The next big phase of technological development is the „connected world“ or the so called Internet of Things. The term refers to the increased digitalization in everyday objects. Each new technological device, whether a "smart" TV or a "smart" toaster is being developed with the idea of their connection to the Internet, which provides us with virtually endless possibilities. But this technological boom is precisely what poses one of the most serious issues over the protection of personal data and privacy.
A recent study predicts that by 2020, 25 billion connected devices will be used on a daily basis. How does this increased comfort affect our privacy and security?
What is the price at which people are willing to share even their innermost personal information? A study from March 2015 shows that 56% of respondents would share personal information in exchange for money and if they have confidence in the organization collecting the information. When asked how they would rate the value of their personal data, participants identify passwords to access personal accounts as their most expensive piece of information. Could you guess what price is to be placed on other types of sensitive data?
Consumers state that they have become more concerned about privacy and security over the past five years following the technological developments and their potential. An interesting fact, though, is that people are actually more concerned about the security of the devices themselves, rather than privacy when using the Internet of Things and social media. This high concern among consumers about the security of their devices is largely due to the great fear of becoming a victim of data or identity theft due to a problem with the security of these same devices.
Where is the balance? How far could we go in building secure applications? What is the price of information we defend and could it be measured with money?
LIBRe Foundation’s team has devoted the past five years to studies and research on the intersection of privacy and security and the development of applications and recommendations at policy level for creating privacy-by-design technologies. We believe that there is a balance and continually seek opportunities for technological development which does not harm the consumer interests and which protect the basic human rights, minimising cases of abuse.
Internet of Things represents the next step towards the digitisation of our society and economy, where objects and people are interconnected through communication networks and report about their status and/or the surrounding environment. It is a computing concept that describes a future where everyday physical objects will be connected to the Internet and be able to identify themselves to other devices. The term is closely identified with RFID as a method of communication, although it also may include other sensor technologies, wireless technologies or QR codes.
Internet of Things is significant because an object that can represent itself digitally becomes something greater than the object by itself. No longer does the object relate just to you, but is now connected to surrounding objects and database data. When many objects act in unison, they are known as having „ambient intelligence“.
To many people, the phrase “Internet of Things” conjures images of consumer gadgets, but some of the most exciting and practical applications are happening in the Industrial Internet of Things: smart agriculture, smart cities, smart factories and the smart grid, etc.; being a vast number of connected industrial systems that communicate and coordinate their data analytics and actions to improve performance and efficiency and reduce or eliminate downtime. A classic example is industrial equipment on a factory floor that can detect minute changes in its operations, determine the probability of a component failure and then schedule maintenance of that component before its failure can cause unplanned downtime that could cost serious financing.
LIBRe Foundation’s experts study the implications of Internet of Things from a security and privacy perspective. Our research is focused on the technical and organizational measures and safeguards that need to be implemented in order to ensure that the right to privacy of individuals is observed. We study the consequences of emerging forms of cyberattacks facilitated by the ubiquity of IoT and their impact on the society and individuals.
Organizations that develop, sell, rent or rely on devices with embedded functionality inherent in the Internet of Things concept should recognize the diverse consequences of using these technologies in the context of privacy, security, and law. While the benefits of the Internet of Things are not fully realized, many expressed concerns about the technology and its use having the possibility to serve as catalysts for a potential legal risk, attribution of responsibilities and accountability.
Security in the Internet of things is especially important for IT specialists. New technologies often experience the typical problems of growth as companies fight for market share and compete to impose their standards. During the initial deployment of Internet of things, the creation of secure devices, applications, and platforms that facilitate the Internet of things implementation is rather a later stage. We witness this phenomenon in other areas as well, including the development of mobile apps. At the same time, the Internet-of-Things type platforms are often similar in terms of design, which allows hackers to exploit common platform vulnerabilities on different devices. Even after these vulnerabilities are detected, the low price of the devices may discourage platforms’ manufacturers from developing security maintaining applications.
