Iot Security / Privacy: Behind The Tech Curve – Update

White Paper
April 27, 2020

The IoT’s growing range of services and functionalities pose new security and privacy threats.  Laws are being adopted, “best” practices updated.  But AI data inference and facial recognition technologies using freely available information sidestep network security measures and anonymized data, making “consent” and willful disclosure beside the point.  It is up to the public to decide what to do. But first it must exercise its right to know. Can it?

Following the IT development cycle, the rise of the “Internet of Things” (IoT) – devices incorporating sensors, micro-controllers, software and connectivity – is far outpacing legal frameworks, aka “safeguards”, particularly in the consumer sector.  Boosted by FCC approval of 5G spectrum, this technology – security/privacy chasm is widening, driven by an exponential increase in device-generated data, outmoded add-on software development practices, and in the start-up space, by priorities, time, money, resources, and in some cases, by values.

Exploding Market

Gartner has estimated that there were 14.2 billion connected things – cars, home security and automation systems, insulin pumps, pacemakers, FitBits – in use in 2019.  It projects 25 billion connected things by 2021, an increase of nearly 5 billion over its prior estimate of 20.4 billion devices in use in 2020.^[1]  IDC data estimates that 152,200 IoT devices will be connected every minute by 2025, when nearly 80 billion devices are forecast to be added annually.^[2]

Fortune Business Insights forecasts that the global IoT devices market, which was valued at $190 billion in 2018, will reach $1.11 trillion by 2026 at a 24.7% compound annual growth rate.  The North American IoT market alone, generated almost $84 billion in 2018.^[3]

Ericsson has projected cellular IoT growth will lead to 3.5 billion cellular IoT connections by 2023, at annual anticipated growth rate of 30%.  This is almost double the increase of prior estimates –  in part because of the prospective introduction of 5G release and anticipated demand in China, and Asia generally.^[4]

Security – Early Efforts

Manufacturers have traditionally not emphasized security, and the cyber security industry itself has focused on large, private sector firms such as financial institutions, not on IoT threat vectors into public infrastructure (utility grids, traffic control) and consumer products.

Recognizing that the IoT is making security imperative for all embedded software, the Federal Trade Commission (the first federal agency to do so) issued a detailed report on the IoT’s Consumer and Privacy Risks in January 2015^[5], calling on manufacturers to incorporate secure software in their products. Among the FTC’s recommendations –

• Build security into devices at the outset, not as an afterthought in the design process^[6];
• Consider a “defense-in-depth” strategy; use multiple layers of security;
• Monitor connected devices throughout their life cycle; provide remote security patches.

Demonstrating growing concern about to the IoT’s exposure of consumers, the FTC’s report was followed in February by a report from Sen. Ed Markey (D-MA) criticizing car makers’ “alarmingly inconsistent and incomplete” security measures.^[7]

Growing Vulnerabilities

Even as the IoT began to ramp up, the world-wide average total cost of a data breach (350 companies in 11 countries) in 2014 was $3.8 million, a 23% increase from 2013.  U.S. data breach-related costs began growing rapidly.^[8]  And studies began to show that cyber security vulnerabilities were present in newly introduced network-capable consumer products, such as infant monitors.^[9]

While IoT devices have many benefits they also carry many vulnerabilities and weaknesses which are not limited to insecure passwords, networks and device interfaces.

IoT devices are frequently compromised and added to botnets.  These dangerous networks are frequently used to launch distributed denial of service (DDoS) malware and brute-force attacks against businesses of all sizes globally.^[10]

Notable IoT statistics concerning attacks on or using connected devices, include:

• Fewer than 20% of risk professionals can identify a majority of their organization’s IoT devices. Fewer than 20% of the 605 survey respondents from a combined Ponemon Institute and Shared Assessments study can identify the majority of their organization’s IoT devices. Furthermore, 56% report not keeping an inventory of IoT devices, and 64% report not keeping an inventory of IoT applications.
• 75% of infected devices in IoT attacks are routers. Symantec data indicates that infected routers accounted for 75% of IoT attacks in 2018, and connected cameras accounted for 15% of them.
• IoT devices typically attacked within 5 minutes. Five minutes. That’s the average amount of time that it takes for an IoT device to be attacked once connected to the Internet, according to NETSCOUT’s Threat Intelligence Report from the second half of 2018.
• IoT Malware Attacks Skyrocketed in 2018, Trend Continues to 1H 2019

