IoT security and privacy: Three questions to consider
There are many questions these days surrounding IoT security and privacy, as well as the internet overall. When we ask ourselves whether it will all be secure, the honest answer might be ‘it depends’, in the same way that life and the internet are never really fully secure. The same thing goes with privacy.
By Cees Links, GM of Qorvo Wireless Connectivity BU
In a way, this is not a very satisfactory response, especially considering how much we expect from the IoT in the near future. So, let’s explore this further with three important questions regarding security, privacy and IoT products.
What is the cost/value perspective?
The typical scenario (and anyone who’s been in the security business will recognise this) is that everybody starts by wanting ‘the best’ security, but they change their minds quickly if it comes with a hefty price tag. In this way, security follows the usual economic laws: the higher the security, the higher the cost. And cost includes not only the security measures themselves, but also the convenience toll that comes with high-end security measures, like multiple password entries, repeatedly requested, and quickly expiring.
The cost of the security should also be in balance with the value of the item that is to be secured, along with the risk of a security breach. Logically, the higher the value of something and/or the larger the risk of a security breach, the higher the price that someone should be willing to pay to secure it.
Unfortunately, it’s not quite that simple. How do you determine the value in an IoT scenario? It’s a simpler question when asked about something that can be replaced with a single trip to a store, but more difficult here. And what about evaluating the risk? Spend a few minutes reading about the continuing string of data security breaches and it quickly becomes clear that we easily underestimate the risk.
How can we prepare for ongoing technological progress?
The progress of technology is an important question, as something that’s secure today can be hacked tomorrow, and something that was out of reach in the past is probably solvable today.
Over the years, there has been a race between security and hackers. System complexity and the lack of absolute end-to-end oversight also play roles. Systems today are becoming so complex that holes in security are easily introduced, and when they’re identified, those holes need to be rapidly patched. Some suggest that this increasing complexity, and the costs associated with it, are the largest challenge to being able to build secure systems.
In any case, the progress of technology at any given moment is an important factor in overall IoT security. So, we must always be aware of technology improvements, so that IoT devices can always be upgraded.
How do we deal with IoT and internet privacy?
People tend to misevaluate privacy issues when it comes to the growing number of devices that they have at home or carry with them: phones, tablets and TVs with cameras and microphones that can hear and see everyone in the room, unnoticed. We even buy microphones to place in the living room or on the kitchen counter. And we assume that they are not listening all the time. Is that true?
Privacy is a clear tradeoff between the benefit of the application versus the impact of giving up some level of privacy, a bit like the cost/value parallel for security. The key thing here is making an informed decision about this tradeoff.
But privacy and privacy protection issues are becoming more legislative than technological. Nowadays, the internet (along with the things connected to it) is a new frontier. At the moment, it is probably comparable with the Wild West, with no law and order yet established. Under what circumstances can information be collected, how and where will it be stored, and how will it be used? What are the penalties for infringement? What are the requirements for safeguarding collected private information, and what are the penalties for failing to do so?
To address these questions, we might think of a code of conduct for the Internet. Key elements would include:
- Respect for the personal environment: Data collected by cameras, microphones, sensors and other devices connected to the internet will not be used for anything other than the intended purpose, unless specifically approved.
- Respect for personal interactions on the internet: Emails, electronic documents, spreadsheets, searches, and other online interactions will fall under privacy laws and be treated accordingly.
- With regard to targeted advertising: Manipulation should be avoided by providing a balance of information and purpose.
We don’t know what’s coming next and we can’t see the whole range of threats looming on the horizon. So how can we possibly know that we’re secure, and our data is private?
Despite how it may sound, let’s not be too negative about this. We all tend to make reasonable assessments of how to stay out of trouble. This applies to the IoT (and the internet) as well. And the changes happening today in technology also come with great new opportunities in the future. The IoT, and the internet in general, will enable us to collect more data, to know more about everything, and to make more qualified decisions faster. We believe that a connected world is a better world. But this better world does not come for free. This better world is something that we need to understand, believe in and fight to make right.