Even More Reason to Boost Internet of Things Security: Feds Spying

As if there wasn’t already enough reason to make privacy and security your top IoT priority (see what I wrote earlier this week), now there’s more evidence Uncle Sam may be accessing your IoT data as part of its overall surveillance efforts (MEMO to NSA Director: we notice the lights at the Stephenson household went on precisely at sunset. Was that a signal to launch Operation Dreadful Winter?).

The Guardian reports that US. Director of National Intelligence James Clapper told the Senate:

“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”

Shades of former CIA Director David Petraeus, who I noted several years ago was also enamored of smart homes as the motherlode for snooping:

“‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,’ Petraeus enthused, ‘particularly to their effect on clandestine tradecraft.’ All those new online devices are a treasure trove of data if you’re a ‘person of interest’ to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the ‘smart home,’ you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance. ‘Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,’ Petraeus said, ‘the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.’ Petraeus allowed that these household spy devices ‘change our notions of secrecy’ and prompt a rethink of’ ‘our notions of identity and secrecy.’”

Yikes!

Gathering data on spies, terrorists and other malefactors is always such a double-edged sword: I’m generally in favor of it if there’s demonstrable, objective proof they should be under surveillance (hey, I went to school with uber-spy Aldrich Ames!) but if and when the NSA and CSA start hoovering up gigantic amounts of data on our homes — and, even more questionably, our bodies [though Quantified Self devices] then we’ve got to make certain that privacy and security protections are designed in and tough, and that there is some sort of effective civilian oversight to avoid gratuitous dragnets and trump(ooh, gotta retire that word from my vocabulary)ed up surveillance.

Big Brother is watching … your thermostat!

No Debate: Protecting Privacy and Security Is 1st Internet of Things Priority

This just in: your Internet of Things strategy will fail unless you make data privacy and security the absolute highest priority.

I didn’t always think that way.

Long-time readers know one of my favorite themes is what I call the IoT “Essential Truths,” the key priorities and attitudinal shifts that must be at the heart of all IoT strategies. I’ve always ranked privacy and security the last on the list:

  1. Share Data (instead of hoarding it, as in the past)
  2. Close the Loop (feed that data back so there are no loose ends, and devices become self-regulating:
  3. Redesign Products so they will contain sensors to feed back data about the products’ real-time status, and/or can now be marketed not as products that are simply sold, but services that both provide additional benefits to customers while also creating new revenue streams for the manufacturer.
  4. Make Privacy and Security the Highest Priority, because of the dangers to customers if personal or corporate data becomes available, and because loss of trust will undermine the IoT.

No longer.

I’ve reversed the order: privacy & security must be the precondition for anything else you do with the IoT, because their absence can undermine all your creativity.

      Newsweek article about Shodan

Newsweek article about Shodan

The specific incident that sparked this reordering of priorities was a recent spate of articles about how Shodan (in mid-2013 I blogged about the dangers of having IoT data show up there — did you pay attention??) — the “search engine for the Internet of Things” — had recently added a new feature that makes it easy-peasy to search unsecured webcams for video of everything from sleeping babies to marijuana farms. According to CNBC:

“‘Shodan has started to grab screenshots for various services where the existing text information didn’t provide much information,’ founder John Matherly wrote in an email. ‘This was launched in August 2015 and the various sources for screenshots have expanded since then — one of those recent additions is for webcams.'”

I’ve written before that I feel particularly strongly about this issue because, unlike engineers who are hell-bent on getting their IoT products and services to market ASAP and at as little cost as possible, I have an extensive background before my IoT days as a crisis management consultant to Fortune 100 companies that had screwed up big time, l0st public trust, and now had to earn it back. As a result, I see IoT privacy and security threats differently.

As I’ve said, a lot of engineers — as left-brained and analytical as I am right-brained and intuitive — simply don’t understand factors such as the fear parents feel when their sleeping babies can be seen anywhere and creeps can yell obscenities at them. After all, fear isn’t factual, its emotional. However, that can no longer be an excuse.

No more Mr. Nice Guy! you must make privacy and security a priority on the first day you brainstorm your new IoT product or service, or you risk losing everything.

As cyber-security expert Paul Roberts says:

“The Internet of Things means that the impact of cyber attacks will now be felt in the physical world and the cost of failing to security IoT endpoints could be measured in human lives, not simply zeroes and ones.
“Like any land grab, the rush to own a piece of the Internet of Things is chaotic and characterized by the trampling of more than a few treasured and valued principles: privacy, security, accountability. As companies clamor to develop the next Nest Thermostat or simply to whitewash aging gear with a web interface and companion mobile app, they’re conveniently forgetting the lessons of the past two decades.”
The key is “security by design.”As Gulio Corragio puts it:
“the principle of data protection by design requires data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. This should also include the responsibility for the products and services used by the controller or processor….
The benefits include:
  • “limit the risk that Internet of Things devices are deemed not compliant with privacy laws avoiding sanctions that under the new EU Privacy Regulation will reach 5% of the global turnover;
  • reducing the potential liabilities deriving from cybercrimes since data breaches have to be reported to privacy regulators only if the data controller is unable to prove to have adopted the security measures adequate to the data processing and
  • exclude liabilities in case of processing of data that are not necessary for the provision of the service also through the usage of anonymization techniques which is relevant especially for B2B suppliers that have no relationship with final users.”

