
FTC sounds the alarm on IoT privacy

There are almost 5 billion IoT devices in use -- and counting. To reap their rewards, says the FTC, focus on consumer privacy, not just security. Also in Searchlight: Apple's quarterly earnings make history; Amazon breaks into business email with WorkMail.

A world of Internet-connected TVs, fitness bands, home thermostats and other devices is here to stay, says Gartner. There will be about 4.9 billion connected units in use this year, the research firm estimates; by 2020, that number will grow to 26 billion. This forecast might sound promising to companies that already use, or seek to use, the Internet of Things to create more personalized experiences for their customers. But despite the benefits these devices offer, they come with a huge caveat, warns the Federal Trade Commission: The personal information these smart devices collect represents a significant security and privacy risk to consumers.

The FTC's recently published report, which summarizes a workshop discussion it hosted on the Internet of Things (IoT) and staff recommendations, listed the various ways vulnerabilities in IoT devices could pose security risks. These include: facilitating unauthorized access to or misuse of personal data; attacks into other networks; and the possibility of major risks to our physical safety.

"Although each of these risks exists with traditional computers and computer networks, they are heightened in the IoT," the report stated. In an unnerving example of how an IoT device could endanger physical safety, a workshop participant described how he was able to remotely hack into connected insulin pumps and alter their settings so that they stopped administering medicine.

A 2014 HP Security Research report illuminates just how vulnerable the IoT sector really is. The study, which looked at the 10 most common devices from the most popular IoT niches, including webcams and home alarms, found that 90% of them collected one or more pieces of sensitive information either from the device itself or its associated cloud service or mobile app. Furthermore, 70% of these devices lacked encryption when communicating with their networks or on the Internet; 60% were vulnerable to such issues as weak default credentials and persistent cross-site scripting; and a whopping 80% failed on one of the most basic of security controls -- passwords of sufficient complexity and length (many allowed passwords like "123456").
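The weak-credential findings above (trivial passwords such as "123456" accepted, vendor defaults left in place) are the kind of failure a device's account-creation path should reject outright. The following is an added example, not code from the HP study, the FTC report or any vendor: a password-policy check that a device or its companion cloud service could run when a user sets or changes a credential. The blocklist, the default-credential pairs, the minimum length and the character-class rule are assumptions chosen for illustration; a real deployment would load a large breach-derived blocklist and the product's actual shipped defaults.

```python
"""Password-policy check of the kind most devices in the HP study lacked.

Added example for illustration; the blocklist, default credentials and
thresholds below are assumptions, not values from any specific product.
"""
import re

# Constructed sample of commonly chosen passwords (assumption: a real
# deployment would load a large breach-derived list instead).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "letmein", "admin", "welcome", "iloveyou",
}

# Hypothetical vendor default credentials that must never remain in use.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}

MIN_LENGTH = 12  # assumed policy threshold

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 in code point
    ('1234', 'abcd', 'dcba') or walk along a keyboard row ('qwer', 'rewq')."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def _has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if one character repeats `run` or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(username: str, password: str) -> list:
    """Return the list of policy violations for a proposed credential.
    An empty list means the password is acceptable under this assumed policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        problems.append("matches a vendor default credential")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if _has_sequential_run(password):
        problems.append("contains a sequential run such as 1234 or qwer")
    if _has_repeated_run(password):
        problems.append("contains a repeated-character run")
    # Count distinct character classes: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample credentials: two that the HP study found devices
    # accepting, and one that passes.
    samples = (("admin", "123456"), ("admin", "admin"),
               ("alice", "Correct-Horse-Battery-7"))
    for user, pw in samples:
        verdict = check_password(user, pw)
        print(f"{user}/{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Rejecting a credential is only half of the control: the device also needs to force a change away from the shipped default on first use, which is why the default-credential pair is checked here against the username rather than the password alone.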

Privacy also got short shrift. The HP report found that 80% of the IoT devices examined raised privacy concerns and, even more troubling, that the risks were greater than with other types of devices that collect some form of personal data because of the cloud services and mobile apps that work in tandem with an IoT device. The study raised the question the FTC's report also seeks to address -- namely, whether these devices really needed to collect this personal information to function properly.

Consumer privacy bill of rights for the IoT?

The FTC report offers recommendations to designers about "security by design," or building security into IoT devices from the start; it also advises companies to enact security basics such as risk assessments, changing default passwords, employee training and a layered approach to defense -- standard advice in the era of data breaches. But security is only one-half of the IoT puzzle, the report asserts. Privacy, along with consumer trust, is something both designers and companies will need to address if they want to really take advantage of the IoT's potential, the FTC report states.


Whether the FTC's focus on privacy will spark a call for consumer privacy rights on the IoT remains to be seen. At present, most organizations tend to focus primarily on security, not privacy, with regard to the IoT, said former Forrester analyst Eve Maler, now vice president of innovation and emerging technology at ForgeRock, an identity management vendor. Indeed, the lack of concern about privacy borders on arrogance. "It's as though companies are automatically granted access to consumers' personal data by virtue of their privileged position, versus consumers controlling the information that is sharable," Maler said in an email.

Both Maler and the FTC stress that transparency and limiting the collection of personal information are crucial. Implementers should use devices that have privacy-respecting features built in; they should also aim to minimize data collection and retention and give end users "notice and choice" about some of their personal data. Who will enforce those practices, however, is still a question.

CIO news roundup for week of Jan. 26

Here are more tech headlines from the week as some of us recover from Snowmageddon:

  • Apple just reported the largest quarterly earnings of any company in the world, ever. No biggie. On Tuesday, the tech giant said net profits in its fourth quarter were a record-breaking $18.04 billion on revenue of $74.6 billion. (By comparison, the last record holder, Russian company Gazprom, pulled in a profit of $16.2 billion in a quarter.)
  • For one long hour on Tuesday, Facebook and Instagram became unavailable to users worldwide, an event that many feared was the result of a cyberattack. Facebook, however, explained that it was instead caused by an internal malfunction that "affected our configuration systems." Unsurprisingly, people turned to the other big social network that was available at the time, Twitter, to joke about the incident.
  • Looks like universities are wholeheartedly jumping on the big data bandwagon. University of California, San Diego, is taking advantage of employment trends on LinkedIn to drive its career services; Boston analytics startup EverTrue weeds through the social media activities of college graduates to see which of them are more likely to donate to or volunteer for certain causes.
  • Amazon is at it again with another cloud service, this time tackling email services. Amazon Web Services this week launched WorkMail, a work email and calendaring product that seeks to take on the likes of Google Gmail and Microsoft Exchange (it even works with Microsoft Outlook).
  • Calling all predictive analytics experts: The National Weather Service predicted "historic" snowfall for New York City early this week -- which was so off base that its director even scheduled a press conference to apologize.

Check out our previous Searchlight roundups on Microsoft's Windows 10 announcement and the buzz around Docker's container software.


Next Steps

Check out more security and privacy highlights from the FTC Report on SearchSecurity.

Join the conversation
This reminds me a bit of a recent episode of Elementary, where a doll connected to an AI was believed to have committed a murder. I think it turned out that a virus was slipped onto some music that the AI accessed and that it was an inadvertent behavior...

As these household devices become more self-aware, and with the ability for them to be turned against their rightful owners by malicious parties, I suspect there is good reason for this.

Is there not some consumer group or agency that can take the helm and work to help identify the things that are indeed safe and less of a privacy concern? If not, maybe someone should start an organization to do just that.
Thanks for the insight, Veretax. Scary to think that what happened in that Elementary episode doesn't seem all that far-fetched...
And I think you're right; I don't think there's an established group or agency that is taking charge of privacy standards and guidance. The FTC does recommend self-regulation among particular industries on top of governmental involvement.
