Risk Management Feature - The risky business of IoT

Source: Middle East Insurance Review | Dec 2015

In this third instalment on the Internet of Things (IoT) from AIG’s white paper, we zero in on the risks that IoT presents on the back of the great opportunities.
 
 
In many ways, IoT’s possibilities are limited only by our imaginations. Particularly when we consider all the data that goes unrecorded, all the bits of information that slip through our fingers, and how IoT will allow us to finally capture this data and use it in a way that has eluded humanity for years, it’s easy to ignore the dark side of the new IoT world. 
 
   But businesses cannot afford to invest in their IoT systems without first understanding the major risks inherent in any system that is connected to the Internet. From the day we turned on the first computer, we have known that our reliance on technology can lead to disruption, big and small. This is not to scare companies away from embracing IoT; by far, the opportunities outweigh the risks. Yet every company must understand that for every problem IoT solves, there is another problem it creates. Here are three of the biggest risks that come with IoT.
 
Privacy
When the world’s billions of sensors are constantly acquiring data on their surroundings, which includes humans, then privacy concerns are paramount in an IoT world. Most of the developed world has attempted to protect consumers from illegal use of confidential information, but in many cases the laws are not adequate to meet the tremendous number of new ways personal information is being captured and used. The EU’s recent attempt to update copyright law is a symptom of the outmoded nature of many of the developed world’s laws.
 
   At an earlier stage of the Internet, consumers became familiar, if not entirely comfortable, with tracking software, otherwise known as cookies. Because there was no specific law restricting a website’s use of cookies to track a user’s browsing behaviour, many companies simply adopted the practice without much forethought on user concerns. In fact, it was the browsers that responded to consumer anxiety with tools to restrict the use of cookies and eliminate them after a browsing session. Legislation in the EU now regulates how cookies are used and what type of data they are allowed to collect on the user, but with the rise of mobile technology, which doesn’t need cookies to track user behaviour, many of these laws are swiftly becoming outdated and inadequate in an IoT world.
 
   Likewise, the US also relies on older regulatory models for new IoT devices and systems. But there is no single federal law that governs the collection and use of personal data. Rather, the US relies on a patchwork of existing federal and state laws to protect consumer privacy. Public outcry at the federal government, particularly the National Security Agency, for “data-mining” activities related to law enforcement and counterterrorism presages the public policy debates to come.
 
   The US Federal Trade Commission (FTC) released a report in January 2015 that surveyed the state of IoT in the US and suggested “best practices” for companies to follow when it comes to consumer data and security. The FTC report, however, continues the federal government’s “light touch” when it comes to Internet, and thus IoT, regulation. For instance, the report concludes “that any Internet of Things-specific legislation would be premature at this point in time given the rapidly evolving nature of the technology. The report, however, reiterates the Commission’s repeated call for strong data security and breach notification legislation”.
 
   Privacy concerns extend to the workplace as well. There are lots of programmes on the market that enable an employer to track worker behaviour, usually via the worker’s PC. But IoT allows employers to embed sensors in virtually any corner of the office to monitor employee habits. For example, a former sales executive in California has filed a lawsuit against her employer, alleging she was forced to download a tracking app to her smartphone which the employer used to monitor her whereabouts both during and after work hours. 
 
   IoT’s ability to track and capture human action raises multiple ethical questions that haven’t as yet been fully answered, such as:
• Can a worker be punished because of data collected from an IoT object?
• Must an employer inform his workforce about sensors tracking their behaviour?
 
Cyber security
Cyber breaches are a major threat to businesses today. According to one estimate, cyber crime costs businesses US$400 billion every year.
 
   What’s most troubling from an IoT perspective is that the cyber criminals are breaching ostensibly secure systems with multiple layers of protection in place. The complexity of ensuring the security of IoT devices is an area of improvement for business, especially in preparation for the day the “IoT ecosystem” comes to life where billions of objects are connected to the Internet and each other.
 
