More evidence U.S. lags dangerously behind EU on IoT privacy

There’s new confirmation that the U.S. remains dangerously behind the European Union on the twin issues of Internet of Things privacy and security. As I’ve warned before, especially in the context of the continued outrage over the NSA surveillance, if these issues aren’t solved collaboratively by the private sector and government, they threaten to derail the IoT express.

In her Stanford Masters thesis, I believe Mailyn (sic) Fidler accurately summarizes the US’s stance:

“The IoT in the United States is characterized by late but strong entry of companies to the market and by recent, but minimal, interest from the federal government. Specifically, the federal government views the IoT largely as part of the ongoing privacy and security discussion in Washington, D.C. Complicating analysis of the IoT in the United States is that the “Internet of Things” is not a generally recognized term. In the U.S., the IoT is viewed as a natural evolution of American innovation rather than as a unique field.”

Fidler contrasts this lack of concern by the government to the EU, which, while also viewing IoT privacy in the broader context of general privacy policy, has made IoT personal privacy and security a priority (more about that in a future post about the “Butler Project” report):

“The IoT has been a political priority for the European Union. Even with the recent recession, interest and funding in IoT enterprises has not slowed, and the EU has invested 70 million Euros in at least 50 research projects since 2008. In addition to the EU’s hopes that the IoT will bring economic benefits, particularly to small businesses and public institutions, the EU’s interest in the IoT reflects its concerns about who controls emerging technologies. Indeed, EU officials have stated an ambition to build an IoT ‘that will bring about clear advantages for Europe.’

However, despite the EU’s investments, a lack of legislative clarity, slow technical progress, and pressure from international strategic interactions threaten to slow EU efforts to develop a globally competitive, European-centric IoT.

The EU considers privacy a societal priority and has a history of regulating technologies to prevent privacy risks, as its Data Protection Directive indicates. The IoT is no different. The privacy risks the IoT presents, however, are discussed in the context of ongoing data protection reform in the EU. EU officials are debating how to author broad, technology-neutral guidance while, at the same time, many officials seem convinced that technology-specific guidance will be necessary. The EU’s political prioritization of the IoT fuels attempts at lobbying for IoT-specific regulation, as the myriad, overlapping attempts at IoT guidance demonstrate. The IoT’s advancement, then, is mired in this larger debate about the future of technology policy.”

Even with this greater focus, Fidler says the EU hasn’t made as much progress as might be hoped. Only 1 of the 33 2010 Cluster of European Research Projects on IoT explicitly investigated security, and, in a study the same year of IoT standards, only 2 of 175 explicitly investigated security — and none have addressed IoT cybersecurity.

In other words, they ain’t great, but we’re worse (in fact, among US agencies, only the FTC seems to give a fig about the IoT). Pathetic.

Fidler’s report also covers China. You can bet that privacy and security aren’t high on their priority list, LOL.

The EU, while perhaps lagging behind on IoT technology, may get the last laugh on the privacy and security issues. As we’ve seen with successful suits against Microsoft and Google on other Internet issues, the EU has prevailed in the past on questions of privacy and security, and, according to Fidler, it may happen again:

“The EU, faced with the IoT approaches of the United States and China—arguably the leading centers of technological innovation—may stand behind its social parameters and emphasis on new international governance mechanisms as a way of asserting alternative power. With such laws and institutions, economic activities involving the EU and the IoT would have to conform to EU-based standards. The EU, thus, compensates for technological disadvantages in innovation through social and governance parameters. Similarly, the United States and China are seeking to maintain or create their technical edge in new cyber technologies by encouraging unique standards regimes or more aggressive development environments.”

If so, I say bully for them! Someone has to stand up for the individual in this brave new world, and it looks as if the Obama Administration isn’t taking the challenge. Shame!

Fidler concludes that the geopolitical competition among the U.S., E.U., and China may have negative effects on the IoT’s overall growth if it results in incompatible standards:

“This geopolitical competition at such an early stage of the IoT’s development could create international interoperability problems, with negative political, economic, and social consequences. How governments and societies navigate the technological and political aspects of the emergence of the IoT will determine if the IoT’s benefits will be ubiquitously available or if the Internet’s foray into the realm of things will be interrupted.”

