Why More Sensors Means More Susceptibility in the IoT

Data privacy can only be guaranteed when users make their own informed decisions regarding device use.
Published: September 22, 2019

Have you taken a moment to notice how Internet of Things (IoT) devices are more prevalent these days in people’s homes and lives? Smart doorbells with facial recognition, pet technology with microphones, Teslas with cameras—devices are only becoming more sophisticated and widespread.

These devices, often using susceptible connections from server to receiver, have the ability to capture many data points about a user. Furthermore, the varying data rights of global citizens means that IoT eyes are everywhere, with little legal oversight. The devices undoubtedly make the lives of people around the world more efficient and better connected—but at what cost?

A Spike in Devices
If you can think of it, there is probably already an IoT device for it. Devices have become so niche thanks to cheaper computational components and better global connectivity. It would not have been too long ago that an internet-connected pet camera and live feed direct to one’s pocket device sounded like something in the far-off future—and yet, here we are. Smart toothbrushes, refrigerator cameras, self-monitoring trash cans, internet-connected egg checkers—the designs of devices know no bounds.

The result? A soaring number of connected devices that increasingly invade people’s homes and private lives. For example, experts predict that there will be 10 billion such devices by 2020, and 22 billion by 2025. Perhaps this would not pose so much of an issue if governments and IoT companies could agree on technology safeguards, but that has not proven to be the case.

What This Means for Users
Not all devices are created equal. Form and function vary wildly from one device to the next, and so do their privacy safeguards. It is no secret that IoT devices are hackable in many cases. Perhaps even more alarming is that most hacks relate to devices with cameras. Research has found that security cameras represent almost half of the vulnerable devices installed on home networks. Furthermore, the report noted that the average U.S. household contains 17 smart devices, while European homes have an average of 14.

In the IoT, customers certainly get what they pay for. Cheap devices are hackable since many employ cheap security, with many low-cost devices based on a similar blueprint, meaning that if a vulnerability is found in one, it may also work against other models. Furthermore, cloud server connections which relay device information often do not even need to be hacked to be openly accessible to outside forces. Once the data is accessed, it becomes a question of who has the data and what they are doing with it.

Perhaps it is sold for marketing and research purposes, or perhaps it is being unlawfully accessed during criminal proceedings. The possibilities depend on the person who has access to the device, and that is unknown.

As reported by The Times, detectives in the United Kingdom are being trained to spot digital footprints that might track or record activities, providing crucial insight into the last moments of a murder victim, evidence of false alibis or inconsistencies in witness statements. This led Mark Stokes, Scotland Yard’s head of digital, cyber and communications forensics unit, to state, “The crime scene of tomorrow is going to be the Internet of Things.”

The Legal Backing—Or the Lack Thereof
So what can users do about it? That depends on where they live and their dedication to data privacy. For example, European citizens already have much more data protection than U.S. citizens, thanks to their bloc’s fight for online privacy. The General Data Privacy Regulation (GDPR) regulated how companies must treat the sensitive information of European customers, or else they risk legal proceedings. One year later, and that legislation’s impact has been felt widely, resulting in 281,000 breaches and €55 million ($61.8 million) in fines to some of the world’s largest technology companies.

Rules in the United States are not as clearly defined. There is no federal standard and states are beginning to make rules of their own accord. The California Consumer Privacy Act (CCPA), which will go into effect in 2020, will grant consumers insight into and control over their personal online information. As reported by Wired, the sweeping law gives Californian residents the ability to request the data that businesses collect about them, as well as demand that it be deleted and opt out of having that information sold to third-parties.

Then there is New York’s approach. The New York Privacy Act entered the state senate in May 2019. If approved, it will grant the strictest controls over personal data in all of the nation. On top of the bulk of California’s regulations, the East Coast ruling would give New Yorkers the right to sue companies directly over privacy violations.

Still, the truth is that the onus continues to be on users rather than on companies to protect online privacy, regardless of where they live. Fines do help to deter data breaches, yet they will only be so effective against companies with billions of dollars in annual revenue. Users need to educate themselves and protect accordingly. This is possible by ensuring device connections run through a peer-to-peer (P2P) server so that the signal cannot be intercepted along the way.

However, the fact remains that data privacy can only be completely guaranteed if users make their own informed decisions regarding device usage. Ultimately, it is up to each user, rather than the government, to decide how much his or her personal privacy is worth.

Carsten Rhod Gregersen is the CEO and founder of Nabto, a company that provides a P2P-based platform for IoT devices. Carsten has almost two decades of experience leading software and innovation companies, with an aim toward creating technology that continuously improves and makes the world a better place, one line of code at a time.