THE INTERNET OF THINGS
The week of January 4, 2015

The one problem the Internet of Things hasn’t solved

By Aaron Sankin

There seems to be a lack of public appreciation of the extent to which the Internet of Things is going to fundamentally change how people interact with the world around them.

While the actual list of technologies comprising the Internet of Things (IoT) has the potential to be unimaginably broad, the overarching concept behind it is relatively simple: Take everything from everyday household devices like thermostats and refrigerators to street lights and factory components, connect them to the Internet, and then use the data they generate make the world a more efficient place.

The most high-profile entry into the Internet of Things is Google’s Nest Learning Thermostat, which collects data on its users’ preferred temperatures, automatically lowers temperatures when the house is empty to save energy, and can be controlled from anywhere in the world.

A litany of other companies are looking to follow Google’s lead, which bought Nest for $3.2 billion in early 2014. The whole concept of the “connected home” looks to be one of the biggest themes in at this year’s Consumer Electronics Show. While only 1.5 percent of U.S. homes are currently dialed in to the Internet of Things, that number is expected to top 15 percent within five years.

But the implications for the Internet of Things go far beyond the home.

The USDA recently approved the use of imaging sensors to inspect food safety at poultry processing plants that can increase efficiency by a factor of five. When the city of Mumbai, India, teamed with an American company to install smart meters throughout its aging, leaky public water system, it cut the amount of water lost by 50 percent. Cities around the country have installed Internet-connected auditory sensors to listen for the sound of gunshots in an effort to decrease the response time of first responders.

As the Internet of Things grows to a projected 212 billion items by 2020, the question of regulation looms increasingly large. While some preexisting rules governing conduct on the traditional, computer-based Internet could apply to the Internet of Things, there is little regulation specifically governing this new frontier of Internet-enabled devices.

The Internet of Things presents litany of thorny questions for regulators across the globe. When everything you have is connected to the Internet, what’s the best way to ensure privacy? Or stop all of that information from being nabbed by hackers? How much should each item connected to the Internet of Things be required to notify users about what data is being collected? Should there be rules about how the collected data can be used? Is there even a way to craft regulations addressing all of these questions in a way that doesn’t cut off at the knees an industry that’s expected to be valued at $8.9 trillion by the end of the decade?

Hacker-proofing your refrigerator

Over the period stretching from Dec. 23, 2013 to Jan. 6, 2014, a group of hackers used malware installed on over 100,000 devices to send out 750,000 virus-bearing spam emails. Botnets like this are nothing new. What raised eyebrows was that many of the devices in question weren’t computers or even smartphones. The culprits were things that most people didn’t think were even capable of getting infected—televisions, home entertainment centers, and even a refrigerator.

When cybersecurity firm Proofpoint revealed evidence of the attack early last year, it served as a serious wake-up call. Virtually anything connected to the Internet has the potential of being hacked, no matter how unlikely.

As the Internet of Things grows to a projected 212 billion items by 2020, the question of regulation looms increasingly large.

In the case of this “thingnet,” the vectors of attack weren’t particularly sophisticated. Instead, the way that many Internet of Things devices were set up left them open to being easily compromised. Many Internet of Things devices come with with default passwords and, since people don’t really think of their refrigerator as something that could be hacked, there’s less motivation to take precautions (like changing your password). If a hacker knows the default password for a device, all he or she has to do it find other instances of that device splayed out across the Internet and enter it.

Proofpoint noted that, unlike traditional computers, Internet of Things devices often lack systematic protections against viruses or spam.

“Botnets are already a major security concern and the emergence of thingbots may make the situation much worse,” Proofpoint’s general manager of information security David Knight said in a statement. “Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them.”

If Internet of Things devices are vulnerable to hackers turning them into nodes in a botnet, it also means they’re likely also vulnerable to hackers using them for other purposes. Ken Hoyme, a scientist with cybersecurity research firm Adventium Labs, told the Minneapolis Star-Tribune that smart devices are often “the weakest links” in a network. If a hacker gets into a home network through lax security protections on a smart refrigerator, they could potentially also have access to the computers connected to that same Wi-Fi network or to the smart security system that controls door locks or carries information about whether residents are home.