FADE TO Youngbloods singing “Get Together”…..

Shodan: maybe this will get people to take IoT privacy/security seriously!

Wired has an article this week about Shodan, the “IoT search engine,” which I hope scares the bejesus out of enough companies and government officials that they’ll finally realize how absolutely critical it is that we make security and privacy THE top public policy/corporate management priorities regarding the IoT.

Shodan’s homepage proudly proclaims that it will let you “EXPOSE ONLINE DEVICES: webcams, routers, power plants, iPhones, wind turbines, refrigerators (there’s that meme again!), VoIP phones.” Anyone out there who isn’t covered by that list? If so, stay in your cave!

As for everyone else, maybe you’d be more properly attracted by the CNN story about Shodan several months ago: “Shodan: the scariest search engine on the Internet.” Got your attention yet?

Here’s what Shodan can do, according to CNN:

“It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.”

Command and control systems for nuclear power plants? Sheesh!

Reminds me that while the Obama Administration remains abysmally ignorant of the IoT (and, remember, I’m a fan of them in general …) one official who was all in was former CIA Director David Petraeus:

“‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,’ Petraeus enthused, ‘particularly to their effect on clandestine tradecraft.’

All those new online devices are a treasure trove of data if you’re a ‘person of interest’ to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the ‘smart home,’ you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance.

‘Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,’ Petraeus said, ‘the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.’

Petraeus allowed that these household spy devices ‘change our notions of secrecy’ and prompt a rethink of ‘our notions of identity and secrecy.’ All of which is true — if convenient for a CIA director.”

Sufficiently alarmed yet?

Let me be clear: I am convinced that security and privacy are the two issues that have the greatest potential to stop the Internet of Things dead in its tracks — and I felt that way even before Edward Snowden was a household name.

Snowden, ooops, Shodan, has revealed shocking indifference to security on the part of countless organizations (and, BTW, don’t forget that 85% of the U.S.’s critical infrastructure — power plants, pipelines, chemical factories, etc., is in private hands):

“A quick search for ‘default password’ reveals countless printers, servers and system control devices that use ‘admin’ as their user name and ‘1234’ as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.

In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into ‘test mode’ with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.”

This is as scary as the Vanity Fair article last year about how a miscreant could use an iPhone to kill you!

The 85% of critical infrastructure in private hands number should be a stark reminder: the only way we can possibly address IoT privacy and security is through collaborative government/private sector action — with strong involvement by you and me.

If you are involved in the IoT in any way, you simply can’t duck this issue!

 

Sol Chip: progress in harvesting energy for Internet of Things

Posted on 22nd April 2013 in energy, environmental, Internet of Things

Reducing sensors’ energy needs and meeting them efficiently and without the need for battery replacements is one of the Internet of Things’ important technological obstacles.

That’s why it’s noteworthy that Sol Chip Ltd., an Israeli firm, has won the Technical Development Award at the 2013 IDTechEx Energy Harvesting & Storage and Wireless Sensor Networks Event.

Its new, patented solar battery technology, the Sol-Chip Energy Harvester, integrates solar energy sources and low-power electronic devices, eliminating the need for a solar panel while providing long-lasting power for wireless sensors and mobile devices.

The PV cell produces six selectable voltage levels: 0.7 volt, 1.4 volt, 2.1 volt, 2.8 volt, 4.2 volt, 8.4 volt.

Applications include active RFID, security and military, agriculture, livestock sensors, and medical technology.

FTC to hold a workshop on #IoT privacy and security implications!

Posted on 17th April 2013 in Internet of Things

Bravo! I’ve been critical of the President’s silence on the IoT, especially in light of how frequently the Chinese premier mentions it — and spends money on it.

Now the FTC has broken that silence, with announcement of a Nov. 21st workshop in DC on the Internet of Things’ implications for privacy and security.

Specifically, they are looking for comment on the following questions:

  • What are the significant developments in services and products that make use of this connectivity (including prevalence and predictions)?
  • What are the various technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections)?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data?  For example, how can companies implement security patching for smart devices?  What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decisionmaking or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

The commission is requesting written comment on these and other issues by June 1st.

Bravo!
