Last week, I participated on a panel for the TRUSTe Internet of Things (IoT) Privacy Summit at a beautiful resort in Menlo Park, California. The event brought together people from many different companies, large and small, as well as privacy advocates and legal experts. Videos of the event can be found here. The consensus perspective at the conference was that soon all of our electronic devices will be connected, spanning smart meters in our homes, smart thermostats on our walls, and wearable devices on our wrists sending health information to our smartphones. So, someone needs to ensure privacy is being addressed. This looms as a large issue as more and more data is being captured for our benefit, and we are able to remotely control our household electronics, and even our lights, from our smartphones.
Organizations want to mine that data for analysis. Much of this data is personally identifiable information (PII), such as name, address, age, sex, location, and contact info, which is afforded certain protections. But some of it is legally protected information, such as health or financial data (e.g., a credit card linked to an account). The core of privacy is Notice and Choice. An organization must notify the user what data is being collected, how it’s being used, and with whom else it might be shared. The user [technically] has a choice to allow this use of their data or not. This usually just amounts to “accepting” the privacy and license agreement that is shown to you when you install or log into the application. There are large concerns that users have been numbed by notifications: they just scroll down and accept anything. So there is discussion of enforcing the concept of “acceptable use,” meaning I won’t be selling your data to marketers, I will protect your data from unauthorized access, and I’ll give you access to the data I have so you can correct or delete it. This is gaining traction, but the law is still Notice and Choice.
We specifically had discussions about the perspectives of millennials, who appear to be less privacy focused and seem to accept all uses of their data. However, one of the panelists provided an excellent perspective that “it’s not that millennials don’t care about privacy, they actually manage it very well, they just have a different threat model than the older generations.” Meaning, they are fine with sharing different information about themselves, which they don’t see as harmful, but are very savvy in hiding information they don’t want shared (i.e., treating their parents as the adversary).
What we were striving for is that companies and developers build privacy into their products instead of trying to bolt it on at the end. We learned this lesson over a decade ago with web application security: it’s much more expensive to attempt to apply security controls to a working application than to design them in at the beginning. Also, controls are more effective when they are integrated than when they are added on later. We also need to look at the entire data supply chain, not just at collection points. Is this data flowing to a back end system? Is data stored in multiple places? Is this data in a cloud? In what country is this data stored? There are many country-specific data privacy requirements, especially in Europe, around storage and protection of PII to consider. Overall, it was a great conference that covered many topics, but like many conferences, the folks who attended already get it. We need to get the word out to more industries. As a security professional, my industry struggles with understanding the difference between privacy and security, and treats privacy as encryption, or confidentiality. It’s really about “appropriate use.” That’s a good place to start.
– Rick Doten, DMI Chief Information Security Officer (CISO)