Internet-enabled refrigerators aren’t the only vulnerable devices. Earlier this year a team of researchers at the University of Michigan put out a study detailing how mind-bogglingly easy it is to hack smart traffic lights. The study, which looked at the traffic signal system in one Michigan city, found that not only were signals being sent over a network unencrypted, but the passwords on the lights hadn’t been changed from their factory defaults—meaning anyone who downloaded a copy of the manual (which listed the default password) would be able to break into the system with ease.

Once inside a network, the study’s authors note that it would be possible for hackers to carry out a denial-of-service attack to grind the lights’ operation to a halt, throw off the timing of how they sync up to each other to spark traffic gridlock, or use a “light control attack” to ensure that a single driver never hits a red light.

This is just one reason why there’s concern about safety regulation. There are ways to start doing this, of course: For example, lawmakers could mandate all communication sent over Internet of Things devices be encrypted. They could create regulation about how companies notify that users about the importance of changing default passwords on devices that may not seem password-protected in the first place. They could also release a set of best practices for judging security on governmental Internet of Things projects.

But of course, everything’s more difficult when you’re building the road as you’re driving on it.

Protecting your privacy

The Internet is awash in your data. Mining information—everything from what websites you visit to the text of your personal emails and private Facebook messages—is the Internet’s economic lifeblood.

Your every action online generates data that companies use to better sell you junk you don’t actually need. In a world saturated by the Internet of Things, the amount of data collected about you will grow exponentially.

The Mauritius Declaration, a statement put out by the International Conference of Data Protection and Privacy Commissioners earlier this year, charged that the data generated by the Internet of Things has the potential to reveal far more about users than any technology in history.

Virtually anything connected to the Internet has the potential of being hacked, no matter how unlikely.

“These devices can make our lives much easier … The Internet of Things however, can also reveal intimate details about the doings and goings of their owners through the sensors they contain,” read the declaration. “Personal development should not be defined by what business and government know about you. The proliferation of the internet of things increases the risk that this will happen.

Realizing that your smart refrigerator could be conspiring with your fitness tracker to figure out how your diet works with your exercise regimen is kind of creepy, sure. But the more information collected by Internet of Things systems, the greater the potential harm for users when those systems get hacked.

“Everyone is going to be subject to a breach … It’s just an issue we’re going to have to address,” explained Federal Trade Commissioner Julie Brill during a panel discussion during New York’s Advertising Week. “You can’t ignore issues around data minimization. Collection is going to be important … especially when that information is linkable to individuals.”

Imposing rules about how much information Internet of Things products are allowed to take from users and what they’re then allowed to do with that information is likely to be high on the list of things regulators may want to control. For privacy advocates, this development would undoubtedly be a welcome one; however, for many of the companies involved in building this technology, restrictions on data collection would undoubtedly affect their bottom lines.

A huge percentage of the traditional Internet’s value comes from taking data provided by users and monetizing it. Since the Internet of Things has the potential to produce an enormous amount of data, collecting as much of it as possible and then using it for advertizing is likely inevitable. Doing this creates a second revenue stream for the products on top of users paying to purchase it in the first place. Even if the data is stripped of details that directly identify individuals, using that information has the potential to rub people the wrong way—especially when some data researchers have demonstrated an ability to pin real-world identities on supposedly anonymized data.

Additionally, since the full potential of certain data sets will be unknown until long after that information starts being collected, giving companies, and even governments, more leeway expands those possibilities considerably. There’s an argument to be made by IoT advocates that anything limiting that freedom could be a barrier to growth.

For example, a report by tech industry-backed think tank the Center for Data Innovation points to the city of Chicago’s Array of Things project, which has made over 600 datasets collected by Internet of Things-empowered projects freely available online. These datasets are aimed at letting private companies, researchers, and other government agencies work on issues ranging from making the city’s public transit system more easily navigable to controlling Chicago’s rat population.

Competing standards

Much of the potential power contained in the Internet of Things is the ability of multiple devices to share data. Information collected from one device could be infinitely useful spread out to a litany of others.

“Data collected from connected devices offer a myriad of potential benefits to consumers, clinicians, researchers, government agencies, and commercial entities, and if these datasets are shared, these benefits are multiplied,” insisted the the Center for Data Innovation’s report, which detailed a set of recommended guidelines for regulating the Internet of Things. “In order to maximize the social and economic benefits of information, data users of all kinds acting in good faith must be able to share and reuse data with ease.”

