Experts: Privacy and security must be ‘baked in’ as IoT grows
The more the Internet of Things permeates everyday life, the more privacy and security need to be baked into the design of products from their inception, government officials and private sector experts said at the massive CES event Wednesday.
A panel discussion focused on how protecting data is going to become increasingly important as more and more of our everyday objects are connected to the Internet and collecting information.
Julie Brill, a commissioner at the Federal Trade Commission, said companies of all kinds, large and small, are going to have to consider how their customers learn about privacy and security measures no matter what their line of business.
“It’s not just a connected insulin pump or car, it’s going to be connected pens and bottles,” Brill said.
She added that the much-touted agility of contemporary software development brought its own challenges. “What you are going to have is a company, and when a vulnerability is found, they will go to version 2.0 or 3.0, but will they patch 1.0? Will consumers know they shouldn’t be using 1.0?”
John Godfrey, senior vice president of public policy for Samsung, said companies must think about how to empower their users to take control of their data without trying to shoehorn one-size-fits-all policies across the entire IoT landscape.
“The answers [on policies] are going to be different for different people,” Godfrey said. “We shouldn’t decide there is one answer that is the answer for every consumer. It will make IoT too rigid.”
Nuala O’Connor, president and CEO of the Center for Democracy & Technology, cited positive examples of how being proactive about privacy and security has materialized during early design stages. She helped work on the privacy policy governing Amazon Echo, the online retailer’s Internet-connected speaker/virtual assistant.
O’Connor said people at Amazon “had the hard conversations” about how they would let users know what’s happening with their data, even implementing a hard power-off capability — a significant feature in a device designed to be constantly listening for verbal cues.
“How do we let people know they are engaging with this device?” O’Connor said Amazon people had asked. She critiqued the current corporate conception of privacy policies: “We are not going to [send] a piece of paper in the mail that says ‘This is what we are doing with the data.’”
On the security side, Brill said more needs to be done to educate programmers about the things they can do to improve security. Her advice to developers was to think more about data hygiene, citing a stat that 20 percent of programming errors lead to 80 percent of the vulnerabilities.
However, Brill said high-ranking professionals in the computer science community take issue with that advice.
“There is controversy about this among computer scientists, they tell me that data hygiene is worthless and you really need to protect the crown jewels,” she said. “I then ask them, ‘What are the crown jewels and tell me how to protect them?’ They don’t have an answer for that yet.”
Eric Wenger, director of cybersecurity and privacy policy at Cisco, said most software developers just do not have the needed background to bake privacy and security into their devices, a fact that will continue to cost companies money until it changes.
“[Companies] need to think about this from the design up,” Wenger said. “Unmanaged collection of data is a liability. It’s a hidden cost that’s on your balance sheet.”
Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto.