iot information privacy and security issues

43312942 ISYS100 Final Essay: Question 7 1/06/2015

1

The internet has become central in the everyday lives of countless people

across the world. Our ability to access information and communicate has

been greatly enhanced by the internet, and as technology has evolved,

our abilities to take advantage of this has become easier and easier. The

internet has become a critical utility of the modern world, which people

have constant, quick access to through many devices such as laptops,

smartphones, and tablets. As this ability to communicate increases

alongside the data generated each day by ever-prevalent and constantly

developing technology at a greatly accelerating pace, the

interconnectedness provided by the internet’s ability to share and

distribute data becomes a critically important feature.

This increasing ability to generate and communicate data has given rise to

the prevalence of specialized devices which gather and share data on

numerous things, of which a growing sector has been personal and user

activity data. These devices, which use the internet to share specialized

real-world activity data between each-other and other smart devices, are

what is now commonly referred to as the Internet of Things, or IOT

devices. These span from personal fitness trackers and smart TV’s, to

connected automotive technology and beyond with countless other

previously unconnected tools and devices getting ‘smart’ redesigns which

connect them to the internet and to each-other to provide convenience

through automation for the user. Gartner estimates 4.9 billion IOT devices

are currently connected, and predicts that this will rise to 25 billion by

2020i. With this growing amount of IOT devices putting more and more of

our lives online, issues of information privacy become apparent.

IOT devices are categorized by David Rose (2014) into 6 broad areas:

Omniscience, Telepathy, Safekeeping, Immortality, Teleportation, and

Expressionii. These can be thought of as data & web assisted versions of:

Information Display, Social & Communicative Aids, Property Protection,

Health and Safety, Transportation, and Creative Tools. All of these aim to

provide digital solutions to physical problems. With devices such as FitBit


2

fitness tracking watches recording and transmitting our physical activity

and location data, and Apple TV’s monitoring our viewing habits to tailor a

personalized viewing experience, information from numerous personal

devices is constantly being transmitted across the internet, not only to

our own other devices, but to numerous corporate servers which are often

essential in providing the service. This means that as more of our lives go

online, the more information about ourselves is being given away to

corporations. This is then used to do things such as targeted advertising

campaigns, or provide demographic information to the company.

Although this seems harmless at first, as Consumerreports.org (2015)

outlines, the data that is sent to these corporations is often far beyond

what we may anticipate, and hidden in lengthy terms & conditions of use,

and privacy policies. It is also often shared and sold between companies,

with basic data such as name and gender retailing at an average of 10.7c

per personiii (Athena Information Systems, 2015), which when collected

across an entire user base, can amount to significant amounts of money,

creating a data sales economy between corporations. This means that

once your data is out there, you have very little control over who can see

it, or what it may be used for. Even if many consumers don’t take issue

with their data being collected and used, Consumerreports.org argues

“They need to have a choice, as it’s not always clear what information

stays on the device, and what goes out onto the internet” (Privacy tips for

the Internet of Things, 2015), and Haque agrees that “people should be

able to set policies governing which devices can talk to the devices that

they own, and what information is shared about them.”(cited in Bradbury,

‘How can privacy survive in the era of the internet of things?’2015). Along

with this, the information that is relayed between your devices and

corporate servers is often unencrypted, leaving it vulnerable to hackers

and other criminals being able to gather personal data, and with identity

theft the largest growing cybercrime (Week 6 Lecture), this leaves a

serious vulnerability for users of IOT technology to become victims.