SonicWall reports that IoT malware attacks jumped 215.7% to 32.7 million in 2018 (up from 10.3 million in 2017). The first two quarters of 2019 have already outpaced the first two quarters of 2018 by 55%. If this rate continues, it’ll be another record-setting year for IoT malware attacks.^[11]

Legislation

The California IoT Law, the first in the nation to expressly regulate the security of connective devices, went into effect on January 1, 2020.^[12]  In contrast to California Consumer Privacy Act of 2018 (CCPA)^[13] which protects personal information, the new Cal IoT law is aimed at safeguarding the security of both IoT devices and any information contained on IoT devices.

Currently, there are no U.S. national security standards for IoT devices; security features and protections are left to the discretion of manufacturers and vendors.  Supporters in Congress have tried repeatedly but unsuccessfully to advance an IoT cybersecurity bill that would set minimum security standards for the connected devices that the federal government purchases for various projects. The most recent attempt is the IoT Cybersecurity Improvement Act of 2019 which was introduced in the Senate on March 11, 2019.^[14]

Reducing Risks – the Business Perspective

Breaches of consumer and proprietary business information are very costly for firms, resulting in fines, damage awards, litigation and compliance expenses, forensic audits and consulting fees.^[15]

Practical steps and questions business should consider to mitigate risks to IoT implementations include:

• Device-Specific Software. Design security software into a network capable product which takes into consideration what kind of information it will collect and how that data will be used.
• Environment. How the device will work in its environment; e.g., will the device be deployed in a public space or in an area where there is an expectation of privacy; will the device be maintained by a third-party vendor?
• Change in Risk Profile. How does the IoT device change a company’s traditional business risks – consider its industry, the type of information it collects, whether its government regulated, or adheres to industry standards.
• Legal.  Shift data breach risks via contract with IoT vendors; require vendors to meet product security and testing standards; carry insurance; have information security programs which are “commercially reasonable” in firm’s industry, and consistent with its compliance obligations; require vendor data breach notification; compliance with applicable national laws, regulations; require vendor subcontractors conform to vendor’s data handling obligations.^[16]

Societal Implications – the User Perspective

Given the geometric growth rate of IoT device- generated data and communication nodes, the privacy and security implications of the IoT extend orders of magnitude beyond the traditional corporate risk calculus.

The 20th century business risk and product liability models, with their focus on the financial interests of corporate stakeholders (shareholders, employees, suppliers, etc.) and cost/benefit are too limited in scope.  “Cost per stolen record” does not acknowledge, nor can “optimizing” it deal with the potential threat – frequently personalized, and immediate – to the physical safety of masses of users presented by the IoT security / privacy vacuum.

Consider …

The structure of a firm’s IoT implementation involves several components (devices > communication gateways > smartphones > cloud storage or on-site storage), each of which offers multiple axes of attack^[17] for private and state-sponsored hackers, and criminal gangs.

Take portable monitors.  There is no single application “location” for wearable medical and fitness trackers.  The device’s functionality is actually distributed – on the wearable itself, in a smartphone app and in the cloud. Similarly, some of the medical and fitness data reside on the device itself, but much of it is stored on the smartphone, and some is stored in the cloud.^[18]

A 2016 study at Bingham University, New York found that smartwatches, fitness trackers and other wearable devices may be giving away bank PINs. Data from sensors embedded in wearable devices can be used to track hand movements which, when combined with computer algorithms, can be used to identify access codes.^[19]

Devices which collect, store and transmit personal data via radio frequency technology (RFID), the next generation bar code, also present very significant security vulnerabilities.