   We must remember that any device with an Internet connection is a potential gateway for a hacker. For example, in 2014 a hacker was able to break into a baby monitor to harass a two-year-old girl. Follow-up research on the product, which was produced by China-based company Foscam, discovered that 40,000 out of 46,000 devices had not been updated with a security measure that would have prevented the breach.
 
   We must also remember that the more we automate and connect certain systems, particularly industrial systems, the more open those systems are to hacking. A city that builds a smart grid for electricity might realise great cost savings in the way the system streamlines troubleshooting. At the same time, the very same system also gives a potential hacker an easy way to shut down an entire city’s electrical supply from his computer.
 
   In yet another example, the US Government Accountability Office issued a report in April 2015 that discussed the threats that come with the increased interconnectedness between airplanes and ground systems. “This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems,” the report warned. In other words, a hacker-terrorist could use the system to gain control of the aircraft.
 
   Because of the networked nature of IoT – i.e., that each connected object uses data from other connected objects – there is also the risk that a malfunction could lead to catastrophic system failure. A malfunctioning object potentially could feed incorrect data to another device that’s functioning normally. Yet as the bad data inches its way up the system, it begins to infect more and more systems. If we consider a natural disaster, such as flooding, malfunctioning sensors that monitor the integrity of dams and levees could lead to massive property damage or even loss of life.
 
   Examples like these underscore the new risks many businesses will face when it comes to IoT cybersecurity. While we can expect that the manufacturers of these devices will improve their security measures in time, the sheer number of connected things is growing exponentially.
 
Liability
When it comes to autonomous vehicles, like driverless cars, we are faced with an obvious ethical dilemma: In the seconds before an accident, should an autonomous vehicle do anything it can to protect the passengers, even if it means harming other motorists or pedestrians? 
 
   When humans are behind the wheel, collateral damage, as terrible as it is, doesn’t pose much of an ethical problem. A human being in danger can’t be faulted when survival instincts cause him or her to swerve the car into a pedestrian. But when machines are the decision makers, does a pedestrian harmed in an accident have a case against the car manufacturer? Does a driver have a case against a car manufacturer following an accident in which he or she was injured? As a European Commission report on the ethical dilemmas inherent in IoT technology stated, “People are not used to objects having an identity or acting on their own, especially if they act in unexpected ways.”
 
   Other questions of liability emerge when we consider data ownership. With billions of devices collecting data, the lines get blurred on who is responsible for what data. IoT objects function autonomously and in conjunction with multiple other objects. Data is quickly shared, processed, reshared, and reprocessed before it might be seen by human eyes. In other words, it’s too simple to associate one device with one piece of data, since so much of IoT’s potential lies in the seamless transfer of this data between objects. For instance, an IoT heart monitor won’t just monitor a patient’s heart looking for warning signs of an impending heart attack. It might also access data from another object that tracks the patient’s fitness routine, which in turn takes data from a device that monitors food intake. If the patient has a heart attack, who’s responsible? 
 
   IoT devices also raise troubling questions when it comes to device malfunction. Sensors can be embedded in critical infrastructure like dams, bridges, and roadways to monitor structural integrity as well as environmental conditions that could undermine structural integrity. A road near a flood area could be embedded with sensors that know the moment rainfall has exceeded a point that gives engineers advanced warning of flooding. Indeed, protecting infrastructure is one of the most exciting aspects of IoT. Yet when we turn more and more of our critical infrastructure and security systems over to IoT objects, we run the risk of a catastrophe if and when those objects fail.
 
   We can apply this to the private sector as well. To cite a non-lethal example, in April 2015 several American Airlines flights were delayed when a software malfunction rendered pilots’ tablets, which they use for navigational purposes, useless. Although the malfunction was easily fixed with a software update, these examples show just how exposed we already are because of our connected devices. When they fail, will we be prepared? 
 