Privacy and security are never-ending requirements for the IoT, because the threats will continue to evolve. Making it a priority from the beginning will reduce the challenge.


I’ll speak on this subject at SAP’s  IoT 2016 Conference, Feb. 16-19, in Las Vegas.

Live Blogging from the IoT Global Summit

Keynotes:
Came in on end of presentation by Rep. Suzan DelBene, D-WA, co-chair of the House IoT Caucus and an IT industry vet. Her litany of federal inaction in the face of rapidly-evolving 2015_IoT_Summittech — especially regarding privacy protections, where  the key law was enacted in 1986 — was really dispiriting, although it’s good to know there are some members of Congress who are aware of the issue and working on it.

EU Ambassador to the US, David O’Sullivan: the IoT is a “quantum leap” because of combining digital and physical world, and will have huge implications.  Europe has created single digital market. Major investments in IoT & funding research on it.  Very open research projects.  Key is breaking down barriers within the economy. They’re doing research on every aspect of IoT. Priority must be overcoming vertical silos, such as cars and health care. Must balance regulation and innovation. Security and privacy: working on a new set of protections.

Dean Brenner, SVP for Gov. Affairs, Qualcomm: everything will need some form of connectivity. Will need new connectivity paradigm. 4G LTE gives solid foundation for cellular IoT growth.  5G will be fully-deployed by 2020.

Dr. Rakesh Kushwaha, Mformation (hmmm?) Business Leader, Alcatel-Lucent: securing IoT devices. Tech & standards that are already in place to secure mobile devices can be model for I0T devices: they worked with whole range of devices. Fundamental principle of the security: securely update through device/firmware update package.   Only about 40% of IoT will be cellular-based.  Alcatel securing vehicle-mounted devices using FW/SW updates. They will launch a project called IoT Connect.

Session 2: Security for the IoT

Dean Garfield, president & CEO, Information Technology Industry Council: think of security as a design feature, not afterthought. Have to think of it in global sense (including between vertical silos). Chinese government security demands are actually counterproductive. Security can be a differentiating feature.

Joseph Lorenzo-Hall, chief technologist, Center for Democracy and Technology: “IoT Spectrum of Insanity” — such as #IoT door locks, require protections be built in. Security by design. He thinks privacy is a bigger factor than security.

Stephen Pattison, vp of Public Affairs, ARM. Hacker only has to get it right once. You have to get it right every time!  Sensors will have to be very cheap ($5 or less), which will require real creativity.  Security will drive acceptability of IoT. Security breaches will be a major risk for IoT companies.

Chris Boyer, asst. vp, Global Public Policy, AT&T: different security concerns in each vertical domain. Functional classification determines the risk (for example, some affect interruption on critical infrastructure, or life risk). Virtualize security around the end device. Industry activities: application layers, service layer, network layer, access technologies. Looking 4 acceptable risk management levels.

Rory Gray, global head of sales, Intercede: “need world of trusted digital identities.” “Identity is the new currency.”

Government procurement standards may drive privacy and security by design.

Adam Thierer: are we overestimating how much people really care about IoT security (vs. the “cool” factor??).

Afternoon Privacy Panel:

Gary Shapiro, president & CEO, CSA: he disagrees that you should HAVE to give permission to have your info shared: cites all the benefits of sharing data. Thinks we went overboard with HIPPA & privacy. Announcing agreement on guiding principles for sharing health info from #QS devices. A sense that products will be unwelcomed if they create privacy or security issues: example of an Intel engineer who has vision problems. On a personal basis, his mother had terrible time with Alzheimer’s: he’s upset he won’t have access to a Google face recognition technology.

Rob Atkinson, president, Information Technology and Innovation Foundation: “privacy fundamentalists” argue really heavy regulation is way to protect privacy.  BUT, no empirical studies underlying that. Pew survey showed few people believe their landline or credit card data will be private, YET almost everyone uses credit cards or phones: i.e., no correlation between people’s belief in privacy of various technologies and their actual use of the technology.  Overly stringent privacy regulations will reduce their availability. Much of real value of IoT data is from secondary use of the data, which would be undermined by tough regulation. Way too early to put regulatory regime into place for IoT: too early.

Maneesha Mithal, assoc. director, Division of Privacy & Identity Protection, Bureau of Consumer Protection, FTC: two fairly controversial aspects of their 2013 workshop: minimizing data collection debate — said you shouldn’t collect all sorts of data forever, BUT, perhaps collect less sensitive data if they could still derive value. Second issue was “notice and choice.” Tried a middle ground: room for notice and choice,  Discussion of regulation: middle ground on regulation: shouldn’t have specific IoT regulation, but should have general, baseline privacy and security protections. We don’t bring “gotcha cases.”  Could have program that would provide incentives for self-regulation.

Gilad Rosner, Founder, Internet of Things Privacy Forum:  “notice & choice” has been the default privacy & security approach for Internet, but it “fundamentally places the burden of privacy protection on the individual.” A presidential group said the responsibility should rest with the provider, not the user.  Hallmark of a civil society is being regulated.

Day Two:

smart health panel:

You can access my “Smart Aging” presentation on Slide Share.

Peter Ohnemus of dacadoo, a Swiss company, gave an overview of IoT and healthcare and talked briefly about his company’s Health Score, a 0-1000 score assigned to participating individuals based on their real-time scores on factors including movement, nutrition, sleep and stress.

