I presented at Grace Hopper 2016 on a panel titled You and Your Data: Privacy Challenges in the Internet of Things.
These are some of the questions we covered and my answers to them, as well as a recording of the full panel.
Moderator: Navid Rezvani
What is your definition of privacy (in the context of IoT)? What excites or worries you about it?
I gave a talk at Cloud Identity Summit earlier this year titled Identity in Ten Hundred Words in which I attempted to define some common identity terms using only the thousand most common words in the English language. The definition I used for privacy was “Being able to say who can know what about me.” I think that definition holds true in the context of the Internet of Things. I think people should be able to share their data with anyone whenever they want, but it should be their choice when and where to send that data.
Do you think the market will address consumers’ privacy concerns?
The market has a perverse incentive to collect and sell user data. I don’t mean that they’re evil or have bad intent. I mean that it’s vastly more profitable to collect and sell data than it is to properly secure data and only make it available at the request of the owner of that data. Securing and archiving data is expensive. Building intuitive privacy-preserving APIs is expensive. I’m not sure that the market as it stands now has its interests aligned with those of its consumers.
Can we engineer solutions to know what data is being collected? By whom? And where it’s going?
We don’t need to engineer them – they already exist! There’s a great Lifehacker post titled How to Tap Your Network and See Everything That Happens On It. I suggest you take a weekend and do that. Are there devices on your network that you don’t recognize? Are the devices you do recognize pinging or sending data to places you don’t expect? If your privacy is important to you, you should do this sort of inventory on a regular basis, particularly if you are an early adopter and buy new devices regularly. *ahem*
What role do standards play in the realm of security and IoT?
A huge role! I’m a co-author on NIST’s Digital Authentication Guidelines. I also work with the IETF and the OpenID Foundation to further authentication and authorization standards in the digital space. Ideally, we want devices to be interconnected and interoperable, and in order to do that and maintain the integrity of everyone’s security, we have to agree on standards, and implement them in the design of our products from the beginning.
What are your thoughts on the state of the art in anonymity? Is it impossible for data to remain anonymous? For individuals to remain anonymous?
In 2009 there was a contested election in Iran. It resulted in massive numbers of young people marching peacefully in the streets to protest what they saw as an oppressive and corrupt regime. Many of those people were brutally hurt by police. Because the protests were sudden and unexpected, no international journalists had time to travel there to document what was happening. However, people live on the ground were tweeting descriptions, pictures, and video of the violence. They were able to do that because Twitter protected their anonymity. Had they been forced to identify themselves or post under their real names, their lives would have been in danger, and the world might never have known what happened. The ability to authenticate securely but anonymously on the internet is absolutely essential.