The rapid rise of the Internet of Things (IoT) has begun to transform areas as diverse as connected cars, cooking, smart infrastructure, digital healthcare, agriculture, and industrial channels.
While each of these domains is sensitive and necessitates the rigorous application of Privacy/Security by Design, few areas are more private than the inner sanctum of one’s home, which is increasingly becoming “connected” in various ways.
Connected homes and technologies open new vulnerabilities and opportunities for cybercriminals worldwide.
The Rise of Connected Homes and Technologies
The exponential proliferation of IoT connected devices can be explained by the timely melding of various drivers and technological capabilities.
The prevalence of low-cost sensors, advanced and inexpensive cloud computing platforms, social media, “big data” analytics, and increased spectral efficiency of wireless technologies and networks have all expedited the creation of more interconnected devices.
Connected devices generate valuable user data that can be aggregated and sold to marketers and other businesses to provide insights about customers and prospects. This has made a consumer’s behavioral data from inside the home much more treasured.
First, the Worst Case Privacy Scenarios
The Potential for Creepiness
When in the home setting, people are at their most vulnerable. There may be children around, conversations are had that are not meant for public consumption, and generally one’s guard is relaxed in ways it might not be at work or in public. And so, the “creepiness factor” can be high.
This is no better reflected than in the chilling recent case of a man hacking a couple’s baby monitor to speak to a child in its bedroom and control the night-vision-enabled video camera inside.
Such a violation of privacy and decency highlights the fact that there will always be people who view connected devices as an attack vector ripe for exploitation.
Exploiting Connected Device Vulnerabilities
And, aside from the unsettling manipulation of baby monitors, outsiders will no doubt look for ways to compromise connected garage doors and locks in order to gain physical entry into a home, or to demand payment of a ransom before allowing the owner re-entry.
Moreover, even if a hacker does not wish to personally engage in further crimes first-hand, it is not hard to fathom a black market where IoT-related vulnerabilities for devices and individuals’ homes can be peddled.
Enter Voice and Facial Recognition
Voice, video and biometric capabilities are likewise becoming components of the smart home experience.
Google recently announced its plans to enter the voice-controlled virtual assistant market (a la Amazon’s Echo) with Google Home, which “becomes a hub to run a home network of Internet-connected devices that collect millions, if not billions, of pieces of data—frequently.”
Google Home enables two-way conversations, can interact with the Nest smart thermostat and will engage with other smart devices that, collectively, contain data indicating when someone is home or away, and information about an individual’s preferences and more.
The Good News: Privacy Practices Build Customer Trust
Although no device or service unequivocally can be made 100% safe and impregnable, there are ascertainable steps that any company can take to mitigate the risk of creepiness, third party exploitation and other smart home cybercrime.
As a threshold matter, companies must continually test and be aware of all of the data that a connected home device collects and transmits.
When this data is appropriately categorized, inventoried, and secured (encrypted and/or de-identified), and what information is shared with who (vendors, service processors, partners) over which networks is known, then companies can build in appropriate controls for security.
To categorize the data:
- Define whether it’s non-pII vs. PII vs. sensitive PII (personally identifiable information).
- Whether it’s actively vs. passively collected.
- And include the transmission medium as well as any persistent identifiers.
Ongoing monitoring throughout the lifecycle of a connected device, as well as accurate disclosures to consumers before and throughout usage of a product, are also requisites of building customer trust.
Open Questions at the Heart of the Connected Homes and Technologies
This relatively nascent frontier of monitoring about and within the home raises as yet unanswered issues for privacy-aware consumers and regulators. These include:
- What limits, if any, are needed around the granular profiling of individuals from combined IoT-device data collected on a single platform (including, e.g., protected health information or geolocation)?
- Should a special regulatory status be afforded to data collected in the home?
- Where do advertisers and marketers fit into the connected home landscape?
- How can meaningful notice and consent be provided in the IoT home setting?
- What of unknown or future secondary uses of connected home data?