With connectivity comes the creation of data associated with the connected object; with the creation of data comes the need for its collection and the acknowledgment that these data are valuable (in some cases more valuable than the object they relate to); desire to sell the collected data for business purposes and profit also grows. Take a 'connected' pen for example. Imagine what personal information could be obtained from its use? It could track your location, including information regarding the shops and restaurants you visit. Data written with this pen could also be stored, including companies or individuals you have issued with checks and the amounts of those checks; or information on your private messages to a friend or a family member, or even trade secrets related to a specific business proposal. If the device is equipped with a camera it could transmit in real-time audio and video streams to its manufacturer or a third party for further use and analysis. When the concept of the Internet of Things is fully implemented, the potential variety and volume of personal or confidential information and the ability to make them available to third parties will be huge and will ultimately impose risk on consumers and on companies seeking to collect and use this information.
Internet of Things resides in the physical world by default and is related to physical objects. These objects, in the event of a software or hardware error, could cause physical injury - an insulin pump loosing connectivity during the night and failing to track blood sugar levels and delivery of insulin respectively; connected alarm system not detecting an offender due to a technical problem; car being subject of computer virus attack causing an accident; and many others. The more we rely on connected devices, the more we make our own decision-making processes dependant on the systems themselves and create potential for damage or injury.
Therefore, when developing policies and applications to ensure our security, we should consider all legal consequences or technological problems that may occur and to develop our design in a manner that complies with the established legal and technological standards.
LIBRe Foundation explores ways of ensuring the Internet of Things security from both legal and the technological perspective. We believe that technology solutions should embed the ethical and legal norms that determine the future development of our society. Therefore we believe that any hardware or software solution introducing measures to ensure highest security level should be consistent with the latest developments in legislation, jurisprudence and current doctrinal views of recognized experts.
Equipment manufacturers and designers are facing new design challenges due to the continuing need for increased data security in many of today's electronic systems. There is the specific need to either implement security and anti-tamper countermeasures into a new application that never before required such mechanisms, or to avoid the introduction of new design variables into proven existing security circuitry. This is compounded with the emergence of new security standards, the ever-increasing demands the certification bodies require, and, at the same time, the challenges of maintaining size and cost competitiveness.
Because ensuring software/firmware integrity is an extremely complex issue, the burden is placed upon hardware to maintain security and not become the weakest link in a complex security implementation. With the formation of new standards bodies, as well as various digital rights management proponents, the issue of security is rapidly affecting a broad range of devices, including consumer, media, industrial, medical, automotive, and telecommunication equipment, but also governmental or homeland security system upgrades and the increased proliferation of electronic banking and e-commerce applications.
Smart surveillance is a specific use of computer vision and pattern recognition technology to analyse information from situated sensors. Smart surveillance technologies imply automated processing of data and is defined as including the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logistical and/or arithmetical operations of those data, their alteration, erasure, retrieval or dissemination. There is a specific added value of using smart surveillance technologies being expressed in the following properties: (1) smart data collection enables targeted data gathering (data collection and storage to detect risks to public order, criminal risk assessment, smart information acquisition in the changing face of crime); (2) smart data processing enabling automated data sharing (purpose of data processing, interoperability, data security, technical safeguards); and (3) technical safeguards to prevent privacy infrigement (privacy enhancing technologies, transparency-enhancing tools, secure hash algorithms, etc.).
Automated recognition of individuals lies at the basis of smart surveillance systems. However, laws and regulations - and specifically those on information sharing between police and security forces - explicitly prohibit automated decision-taking regarding individuals unless they are authorized by a law which lays down safeguards for the individual’s legitimate interests.
Where are these laws, what can these measures be and what else should the laws contain? Can the laws be technology-neutral but sector specific, thus permitting a measured approach to the appropriateness of smart surveillance technologies in key security applications? Can they be extended to all security applications of smart surveillance? LIBRe Foundation’s Team addresses these and other questions through a comprehensive approach which combines a technical review of key application areas by sector with a review of existing pertinent legislation.
- CYBERSEC - European Cybersecurity Forum
- Law for Protection of Personal Data (last amend. SG. No. 81 / 14.10.2016; in Bulgarian only)
- Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
- National Reform Programme within “Europe 2020” Strategy - 2016 update
- Commission for Consumer Protection, Bulgaria