3

It would seem that the only solution for the consumer to maintain privacy

would be to not purchase any of these internet connected devices,

however, in an age ruled by internet communications, it’s extremely

difficult to go without this technology for both the practical disadvantage

it would entail. As Christin, Engelmann and Hollick outline, “Such binary

choices … void potential benefit for both users and applications” (Usable

Privacy for Mobile Sensing Applications 2014) Smartphones and tablets

are an example of a technology which is ubiquitous enough within the

modern world so as to put non-users at an information processing

disadvantage as compared to the societal average. A 2012 study

conducted by Harris Interactive (cited in PTOI 2013) found that (despite

the retrospectively limited smartphone functionality of 2012), “The

average app usage per users amounts to 88 minutes of time saved a day

or 22 days of free time a year”iv (cited in PTOI, ‘Smartphone apps help

save 22 days of your time per year’ 2013), and a study by Kensington

Security (2015) found that between 2010 and 2015, the use of

smartphones and tablet devices allowed workers more flexible work

schedules, leading to 35% of respondents being able to work more hours

thanks to the ability to work away from the office, with a 21% increase of

workers completing the majority of their work from homev. Of this, most

respondents cited the biggest change to be reliance on smartphones and

other mobile devices allowing better remote access to services such as

email, allowing for an increase in overall productivityvi. With these

increases in productivity, those without these technologies are put at a

distinct disadvantage. However, this reliance gives smartphones and

tablets major privacy issues, especially since, unlike computer web

browsers, apps and other smartphone software often have severely

lacking, or no encryption or data security measures in place

(Consumerreports.org 2015, Thompson 2013). Now that our mobile

phones have consistent access to the internet, more technology is being

developed around them to integrate the functions of many other devices

into one, such as iOS Passbook, HealthKit, and Apple Pay. With this


4

amalgamation of device functions into a single, IOT connected device, the

information privacy risks of smartphones and tablets are extremely high.

As well as reliance on smart technology for productivity, users wishing to

maintain information privacy cannot simply abandon IOT devices, as

many are integrated into technologies that are not directly apparent with

their online functionality. The main example of this is in modern

automobiles. Mechanisms within modern cars are controlled by a series of

computers which communicate over a wired network. However, this

network is also connected indirectly to wireless internet networks via

Bluetooth, Cellular, WiFi and even Radio (Rubin 2011). These networks

are used for IOT device functions such as GPS, mobile connectivity,

distress signals, receiving and decoding digital radio broadcasts, and

collecting diagnostic information on the vehicle. Although considered

reasonably secure due to the short-range wireless capabilities of the

exploitable functions, recently, researchers have, through complex

software reverse-engineering, been able to make use of radio signals

themselves to exploit, disrupt, and gain access to the critical wired

network within the car, as well as the diagnostic and locations information

stored locally (Rubin 2011 & Corman 2013). This puts modern IOT

automobiles at not only information privacy risk, but also physical security

risk, with demonstrations being shown to be able to shut off critical

systems such as brakes and steering (Rubin 2011 & Corman 2013).

Physical security risks due to information privacy risks are now on the rise

with IOT devices controlling even more critical pieces of technology, with

medical IOT perhaps the most at risk for misuse. Implanted and external

machines such as pacemakers, insulin pumps, and cochlear implants

make use of wireless communication technologies for safety and

convenience purposes (Rubin 2011 & Corman 2013). This, however,

poses a more immediate threat to physical security, as the devices have

direct control over specific bodily processes. The information provided by

these devices can give key insights into the health status of a user, which


5

can be used for good (monitoring for medical emergencies), or bad (using

medical issues to one’s advantage). And along with this privacy risk, the

security risk of these devices being tampered with would result in serious

medical consequences for the users, up to and including death, making

murder and assassination via medical device hacking a real possibility

(Wadhwa 2012). Luckily, measures are being developed by medical

technology manufacturers to combat this security and privacy issue, with

“noise shields”, and “biometric heartbeat sensors” (Wadhwa 2012) some

attempts at creating medical cybersecurity. However, as Wadhwa points

out: “these developments pale in comparison to the enormous difficulty of

protecting against “medical cybercrime,” and the rest of the industry is

falling badly behind.” (Yes, You Can Hack A Pacemaker (And Other

Medical Devices Too) 2012).

Legal battles over the privacy of information have been plaguing big tech

companies since the advent of the information era, and with information

privacy concerns being brought to light to the consumer due to the

actions of Edward Snowden, Wikileaks, and a number of other

whistleblowers, big tech companies are being challenged legally by an

informed consumer base. This is evidenced with the legal disputes Google

faces globally, especially with a recent Anti-Trust lawsuit filed against

them by the European Union over SEO cookie concerns (Kottasova &

Goldman 2015). However, companies such as Apple have, supposedly,

taken steps to improve their image when it comes to their privacy policy,

announcing in 2014 that internet transmitted iOS 8 device data will be

encrypted with the user’s Apple passcode (Hill 2014). And various

information security practices are being developed to address the specific

issues regarding IOT privacy concerns, such as software protection from

data mining mechanisms known as Privacy Enhancing Technologies (or

‘PETs’) such as active bundle technologies or multi party computations

(Roman, Zhou and Lopez 2013). Although these policies and technologies

are moving towards securing information in IOT technology, Roman, Zhou


6

and Lopez stress that they are not perfect solutions, and rather than

relying upon these technologies to mitigate privacy concerns, “these

concepts should be extended in order to help users to become more

aware of how their surroundings capture and use their information” (On

the features and challenges of security and privacy 2013, 3.3.4.1).

