No, the IoT does not need strong privacy and security to flourish

The Internet of Things will happily march along with lousy privacy and security, and we will be the poorer for it.

Get notified when our free report “Privacy and Security in the Internet of Things,” by Gilad Rosner, becomes available.

padlock-322494_1280“Without addressing privacy and trust, the Internet of Things will not reach its full potential.”

This refrain can be heard at IoT conferences, in opinion pieces in the press and in normative academic literature. If we don’t  “get it right,” then consumers won’t embrace the IoT and all of the wonderful commercial and societal benefits it portends.

This is false.

It’s a nice idea, imagining that concern for privacy and security will curtail or slow technological growth. But don’t believe it: the Internet of Things will develop whether or not privacy and security are addressed. Economic imperative and technology evolution will impel the IoT and its tremendous potential for increased monitoring forward, but citizen concern plays a minor role in operationalizing privacy. Certainly, popular discourse on the subject is important, but developers, designers, policy-makers and manufacturers are the key actors in embedding privacy architectures within new connected devices.

Unsurprisingly, much current research shows that people are still uncomfortable and feel overexposed regarding their privacy. The prolific Pew Research Center tells us:

“…Americans feel privacy is important in their daily lives in a number of essential ways. Yet, they have a pervasive sense that they are under surveillance when in public and very few feel they have a great deal of control over the data that is collected about them and how it is used.”

Research across 26 European countries found:

“Rather high general perception of risks related to the disclosure of personal information online” and “very strong expectations that personal information is used by the website owners / shared with third parties without the users’ knowledge and consent.”

However, it’s very hard to prove that people decline to buy IoT products now or in the future because of these concerns. Such proof would be difficult to obtain: it would require large surveys that not only laid out a common definition of the IoT (something that experts have yet to agree on) and then show a strong relationship between consumers declining to purchase something IoT-like and concerns over its privacy and security risks. Or, specific vendors could disclose lackluster sales of their latest devices, ask consumers why they’re not buying, and the response must then be poor privacy characteristics. (Such disclosures are not in vendors’ interests.) The absence of this proof, however, does not stop professionals and the commentariat from proclaiming this constraint on the growth of connected devices. I call this ‘The Orthodoxy of Chilled Innovation.’

We’ve seen this before

The IoT is only the latest market domain in which we hear this orthodoxy. To wit:

1995: The global marketplace is doomed!

“Unless … adequate protection for copyrighted works is ensured, the vast communications network will not reach its full potential as a true, global marketplace.” (Copyright violation was and is a rampant problem.)

2000: Electronic commerce is doomed!

“The [Federal Trade] Commission believes that its proposed legislation, in conjunction with self-regulation, will ensure important protections for consumer privacy at a critical time in the development of the online marketplace. Without such protections, electronic commerce will not reach its full potential and consumers will not gain the confidence they need in order to participate fully in the electronic marketplace.” (The proposed legislation never came to pass.)

2000: The national information infrastructure is doomed!

“Unless security and privacy are protected, the [national information infrastructure] won’t reach its full potential.” (Seems to be healthy and evolving.)

2004: The networked economy is doomed!

“A networked economy will only reach its full potential if sectoral boundaries are dismantled and an even take-up of ICT in society is ensured.” (There are plenty of uneven socio-economic qualities to the Internet and related technologies.)

2010: Online business is doomed!

“If we don’t get privacy right then the online consumer will revolt, which will negatively impact everyone involved in online businesses.” (Consumer revolution is a fantasy.)

Time proved these vague assertions hollow: the Internet, the US national information infrastructure and e-commerce are doing just fine. The privacy and security risks have not been addressed in any radical or comprehensive way, and people are still communicating, buying and surfing.

The warm fuzzies

So, what accounts for this orthodoxy? My theory is that it’s an attractive, intuitive argument influenced by the collective vulnerability people feel. Starting from the research that says people are worried about the intrusiveness of technology, one can imagine a desire to believe that our worries will translate into a will to slow things down, or a wariness on the part of IoT vendors. The argument that privacy and security must be addressed for the IoT to blossom, then, can be met with head nodding and warm feelings because it assuages fears.

It is, however, an empty sentiment. The Internet of Things, whatever it is, will happily march along with lousy privacy and security, and we will be the poorer for it. Collective senses of the loss of privacy are a small part of what encourages the improvement of privacy preservation. Certainly, businesses large and small do think about what the populace might find “creepy,” but there is a wide gulf between considering opinions that might affect sales and actually baking privacy into devices. One should not confuse marketing with engineering or business practice. Regarding the IoT, the Orthodoxy of Chilled Innovation ignores recent history and economic logic: businesses seek frictionless transactions, privacy is rarely a differentiator, security and privacy become more opaque topics over time, and businesses behave according to their (absence of) regulatory regimes. The danger of the Orthodoxy is that it may lull people into thinking that something will ensure their sense of privacy loss is addressed before the IoT remakes our world into a digital utopia; a false sense of security.