Internet of Things devices often lack systematic protections against viruses or spam.

While the World Wide Web functions fluidly due to the universal adoption of standards like Hypertext Transfer Protocol—what the “http” at the beginning of what every Web address stands for—there is no single standard for connecting devices on the Internet of Things. Instead, that are a handful of competing standards run by different coalitions of companies:

Each of the standards vary. For example, some are open-source, others are not. But different devices operating on different standards can make fluid communication between those devices tricky.

“Any major technological shift (and the IoT may be among the most significant in history) starts with islands of innovation,” wrote Oleg Logvinov of the Institute of Electrical and Electronics Engineers. “It’s common for various groups to form industry alliances where members synergistically accelerate the progress that was already started by like-minded companies. But for these islands of innovation to become a vast landmass of the future technological landscape, these early activities have to transform into global standards enabling the economy of scale and vibrant ecosystems.”

Having lawmakers simply pick a winning standard and requiring everyone to adopt it may not be the best approach. The market is typically remarkably adept at deciding between competing standards without government intervention—like what happened in the video standard wars between HD DVD and Blu-ray or Betamax and VHS.

However, there is value in encouraging the tech industry to coordinate on its own in developing open standards that are usable across many different platforms or, at the very least, not interfering with internal industry efforts on the issue.

Earlier this year, a group of 40 U.K.-based tech companies used a £6.4 million grant from the U.K. Technology Strategy Board to develop an open standard called HyperCat that allows data collected from one source to be integrated into a multitude of different systems.

As governments, which have a tendency to move slowly, get into the Internet of Things, it’s crucial to ensure that expensive, long-lasting projects don’t get stuck with outdated standards that don’t connect to the evolving industry standard. Even just by establishing a set of recommended best practices for agencies purchasing Internet of Things devices on the standards issue could be a positive step.

Proactive or reactive?

The Center of Data Innovation report sets up a dichotomy between two schools of regulation. The first is to look at the landscape, identify where potential problems could arise, and impose rules aimed at heading them off at the pass. The second is to simply let the market take its course and exclusively react to specific problems that have already been demonstrated.

The difference between the two approaches is already starting to split down traditional partisan lines.

Obama-appointed Federal Trade Commission head Edith Ramirez insisted earlier this year that the key to the Internet of Things’ success is creating smart regulations that inspire the confidence of the public. “Though it would take a lot to loosen the smartphone from our fists or pry the fitness tracker from our wrists, I believe consumers will balk before bringing connected devices into their homes, cars, and workplaces if they do not believe their privacy will be respected,” Ramirez said.

There is no single standard for connecting devices on the Internet of Things.

She charged that many companies are not only “underinvesting” in protecting users’ personal information but also need to do a better job of both informing people how their data is being used and giving them more control in the amount of data being collected. “Consumers will enthusiastically invite the Internet of Things into their homes, cars, and workplaces only if they are confident that they remain in control over their data,” Ramirez added.

Conversely, some Republicans in the U.S. Senate have voiced opposition to imposing virtually any regulations on the Internet of Things. Republican Senators Deb Fisher (R–Neb.) and Kelly Ayotte (R–N.H.) both recently argued that imposing regulations dictating privacy and security practices could harm growth.

“People want to be able to invest in a product with some degree of confidence that the government won’t stifle those opportunities,” Deb Fisher said, warning other lawmakers against “regulation for the sake of it.”

Ayotte added that allowing governmental agencies like the Federal Trade Commission to expanding their regulatory authority into areas like the Internet of Things is a bad idea because many concerns can be adequately addressed under existing rules. “The FTC already has the power … to go after unfair and deceptive practices,” she said. “We must define the parameters of this authority so the private sector understands what the rules are.”

While there may not be agreement on how the Internet of Things should be regulated, it’s a positive sign that lawmakers are starting to seriously look at the potential promises and pitfalls of the new technology. The Internet of Things is coming no matter what happens. The people in charge of keeping the public safe and the industry healthy need to be ready.

Illustration by Fernando Alfonso III