Technical writers such as Webb similarly recommend awareness and

appropriate policy implementation with corporate responsibility, believing

“If designed responsibly, our devices will have no interest in world

domination, but rather in using their intelligence and communicative

capabilities to make our lives as troublefree as possible”, and that

“Putting in place the right controls today will protect our privacy

tomorrow” (Does the Internet of Things mean the end for Privacy? 2015).

This approach would ensure legal protections for the consumer’s

information regardless of the advance in technology required to keep up

with new IOT implementations, however the key flaw is that it offers no

protection from the illegal seizure of information by non-corporate

entities, such as hackers and scammers. Corman uses the metaphor of

“getting in the water with an apex predator” (Swimming with sharks -

security in the internet of things 2013) to describe the risks of using IOT

technology. In the increasingly internet connected world, Corman believes

that the apex predators are not technology corporations, but rather the

hackers and cybercriminals who do not operate via codes of conduct, and

are often outside the limits of legal culpability due to anonymizing

technology. Along with the aforementioned rise in identity theft, crimes

relating to remote access to IOT devices are prevalent, with the 2014

celebrity sextortion photo hack making use of Apple’s lack of security on

their iCloud interdevice photosharing service (Williams 2014) despite laws

in place to prevent this data collection. As well as this, countless IOT

webcams and security cameras have had their technical vulnerabilities

exploited to create ‘open access’ personal webcam streams online, where

anyone on the internet could access and illegally view people’s webcam


7

activity without their knowledge, leading to similar cases of sextortion

(Toor 2013, Corman 2013, Opentopia.com 2015). Hence, the legal and

social approach to securing IOT information privacy concerns is not

reliable in truly preventing information theft, as Kranenberg argues:

“Policies are no longer hacking it”(via Bradbury 2015) due to the dangers

of illegal parties having these capabilities.

The emergence of Internet of Things technology, driven by the

accelerating development of internet based technologies has brought the

online world into the physical. However, in doing so, information privacy

issues associated with these technologies have now too moved into the

realm of personal, physical data collection and communication. More IOT

technologies are being developed, and these technologies are becoming

further integrated as necessities in a modern society, often in

mechanisms whose internet connected nature is not immediately clear to

consumers. IOT devices are also performing more and more critical

functions, such as medical treatment devices. As these developments

continue, attempts to control the information privacy risks posed by these

technologies are being instituted by legal, political, and social forces, and

technologies are being developed to further secure these vulnerabilities.

However, these policies and technologies cannot keep up with the new

functionality of IOT technology, and cannot adequately ensure that

personal information is secure from cybercriminal activity. Information

privacy risks are inherent when dealing with IOT technology, and until

cybersecurity technologies advance enough, and until IOT developers

create a standard for information privacy and security, this risk can only

be mitigated by consumer awareness rather than prevented outright.

Appendix Over Next Page:


8

43312942 ISYS100 Final Essay: Appendix 1/06/2015

a

i Gartner IT 2014, ‘Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015’, Press Release,

11 November, Barcelona, accessed via <http://www.gartner.com/newsroom/id/2905717> viewed

30 May

ii Rose, D 2014, Enchanted Objects: Design, Human Desire, and the Internet of Things, TEDx Talks,

YouTube, Boston MA, accessed via <https://www.youtube.com/watch?v=I_AhhhcceXk> viewed 28

May. Picture via: <http://enchantedobjects.com/wp-content/uploads/EnchantedObjectsPoster.png>

43312942 ISYS100 Final Essay: Appendix 1/06/2015

b

iii Athena Information Solutions 2015, Privacy and Security in a Connected Life, accessed via

Multisearch & ProQuest

<http://search.proquest.com.simsrad.net.ocs.mq.edu.au/docview/1669890772?accountid=12219&t

itle=Privacy and Security in a Connected Life> viewed May 27

NOTE: AMOUNT SHOWN IS IN RUPEES, TOTAL AMOUNT of GENDER + NAME CONVERTED TO USD

= 10.7c

iv Press Trust of India 2014, Smartphone apps help save 22 days of your time per year, NDTV Gadgets,

accessed via <http://gadgets.ndtv.com/apps/news/smartphone-apps-help-save-22-days-of-your-

time-per-year-371724> viewed May 30

v & vi Kensington Computer Products Group2015, ‘Productivity Trends Report 2015’, pp. 1 – 12,

