Privacy through ignoramity doesn’t work, either

In the headlines seemingly every day of late, the controversial NSA metadata collection program is viewed by many as a huge incursion into the privacy of billions of people. Amid the latest vehement denials from Apple over reports that they, Cisco, Microsoft, and others may have either abetted or been victimized by the NSA program, the debate on privacy and security is thickening.

Whichever side of the political debate you may find yourself on, the technological implications for the Internet of Things are unavoidable. As 2014 dawns, people want to be connected, and we have willingly coughed up some privacy to be able to access services in the cloud – generally assuming someone out there somewhere is handling the security. That is a dangerous assumption in some cases.

First, let’s clarify the working definitions of these important concepts. There is some overlap, but privacy and security are two very different things:

  • Privacy means control, determining what information is shared with whom when.
  • Security means safeguarding, protecting information from unintended use by any party.

Users – that means you and me – are responsible for privacy. Yes, developers need to clearly disclose and enforce permissions, and put in capabilities for users to control communication, but a user still decides to participate in a network and share personal information. Like it or not, cellular carriers have a concept called Customer Proprietary Network Information in their privacy policy (this is the Verizon version; I pick on them because I’m a Verizon customer), which is exactly the type of stuff the NSA is picking up.

Developers are responsible for security. Some are doing a better job than others. Many developers have gone to great pains to keep their stuff secret, but that doesn’t make it secure. In fact, in this age where the success of an IoT device or social app relies on the ability to discover and establish communication with others easily, secrecy is all but impossible to maintain for very long, especially if something becomes popular. Generally accepted practice uses well-known communication standards with some form of encryption to protect messages and stored data.

The idea of open networks with encrypted data is far from new. The concept of security through obscurity should have been thoroughly torched by Kerckhoffs’ Desiderata in 1883. Kerckhoffs made the observation that a communication system can still be secure, even if every detail of its architecture is well-known – except the private key used for encryption. This led to his observation:

Compromise of the system should not inconvenience the correspondents.

Obviously, the folks at Snapchat didn’t read Kerckhoffs, and have managed to inconvenience 4.6M users who thought they were exchanging stuff privately. Their phone numbers and user names were mined, and rather easily, via an API exploit. Analysts have suggested that the Snapchat system is “fundamentally insecure” and would be difficult for a team of security experts to fix.

Hackers are now declaring open season on Snapchat. This is really unfortunate, because the users who flocked there, allegedly fleeing other social networks like Facebook to achieve what they thought was better privacy, have now been completely exposed. Snapchat is likely doomed, with the best possible outcome now a Bump-style acquisition and assimilation of their intellectual capital to work on future projects within some larger firm.

The lesson for the IoT is twofold:

  • Privacy through ignoramity doesn’t work any better than security through obscurity. If value is to be derived from services, users will need to be much more aware of what and how they are sharing. There needs to be some trust that network operators, cloud service providers, and yes, even governments aren’t targeting individuals unless specific circumstances dictate otherwise. Entities violating trust will be outed quickly via social media channels.
  • Security cannot be ignored until millions of users are engaged in a service. It may be costly to implement, and is never perfect, but IoT firms need to pursue security up front – and keep pursuing it as threats evolve. Not implementing encryption, or failing to apply software patches, or leaving security to chance is like hanging a red neon sign on an application, saying “Hackers Welcome.” Devices that are connected will be found.

There are likely to be more high-profile breaches coming, but maybe some can be prevented with better education of users and design of systems. What do you think of the issues surrounding privacy and security, as they apply to the IoT?
