Read my lips: new requirements on privacy approaching

December 17, 2016

I never miss an opportunity to make the point that Security and Privacy are the two big challenges for IoT, and that privacy is the bigger one. Security problems can be fixed since we accept apologies and forget rapidly. Was it billions of accounts at Yahoo? Privacy issues are different since they are about trust, and without a proper architecture no service can cope with new requirements on privacy.

Most people respond along the lines of “I have nothing to hide” or “that’s the way people are these days”. But people living in countries where they don’t trust the government have a completely different point of view. In most western countries we have quite tough policies about what you can ask people in interviews for employment. But given the data available to employers today (provided from users by signature!) combined with data analytics, they already know much more than you can imagine, so they don’t need to ask.

This is the naive era and it will come to an end, soon! Your personal data is yours and you should only give it away if you think it is a good idea! And many organisations are equally naive today! Critical data has to be kept safe! Web services for IPR management might not be a good idea for example. At least not unless you know where the servers (and their backups) are.

The only architecture I know of today which can support future requirements on privacy is that users own their data and opt in to share it. I’m working with Springworks in the automotive industry today. In our company, enabling mobile operators to connect cars, the owners of the cars own the data generated in the car and they opt in to let insurance companies, roadside assistance companies etc. get some of their data. Car manufacturers typically argue that they own the data.

Here is a good example of what will drive new requirements on privacy – a report from Democratic Media on how wearables are used to collect and sell health data. Is this something we want? I don’t think so. Consumers and enterprises will raise new requirements, and governments will follow with legislation. Proper architectures for privacy and trusted partners will be kings.

 


Let’s face the M2M security challenges

April 13, 2013

Initially, technical innovators focus all they have on making their innovation do whatever they want it to do. Shortly after the breaking news about their brand new product, solution or service, we usually receive the follow-on news about problems with things like security, health impact, integrity or fair trade. The scope of the problems obviously relates to what the new thing actually is.

Let’s face it, it has always been like this. Telephone systems, microwave ovens, TV set-top boxes, ATMs, door locks, PCs and Wi-Fi networks are all examples of things that were quite easy to manipulate, at least initially. But when we connected people and businesses to the Internet the magnitude of the problem increased many times. Having almost everything using the same communication protocols and even the same network gained us a lot of efficiency but also raised the security stakes drastically. Most attacks are not reported publicly but the ones we hear about are serious enough. FireEye claims one security attack on enterprises every third second, based on analysis of information on more than 89 million security related attacks reported. Some specific examples since last summer, picked up from Network World: 450,000 stolen passwords from Yahoo, 5.8 million passwords from LinkedIn, 1.5 million from eHarmony, 8 million online credentials from Gamigo and about 3.6 million Social Security numbers and 387,000 credit and debit card numbers from South Carolina. And we all remember the series of password thefts at Sony some two years ago. We’re already at the point where this belongs to the daily news feed and is business as usual.

Now we are also connecting things to the Internet and we will inevitably enter a new era of security and integrity issues, on yet another scale. Imagine hackers manipulating traffic lights, road signs, railroad control systems, power grids, nuclear plants, TV broadcasts, elections, pacemakers, airplanes, stock exchanges or hospitals. Media is quite frequently presenting examples along those lines and even if it is hard to distinguish between urban legends and real life cases it is safe to say that security will be a very important part of the M2M industry.

Recent examples from media include the Techspot.com story about a security consultant and pilot who claims he can hijack a commercial airplane remotely with his Android app, a story about a hacked pacemaker in the US, where almost five million pacemakers and implantable defibrillators have been sold in the last five years, and several stories about hacked cars, including the most recent research from Rutgers University and University of South Carolina where they manipulated cars in motion via the TPMS system. At the Hack in the Box conference in Amsterdam the other day, electric vehicle charging stations were identified as potential targets for hackers to cripple parts of the electricity grid.

If the issues of security, safety and integrity aren’t taken seriously by the industry they will slow down or even prevent deployment of M2M solutions. Since perception is reality we need to go beyond just fixing the issue – we also have to make people believe it is taken care of seriously.