Report, accessed via: <http://www.kensington.com/us/us/6786/kensington#.VWrb5M-qqkr>

viewed May30

43312942 ISYS100 Final Essay: Reference List 1/06/2015

i

Reference List:

1. Athena Information Solutions 2015, Privacy and Security in a Connected Life, accessed via

Multisearch & ProQuest

<http://search.proquest.com.simsrad.net.ocs.mq.edu.au/docview/1669890772?accountid=

12219&title=Privacy and Security in a Connected Life> viewed May 27

2. Bradbury, D 2015, How can privacy survive in the era of the internet of things?, The

Guardian, accessed via

<http://www.theguardian.com/technology/2015/apr/07/howcanprivacysurvivetheinterneto

fthings> viewed May 27

3. Burnett, C A 2015, Welcome to the Internet of Things. Please check your privacy at the door.,

IT World, accessed via <http://www.itworld.com/article/2906805/welcome-to-the-internet-

of-things-please-check-your-privacy-at-the-door.html> viewed May 26

4. Caruana, A n.d, Privacy and the Internet of Things, CSO Australia, accessed via

<http://www.cso.com.au/article/559985/privacyinternetthings> viewed May 27

5. ConsumerReports.org 2015, Privacy tips for the Internet of Things, accessed via

<http://www.consumerreports.org/cro/magazine/2015/06/privacy-tips-for-the-internet-of-

things/index.htm> viewed May 27

6. Corman, J 2013, Swimming with Sharks – Security in the Internet of Things, TEDx Talks,

YouTube, Naperville IL, accessed via <https://www.youtube.com/watch?v=rZ6xoAtdF3o>

viewed 28 May

7. Cusanelli 2015, Kensington Survey: Mobile Devices Increase Productivity, Working Hours, The

VAR Guy, accessed via <http://thevarguy.com/business-smartphone-and-tablet-technology-

solutions/033015/kensington-survey-mobile-devices-increase-productivity-> viewed May 30

8. eMarketer 2014, 2 Billion Consumers Worldwide to Get Smart(phones) by 2016, accessed via

<http://www.emarketer.com/Article/2-Billion-Consumers-Worldwide-Smartphones-by-

2016/1011694> viewed May 27

9. Essers, L 2013, Google trial to continue to Italian supreme court, PCWorld, accessed via

<http://www.pcworld.com/article/2035387/google-video-trial-to-continue-to-italian-

supreme-court.html> viewed May 31

10. Gartner IT 2014, ‘Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015’, Press

Release, 11 November, Barcelona, accessed via

<http://www.gartner.com/newsroom/id/2905717> viewed 30 May

11. Hill, K 2014, Apple And Google Will Force A Legal Battle Over The Privacy Of Your Passcode,

Forbes, accessed via <http://www.forbes.com/sites/kashmirhill/2014/09/19/apple-and-

google-privacy-of-your-passcode/> viewed May 30

12. Information Age 2012, Privacy, smart meters and the Internet of Things, Information Age,

accessed via

<http://www.informationage.com/technology/informationmanagement/2113628/privacys

martmetersandtheinternetofthings> viewed May 27

13. Kensington Computer Products Group2015, ‘Productivity Trends Report 2015’, pp. 1 – 12,

Report, accessed via: <http://www.kensington.com/us/us/6786/kensington#.VWrb5M-

qqkr> viewed May 30

14. Kosman, J 2015, Microsoft the big winner in Google antitrust lawsuit, New York Post,

accessed via <http://nypost.com/2015/04/15/microsoft-the-big-winner-in-google-antitrust-

lawsuit/> viewed May 31


ii

15. Kottasova, I & Goldman, D 2015, Google Under Siege: Europe Wants Blood, CNN Money,

accessed via <http://www.pcworld.com/article/2035387/google-video-trial-to-continue-to-

italian-supreme-court.html> viewed May 31

16. Mayer, C 2013, Don’t Be Dumb About Smartphone Privacy, Forbes, accessed via

<http://www.forbes.com/sites/nextavenue/2013/03/05/dont-be-dumb-about-smartphone-

privacy/> viewed May 30

17. Naccache, D & Sauveron, D (eds.) – Preneel, B 2014, Lightweight and Secure Cryptographic

Implementations for the Internet of things (Extended Abstract), pp. XIII – XIV, Kasper, T,

Oswald, D, Paar, C 2014, Sweet Dreams and Nightmares: Security in the Internet of Things

(Abstract), p. XV, Christin, D, Engelmann, F, Hollick, M 2014, Usable Privacy for Mobile