Chantal Worzala of the American Hospital Association gave an overview of issues such as information interoperability and new wellness incentives.

Robert Jarrin, senior director of gov. affairs for Qualcomm, talked about some of the policy issues. FDA now has dedicated staff for electronic devices, and they are now not requiring regulatory compliance for some basic devices.

Smart Home panel:

Hmm. Little actual focus on smart homes in this one…

Cees Links, ceo, Green Peak Technologies: they are a chip manufacturer, “wireless plumbers.” Shipped 1M Zigbee chips. “IoT is not about things, it’s about services.” “Smart Home should be called a butler.” Confusion about IoT standards: thinks ZigBee & Bluetooth will survive, proprietary standards won’t.

Ilkka Lakaniemi, chair, European Commission’s Future Internet Public-Private Partnership Program: working on smart cities strategies, esp. ones that are scalable. Working with NIST on common standards for the demo grants in US & EU. 61 cities involved.

Tobin Richardson, president & ceo, ZigBee Alliance. ZigBee, wi-fi & Bluetooth will form basis of a stable ecosystem. Dollar chip is the goal, getting there quickly.

Paul Feenstra, sr. vp of government & external affairs, The Intelligent Transport Society of America: evolution over last 5 years from car focus to a really varied multi-modal transportation industry. Shocking how we accept the high death rate & congestion on highways. 80% of crashes could be avoided by connected cars.

Business Models for the IoT:

Ana Sancho, Libellium: they manufacture sensor networks for the IoT. Solve problems from smart cities to agriculture & water resources. More than 90 different sensors. They just see very early testing the water with IoT on part of their clients: not widescale implementation.

 

 

 

 

 

 

 

I’ll Speak Twice at Internet of Things Global Summit Next Week

I always love the Internet of Things Global Summit in DC because it’s the only IoT conference I know of that places equal emphasis on both IoT technology and public policy, especially on issues such as security and privacy.

At this year’s conference, on the  26th and 27th, I’ll speak twice, on “Smart Aging” and on the IoT in retailing.

2015_IoT_SummitIn the past, the event was used to launch major IoT regulatory initiatives by the FTC, the only branch of the federal government that seems to really take the IoT seriously, and understand the need to protect personal privacy and security. My other fav component of last year’s summit was Camgian’s introduction of its Egburt, which combines “fog computing,” to analyze IoT data at “the edge,” and low power consumption. Camgian’s Gary Butler will be on the retail panel with me and with Rob van Kranenburg, one of the IoT’s real thought leaders.

This year’s program again combines a heady mix of IoT innovations and regulatory concerns. Some of the topics are:

  • The Internet of Things in Financial Services and the Insurance sector (panel includes my buddy Chris Rezendes of INEX).
  • Monetizing the Internet of Things and a look at what the new business models will be
  • The Connected Car
  • Connected living – at home and in the city
  • IoT as an enabler for industrial growth and competition
  • Privacy in a Connected World – a continuing balancing act

The speakers are a great cross-section of technology and policy leaders.

There’s still time to register.  Hope to see you there!

 

 

Free Citywide IoT Data Networks Will Catapult IoT Spread to Hyperspeed!

One of the truly exciting things about viral digital phenomena is how rapidly they can take hold, outstripping the slow, methodical spread of innovations in the pre-digital era.  I suspect we may be on the verge of that happening again, with an unlikely impetus: the crowdsourced global movement to create free citywide IoT data networks.

We’re been there before, with the movement to open real-time public access to city data bases, beginning when CTO (and later US CIO) Vivek Kundra did it in DC in 2008, then sponsored the Apps for Democracy competition to spark creation of open-source apps using the data (bear in mind this was at a time when you had to explain to many people what an “app” was, since they, and smart phones, were so new).  From the beginning, Kundra insisted that the apps be open source, so that hackers in other cities could copy and improve on them, as they have — worldwide.

I was doing consulting for him at the time, and remember how incredibly electric the early days of the open data movement were — it inspired my book Data Dynamite, and led to similar efforts in cities worldwide, which in turn set the stage for the “smart city” movement as the IoT emerged.

As detailed in my last post, we’re now launching a crowdsourced campaign to make Boston the first US city, and second worldwide (following Amsterdam) to have a free citywide IoT data network — and plan to up the ante by setting of goal to cover the neighborhoods too — not just the downtown.

The Things Network guys plan to build on their accomplishments, announcing this week that they will advise similar crowdfunded networks on five continents (including our Boston project). They place a major emphasis on grassroots development, to avoid subscription-based infrastructures that could be controlled from above and which would limit l0w-cost innovations, especially on the neighborhood scale.  According to founder Wienke Giezeman:

““If we leave this task up to big telcos, a subscription model will be enforced and we will exclude 99% of the cool use cases. Instead, let’s make it a publicly owned and free network so businesses and use cases will flourish on top of it.”

I’ve been a fan of mesh networks back to my days doing disaster and terrorism because they’re self-organizing and aren’t vulnerable because there isn’t a single point of failure. But it’s as much philosophical as technological, because you don’t have to wait for some massive central authority to install the entire system: it evolves through the decisions of individuals (we’re already finding that in Boston: it turns out that our system will be able to tap a number of LoRaWAN gateways that several companies had already installed for their own uses!) The Amsterdam guys share that perspective. Tech lead Johan Stokking says:

“We make sure the network is always controlled by its users and it cannot break at a single point. This is embedded in our network architecture and in our governance.”

