Will 2015 be the year when smart home hacking is a real threat? Sure, attacking automated homes has been a topic for the last few years at security conferences, but Federal Trade Commission chairwoman Edith Ramirez reminded people of the home hacking warning for 2015 during her keynote (pdf) at CES. Any device connected to the Internet is “at risk of being hijacked.” Insecure devices could allow attackers to “access and misuse personal information collected and transmitted by the device.”
2015 marks the first year for Personal Privacy and Cyber Security Marketplaces at the International CES. Although there are nine exhibitors listed in the Personal Privacy Marketplace and five listed in the Cyber Security Marketplace, there are more than 65 privacy- and security-focused exhibitors displaying their products this year. How many thousands of other new devices being displayed at CES are not designed with privacy or security in mind?
Whether you find the plethora of new smart products that connect to the Internet or to a smartphone to be wildly wacky or wonderful, they present “risks to privacy and security” that undermine consumer trust. Ramirez pointed out three privacy challenges: “the ubiquitous data collection of personal information, habits, location and physical condition over time;” the unexpected uses of consumer data flowing from “smart cars, smart device and smart cities;” the heightened security risks of the Internet of Things.
“In the not-too-distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored. That data trove will contain a wealth of revealing information that, when patched together, will present a deeply personal and startlingly complete picture of each of us.” Ramirez added, “I question the notion that we must put sensitive consumer data at risk on the off chance a company might someday discover a valuable use for the information.”
Security by design, minimizing and anonymizing data for privacy, increasing transparency and telling consumers about “unexpected data uses” were a few “key steps” suggested by the FTC chairwoman.
On the security side, Ramirez said companies should use encryption to transmit sensitive information. Companies should make devices with smart defaults to ensure consumers change default passwords when setting up devices. The security of devices should be tested before the product is offered to consumers as Ramirez pointed out, “Some of the developers entering the IoT market, unlike hardware and software companies, have not spent decades thinking about how to secure their products and services from hackers.”
During her keynote speech, Ramirez gave a creepy example of unexpected uses of consumer data.
Your smart TV and tablet may track whether you watch the history channel or reality television, but will your TV-viewing habits be shared with prospective employers or universities? Will they be shared with data brokers, who will put those nuggets together with information collected by your parking lot security gate, your heart monitor, and your smart phone? And will this information be used to paint a picture of you that you will not see but that others will – people who might make decisions about whether you are shown ads for organic food or junk food, where your call to customer service is routed, and what offers of credit and other products you receive?
Data minimization would be beneficial for privacy; just because a company can collect data doesn't mean it should. Ramirez suggested that companies should notify consumers how data is being used and give people opt-out or simplified choices. Will consumers realize that their smart thermostat collecting info about their heating habits or their fitness band gathering data about physical activity might be shared with data brokers or marketing firms? Not if companies aren’t up front with informing consumers about unexpected uses of their data.
Although Ramirez can’t force companies to do more to protect the privacy and security of consumers, as The Register pointed out, her speech may pave the way for future regulations. Such speeches often serve “as a policy marker that entrepreneurs do well to note because going beyond the boundaries outlined can be seen as flouting sensible guidelines.”
Some people might not consider security or privacy before purchasing expensive toys that are tracking, monitoring or secretly spying on them. Those folks might enjoy the English version of Alexander Lehmann’s short film that debuted at the 31st Chaos Communication Congress.
Lehmann explained:
For some time now it has been clear that we are facing the greatest surveillance scandal the world has ever seen. The perpetrators lie and cheat and betray our trust and build their very own evil empire and we just look away. The state ignores the state’s own laws. And why? The truth is self-evident: We love surveillance. And here are 7 very good reasons why you should love it, too!