In 2016, malware clandestinely placed on IoT devices remained undetected for an average of 312 days.  Efforts since then have been directed at developing software to fully automate the security and malware detection lifecycle to reduce the delay to minutes or seconds.^[20]

Compounding the situation, legitimate outside experts are being deterred from investigating or disclosing security vulnerabilities in IoT devices by the threat that manufacturers will accuse them of violating their exclusive “Digital Rights Management” rights, under the “anti-circumvention” rule, Section 1201, of the Digital Millennium Copyright Act (DMCA) of 1998 which makes it illegal to break access controls to copyrighted works, including software.^[21]

But beating hackers to the punch makes no difference if there is self-serving delay in informing those affected.  Apart from the many such cases involving private sector businesses, there are federal agency examples, including the U.S. Office of Personnel Management (inordinate, unexplained delay in disclosure of suspected state-sponsored hack of millions of current and former federal employee records, including security clearance information), and the FDIC (cover-up of suspected Chinese government hack of top officials’ personal information and U.S. bank customer data).

Balancing

How will a “balance” between security and privacy on the IoT be struck?  Articles about technology security and privacy often conclude with such a question.  But AI algorithms fed by big data have now made such questions beside the point and demand the public’s attention, as discussed below.^[22]

Your Data Are Not Anonymous

This paper now narrows it’s focus to the security and privacy of personal identifying information (PII) in connection with devices and services vis the explosively growing IoT, a/k/a “the Wild, Wild West of the Internet”^[23].  By design these IoT “solutions” amass incomprehensible volumes of data (2.5 quintillion bytes of data daily according to one estimate ^[24]) about device operating environments and users in order to, ostensibly, improve service.  Whether such data is stored locally (on the device) or in the cloud, the driving force is to profit by aggregating and processing, and then monetizing the knowledge derived from the data.  These processes raise many privacy-related issues^[25], including whether PII can be effectively anonymized on the IoT as discussed below.

It is important to note at the outset that much digitized data which has been anonymized is therefore not considered “personal” data in many countries and is shared and marketed by researchers and data brokers without violating privacy laws.  For example, the EU’s 2019 General Data Protection Regulation (GDPR)^[26] rules attempt to safeguard user data while promoting online commerce. The GDPR allows firms to gather data without consent, provided it has been properly anonymized^[27], use it for any purpose, and retain it indefinitely.  Nevertheless, anticipating that the IoT would raise concerns requiring a range of responses, the EU Commission’s 2010 report, The Cluster of European Research Projects on the Internet of Things^[28], targeted seventeen security and privacy issues for research.

Similarly, under the California Consumer Privacy Act of 2018 (2018)^[29] “personal information does not include information that is de-identified or aggregated.”^[30]

Data Types

Effective advertising and marketing depend on having detailed and accurate customer

data.  When a firm tracks it customers’ behavior on its website, it is gathering “first-party” data.  It may then “share” that information with other companies it to create synergies.  Such sharing is being driven by the increasing availability of IoT data (GPS sensors, smart utility meters, fitness devices, etc.). These are examples of “second-party” data. Firms also frequently supplement their own first-party data with additional information (“third-party” data) from data brokers such as Acxiom, which collects up to 1,500 data points on 700 million consumers worldwide.^[31]

How PII is Anonymized

Where a dataset such as a credit card file includes individuals’ PII or personally identifying “attributes” (quantitative data about a person or household), in order to protect privacy and meet legal requirements, the data is “de-identified”.  Such data may subjected to a variety of anonymizing techniques (some of which are outlined below) which may retain all or some of the data but which attempt to remove source-identifying information.

• Data Masking Data is disguised by substituting one value for another which prevents subsequent unmasking.
• Data Fabrication Some or all Identifying attributes are replaced with fictitious data.
• Generalization Data is combined or, conversely limited, to reduce the possibility of identification while preserving desired degree of accuracy.
• Data Swapping Certain personally identifying values in a dataset are rearranged to prevent cross referencing to data sources.
• Data Perturbation (or Differential Privacy) A dataset can be anonymized by making slight modifications to certain of its quantitative elements. The size of the changes is in proportion to the size of the database so that the changed values appear valid although they are not in fact.
• Homomorphic Encryption Data is encrypted in manner which prevents reading but allows manipulation by the “data controller”.^[32]  Results can be decrypted upon return to controller.^[33]
• Synthetic data Computer generated data which is unrelated to actual in the subject dataset. Models of a real dataset’s patterns are derived by applying various statistical functions. This avoids modifying or using the original dataset to protect privacy and security.^[34]

Even though the application of these or other techniques may de-identify PII, that does not mean it has been effectively anonymized, as discussed below.