Privacy does not protect itself, nor do markets arc toward the social goals of privacy and consumer protection on their own. Privacy is a technocratic pursuit: designers, engineers, product managers, risk and compliance managers, and company leaders are ultimately the ones who can actively improve the privacy posture of their devices. Complementing this are technology-neutral information policies that require privacy impact and security assessments and consumer protection. An unpopular view is that privacy is a paternalistic pursuit by the state. Such a view flies in the face of the economically driven belief that self-regulation is the main force by which we should engender privacy, or that “[e]ducating and empowering citizens is the better way” to address privacy failures – two more orthodoxies. Markets in liberal democracies cannot exist without regulation, and regulation itself is not sufficient to effect the protections we seek. Privacy protection occurs through a plurality of necessary but insufficient steps. Wishing is not one of them.

Public domain image on article and category pages via Pixabay.

tags: , , ,

Get the O’Reilly Hardware Newsletter

Get weekly insight and knowledge on how to design, prototype, manufacture, and market great connected devices.

  • Wrenn Bunker Koesters

    I wonder what effect an expanding hacker society will have.

    The IOT so new that barely one generation has grown up and experienced a world that is highly focused on its use. The more people dig into this new thing, the more holes the white hat sector will have to fill.

  • Ilya Geller

    IoT is a substitute for structured data.

    I discovered and patented how to structure any data: Language has its own INTERNAL parsing, indexing and statistics and can be structured. (For more details please browse on my name ‘Ilya Geller’.)
    For instance, there are two sentences:
    a) ‘Pickwick!’
    b) ‘That, with the view just mentioned, this Association has taken into its serious consideration a proposal, emanating from the aforesaid, Samuel Pickwick, Esq., G.C.M.P.C., and three other Pickwickians hereinafter named, for forming a new branch of United Pickwickians, under the title of The Corresponding Society of the Pickwick Club.’
    Evidently, that the ‘ Pickwick’ has different importance into both sentences, in regard to extra information in both. This distinction is reflected as the phrases, which contain ‘Pickwick’, weights: the first has 1, the second – 0.11; the greater weight signifies stronger emotional ‘acuteness’; where the weight refers to the frequency that a phrase occurs in relation to other phrases.

    That above statistics allows structuring of texts.
    All data is or can be reduced to texts.

    IoT is not needed. Period.

  • Krowdthink

    Like social networks which data rape their users, analysing your inner thoughts, psyche and behaviour, the IoT will as Gilad says go forward, trading convenience/utility for ever greater insights. We have only had this social platforms for just over 10 years so we have zero idea what impact it’ll have over a persons lifetime…but the signs are really not good….no system will remain secure during anyones lifetime, the costs are too high to the business, so the loser will be the consumer as their data is accessed by the unauthorised.

    There is only one way to address this issue, to answer the question my wife posed when I denied my child a Facebook account. “What’s the alternative?”
    After years of thought my short answer is this
    1. Build and operate a Trust framework for your cyber service (as Gilad highlights Privacy is not the issue, its just an operational building block).
    2. Compete on the basis of delivering a Trusted engagement platform, and so build value into the trust model itself.

    After all…who really trusts Facebook?

    The same thought process can, and should, be applied to the IoT (although until we crack how to enable device to device discovery and interoperability a true IoT won’t exist it’ll just be silo’s of M2M2C systems.)

  • Although I agree that the IoT will develop regardless of privacy, this is a broad view of the situation which does not address specific solutions or businesses.

    For example, a medical device company collaboratively creates a connected breathing apparatus with the health service provider. They hope to provide everyone with data in order to provide value-added services to involved parties; doctors, health insurance, manufacturer. They create a business model, secure funding, develop, and bring it to market. When they go to give them to patients, the devices are refused as their use requires permission for the manufacturer to sell their personal health data in order to generate various other revenue streams. The product is good, however business model is not.

    This example happened over the past few years here in France. The oversight cost a lot of time and money.

    Not factoring end-user privacy into a business model and go-to-market strategy could have very costly consequences down the line which could jeopardize a products/businesses success and is a significant risk.

    Expanding on the idea of the IoT blossoming; I would propose that privacy, data use, and security are elements which will affect how it grows and blooms over time.

  • tashear

    I believe privacy can be accomplished in a Trust Network composed of what I call an entity ‘data custodian’, contracted by a data ‘owner’, the entity, to manage storage and retrieval of entity data from any source; devices, apps, etc. Through privacy rules dictated by the data owner, access to data in the custodian’s hands, at a granular level, can be granted. This data custodian can be implemented within a ‘gateway’ service controlling the IoT devices.

    Access to this data custodian network would be by paid subscription. As the custodian can control granular data, it is possible for analytical processing across multiple entities, in multiple domains to be accomplished. This opens many services to be developed, all with the data owner’s permission. Profits from this service could be given back to the data owner.