Takes me back to my callow youth in the 6o’s: let a thousand apps bloom! (and, BTW, the great Kevin Kelly made this point in his wonderful Out of Control, back in the mid 90’s, especially with his New Rules for the New Economy (I’m going to take the liberty of posting all the rules here, because they are so important, especially now that we have technology such as LoRaWAN that foster them!):

1) Embrace the Swarm. As power flows away from the center, the competitive advantage belongs to those who learn how to embrace decentralized points of control.

2) Increasing Returns. As the number of connections between people and things add up, the consequences of those connections multiply out even faster, so that initial successes aren’t self-limiting, but self-feeding.

3) Plentitude, Not Scarcity. As manufacturing techniques perfect the art of making copies plentiful, value is carried by abundance, rather than scarcity, inverting traditional business propositions.

4) Follow the Free. As resource scarcity gives way to abundance, generosity begets wealth. Following the free rehearses the inevitable fall of prices, and takes advantage of the only true scarcity: human attention.

5) Feed the Web First. As networks entangle all commerce, a firm’s primary focus shifts from maximizing the firm’s value to maximizing the network’s value. Unless the net survives, the firm perishes.

6) Let Go at the Top. As innovation accelerates, abandoning the highly successful in order to escape from its eventual obsolescence becomes the most difficult and yet most essential task.

7) From Places to Spaces. As physical proximity (place) is replaced by multiple interactions with anything, anytime, anywhere (space), the opportunities for intermediaries, middlemen, and mid-size niches expand greatly.

8) No Harmony, All Flux. As turbulence and instability become the norm in business, the most effective survival stance is a constant but highly selective disruption that we call innovation.

9) Relationship Tech. As the soft trumps the hard, the most powerful technologies are those that enhance, amplify, extend, augment, distill, recall, expand, and develop soft relationships of all types.

10) Opportunities Before Efficiencies. As fortunes are made by training machines to be ever more efficient, there is yet far greater wealth to be had by unleashing the inefficient discovery and creation of new opportunities.”

If you really want to exploit the IoT’s full potential, you gotta read the whole book.

Equally important, the Obama Administration announced it will boost smart city app development with a new $160 million smart cities initiative:

“Among the initiative’s goals are helping local communities tackle key challenge such as reducing traffic congestion, fighting crime, fostering economic growth, managing the effects of a changing climate, and improving the delivery of city services. As part of the initiative, the National Science Foundation will make more than $35 million in new grants and the National Institute of Standards and Technology will invest more than $10 million to help build a research infrastructure to develop applications and technology that ‘smart cities’ can use.”

The LoRaWan gateways used in the Amsterdam project are already low cost: only 10 of the $1,200 units covered the downtown area. However, The Things Network hopes to crowdsource an even cheaper, $200 version through a Kickstarter campaign.  If that happens, even small cities will be able to have their own free citywide IoT data networks, and when that happens, I’m confident the IoT will shift into hyperdrive worldwide!

Are you on board?


 

Oh yeah, did you say what about the risks of privacy and security violations with such a large and open system? The Amsterdam lads have thought of that as well, reaching out to Deloitte from the get-go to design in security:

“To make this initiative grow exponentially, we have to take cyber security and privacy into account from the start of the development. Therefore, we have partnered with Deloitte, who is not only contributing to the network with a Gateway, but will also be the advisor on the security and privacy of the network.

“’We translate technology developments in the field of Digital, Data and Cyber Security into opportunities and solutions for our clients. We are therefore happy to support the Things Network as Security & Privacy advisor’ Marko van Zwam, Head of Deloitte Cyber Risk Services.”

Deloitte provides process for nuanced IoT strategy decisions

So much of the Internet of Things is still in the gee-whiz stage that we haven’t seen much in terms of nuanced IoT strategies. By that I mean ones that carefully weigh tradeoffs between companies and consumers to try to find strategies that are mutually beneficial and recognize there are new factors at play in IoT strategies, such as privacy and data mining, that may have positive or negative consequences for the customer/company interplay.

Deloitte’s “University” has made an important step in that direction with its “Power Struggle: Customers, companies and the Internet of Things” paper, co-authored by Brenna Sniderman and Michael E. Raynor.

In it, they explore how to create sustainable strategies that will be mutually beneficial to the customer and company — which are not always immediately apparent, especially when you explore the subtleties of how these strategies might play out in the new reality of the Internet of Things.

The study’s goal was to understand the factors that can distort IoT’s benefits, and instead create win-win IoT strategies.

Sniderman and Raynor suggest there are four quadrants into which a given strategy might fall:

  1. (the sweet spot!) “All’s well: Sufficient value is created, and that value is shared between customers and companies sufficiently equitably such that both parties are better off and feel fairly treated.
  2. “Hobson’s choice: A Hobson’s choice exists when you’re free to decide but only one option exists; thus, it is really no choice at all…. Even when customers come out ahead compared with their former options, their implied powerlessness can lead to feelings of unfairness.
  3. “Gridlock: In their quest for value capture, both sides are pulled in opposite directions, with neither able to move toward an optimal outcome. Here, both parties recognize IoT enablement as something that should lead to success, but neither party is able to reach it, since their competing interests or different value drivers are working at cross purposes.
  4. “Customer is king: Although particular IoT deployments might make economic sense for companies, customers end up capturing a disproportionate share of the new value created, pulling this outcome more in the customers’ favor; Craigslist is an obvious example.”