Nothing Digital Is Anonymous

The vulnerability of anonymized PII has been pointed out repeatedly.  In 1996, well before the advent of the IoT, the Massachusetts Group Insurance Commission (MGIC) released anonymized data showing the state employees’ hospital visits.  Names, addresses and social security numbers had been deleted.  Then governor William Weld assured the public that patient privacy had been preserved.  Weld was soon proven wrong.  A researcher located the governor’s medical records in the MGIC dataset by using Weld’s zip code and birth date (obtained from voter rolls), and the knowledge that he had visited the hospital on a particular day, to identify him.  She sent his medical records to his office.^[35]

In 2008 a study by two University of Texas researchers successfully identified Netflix users in a Netflix-supplied dataset of nameless customer records.^[36]  A 2013 Harvard study re-identified patient names in a publicly available Washington State hospitalization dataset.^[37]  In 2015, as the potential range IoT’s applications began to be appreciated and its growth accelerated, one study demonstrated that credit card metadata which had been de-identified, could be combined with as few as four random bits of public information (e.g., Twitter, Instagram posts) using algorithms to re-identify 90 % of shoppers by name.^[38]

A 2017 study by University of Melbourne researchers re-identified anonymous Australia health department medical billing data by cross-referencing “mundane facts” such as the of birth years of mothers and their children.^[39]  As one of the researchers remarked, “It’s convenient to pretend it’s hard to re-identify people, but it’s easy”.^[40]

Data’s Lifecycle  – Multiple Hack Vectors

IoT data is continuously generated by devices, streams into and transits through networks, and resides in the cloud, on call.  In order to route data to the desired destination, the communication interfaces or “nodes” of a network are identified with media access control (MAC) addresses.  These addresses can be used to track data paths.  By combining the MAC addresses of several devices and sensors it is possible to develop unique data profiles from which user location and behavior patterns can be identified and traced.   Consequently, both users’ PII and network paths must be anonymized. This is difficult because of the great number of devices and services, data is produced in incompatible formats, and network technology has limited ability to maintain anonymity.

Further, to achieve “comprehensive” anonymity, in addition to data, routing and communication paths, data modeling, storage, analytics and aggregation must be secured.^[41]

This involves moving “…beyond the deidentification release-and-forget model”.^[42]  It requires active involvement by stakeholders, including device manufacturers, IoT cloud services and platform providers, third-party application developers, government and regulatory agencies (standardization and interoperability), and users and non-users (vis information captured by devices about persons within devices’ “view”.^[43]

But is end-to-end security over the IoT actually possible?  At present the answer is no.  As one commentator put it, “If your systems are digital and connected… to the internet, …they can never be made fully safe.  Period.”^[44]

Legal Safeguards?

Unlike the event studies cited above, last year researchers at the Université Catholique de Louvain and Imperial College London constructed a model to estimate the degree of difficulty in deanonymizing any given dataset. They found that a dataset with just 15 demographic attributes, “would render 99.98% of Americans unique”.  And as the authors point out, data brokers market deidentified datasets containing much more information (scores more data points) per individual.^[45]

So, in addition to problematical network security, the UCLouvain / ICL and comparable studies strengthen the conclusion that companies and data brokers cannot – in reality – meet the security and anonymization requirements of the GDPR and the CCPA, for example.

