IoT vendors must secure the data they collect

Beware the IoT, warns Nicholas Carr, author of The Shallows and the forthcoming Utopia Is Creepy, in the Los Angeles Times.

“We’re now in the early stages of the so-called Internet of Things,” he writes. “Companies are rushing to install sensors and transmitters in all manner of consumer and industrial goods. These network-connected ‘things’ will be able to beam reports on our behavior to corporate databases. We won’t be tracked just by our smartphones. We’ll be tracked by our cars, our homes, our clothes, our appliances, and the machines and tools we use in our jobs.”

He cites a specific example: “Under Armour has announced plans to put biometric sensors in the underwear and other garments it makes. There doesn’t seem to be anywhere companies won’t go to collect information about us.”

Consumers have always divulged data to companies, he said—for example, shoe size, or a description of a house we propose to have built. However, in the past, he said, your shoe store and architect wouldn’t collaborate to develop a profile of you that they would sell to other companies. (Perhaps if you have large feet and specified high ceilings for your new house such a profile would be valuable to a company selling basketball equipment.)

And it’s not just about collecting data but making decisions for you, he writes. For example, Google Maps now has a Driving Mode algorithm that will tell you where to go.

The concerns are real, and government is involved, for better or worse. Last year I wrote about IoT pioneer and MIT professor Sanjay Sarma, who recounted how he had populated his house with dozens of connected switches, motion detectors, and thermostats to enable control of lighting and heating. His last step in the project? He killed it. “I realized that anyone could plug into the outlet on my deck and take control of my house,” he wrote in Politico.

Carr proposes that the Internet should have “privacy” rather than “surveillance” as the default setting. He suggests that the Federal Trade Commission could permit companies to collect data for the purposes of enhancing a product, but they couldn’t share that data or store it indefinitely.

I personally don’t mind vendors sharing information if that enables them to offer me products or services I might be interested in. I am concerned about security. I might not be too concerned about hackers learning my shoe size, or that I’m low on laundry detergent. But I would be very concerned if my shoe size or laundry-detergent status is linked to a credit-card number, for example. And I don’t want hackers monitoring my programmable thermostat to determine whether I’m at home.

If reputable companies can’t be counted on to secure the data they collect, then government may need to step in, or consumers will need an easy way to opt out—Carr’s privacy default setting.

As Carr concludes, “It’s possible to gain the benefits of a connected world without submitting ourselves to surveillance and manipulation. By retaking ownership and control over our personal information, we can make sure that we’re treated as people rather than as things.”