BREAKING NEWS! “WikiLeaks on Tuesday released a trove of documents purporting to show that the CIA exploited security flaws in mobile phones, smart TVs, and other devices that allowed the intelligence agency to listen in on users in their own homes. But the documents did not disclose what those flaws actually were—instead showing user guides, developer manuals, and other communications.” “WikiLeaks will give technology companies exclusive access to alleged CIA documents to help them repair security flaws that allowed the government to spy on individuals through their smart devices, the organization’s founder Julian Assange said Thursday.” http://www.commondreams.org/news/2017/03/09/assange-wikileaks-will-give-tech-firms-leaked-docs-fight-cia-cyberweapons “Privacy is not about whether or not you have something to hide – Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.”theEternal Value of Privacy Data and the Internet of Things In the Internet Communications Technology world, we – those who use digital products – are known as “digital workers.” We provide data that is used by governments, businesses, law enforcement, researchers, and hackers. There is already a massive amount of data available on each of us – in fact, a near life log. With a move to the Internet of Things, we will be providing mega amounts more data as we go through our day. Data will stream from a multitude of IoT sources. In a lecture given at Harvard’s Berkman Klein Center for Internet and Society, internationally renowned security technologist, Bruce Schneier, delineates three main elements of the Internet of Things:
- The conglomeration of data pouring out from
- Text messages
- Google, Facebook, Instagram etc.
- on smart phones
- Smart meters
- Cars – both driver and driverless Credit cards Surveillance cameras
- Smart “things,” machines, and appliances
2. Data Centers, where the collected data is mined, analyzed and stored. 3. Actuators that affect our environment such as Drone Delivery, Predictive Policing, Personalized Marketing etc. The Internet of Things, a global platform, has tentacles that extend deep into a vast array of socio and technical systems, with billions of moving parts and as many players with deeply vested interests.
In an IoT world, privacy – as we know it – will no longer be possible
Consider the following statements made well before the IoT:
“We know where you are. We know where you’ve been. We can, more of less, know what you’re thinking about.”— Eric Schmidt, CEO of Google (2010)
“You have to fight for your privacy or you will lose it.”— Eric Schmidt, CEO of Google (2013)
“Facebook can predict race, personality, sexual orientation, political ideology, relationship status, and drug use on the basis of ‘Like’ clicks alone. The company knows you’re engaged before you announce, and gay before you come out.” — Bruce Schneier, All the Secret Ways You’re Being Tracked That You Don’t Even Realize
In the IoT, data is the intentional or unintentional “exhaust” that comes from an IoT connected products. Examples include smart cities, traffic, cars, energy, animals, wildlife, food; pills, toys, connected clothing, smart diapers, smart toothbrushes, lighting, mattresses, refrigerators, romance, “smart” sex, and even rectal thermometers. Augmented reality (AR) and Artificial Intelligence/robots (AI) will provide additional sources of data. You name it – industry has thought of it. It’s in the works – and data will stream from it.
Data mining companies are in the business of collecting, analyzing, storing, and selling our data. Governments, businesses, law enforcement, researchers, and hackers are anxious to put all this data to use. In a lame attempt to offset the huge downsides of the Internet of Things, some IoT manufacturers are coming up with applications that may provide a modicum of actual benefits. But many IoT products are at best frivolous, and some shamefully harmful, such as blue tooth pacifiers for infants or musical tampons for babies in utero.
Data collected from thousands of sources can be combined thereby producing more data and more value. For example, although much data is anonymous, once collected, fusion databases aggregate the data and then link it back to the original person. As Peter Van Buren explains in a fascinating 2014 Mother Jones Article,
“In these [fusion databases], information from such disparate sources as license plate readers, wiretaps, and records of library book choices can be aggregated and easily shared. Basically everything about a person, gathered worldwide by various agencies and means, can now be put into a single ‘file.’”