Two issues dominate –

• Under the GDPR^[46], CCPA^[47] and similar regimes, how can a firm can make a “reasonable” judgment that its anonymization protocols are compliant when there are no metrics specifying how difficult it must be to re-identify data? Consider the studies (drawn from a large and accumulating body of similar literature) noted here.  Legalistic standards such as “reasonableness” do not and cannot, ultimately, provide solid guidance in the face of continuously evolving hacking expertise.  One view of the “guidance” provided by a statutory / regulatory reasonableness standard in this context would be whatever the consensus of experts might be about the state of anonymization technology relative to contemporaneous hacking techniques (of which “experts” often learn about only post hoc) during the period at issue.  Another approach courts may use is the “risk/utility” test to judge whether a defendant’s actions were “reasonable” and were comparable to others in the same industry, and if the potential harm outweighs the burden of adopting protocols necessary to prevent such harm.^[48]  Still a third “standard” by which to interpret what is “reasonable “ are the 20 controls in the Center for Internet Security’s Critical Security Controls^[49], which then California Attorney General Kamala Harris stated define the minimum level of information security that all organizations that collect or maintain personal information should meet.  The failure to implement all the controls that apply to an organization’s environment constitutes a lack of “reasonable” security.^[50]

Absent precise guidance, counsel advise tech clients to mitigate risk by applying cost / benefit analyses to their network security and data anonymization protocols, i.e., how much is protecting users’ privacy worth to us?^[51]  (Off-loading these risks onto third-party vendors and consequently elevating users’ risks is also often recommended.^[52])

• Apart from unauthorized data access and the security of anonymized data itself, studies have repeatedly demonstrated that it is possible to re-identify individuals using external data sources. Where a de-identified dataset is analyzed using exogenous information which is not itself de-identified (the universe of such information is exploding), such sources can function as de-encryption keys to unlock the identities of individuals in the anonymized dataset.

PII Security – False Pretenses

These two hard realities, in addition to network vulnerabilities, are why tech company defendants argue truthfully and – richly – that despite their privacy policies’ representa­tions, users and consumers should have no reasonable expectation of privacy.  This in turn raises the issue of whether legislators are misleading the public about the efficacy of privacy laws by promoting the idea that they can actually accomplish their purpose.  Yes, the perfect is the enemy of the good, and no, there is no ethically defensible reason not to attempt to protect what personal privacy still exists.  But government needs to be clear that the notion that personally identifying information can be effectively “anonymized” or “de-identified” is wrong.  The failure to be frank with the public about something as existential as the protection of personal privacy is contributing to the erosion of public trust.^[53]  When authorities do not level with the public they corrode social institutions whose declining legitimacy is becoming politically destabilizing.^[54]

Public officials’ honesty about privacy and the efficacy of efforts to protect it have never been more important than they are now in the digital age.  Why?  Because “privacy” is a defining element of what it is to be a human being.  It is central to all humane societies.

Harvard Business School Prof. Shoshana Zubhoff has argued that the IoT is part of a rapidly expanding tech ecosystem with monopoly power which compromises free will and autonomy, and threatens freedom.

“The age of surveillance capitalism is a titanic struggle between capital and each one of us.  It is a direct intervention into free will, an assault on human autonomy.”  It is the capture of our intimate personal details, even of our faces.  “They have no right to my face, to take it when I walk down the street.”  Such violations threaten our freedom, Zuboff says.  “When we think about free will, philosophers talk about closing the gap between present and future.  We make ourselves a promise:  I’ll do something with that future moment – go to a meeting, make a phone call.  If we are treated as a mass of ‘users’, to be herded and coaxed, then this promise becomes meaningless.  I am a distinctive human.  I have an indelible crucible of power within me…  I should decide if my face becomes data, my home, my car, my voice becomes data.  It should be my choice.^[55]

Although California does not have a specific biometric privacy law regulating the capture, processing, storage, and transfer of biometric data by businesses similar to the Illinois 2008 Biometric Information Privacy Act^[56], it has attempted to address Prof. Zubhoff’s concerns.  The CCPA treats biometric information (including facial recognition data)^[57] as one of the categories of PII protected by the law, and as such provides consumers the right to obtain information about the collection and sale of that information and opt out of its sale.  In addition, California recently joined Oregon, New Hampshire and several municipalities in banning law enforcement use (body cams) of facial recognition technology.^[58]

Nevertheless, under the CCPA affirmative opt-outs of “personal information” collection are required, and the proposed California Privacy Rights Act of 2020 opt-out or limitation provisions regarding the sale or sharing of “sensitive personal information” do not acknowledge the continuing insecurity of cybersecurity.^[59]

On a related matter, vetting the integrity of how PII is analyzed and used by commercial and other entities, the federal Algorithmic Accountability Act^[60] (introduced by Democrats in April, 2019) proposes to impose federal oversight of AI and data privacy.  The Act would regulate “automated decision systems” that make decisions or facilitates human decision-making which affects consumers.  Businesses would be required to screen for implicit AI bias and discrimination and resolve any issues. The FTC Federal Trade Commission would have oversight responsibility.