According to the authors, a key to finding the win-win, “all’s well” solution is the Information Value Loop (which I first discussed last Spring) that creates value out of the vast increase in information made possible by the IoT.

As I mentioned then, “This fits nicely with one of my IoT ‘Essential Truths,’ that we need to turn linear information flows into cyclical ones to fully capitalize on the IoT.” When you do that, it’s possible to design continuous improvement processes that feed back data from actual users to fine tune products and processes.  GE has found it leads to much shorter iterative loops to design improved versions of its products.

Here’s the gussied-up version of the cool hand-drawn visualization from the Deloitte brainstorming session that led to the Information Value Loop (print it & place it on your wall next to the one on privacy and security that I wrote about a while ago):

Deloitte Information Value Loop

The information no longer flows in linear fashion: it’s created from using sensors to record how things act in the real world, then goes through the various stages of the loop, each of which is made possible by one of the new technologies enabling the IoT.  The goal is either enhanced M2M integration among things, or improved actions by humans, and, to be sustainable over time:

“A value loop is sustainable when both parties capture sufficient value, in ways that respect important non-financial sensibilities. For example, retailer-specific and independent shopping apps can use past browsing and purchasing history—along with other behaviors—to suggest targeted products to particular customers, rather than showing everyone the same generic products, as on a store shelf. Customers get what they want, and companies sell more.

…  “The amount of value created by information passing through the loop is a function of the value drivers identified in the middle. Falling into three generic categories—magnitude, risk, and time—the specific drivers listed are not exhaustive but only illustrative. Different applications will benefit from an emphasis on different drivers.”

OK, so how does this theory play out?

Sniderman and Raynor picked a range of IoT-informed strategies to illustrate the concept, some of which may include unintended consequences that would harm/turn off customers or companies. For example, “An ill-considered push for competitive advantage could well overreach and drive away skittish customers. Alternatively, building too dominant an advantage may leave customers feeling exploited or coerced, a position unlikely to prove viable in the long term.”

Understanding the underlying structure of each type of loop is critical, because they naturally pull an IoT strategy in a particular, divergent way.

The example they pick to illustrate the “all’s well” quadrant of results is the dramatic increase in built-in diagnostic technology in cars.  This is of great personal interest: genetic testing has revealed that I am one of the approximately 10% of men who are missing the male car gene: I can’t stand the things, and view them as a big block of metal and plastic just waiting to develop problems (or, ahem, get hit by deer …), so I need all the help I can get. Sniderman and Raynor zero in on maintenance as one area for win-win benefits for drivers and dealers through the IoT:

“Customers often have little understanding of which repairs are necessary, feel inconvenienced by having to go without their car during maintenance periods, and are frustrated by potential overcharges. In response, automakers are embedding sensors that can run a wide range of reliable diagnostics, allowing a car to “self-identify” service issues, rather than relying on customers (“Where’s that squeaking coming from?”) or mechanics (“You might want to replace those brake pads, since I’ve already got the wheels off”). This creates a level of objectivity of obvious customer value and enables automakers to differentiate their products. Interactive features that work with customers’ information can further add value by, for example, potentially syncing with an owner’s calendar to schedule a dealership appointment at a convenient time and reserving a loaner vehicle for the customer, pre-programmed with his preferences to minimize the frustration of driving an unfamiliar car.

In this scenario, both parties collaborate to provide and act on data, in a mutual exchange of value. The customer captures value in multiple ways: He enjoys increased convenience and decreased frustration, improved vehicle performance and longer operating life, reduced maintenance charges, and—since almost everything about this interaction is automated—fewer occasions for perceived exploitation at the hands of unscrupulous service providers.

Value capture extends to companies in the form of ongoing customer interaction. Linking maintenance programming to the dealership encourages customers to return for tune-ups rather than go elsewhere, ideally leading to continued purchases in the long term. OEMs can also access data regarding vehicle maintenance issues and may be able to identify systematic malfunctions worthy of greater attention. Dealers also have an opportunity to make inroads into an untapped market: Currently, just 30 percent of drivers use the dealer for routine maintenance…”

Kumbaya! But then there’s the opposite extreme, according to Sniderman and Raynor, represented by smart home devices, which would lead to the lose-lose, gridlock scenario.  I think they seriously underestimate the understanding already by manufacturers in the field that they need to embrace open standards in order to avoid a range of competing standards (Zigbee, Bluetooth, etc.) that will force consumers to invest in a variety of proprietary, incompatible hubs, and therefore discourage them from buying anything at all.  All you have to do is look at new hubs, such as Amazon’s Echo, which can control devices from WeMo, Hue, Quirky, Wink — you name ’em, to realize that sharing data is already the norm with smart home devices.