Other sources of data collected on us include biometric identifiers such as facial and iris recognition technology. Increasingly, governmental agencies, such as the FBI or NSA are using biometrics to amass yet more comprehensive and detailed data on each of us. A CNET article reports,
“The agency is using sophisticated software to harvest ‘millions of images per day’ from emails, text messages, social media, videoconferences, and other communications, according to the documents [referring to specific classified documents referenced by the NY Times].”
“It [facial recognition technology] means that I can identify you and know where you are going in public, I can record and keep that information and you don’t know it’s happening. I know where you are, I know whether you’ve just visited a protest rally, I can identify everybody at that protest rally and I can keep records of that. It has a chilling effect.”
Joel Rosenblatt shares an observation made by Marc Rotenberg, President and Executive Director of the Electronic Privacy Information Center (EPIC):
“’Biometric identifiers are a key way to link together information about people, such as discrete financial, medical and educational records.…”
NBC Prediction That We Will All Have an RFID Chip Under Our Skin by 2017
Metadata vs. Data
Data comes in two forms — data and metadata. Take for example, email. The content of an email would be the data. But each email also carries data about the date, time, message size, sender, and recipient of the email and perhaps the specific computer or device being used to send the email. These constitute the metadata. Although it would appear that metadata has little value, as it turns out, it’s incredibly useful to law enforcement, governments, businesses, researchers, and cyber criminals.
The more data or metadata collected, the more valuable the data becomes. In fact, profit is one of the main driving forces behind the collection, sale, and use of big data as it allows companies to offer more “affordable” IoT products. In the words of Chris Rouland, CEO of Bastille, “Your sensor-packed wearable device isn’t really the product – you are.”
“Since data – the fuel of advertising markets – is the source of their profits, tech firms are happy to offer, at highly subsidized rates, services and goods that yield even more data. Ultimately there is no limit as to what kind of goods and services those could be: they might have started with browsing and social networking, but they are as happy to track us exercise, eat, drive or even make love: for them, it’s all just data – and data means cash.”
Consider the following excerpt from the article, Former CIA Director: ‘We Kill People Based On Metadata’
As NSA General Counsel Stewart Baker has said, ‘metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.’
“When I [Georgetown University Law professor David Cole] quoted Baker at a recent debate at Johns Hopkins University, my opponent, General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment ‘absolutely correct,’ and raised him one, asserting, ‘We kill people based on metadata.’”
Will Big Data Impact the 4th Amendment?
The 4th Amendment of our Constitution protects our right to privacy. It states that a search cannot be conducted “without a warrant, and probable cause supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” But through something known as the “third party doctrine,” data collected from a third party does not warrant 4th Amendment protection. So for example, government or law enforcement can access data from cell phone companies, without a warrant, about where, when, and to whom a particular call was made. Similarly, government and law enforcement can access smart meter data including what appliances were being used at a given time and how much energy each was drawing. The reasoning is that in using such services, customers presumably have agreed to relinquish this kind of information. The streams of data literally oozing from everything we do, and the images increasingly being matched to our data, create a near picture-perfect life log of each of us, and the end of 4th Amendment protections.
In Shredding the Fourth Amendment in Post-Constitutional America, author Peter Van Buren states:
“The technological and human factors that constrained the gathering and processing of data in the past are fast disappearing. Prior to these ‘advances,’ even the most ill-intentioned government urges to intrude on and do away with the privacy of citizens were held in check by the possible. The techno-gloves are now off and the possible is increasingly whatever an official or bureaucrat wants to do. That means violations of the Fourth Amendment are held in check only by the goodwill of the government, which might have qualified as the ultimate nightmare of those who wrote the Constitution.”
Who Will Regulate the IoT?
Industry has no interest in regulating privacy in the IoT. Consumers remain largely unaware of the problems. And government is reticent to get involved. So essentially, no one is regulating privacy in the IoT.
Why industry is not concerned with privacy:
One of the fundamental principles of the IoT is that products must be affordable. So profits from data must be maximized, and corners cut wherever possible. Data equals money. Privacy, cyber security, health, environmental effects, and social injustices must remain non-issues for companies to produce affordable IoT products.
