Internet of Things and Security of Boundless Data

The Internet of Things (IoT), or as otherwise called the Internet of Objects, is a new development of the Internet that has entered almost all areas of human lives whether it is business, industry, healthcare, education or any other, and is expected to change everything in society including ourselves. The IoT can be described as objects/things in our regular environment being connected so as to provide homogeneous communication and contextual services. IoT involves a huge number of connections of things to things and things to humans and so it is more complex than the Internet. The term Internet of Things was coined by Kevin Ashton in 1999, initially to promote Radio Frequency Identification (RFID).

The term ‘things’ refers to everyday objects that are readable, recognizable, localizable, and addressable via information sensing devices, and/or controllable via the internet. In simple terms, IoT enables ‘things’ to be connected anytime, anyplace with anything and anyone using any path-like network.

IoT devices are computing devices that connect wirelessly to a network and are capable of transmitting data. The IoT extends internet connectivity beyond standard devices (laptops, desktops, smartphones, tablets), to any type of traditionally dumb or non-Internet-enabled physical devices and everyday objects. These devices, embedded with technology, can communicate and interact over the Internet, and be monitored and controlled (network controllability is a necessary feature for assuring the control of IoT devices). Much available content in the IoT has been produced using coded RFID tags and Internet Protocols (IP) linked into an Electronic Product Code (EPC) network.

The concept of the “Internet of Things” is no longer the stuff of science fiction but an essential part of the reality of our lives. The recent rapid development of the IoT and its ability to offer different types of services has made it the fastest growing technology, with huge impact on social life and business environments. IoT has gradually permeated all aspects of modern human life, such as, education, healthcare and business, involving the storage of sensitive information about individuals and companies, financial data and transactions, product development and marketing. Today, there are more than 13 billion interconnected digital and electronic devices in operation globally, the equivalent of more than two devices for every human on earth. One of the most common examples of IoT in action includes technologies and applications intended to support the deployment of the so-called “smart home” systems and devices. Indeed, a brief visit to any technology retailer will reveal the scope and breadth of IoT-based smart home devices already in the market, such as programmable appliances, thermostats and lighting controls.

But the widespread use of connected smart home devices and systems has also provided an attractive platform for targeted cyber-attacks by hackers and other unscrupulous operators. In one of the most recent high-profile examples, the operation of a New Hampshire-based internet domain name system company was overrun by millions of requests originating from security cameras, digital video recorders and other connected smart home devices manufactured by a company located halfway around the world. The attacks, which were orchestrated by an outside perpetrator, resulted in the temporary denial of service for many users of Twitter, Spotify, Netflix, Amazon and other social media sites and online retailers across the north-eastern seaboard of the United States.

The other and most important issue is privacy. Privacy is currently a topic of widespread societal interest and debate as digital technologies generate and trade on personal data on an unprecedented scale. The calls of industry and government alike proclaim the social and economic benefits to be had from personal data and run alongside a steady flow of scare stories detailing its misuse and abuse. Current industry efforts to quell anxiety offer security as the panacea to public concerns. Encryption in turn becomes a matter of concern to those charged with state security. It also glosses, hides or at least renders opaque, a key threat to consumer or user privacy: the ability to ‘listen in’ and stop devices ‘saying’ too much about us.

The IoT further complicates the situation, reshaping the nature of data collection from an ‘active’ feature of human-computer interaction to a ‘passive’ one in which devices seamlessly communicate personal data to one another across computer networks. Insofar as encryption is seen as the panacea to privacy concerns, this gives rise to ‘walled gardens’ in which personal data is distributed to the cloud before it is made available to end-users. Encryption offers the consumer no guarantee that privacy will be protected then, as consumer data is still open to the kinds of industry abuses that we are all familiar with. Open IoT platforms, such as Samsung’s ARTIK, do not circumvent the problem either; they are only open to developers.

Security has been defined as a process to protect an object against physical damage, unauthorized access, theft, or loss, by maintaining high confidentiality and integrity of information about the object and making information about that object available whenever needed. According to Kizza2 there is no thing as the secure state of any object, tangible or not, because no such object can ever be in a perfectly secure state and still be useful. An object is secure if the process can maintain its maximum intrinsic value under different conditions. Security requirements in the IoT environment are not different from any other ICT systems. Therefore, ensuring IoT security requires maintaining the highest intrinsic value of both tangible objects (devices) and intangible ones (services, information and data).

This is not an objection to the IoT; clearly security is an important part of the privacy equation, though it is equally clear that more is required. There is need in particular to put the end-user into the flow of personal data; to make the parties about whom personal data is generated into active rather than passive participants in its distribution and use. The need to support personal data management is reflected in a broad range of legal, policy and industry initiatives.

Here issues of trust, accountability, and user empowerment are paramount. They speak not only to the obligations of ‘data controllers’ – the parties who are responsible for processing personal data and ensuring compliance with regulation and law - but seek to shift the locus of agency and control towards the consumer in an effort to transform the user from a passive ‘data subject’ into an active participant in the processing of personal data. That is, into someone who can exercise control and manage their data and privacy, and thus become an active player or participant in (rather than a passive victim of) the emerging data economy.

Since IoT does not concern objects only but also interrelations between objects and humans, there is a strong need to consider the philosophical, ethical, and legal issues of IoT cohabitation with humans. The ‘principle of informed consent’ is of utmost importance in contracts between IoT providers and IoT users/consumers. Users sign before using IoT devices and services contracts with ‘terms of use’ that typically most of them do not fully understand. Very often, these terms imply that users give companies broad rights to data collection, sharing, and use. Probably, if users had comprehended the risks and harms that these terms could cause, they never would have agreed and signed them. Thus, it is of primary importance to review the IoT and understand the limitations of protective legal and regulatory frameworks, in order to provide sound recommendations for maximizing good and minimizing harm.

Ankita Singh
B-Tech (CSE) LLB (Hons.)
Surana & Surana International Attorneys