Because this missive is getting long, I’ll leave it to you, dear reader, to investigate Sniderman & Raynor’s examples of the “customer is king” scenario, in which the customer grabs too much of the benefit (have to admit, a lot of the location-based IoT retail incentives still give me the creeps: I hate shopping under the best of circumstances, and having something pop up on my phone offering me an incentive based on my past purchases makes a bad experience even worse. How about you?); and the “Hobson’s choice” one, in which usage-based car insurance runs amok and insurers begin to charge unsafe drivers a surcharge — as documented by the devices such as Progressive’s “Snapshot” (I was dismayed to read in the article that Progressive is in fact doing that in Missouri, although I guess it’s a logical consequence of having objective evidence that someone consistently drives unsafely).

I can’t help thinking that the 800-pound gorilla in the room in many of these situations are the Scylla and Charybdis of the IoT, threats to privacy and security, and that makes it even more important that your IoT strategies are well thought out.

They conclude that, from my perspective, data isn’t just enough, you also need the decidedly non-technical tools of judgment and wisdom (aided by tools such as their Information Value Loop) to come up with a sustainable, mutually advantageous IoT strategy:

“Identifying where the bottlenecks lie (using the Information Value Loop), how each party is motivated to respond, and seeking to shape both incentives and the value loop itself puts companies more in control of their destinies.

“Second, taking a hard look at who benefits most from each IoT-enabled transaction, understanding when a lopsided value-capture outcome tips too far and becomes unsustainable, and taking steps to correct it may also lead to long-term success.

“Lastly, an honest assessment of where IoT investments may not have an appreciable benefit—or may decrease one’s potential for value capture—is just as crucial to a company’s IoT strategy as knowing the right places to invest.”

I may quibble with some of their findings, such as those about smart homes, but bravo to Sniderman and Raynor for beginning what I hope is a spirited and sustained dialogue about how to create sustainable, mutually-advantageous IoT strategies!  I’ve weighed in with my Essential Truths, but what are you thinking about this critical issue, often overlooked in our concentration on IoT technologies? 

Give It Up, People: Government Regulation of IoT Is Vital

Could this be the incident that finally gets everyone in the IoT industry to — as I’ve said repeatedly in the past — make privacy and security Job 1 — and to drop the lobbying groups’ argument that government regulation isn’t needed? 

I hope so, because the IoT’s future is at stake, and, frankly, not enough companies get it.

I’m referring to the Chrysler recall last week of 1.4 million Jeeps for a security patch after WIRED reported on an experiment in which two white-hat hackers remotely disabled a Jeep on an Interstate from miles away, exploiting a vulnerable link between its entertainment and control systems.  Put yourself in the place of reporter Andy Greenberg, then tell me with a straight face that you wouldn’t be out of your mind if this happened to you:

“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

“You’re doomed!” Valasek [one of the hackers] shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.”

OK: calm down, get a cool drink, and, when your Apple Watch says your heart beat has returned to normal, read on….

But, dear reader, our industry’s leaders, assumedly knowing the well-publicized specifics of the Chrysler attack, had the hubris to still speak at a hearing of the Internet Subcommittee of the House of Representatives Judiciary Committee last week and claim (according to CIO) that that government regulation of the IoT industry wasn’t needed.

CEA CEO Gary Shapiro said in calling for government “restraint”:

“It’s up to manufacturers and service providers to make good decisions about privacy and security, or they will fail in the marketplace….. Industry-driven solutions are best to promote innovation while protecting consumers.”

Sorry, Gary: if someone dies because their Jeep got spoofed, the survivors’ attorneys won’t be content with the company’s failure in the marketplace.

There are some important collaborative efforts to create privacy and security standards for the IoT, such as the AllSeen Alliance. However, as I’ve written before, there are also too many startups who defer building in privacy and security protections until they’ve solved their technology needs, and others, most famously TRENDnet, who don’t do anything at all, resulting in a big FTC fine.  There are simply too many examples of hackers using the Shodan site to hack into devices, not to mention academics and others who’ve showed security flaws that might even kill you if exploited.

One local IoT leader, Paddy Srinivasan of LoMein, gets it, as reported today by the Boston Globe‘s Hiawatha Bray:

“‘I think it is a seminal moment…. These new devices need a fresh approach and a new way of thinking about security, and that is the missing piece.'”

But it’s too late to just talk about self-policing.

Massachusetts’ own Ed Markey and his Connecticut counterpart, Richard Blumenthal, have called the associations’ bluff, and filed legislation, The Security and Privacy in Your Car Act (AKA SPY Car, LOL)  that would require the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy. It would also create a rating system — or “cyber dashboard”— telling drivers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards. This comes in the wake of the Markey study I reported on last Winter documenting car companies’ failure to build in adequate cyber-hacking protections.

Guess what, folks?  This is only the beginning.  Probably the only thing I’ve ever agreed with Dick Cheney on (ok, we agree it’s cool to have been born in Wyoming and that Lynne Cheney is a great writer), is that it wouldn’t be cool for the Veep to have his pacemaker hacked, so you can bet there will be legislation and regulations soon governing privacy and security for wearables as well.

As I’ve said before, I come at this issue differently from a lot of engineers, having earned my keep for many years doing crisis management for Fortune 100 companies that bet the farm by doing dumb things that could destroy public trust in them overnight. Once lost, that trust is difficult, if not impossible, to regain.  Even worse, in this case, cavalier attitudes by even one IoT company, if the shock value of the results is great enough, could make everyone in the industry suffer.