Why consumers are not concerned with privacy:
Consumers would probably be more disturbed about loss of privacy if they were fully aware of the extent of it. But most aren’t. And even if they were, there’s little they could do about it. Privacy agreements fail miserably due to their complexity, and would be impossible to orchestrate for surveillance cameras or sensors in public spaces. And most people prefer to buy less costly products. There is no fail-safe, practical, and affordable way ensure your privacy except by disconnecting – and that’s only a partial fix.
Surely government will step in to regulate privacy:
There is an unspoken complicity between government and industry.
Schneier elaborates on how this works:
“Data that’s illegal for the government to collect, they purchase from corporations. Corporations purchase data from the government. It goes into databases in the United States. It’s bought and sold. And profiles are generated. And those profiles are used, in both cases, to pigeonhole us, to make decisions about us, maybe whether we can get a mortgage, maybe whether we can board an airplane, maybe what sort of credit card offer we see.”
Georgetown University professor of law, Julia Cohen, notes this as well. Author Julia Powles quotes her in an article entitled; We are citizens, not mere physical masses of data for harvesting:
“In her lecture Cohen outlines the deal we have struck with the ‘surveillance-innovation complex,’ involving a deeply worrying complicity between state and private actors – ‘a mutually satisfactory game of regulatory arbitrage.’”
As things stand now, government is electing to largely steer clear of regulating the IoT so as not to stifle innovation.
FCC Chair Wheeler was unequivocal in his approach toward regulating the IoT:
“Turning innovators loose is far preferable to expecting committees and regulators to define the future. We won’t wait for the standards to be first developed in the sometimes, arduous standards-setting process or in a government-led activity. Instead, we will make ample spectrum available and then rely on a private sector-led process for producing technical standards best suited for those frequencies and use cases.”
In a 2015 Senate Commerce, Science and Transportation Committee Hearing, Senator Thune (who incidentally is now sponsoring a bill intended to fast track the deployment of 5G infrastructure) echoes this sentiment:
“Let’s not stifle the Internet of Things before we and consumers have a chance to understand its real promise and implications.”
Even if government were to adopt a strong stance on privacy and Big Data, their efforts would likely not succeed. In the digital world, innovation happens so fast that by the time legislation were crafted and passed, it would already be outdated.
“Policymakers are somewhere between three and 20 years behind what we’re doing. By the time policy is discussed, we’re on the third generation, and the reality on the ground overrides policy.” Jim Waldo, Now arriving: Internet of Things
Another reason government is not well equipped to regulate our digital world, is because government tends to operate in a compartmentalized manner, whereby each agency has jurisdiction over specific areas. Digital technology touches so many systems and in so many different ways simultaneously that it defies being effectively regulated by one agency of branch of the government. Schneier explains:
“Government operates in silos. In the U.S., the FAA regulates aircraft. The NHTSA regulates cars. The FDA regulates medical devices. The FCC regulates communications devices. The FTC protects consumers in the face of “unfair” or “deceptive” trade practices. Even worse, who regulates data can depend on how it is used. If data is used to influence a voter, it’s the Federal Election Commission’s jurisdiction. If that same data is used to influence a consumer, it’s the FTC’s. Use those same technologies in a school, and the Department of Education is now in charge. Robotics will have its own set of problems, and no one is sure how that is going to be regulated. Each agency has a different approach and different rules.”
And finally, regulation is nearly impossible because the Internet of Things is a global platform, so regulations set in one country will not affect products manufactured in other countries. Schneier calls it “a domestic solution to an international problem.”
Even If governments and industry are not asking the following question – we should be: Will the benefits of a particular IoT “thing” being considered, outweigh the downsides of the loss of privacy, cyber security risks, health effects from the increased radiation, impacts on the environment, social injustices, and e-waste. If not, this IoT product or platform should not be bought.
In light of all the harms from the IoT, it might be time to disengage from the gargantuan IoT albatross that is suffocating the public in order to benefit industry and government…and, at the expense of every living being on our planet.
For more up to date information about the current state of affairs on regulating privacy and big data in the IoT, see Electronic Privacy and Information Center’s overview, Big Data and the Future of Privacy.