It’s not often that you hear discussions about smart automobiles and smart coffee makers bandied about in the halls of the U.S. Senate, but it happened on Feb. 11 as the Senate Committee on Commerce, Science and Transportation held its first hearing on draft legislation aimed at safeguarding Internet security.
Senators’ comments showed they were concerned about ensuring the security of users without standing in the way of future innovation.
But first they felt compelled to discuss the day’s news about Samsung smart televisions, which, apparently, can record entire conversations held within range of their microphones and then send them off into the cloud.
Ranking Member Senator Bill Nelson (D-FL) expressed his concern about personal information getting into the hands of third parties without the knowledge of device users, and the subsequent risk to privacy.
“And, more recently, we learned that Samsung’s privacy policy for its voice-activated ‘Smart TV’ informed consumers that their indoor conversations can be recorded by the television and sent to a third party,” Nelson said. “So, Big Brother may really be listening to us.”
This part of the discussion underscored the committee’s broader concerns about Internet security. On one hand, growth of the Internet of Things promises a whole new world of data-based capabilities. But on the other hand, if it’s done wrong, it’s rife with risks to security and privacy. The risks that Senators on both sides of the aisle discussed go far beyond just the release of private information. They’re also worried about security risks in the form of criminal and terrorist attacks.
“IoT devices can collect sensitive consumer and business data; therefore, privacy considerations should be at the forefront as we consider this great technological wave,” noted Committee Chairman John Thune (R-SD) in his opening remarks. “Security will also be a critical concern of the Internet of Things due to the scope and sensitivity of the data collected and the interconnection of devices and networks.”
Thune added that the government needs to move carefully. “These issues are real, but I encourage policymakers to resist the urge to jump head first into regulating this dynamic marketplace. Let’s tread carefully and thoughtfully before we consider stepping in with a ‘government knows best’ mentality that could halt innovation and growth. Let’s treat the Internet of Things with the same light touch that has caused the Internet to be such a great American success story.”
During the discussion and the questions that followed, much of the concern focused on security. A recent segment on the CBS program “60 Minutes” drew specific mention because it showed how easy it can be to break into an unprotected network and to take control of the devices on the network.
Senators Ponder Internet of Things Security in First Hearing
The same kind of attack on networked automated devices was the mission of the Stuxnet worm that led to the destruction of most of Iran’s uranium centrifuges. There, the invasion required tempting engineers to plug in a USB stick. These days, with nearly every device connected to the Internet, it’s much easier.
Unfortunately, unauthorized access to networks is only one of the security problems facing the widespread use of the IoT. Another, potentially much more serious, problem is the use of data gathered by those devices.
In the case of the Samsung television that listens in on your conversations, the company claims that it doesn’t actually use the recorded speech for anything beyond improving speech recognition. But once you’ve signed the user agreement allowing Samsung to record those conversations, what’s to keep that from changing?
Here’s another example that’s closer to home. I recently purchased a Garmin Vivofit activity monitor that keeps track of when I’m walking, when I’m sitting and when I’m sleeping. That data goes first to my phone, then it goes to Apple and then to Garmin. From Garmin it can go to my Windows computer where it can be retrieved. But what’s to keep a law enforcement agency from demanding to see activity that’s stored at Garmin?
The device also allows Garmin to know how much I weigh (too much), how tall I am, how old I am and my normal level of fitness (next to zero). I’m willing to take this risk if only because most of this data is already in some government database. But suppose it was my television viewing habits? Or suppose it was data related to my credit cards or bank accounts? At some point you get to data that I’d rather not have the world see.
While it’s unlikely that the first security problem that gets discussed in these hearings, the encryption of the link between devices, will prove to be much of a problem, the fact is that the ultimate destination of the data is a huge problem and a huge privacy issue.
One of the Senators in the hearing said that while it’s fine with him if his smart refrigerator tells him that he’s getting low on milk, it’s not fine if the refrigerator also tells the grocery store so it can be used for marketing information. And this is just one part of the problem.
Consider that the majority of the IoT will probably not be used by people at all, but rather by devices in organizations that communicate with other devices. How hard will it be to protect that data, regulate where that data ultimately goes, who accesses it and how it’s used? While it’s likely that most of the companies gathering such data will say they protect it, will they? Or will they quietly place a disclaimer into their agreements allowing unspecified use by unnamed third parties?
Ultimately, it’s controlling the background distribution of private data that poses the greatest risk, and somewhere in this legislation this needs to be nailed down.