg/dl on the box. I bristle because the meters even today are only accurate to ±20% measured against laboratory instruments, which is the ISO requirement. Since most diabetic blood sugars are over 100 mg/dl (that is our struggle), the instrument is accurate to ±20 mg/dl and, to my scientific expectation, should not report to single digits. However, the glucometers have high repeatability, i.e. if I test quickly in succession I see 104 mg/dl repeatedly. So I trust the glucometer as part of my therapy and I credit them single digit precision, not accuracy. The key to my trust is that I do not act on blood glucose differences of a few mg/dl; I act on changes of 20-25 mg/dl, which is the accuracy of the instrument.

If a wearable device maker advertises that their device has more accuracy OR precision than it actually does, then I find fault with their marketing and criticize them accordingly. Trust is lost. This appears to be Bloomberg’s conclusion regarding Fitbit and their recent trials in the press. However, if the device measures consistently with accuracy as promised, I can use the device effectively and I do not recognize the right to berate the designers’ ability. As an experienced low-accuracy instrument user I discount complaints about inaccuracy when the device doesn’t purport to meet requirements for a particular application. Rather I question the judgement of users who are using it in an unintended way, as if I used my Fluke ammeter to measure CMOS device currents.

"The question consumers should be asking is whether wearable vendor’s inability to provide accurate readings signals an inability to secure their data as well."

This is where Bloomberg switches from a scientific analysis to psychoanalysis. Even if we accept that the wearable vendors do not have the ability to build accurate instruments, what does that have to do with their security skills, particularly since the data at risk is primarily in the cloud as opposed to the device? The thesis, based on a shaky device-accuracy-to-design-capability premise, seems to be that “if they don’t care about accuracy how can you trust them to care about security?” The logic now indicts the psychology of the designers as well as their skills. I agree that it’s hard to trust someone who doesn’t care, but, as discussed above, I do not accept that the accuracy of step measurement determines ability or intent.

"…when fitness wearables (or any other Internet of Things sensors, for that matter) struggle with accurate results, such invalid data become powerful tools in the hacker’s tool belt."

At this point the whole argument flies out the window with the introduction of the recent VW pollution controls story. As an example of the “accuracy-to-capability-to-security” argument, this fails completely. The VW engineers understood the accuracy, precision, and operation of both their system and the regulatory testing process so well that they were able to generate whichever outcome they wanted. Unfortunately we now understand they chose to use their skill in a fraudulent manner. They were skilled enough to execute a “calibration attack.” This deliberate use of skill to create an inaccurate measurement was not facilitated by the accuracy of the system, but rather diligence of the measurement process. A hacker can exploit accuracy only to the level upon which the user depends and the care they take to confirm the measurement. Accuracy does not intrinsically create risk, but poor judgement and carelessness do.

"Given the numerous accuracy, privacy, and security concerns surrounding fitness wearables, therefore, we have an important question to answer: is such technology too immature and too dangerous to use?"

So it all comes down to this concluding question.  Bloomberg and others believe that wearables and many IoT sensors are not ready for prime time because they do not have laboratory instrument accuracy.  They do not trust the new technology enough to adopt.  I say to those who understand the relationship between accuracy and application: “Forge on.”  Bloomberg’s final statement is certainly true – customers will vote with their wallets. 

Remember that customer trust is built on honesty and consistency and success will be yours. 

Exceedingly well structured and honest. You earned even more trust.

Very true Scott...an alarmist would ask, "Are blunt, heavy hammers too dangerous because they are too immature, blunt and heavy?" Tools are made to fit a purpose and the most important part is the use case. The real story is our collective discovery of what the use cases need to be, rather than retreating and panicking because something doesn't look exactly like what we're used to.

Insightful article, Scott. Strong parallels to outdoor air quality monitoring space, where the first wave of portable, mobile consumer devices (circa 2011) was long on promise / short on accuracy, and vendor trust suffered as a result. Vendors / designers of the next wave of devices need to properly set expectations around accuracy and help guide the conversation around appropriate applications of the technology.
