When Google announced that it was coming out with a competitor to Amazon’s Echo device at the I/O conference on Wednesday May 18, most of the discussion was about the capabilities, and whether it would be able to overcome the frustrations of other digital assistants, including Amazon’s Alexa.
At this point, most of the discussion is mere speculation because it will be months before Google’s currently nameless assistant will be in a ready-to-ship form later this year.
But what’s not being discussed is the security and privacy provisions of Google’s new device. The lack of details about privacy is ironic considering Google, of all cloud companies, routinely raises privacy flags the most. So the question then becomes, what is Google planning to do to safeguard security and privacy?
Both of these issues are critical because privacy and security get very short shrift in the vast and unregulated Internet of things. The IoT is well known for its casual approach to security, because manufacturers may not go to a lot of trouble to make devices secure and because users rarely spend any time or thought to make sure their networks even minimally secure.
Two devices that have been running for a while on the IoT, routers and webcams, demonstrate just how lax security is with those devices. Go to any even moderately populated area and do a search for a WiFi hot spot and you will find dozens of unsecured WiFi routers with names like “Linksys.”
In many cases, an attempt to log in using the default user name (usually “admin”) and the default password (frequently it’s “password”) will all too often provide instant access to the device. Once into the router, you have access to that person’s network and maybe to the devices on the network.
It’s even worse for other types of devices such as Webcams, which may not even be password protected and available to any would-be voyeur who happens by. Other devices that are now populating home and office networks, including smart refrigerators, smart lightbulbs and smart white boards, are often bereft of any provision for security or any means to protect the information they transmit on the network.
Imagine, if you will, that a competitor finds your unsecured smart white board that has detailed information about your sales plans, your customers and a look at future products. That information could be in their hands in a matter of seconds, but it gets even worse.
When the device on the IoT is from Google, then it’s part of an information universe that’s almost unlimited. Get into one device that’s connected to Google, and you could have a person’s entire life in your hands.
Security for Google’s New Home Assistant May Get Lost on the IoT
“Google is able to combine data in ways that Amazon can’t,” said Dimitri Sirota, founder and CEO of BigID, a company that focuses on privacy and security. “Google has visibility into your day to day activities.”
Sirota said that with products such as Nest, and with access to a vast array of information through their mobile devices and new automotive products, Google already knows what you buy, where you go, and when you’re home. He wonders if a device such as Google Home might provide access to all of this information.
Making matters worse, Sirota pointed out that the regulation of IoT devices when it comes to privacy protection is unclear. While the EU has the General Data Protection Regulation (GDPR) the U.S. doesn’t have an equivalent regulation so there is less privacy protection.
On top of that, data about nearly everyone is being collected by new sensors and is coming from new sources. Now, it’s possible to know not only whether you’re home or at your office, but what room you current occupy, perhaps what you’re having for dinner, when you’re planning to go out for the evening and where you’re planning to go.
“Because Google knows so much about you they’re acting like your mother by anticipating what you want,” Sirota said. He pointed out that most people affected by Google’s plans are adults who may not want their virtual mother looking over their shoulders. “All of a sudden, those interfaces are all around us.”
The chances are actually pretty good that Google will embed some actual security into their Home device when it ships later this year, but then the next question becomes how well it can protect data on an insecure network. Will the data stream be well enough protected that even if hackers get into the network, the data will be useless? And if the data is breached, just how much other data will be suddenly available to those same hackers?
Perhaps the Google Home device will be able to determine whether it’s on a properly-secured network, and refuse to handle sensitive data if it’s not. But considering the sad record of previous IoT devices, I wouldn’t bet a lot on that eventuality.
But what’s worse is the rest of the vast network of Things on the IoT that aren’t secure, can’t be made secure and can’t even be updated so they can be made secure. Adding to that dismal outlook are all of those devices where security is possible, but is never actually done.
To say that this growth to the IoT is going to make the world a more interesting place is an understatement; it will also make the world a much more frightening place.