What is internet of things (IoT) privacy?
Internet of things privacy refers to the special considerations required to protect individuals' information from exposure in the IoT environment. These considerations are necessary because in an IoT setting almost any physical or logical entity or object can be given a unique identifier and the ability to communicate autonomously over the internet or a similar network.
As endpoints, or the "things," in the IoT environment transmit collected data autonomously over the internet and typically display that data on mobile applications, they also work in conjunction with other endpoints and communicate with them. Interoperability of things is essential to the IoT's functioning so that, for example, networked elements of a smart home work together smoothly.
The data transmitted by a given endpoint might not cause any privacy issues on its own. For instance, a smart meter used in remote monitoring and data collection for a consumer and their utility company is commonplace and typically harmless. However, when even fragmented data from multiple IoT devices is gathered, collated and analyzed, it can yield sensitive information about people's whereabouts or living patterns, for instance.
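The collation effect described above, as an added example that is not part of the original article: three constructed data streams for one household each leave the occupants' whereabouts ambiguous, but intersecting them isolates a single window. The smart lock and thermostat feeds, all values and all function names are assumptions made for illustration.

```python
# Constructed sample data for one household over one day (not real readings).
METER_KWH = {h: 0.2 for h in range(24)}            # smart meter, kWh per hour
METER_KWH.update({6: 1.1, 7: 1.4, 18: 1.6, 19: 1.8, 20: 1.2, 21: 0.9})
LOCK_EVENTS = [(8, "locked"), (17, "unlocked")]    # smart lock, (hour, event)
THERMOSTAT_SETBACK = [(0, 6), (8, 17)]             # thermostat setback periods


def low_usage_hours(meter, threshold=0.5):
    """Hours at baseline load: the occupants are asleep, or out."""
    return {h for h, kwh in meter.items() if kwh < threshold}


def locked_hours(events):
    """Hours between a 'locked' event and the next 'unlocked' event."""
    hours, start = set(), None
    for hour, event in sorted(events):
        if event == "locked":
            start = hour
        elif event == "unlocked" and start is not None:
            hours.update(range(start, hour))
            start = None
    return hours


def setback_hours(periods):
    """Hours the thermostat ran its energy-saving setback (night or away)."""
    return {h for start, end in periods for h in range(start, end)}


def windows(hours):
    """Collapse a set of hours into contiguous (start, end) ranges."""
    out = []
    for h in sorted(hours):
        if out and out[-1][1] == h:
            out[-1] = (out[-1][0], h + 1)
        else:
            out.append((h, h + 1))
    return out


def collate(meter, lock, thermostat):
    """Intersect the three streams: only hours on which all of them agree."""
    return low_usage_hours(meter) & locked_hours(lock) & setback_hours(thermostat)


if __name__ == "__main__":
    print("meter alone:     ", windows(low_usage_hours(METER_KWH)))
    print("thermostat alone:", windows(setback_hours(THERMOSTAT_SETBACK)))
    print("collated:        ", windows(collate(METER_KWH, LOCK_EVENTS, THERMOSTAT_SETBACK)))
```

A privacy review can run the same comparison on its own feeds to see what the combined data discloses that no single stream does.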
The idea of networking appliances and other objects is relatively new, especially in terms of the global connectivity and autonomous data transfer that are central to the internet of things. As such, security risks haven't always been considered in product design, which can make even everyday household objects points of vulnerability. For example, in 2014, researchers at Context Information Security found a vulnerability in a Wi-Fi-enabled light bulb that let them request its Wi-Fi credentials and use those credentials to get network access.
What are IoT privacy issues?
Skepticism and suspicion around IoT systems are often rooted in cybersecurity and privacy concerns. Not only is it increasingly difficult for businesses to ensure their IoT devices are secure given how advanced hackers and other malicious actors have become, but there is also a public trust issue. Consumers feel their data privacy is at risk; they worry about both the businesses entrusted to safeguard their data and the malicious actors.
The following privacy risks still hinder IoT's full potential:
- Excessive data. There are billions of connected devices worldwide that generate huge amounts of data in a single day. Those acting in bad faith have many targets and opportunities to compromise consumer privacy. As a result, IoT device manufacturers and companies that use these devices have their work cut out for them in ensuring public trust.
- Intrusion into personal space. Hackers can target an unsecured IoT device or network to access personally identifiable information (PII) or other sensitive information about consumers. Device manufacturers and organizations that use those devices also have access to PII data and must take precautions to prevent unauthorized access and misuse.
- Private data sharing. A device manufacturer might include in its fine print how it shares consumer data with third parties. If consumers don't read the legalese that comes with their sensors, connected cars and other devices, they could unknowingly have their sensitive data viewed and used by these third parties.
IoT security's role in ensuring privacy
The fact that internet-connected devices can operate with high performance in remote locations is useful and even critical in many cases. But this also means hackers and cybercriminals are coming up with new, sophisticated tactics to hack these devices. Denial-of-service and malware attacks are both methods hackers use to compromise IoT device data.
A lack of testing and mandatory software updates both before and during IoT deployments leaves many organizations vulnerable to attack. If IoT device manufacturers don't pay attention to security concerns when businesses and consumers are trusting them to deliver highly secure products and smart devices, they could be blindsided by malicious actors. If manufacturers enforce routine software and firmware updates, their devices will have fewer data security vulnerabilities over time.
Another security issue that affects IoT privacy is the bandwagon effect in different industries, such as healthcare providers, insurance companies and automotive manufacturers. Companies adopt new technologies like IoT as part of a broader Industry 4.0 transformation without rigorously vetting them. For instance, an organization might quickly set up an IoT network without assessing the resources needed to maintain and secure the network and its IoT devices in the long term.
Lastly, flaws in the IoT security ecosystem may be more fundamental if manufacturers produce devices without the computing power needed for built-in security. Some devices are built for core functions, like processing data, without attention to security. Future hacks and data breaches will likely draw attention to the need for built-in security.
The state of IoT privacy frameworks
As IoT networks become more common, the data privacy involved is an increasingly important topic. Regulations and governance frameworks to ensure privacy might seem like the clearest solution, but their extent and comprehensiveness vary by location, and private companies might prefer their own approaches.
The General Data Protection Regulation (GDPR) in the European Union (EU) and the Data Protection Act of 2018 in the United Kingdom (U.K.) are primary examples of IoT regulatory frameworks. EU citizens' private or personal data is regulated by GDPR both within the EU and also when leaving the EU to be used in another country. Also, GDPR standards must be adhered to when IoT products are manufactured, tested and deployed within IoT networks.
Organizations involved in efforts to improve IoT privacy protection include the Industry IoT Consortium headquartered in Boston and the IoT Security Foundation headquartered in the U.K., which have worked to shape IoT into something safer and more secure. In the absence of federal IoT frameworks, California has adopted the California Consumer Privacy Act, which encompasses IoT privacy as it requires manufacturers to secure connected devices.
Businesses are taking the following steps to improve IoT data privacy practices:
- Explicitly inform consumers how their data is being used.
- Require consumers' consent for specific data use.
- Provide fully featured access controls and metrics to limit access to private data to authenticated users.
While these efforts are currently in the hands of private companies, policymakers could play an increased role in this effort in the future, especially if they choose to work with businesses to change laws.