Internet of Things (IoT) refers to the devices that have sensing or actuation capabilities and are connected via the internet. It includes a diversity of solutions that you may find in your daily life, such as smart televisions, wearable fitness bands, smart home appliances, medical devices, among many others. The data collected from these devices allows to establish your individual profile by monitoring daily routines and parameters, identifying inconsistencies and displaying alerts in case of emergency. Thus, they are a great resource to age healthily and independently at home. However, these devices bring security challenges and, in many cases, you may not even be aware that the device is communicating your data over the internet.

When will technology actively promote privacy and security needs?

If IoT devices can help you live a healthier life, who wouldn’t like to use them? But if that means sharing our personal data online every time we use or interact with a smart device, then we would probably think again [1]. Information is power and money. On the black market, our social security number may be worth 10 cents while our credit card may reach 25, but our health record can be worth hundreds, or even thousands of dollars! [2] So we will certainly want to keep our information safe and have the power to control who accesses it and when.

However, no optimal security infrastructure, nor standards or even best practices are yet available to properly protect the users. It is also complex to balance availability and confidentiality. This means that users must be able to access and connect to the devices whenever they need while at the same time securing all that generated data and provide for their privacy. Therefore, there is a need to implement privacy and security-preserving solutions, transparent to its users with regards to data flow [4].

Legislation to the rescue?

From May 2018, stricter rules will be available to protect the processing, by others, of European residents’ personal data. Succinctly, the EU General Data Protection Regulation (GDPR) [5] states that you have the following rights: i) informed consent must be sought from you at all times for every different type of data processing; ii) you can access your data whenever you want, free of charge, in an electronic format; iii) you can request data processors to erase your personal data and cease further dissemination; iv) you can receive data previously provided, in an understandable format to be transmitted to other data controllers, if you so wish; and v) data protection must be included as another essential feature of any system, and not just patched later.

However, all this raises some important questions. First, how will you, as a lay user, know if the right measures are being in place even if there is a text saying there are? Even if you are a tech savvy, security issues may not be completely clear to you, and they usually aren’t. Second, what happens to the way our data was treated until now? Will it all be retrospectively corrected as well? And finally, when will these security measures and processes be well-tuned to be integrated in every practice, of every personal data processing, of every device?

It is wonderful to have such legislation to back us up and give us power and control, for a change, but how will that help in practice where there are no means to do it? What can we do until we get there?

Autonomy and Empowerment. Security technology can assist!

Maybe the solution can be found within the same technology where the problems lie. As with any “physical” tool, technology, either in the form of a device or a software application, can be used to perform “good or bad deeds”. So maybe one solution can rely on using technology that can assist users to control their privacy requirements while still providing their usual services.

As our online footprint can be used by businesses to target marketing and tastes, so it can be used for the benefit of each owner of that footprint. Each action we take online can comprise rich information about technical and behavioural attributes of a system, which can be used to assess security problems at that specific moment. This information can help decide, on the fly, safer means of interaction and protection of personal data in use. An example of such developing technology is SoTRAACE, a Socio-Technical Risk-Adaptable Access Control Model that can take into account contextual (e.g., physical location as work, home, public places), technological (e.g., type of device, network connection, secure protocols) and user’s interaction profiling (e.g., user’s history of accesses to specific data) to conduct a quantitative and qualitative risk assessment analysis to decide, for each user’s request, what is the most secure and private way to access and display personal information [6].

So why do we have keys and alarms to secure our homes and cars? Why about 60 years ago there were no seat belts? The same care (or even more) must apply to our valuable personal online data. Technology should serve and help people and not create added stress or be another source of danger, hindering us from benefitting from its full potential. And we, users, have a word… or two, to make this happen by getting informed and claim the right to control the way our own personal data is managed.


SOURCES

[1] Balta-Ozkan, N, Davidson, R, Bicket, M, & Whitmarsh, L. (2013). Social barriers to the adoption of smart homes. Energy Policy, 63, 363–374. https://doi.org/10.1016/j.enpol.2013.08.043

[2] https://www.forbes.com/sites/mariyayao/2017/04/14/your-electronic-medical-records-can-be-worth-1000-to-hackers/#13ee3df250cf.

[3] Minoli, K, Sohraby, K & Occhiogrosso, B. (2017). IoT Security (IoTSec) Mechanisms for e-Health and Ambient Assisted Living Applications. 2017 IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies (CHASE), pp. 13-18. doi: 10.1109/CHASE.2017.53

[4] Garg, V, Camp, LJ, Lorenzen-Huber, L, Shankar, K, & Connelly, K. (2013). Privacy concerns in assisted living technologies. Annals of Telecommunications – Annales Des Télécommunications, 69(1-2), 75–88. doi:10.1007/s12243-013-0397-0

[5] Regulation (EU) 2016/679 of the European Parliament and of the Council L119. Official Journal of the European Union.

[6] P. Moura, P, Fazendeiro, P, Vieira-Marques P & Ferreira A. (2017). SoTRAACE — Socio-technical risk-adaptable access control model. 2017 International Carnahan Conference on Security Technology (ICCST), Madrid, pp. 1-6. doi: 10.1109/CCST.2017.8167835.