Sensing Applications, pp. 92- 107, in ‘Information Security Theory and Practice’, WISTP,

International Federation for Information Processing, Springer, accessed via Multisearch &

Springer <http://www.springer.com/us/book/9783662438251> viewed May 27

18. Nicholls, J 2015, Google alleged privacy violations ‘merit a trial’, Computer Business Review,

accessed via <http://www.cbronline.com/news/cybersecurity/business/google-alleged-

privacy-violations-merit-a-trial-4542123> viewed May 31

19. Opentopia 2015, Opentopia: Free Live Webcames, accessed via

<http://www.opentopia.com/hiddencam.php> viewed May 31

20. Povoledo, E 2009, Google executives on trial in Italy, The New York Times, accessed via

<http://www.nytimes.com/2009/02/03/technology/03iht-google.4.19904181.html?_r=0>

viewed May 31

21. Press Trust of India 2014, Smartphone apps help save 22 days of your time per year, NDTV

Gadgets, accessed via <http://gadgets.ndtv.com/apps/news/smartphone-apps-help-save-

22-days-of-your-time-per-year-371724> viewed May 30

22. Press, G 2014, Internet of Things By The Numbers: Market Estimates and Forecasts, Forbes,

accessed via <http://www.forbes.com/sites/gilpress/2014/08/22/internet-of-things-by-the-

numbers-market-estimates-and-forecasts/> viewed May 30

23. Roman, R, Zhou, J, & Lopez, J 2013, ‘On the features and challenges of security and privacy in

distributed internet of things’, Computer Networks, vol. 57, no. 10, pp. 2266 – 2279,

accessed via Multisearch &

ScienceDirect<http://www.sciencedirect.com/science/article/pii/S1389128613000054>

viewed May 27

24. Rose, D 2014, Enchanted Objects: Design, Human Desire, and the Internet of Things, TEDx

Talks, YouTube, Boston MA, accessed via

<https://www.youtube.com/watch?v=I_AhhhcceXk> viewed 28 May

25. Rubin, A 2011, All Your Devices Can Be Hacked, TEDx Talks, YouTube, Washington D.C,

accessed via <https://www.youtube.com/watch?v=metkEeZvHTg> viewed 28 May

26. Steel, E, Locke, C, Cadman, E, Freese, B 2013, How much is your personal data worth?,

Financial Times, accessed via <http://www.ft.com/intl/cms/s/2/927ca86e-d29b-11e2-88ed-

00144feab7de.html#axzz3bchVxdtT> viewed May 30

27. Thompson, C 2015, Here’s how much thieves make by selling your personal data online,

Business Insider Australia, accessed via <http://www.businessinsider.com.au/heres-how-

much-your-personal-data-costs-on-the-dark-web-2015-5> viewed May 30

28. Thompson, G, Gould, M, Christodoulou, M 2013, In Google We Trust, Four Corners,

Australian Broadcasting Corporation, Sydney,

<http://www.abc.net.au/4corners/stories/2013/09/09/3842009.htm> viewed May 31


iii

29. Toor, A 2013, Creepstreams: an interactive map of insecure webcam feeds, The Verge,

accessed via <http://www.theverge.com/2013/1/22/3902698/trendnet-security-camera-

streams-mapped-out> viewed May 31

30. Wadhwa, T 2012, Yes, You Can Hack A Pacemaker (And Other Medical Devices), Forbes,

accessed via <http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-

pacemaker-and-other-medical-devices-too/> viewed May 31

31. Webb, G 2015, Does the Internet of Things mean the end for privacy?, ABC Technology and

Games, accessed via

<http://www.abc.net.au/technology/articles/2015/04/24/4223019.htm> viewed May 27

32. Weber, R H 2010, ‘Internet of Things – New Security and Privacy Challenges’, Computer Law

& Security Review, vol. 26, no. 1, pp. 23 – 30, accessed via ScienceDirect

<http://www.sciencedirect.com/science/article/pii/S0267364909001939> viewed May 27

33. Williams, O 2014, This could be the iCloud flaw that led to celebrity photos being leaked, The

Next Web, accessed via <http://thenextweb.com/apple/2014/09/01/this-could-be-the-

apple-icloud-flaw-that-led-to-celebrity-photos-being-leaked/> viewed May 31

34. Wind River 2015, ‘Security In The Internet Of Things’, Report, accessed via

<http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-

the-internet-of-things.pdf> viewed May 30

iot information privacy and security issues

Documents