Both government and the tech industry have promoted the demonstrable fictions of “privacy” and “anonymity” in order to mollify the public, and keep it from demanding an “opt-in”^[61] consent regime in which users and consumers affirmatively assume the risks their private personal information will be compromised – but which would stifle the “sharing” ecosystem and cost businesses huge sums.  Moreover, it has been argued that privacy and cybersecurity are converging, and with the growth of AI data inference sophistication, individual consent of any type will no longer play a role in privacy and data protection ^[62]  If so, can the ability to perform data pattern recognition can be constrained?^[63]  No, that genie is out of the bottle.

For companies this is about facilitating advertising and marketing efforts.  Studies have shown that that consumers are willing to share information with a brand that they trust will protect their information.^[64]  Anything that threatens trust, e.g., acknowledgement of the limits of data anonymity and cybersecurity generally, threatens the bottom line.  This concern is summed up by business scholars Sachin Gupta and Matthew Schneider.

The promised benefits of data-driven marketing are at grave risk unless businesses can do a better job of protecting against unwanted data disclosures. The current approach of controlling access to the data or removing personally identifiable information does not control the risk of disclosure adequately. Other approaches, such as aggregation, lead to severe degradation of information. It’s time for businesses to consider using statistical approaches to convert the original data to synthetic data so they remain valuable for data-driven marketing, yet adequately protected.^[65]

Notably and typically, the ability to use de-identified data from external sources to identify individuals with AI data inference algorithms, is not addressed.^[66]  In the interests of maintaining a functioning democracy by promoting a smart, humane capitalism, it must be.  In this writer’s view, there is no chance this will originate from business or government.

A Failure Will

Regulators’ failure to disrupt the overreaching of Facebook, Amazon, Apple, Netflix and Google through antitrust enforcement has allowed them to dominate online retail offerings, direct consumers to preferred sites, distribute content via a limited number of platforms, and use their algorithms and AI to serve up news according to inferred user preferences,^[67]; all this while extracting economic rents.  The result?  Consumers seeking online services for which there are no or few realistic alternatives are faced with a choice – agree to dominant actors’ terms of service and privacy policies which do not and cannot ensure security and privacy, or go without.

Government failure to address privacy and public safety extends to threats arising from the startup world as well, a prime example being Clearview AI.  Clearview’s facial recognition software allows the user to take a person’s photo, upload it to Clearview’s platform, and then compare it with billions of photographs in its database of billions which have been scraped off the internet, including Facebook, YouTube and Instagram sites.^[68]  Clearview’s biggest clients have been law enforcement agencies.^[69]  In February 2020, Clearview disclosed that hackers had broken into its database and stolen its entire client list.^[70]

Both an opt-in consent regime and a moratorium on facial recognition technology should be considered by federal and state governments.  But whether or not any action is taken authorities have the obligation to tell the public that data inference and recognition technologies are out of the bottle, their use cannot be effectively constrained given their spread, and they will continue to be available on the dark web.

Leveling

The vestiges of Americans’ personal privacy are now under assault by “functionalities” and algorithms that are stripping what is left of their right to be let alone.  In the words of one tech legal executive “…privacy is now best described as the ability to control data we cannot stop generating, giving rise to inferences we can’t predict.”^[71]  This is incompatible with a democratic society.  Only the public can take back its privacy by demanding^[72] that its representatives act.  But first its representatives must tell it the truth.  This is not something which can be addressed through policy or law.  If this is to happen it will only be because the press continues to expose what is happening to Americans’ privacy.^[73]

Let us hope that when government^[74], with the aid of big tech^[75], starts using tracking technology to enforce public health lockdowns, and then inevitably in other “exigent circumstances”^[76], the press will shine its light on exactly what is being done.^[77]