from the no-hyperbole-intended dept
If you’re a long-standing reader of Techdirt, you know we’ve well documented the shitshow that is the “internet of things.” It’s a sector where countless companies were so excited to develop, market and sell new “smart” appliances, they couldn’t be bothered to embrace even the most rudimentary security and privacy standards once these devices were brought online. The result is an endless stream of stories about refrigerators, TVs, thermostats or other “smart” devices that are busy hemorrhaging personal data, inadvertently advertising that sometimes the smart option is actually the dumb one.
This systemic incompetence has now fused with a cultural disdain for more modern consumer privacy protections. The end result has been an obvious uptick in concern about how much data is now being collected by even children’s toys like Barbie dolls, something that last year’s Vtech hack illustrated isn’t just empty fear mongering. Convincing parents who already find technology alienating has proven to be difficult, as is attempting to craft intelligent regulation that protects kids’ playtime babbling from being aggressively monetized, without hindering emerging sector innovation and profits.
To that end, the Family Online Safety Institute and the Future of Privacy Forum held a presentation last week (you can find the full video here) where analysts and experts argued, among other things, that privacy policies need to be significantly simplified and modernized for an era where a child’s doll can profoundly impact the privacy of countless people. It has been, needless to say, an uphill climb.
And while this all is seen as kind of cute and theoretical when we’re talking about not-so-smart tea kettles or talking dolls, the amusement has worn off as the conversation has shifted to territory where incompetence or a clever hack can kill you (namely, automobiles). As Bruce Schneier notes over at Motherboard, this massive introduction of privacy flaws is a pretty big problem at scale, when appliances aren’t swapped out or updated often:
“As more things come under software control, they become vulnerable to all the attacks we’ve seen against computers. But because many of these things are both inexpensive and long-lasting, many of the patch and update systems that work with computers and smartphones won’t work. Right now, the only way to patch most home routers is to throw them away and buy new ones. And the security that comes from replacing your computer and phone every few years won’t work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never.”
And while mocking the internet of things has become a running joke, Schneier notes it quickly becomes less funny when you begin to realize that the interconnected nature of all of these devices means we’re introducing millions of new attack vectors daily in homes, businesses, utilities, and government agencies all over the world. Collectively these flaws will, no hyperbole intended, inevitably result in significant deaths:
“Systems are filled with externalities that affect other systems in unforeseen and potentially harmful ways. What might seem benign to the designers of a particular system becomes harmful when it’s combined with some other system. Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing. The Internet of Things will make exploitable vulnerabilities much more common. It’s simple mathematics. If 100 systems are all interacting with each other, that’s about 5,000 interactions and 5,000 potential vulnerabilities resulting from those interactions. If 300 systems are all interacting with each other, that’s 45,000 interactions. 1,000 systems: 12.5 million interactions. Most of them will be benign or uninteresting, but some of them will be very damaging.”
At that scale, the arguments that you didn’t embed useful security because “it was only a refrigerator” or you didn’t impose some basic privacy protections and guidelines because “it might hurt an emerging sector’s ability to make more money” start to lose their luster. Schneier tries to argue that the only way we can truly mitigate the looming risk is the involvement of an informed public and an accountable government:
“Security engineers are working on technologies that can mitigate much of this risk, but many solutions won’t be deployed without government involvement. This is not something that the market can solve. Like data privacy, the risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public; the interconnections can make it impossible to connect data breaches with resultant harms; and the interests of the companies often don’t match the interests of the people.
“Governments need to play a larger role: setting standards, policing compliance, and implementing solutions across companies and networks. And while the White House Cybersecurity National Action Plan says some of the right things, it doesn’t nearly go far enough, because so many of us are phobic of any government-led solution to anything.
“The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people. I hope he or she responds with both the recognition of what government can do that industry can’t, and the political will to make it happen.”
This is of course the part of the story where the author is supposed to inform you that with good intentions and enough gumption, government, the public and industry will come together and quickly nip this problem in the bud. Of course this particular post’s readership is painfully aware that the same government Schneier hopes will come to the rescue is too busy trying to embed its own problematic backdoors in everything under the sun while a large portion of it rushes to gut the funding and authority of any regulator capable of imposing basic privacy and security protections.
Said readers are also probably painfully aware that neither looming major Presidential candidate has shown the remotest competence with regard to technology or genuine cyber-security. That means it’s more than likely these unfortunate outcomes Schneier predicts will need to arrive before we’re collectively even willing to begin to take serious steps to address them. At that point the only certain outcome is that all of the players involved will be sure to shirk their own personal responsibility for the security and privacy nightmare they helped build. Still, for whatever it winds up being worth, we can’t say we weren’t warned.