So, if you’re arguing for no regulation of the IoT industry, I have just one suggestion: shut up,clean up your act and take a positive role in shaping regulations that would be performance-based, not prescriptive: the horse has already left the barn.

Now I have to check my Apple Watch to see when my heart rate will get back to normal.

 

Every IoT office needs this graphic on privacy and security

Long-time readers know that I frequently rant that privacy and security are Job 1 when it comes to the IoT.  

No apologies: it’s because I spent many years in corporate crisis management, and I learned the hard way that public trust is hard to earn, easy to lose, and, once lost, difficult or impossible to regain.

That’s why I was so glad to see this really informative, attractive, and scary infographic from Zora Lopez at Computer Science Zone, because it lays everything out so vividly.  Among the key points:

  1. (seen this before, but it still astounds me) In 2011, 20 typical households generated as much data as the entire Internet did as recently as 2008.
  2. the number of really-large (on scale of e-Bay, Target, etc.) data thefts grow annually.
  3. the bad guys particularly go after extremely sensitive data such as health, identity and financial.

It concludes with a particularly sobering reminder (you may remember my comment on the enthusiastic guys who presented at Wearables + Things and cheerfully commented that they would eventually get around to privacy and security — NOT!):

The barrier to entry in tech has never been lower, leaving many new organizations to later grapple with unsatisfactory security.” (my emphasis)

So: print a copy of the following for every employee and new hire, and put it on the cube’s wall immediately (here’s the original URL: http://www.computersciencezone.org/wp-content/uploads/2015/04/Security-and-the-Internet-of-Things.jpg#sthash.c6u2POMr.dpuf)

IoT Privacy and Security, from Computer Science Zone

Sensors remain critical to spread of Internet of Things

What happens with sensor design, cost, and security remains front-and-center with the Internet of Things, no matter how much we focus on advanced analytical tools and the growing power of mobile devices.

That’s because, on one hand, truly realizing the IoT’s full potential will require that at least some sensors get to the low-power, tiny size and cheap costs needed to realize Kris Pister’s dream of “smart dust” sensors that can be strewn widely.

On the other hand, there’s the chance that low-end sensors that don’t include adequate security firmware can’t keep up with the changing nature of security risks and may give hackers access to the entire network, with potentially disastrous effects.

That’s why several reports on sensors caught my eye.

PWC released a report, Sensing the Future of the Internet of Things, zeroing in on sensor sales as a proxy for increased corporate investment in the IoT, and concluding that by that measure, “the IoT movement is underway.” Based on its 2014 survey of 1,500 business and technology leaders worldwide, there was one eye-popping finding: the US lags behind the entire rest of the world in planned spending on sensors this year: 26% of Asian and almost as many from South America (percentage not given)  followed closely by Africa, with 18%.  The surprising laggards? Europe with 8% and North America, dead last at only 7%.  Hello?????

Equally interesting was the company’s listing of the industry segments leading the deployment of sensors and examples of the sensors they’re using:

  • Energy & Mining: 33%. “Sensors continuously monitor and detect dangerous carbon monoxide levels in mines to improve workplace safety.”
  • Power and Utilities: 32%.  Instead of the old one-way metering, “Internet-connected smart meters measure power usage every 15 minutes and provide feedback to the power consumer, sometimes automatically adjusting the system’s parameters.”
  • Automotive: 31%.  “Sensors and beacons embedded in the road working together with car-based sensors are used for hands-free driving, traffic pattern optimization and accident avoidance.”
  • Industrial: 25%. “A manufacturing plant distributes plant monitoring and optimization tasks across several remote, interconnected control points. Specialists once needed to maintain, service and optimize distributed plant operations are no longer required to be physically present at the plant location, providing economies of scale.”
  • Hospitality: 22%. “Electronic doorbells silently scan hotel rooms with infrared sensors to detect body heat, so the staff can clean when guests have left the room.”
  • Health Care: 20%. “EKG sensors work together with patients’ smartphones to monitor and transmit patient physical environment and vital signs to a central cloud-based system.”
  • Retail: 20%. “Product and shelf sensors collect data throughout the entire supply chain—from dock to shelf. Predictive analytics applications process this data and optimize the supply chain.”
  • Entertainment: 18%. “In the gaming world, companies use tracking sensors to transfer the movements of users onto the screen and into the action.”
  • Technology: 17%. “Hardware manufacturers continue to innovate by embedding sensors to measure performance and predict maintenance needs before they happen.”
  • Financial Services: 13%. “Telematics allows devices installed in the car to transmit data to drivers and insurers. Applications like stolen vehicle recovery, automatic crash notification, and vehicle data recording can minimize both direct and indirect costs while providing effective risk management.”

The surprises there were that health care penetration was so low, especially because m-health can be so helpful in diagnosis and treatment, while the examples of telematics seemed off the mark in the financial services category. Why not examples such as ApplePay?

More compelling were the relatively high rates of sensor deployment in high-stakes fields such as energy, utilities, and automotive: those are such huge industries, and the benefits of real-time data are so compelling that they show the IoT is really maturing.

Finally, the percentage of companies investing in sensors grew slightly, from 17% to 20%, with 25%of what PWC labels “Top Performers” are investing in them compared to 18% the previous year. Surprisingly, most companies don’t get it about sensors’ importance: only “14% of respondents said sensors would be of the highest strategic importance to their organizations in the next 3–5 years, as compared to other emerging technologies.”

Most important, 54% of those “Top Performers” said they’d invest in sensors this year.


 

Sensors’ promise as the size decreases — radically — and functionality increases was highlighted by The Guardian.  It focused on PragmaticIC Printing, a British firm that prints tiny, hairlike sensors on plastics. CEO Scott White’s hope is that:

” the ultra-thin microcircuits will soon feature on wine bottles to tell when a Chablis is at the perfect temperature and on medication blister packs to alert a doctor if an elderly patient has not taken their pills.

“With something which is slimmer than a human hair and very flexible, you can embed that in objects in a way that is not apparent to the user until it is called upon to do something. But also the cost is dramatically lower than with conventional silicon so it allows it to be put in products and packaging that would never justify the cost of a piece of normal electronics,” said White.

 

These uses certainly meet my test of real innovation: what can you do that you couldn’t do before. Or, as White puts it, “It is the combination of those factors [price and size] which allows us to start thinking about doing things with this which wouldn’t even be conceivable with conventional silicon based electronics.”

Another article that really caught my eye regarded a new category of “hearable” — and perhaps even, more radically, “disappearables” –sensors which the headline boldly predicted “As Sensors Shrink, Wearables Will Dis-appear.” But they were barely here in the first place, LOL!  The article mentioned significant breakthroughs in reducing sensors’ size and energy requirements, as well as harvesting ambient energy produced by sources such as bodily movement:

“Andrew Sheehy of Generator Research calculates that, for example, the heat in a human eyeball could power a 5 milliwatt transmitter – more than enough, he says, to power a connection from a smart contact lens to a smartphone or other controlling device.”

 The same article mentioned some cutting-edge research such as a Google/Novartis collaboration to measure glucose levels in tears via a contact lense, and an edible embedded microchip — the size of a grain of sand — and powered by stomach juices, which would transmit data by Bluetooth.
Elsewhere, a sampling of sensor design breakthroughs in recent months show the potential for radical reductions in costs and energy needs as well as increased sensitivity and data yield:

HOWEVER, as I said above, here’s what worries me. Are developers paying enough attention to security and privacy? That could be a real downfall for the IoT, since many sensors tend to be in place for years, and the nature of security challenges can change dramatically during that time.  Reducing price can’t be at the expense of security.

Let me know what steps you’re taking to boost sensor security, and I’ll mention them in a future post!

Smart Cities: opportunity … and danger if security isn’t a priority

Smart cities are one of the Internet of Things’ most promising areas — as well as one of the most potentially dangerous.

As this list of smart city initiatives shows, The IoT can reduce energy consumption, cut operating costs, and improve the quality of life. However, if hacked, it could also potentially paralyze an entire city and plunge it into darkness and/or create traffic gridlock.

As in so many other IoT areas, which scenario wins out will rest increasingly on making security and privacy in smart cities an absolute priority from Day 1, not an afterthought.

A recent New York Times article brings the issue to the foreground again, through the work of Cesar Cerrudo, an Argentine security researcher and chief technology officer at IOActive Labs, who showed what happens when idiots (so sue me…) decide not to make security a priority:

” (he) demonstrated how 200,000 traffic control sensors installed in major hubs like Washington; New York; New Jersey; San Francisco; Seattle; Lyon, France; and Melbourne, Australia, were vulnerable to attack. Mr. Cerrudo showed how information coming from these sensors could be intercepted from 1,500 feet away — or even by drone — because one company had failed to encrypt its traffic.

“Just last Saturday, Mr. Cerrudo tested the same traffic sensors in San Francisco and found that, one year later, they were still not encrypted.”

Even worse, Cerrudo found the same failure to bake in obvious security measures such as encryption in a wide range of other smart city devices and software.

The article goes on to cite a variety of very real cybersecurity threats to cities and critical infrastructure (don’t forget that about 85% of the nation’s critical infrastructure is in private ownership) including a break-in at a utility’s control network by a “sophisticated threat actor” that just guessed a password.

Among the measures Cerrudo suggests that cities take to reduce their vulnerability:

  • think of cities “as vast attack surfaces that require security protection just as a corporate network might.”
  • encrypt data, use strong passwords, and patch security holes
  • create computer emergency response teams (CERTs), for rapid response
  • restrict data access and monitor who does have it.
  • “Finally, he suggests that cities prepare for the worst, as they would for a natural disaster.”

He concluded:

“When we see that the data that feeds smart city systems is blindly trusted and can be easily manipulated — that the systems can be easily hacked and there are security problems everywhere — that is when smart cities become dumb cities.” (my emphasis)

Let me be blunt about it: whether in smart cities or any other aspect of the Internet of Things, if your attitude is “we’ll get around to security” after concentrating on product development, you’re irresponsible and deserve to fail — before your irresponsibility harms others.


BTW, here’s a great way for you to have a role in shaping tomorrow’s smart cities. IBM (who would have thunk it?  I suspect this is reflects Ginni Rometty’s change in direction and attitude at the top) has created People for Smarter Cities, a new site to crowdsource ideas for how to make cities smarter. It’s a great example of democratizing innovation, one of my IoT Essential Truths. I plan to contribute and hope you will as well!

http://www.stephensonstrategies.com/">Stephenson blogs on Internet of Things Internet of Things strategy, breakthroughs and management