We've focused so much about Big Brother and Big Data that we may be missing the real data security threat — little things. A tremendous data flow is being generated from the so-called Internet of Things, the interconnected devices that monitor, control, and transmit information about both industrial and personal activities.
One report states that an estimated 10 billion intelligent sensors are already in place, gathering data, communicating with each other and us, and transmitting data through Internet connections — and that the count will increase to 50 billion by 2020.
The Internet of Things encompasses everything from remotely programmable DVRs to sophisticated industrial control systems. It includes RFID chips used to tag objects in supply chains, remote-control home thermostats, cargo ships tracked by Lloyd's of London, and even remote monitoring of a person's vital signs. Its components range from wearable devices to critical components of our national infrastructure. We could eventually see our cars, refrigerators, mobile phones, computers and home devices all connected and communicating with one another.
Call it what you will — Internet of Things (IoT), machine-to-machine communications (M2M), or the Intelligent Internet — it is increasingly affecting our lives.
And those 10 billion sensors are collecting lots of data. At first blush, that data may seem so granular and isolated, so specialized and dry, that it wouldn't raise serious concerns. But not so. Other people's data may not seem important, but your own data matters. And even isolated specialized data bits can be revealing.
According to a declaration by a group of national privacy commissioners, IoT devices "can ... reveal intimate details about the doings and goings of their owners through the sensors they contain." Specifically, because sensor data is "high in quantity, quality and sensitivity," analysts can draw broader conclusions, "and identifiability becomes more likely than not." Put simply, from your sensor data, people may be able to identify you and what you are doing.
This “Mauritius Declaration on the Internet of Things,” issued October 14, 2014, called for special privacy protections for IoT devices. Among other things, the declaration asserted that firewalls are not sufficient, that "end-to-end encryption" should be required, and that greater transparency and notice should be given to users than under current practices.
Their concerns are not isolated; Internet-connected devices are clearly leaking data. One recent article highlighted the thousands of webcams around the world — many of them baby monitors — that are not password protected and hence are available for viewing by anyone in the world. In some cases, metadata including geographical location information is also accessible.
Against this background, policy makers are considering how to protect data security and privacy on the Internet of Things. The National Institute of Standards and Technology (NIST) has formed a Cyber-Physical Systems Public Working Group that is addressing the cybersecurity and privacy implications of the IoT. The Senate Commerce Committee may hold an oversight hearing on the issue later this year.
New privacy approaches may be required. Many policy makers are looking at mandating "privacy by design" standards, in which privacy is addressed in the concept and engineering phases of sensors and their systems. Some are focusing on "responsible use" requirements rather than traditional "notice and consent" approval by users. Some consumer advocates will ask for limits on combining IoT-derived data with other databases.
Creating IoT privacy regulations won't be easy. As one writer put it, "What kind of privacy notice can a toaster provide?"
Until specific IoT regulations are enacted, IoT devices are subject to standard privacy and data laws, few of which were developed with these devices in mind. The federal Computer Fraud and Abuse Act, and state anti-hacking laws, for example, prohibit accessing of computer and network data without authorization or beyond the scope of authorization, and hence they criminalize hacking of sensor data. But users may prefer the proactive security of encryption to CFAA litigation after a data loss has occurred, and if breaches occur, device vendors may be charged with failing to implement adequate security. State data breach laws, of course, require notice if IoT systems containing personal information are breached. Accessing data from devices in Europe could violate European database protection laws. Finally, customer agreements for IoT devices will likely notify users of inherent security risks, and disclaim liability for breaches, but ambiguities will inevitably emerge about adequacy of notices, ongoing responsibilities, warranties, and liabilities.
Until more specific regulations are enacted, we're likely to hear more and more IoT horror stories. Like the hackers who showed that they could break into web-enabled baby monitors and yell obscenities at young children. Or the researchers who were able to remotely hack into an automobile and take over its basic functions.
Sometimes, it seems, big problems can arise from little things.
Mark Sableman is a partner in Thompson Coburn’s Intellectual Property group. He is the editorial director of Internet Law Twists & Turns. You can find Mark on Twitter, and reach him at (314) 552-6103 or firstname.lastname@example.org.