The Standards Blog

Monday Witness: It's Time to Recognize a Civil Right Not to be Connected

Monday Witness

ToasterAlong with death and taxes, two things appear inevitable. The first is that wireless connectivity will not only be built into everything we can imagine, but into everything we can't as well. The second is that those devices will have wholly inadequate security, if they have any security at all. Even with strong defenses, there is the likelihood that governmental agencies will gain covert access to IoT devices anyway.

What this says to me is that we need a law that guarantees consumers the right to buy versions of products that are not wirelessly enabled at all.

If that sounds like an over-reaction, consider the point made in a recent ZDNet story by Danny Palmer, titled Internet of Things security: What happens when every device is smart and you don't even know it? That article reads in part as follows:

"The price of turning a dumb device into a smart device will be 10 cents," says Mikko Hyppönen, chief research officer at F-Secure.

However, it's unlikely that consumer [sic] will be the one who gains the biggest benefits from every device their homes collecting data; it's those who build them who will reap the greatest rewards -- alongside government surveillance services.

"It's going to be so cheap that vendors will put the chip in any device, even if the benefits are only very small. But those benefits won't be benefits to you, the consumer, they'll be benefits for the manufacturers because they want to collect analytics,"…

For example, a kitchen appliance manufacturer might collect data and use it for everything from seeing how often the product breaks to working out where customers live and altering their advertising accordingly in an effort to boost sales -- and the user might not even know this is happening, if devices have their own 5G connection and wouldn't even need access to a home Wi-Fi network.

"The IoT devices of the future won't go online to benefit you -- you won't even know that it's an IoT device," says Hyppönen.

If you find the idea unsettling that you may soon be surrounded by hordes of invisible, unsuspected digital spies, this would be a good time to think about what we should do about it. But how likely is it that we will do anything at all?

The ZDNet article observes that most people will simply shrug and accept the situation, as they have so many others leading to the exposure of their browsing habits, and much more, in exchange for free Internet services. It also notes how unlikely and difficult it will be to update the security of devices costing as little as a dime as the threatscape continues to evolve. Only in the last sentence of the article is government action mentioned as an option, and then only to suggest that perhaps the powers that be should become involved in mandating adequate security.

In my opinion, that’s going at it all wrong.

We’ve been citizens of the technology age long enough to recognize that a few fundamental truths have become well established. They include that adding security will always be an afterthought for vendors; that the effectiveness of defenses will always lag behind the ability of black hats (not to mention the NSA) to gain access; and that the cheaper a device is, the less likely it is that it will benefit from robust security. History teaches us that government regulation has never been able to adequately address issues like these.

And then there’s the issue of what happens to the data once it is collected. The traditional approach in the US towads safeguarding most kinds of personal data is hardly comforting: a vendor can collect and share many kinds of data so long as it discloses to the consumer in advance that it has reserved the right to do so. In most cases (financial and health data being the exceptions), there are no requirements to protect that data from theft. There’s no reason to expect that this will change as more and more types of data become available and commercially useful.

I think a new type of protection is needed that rebalances the equation in favor of the individual: we need to ask governments to recognize that that we have a fundamental right not to be connected. That means that unless the essential purpose of a product demands connectivity, a consumer should be able to buy a version of that product with no embedded radio chips. There’s simply no other way to be sure that the product won’t be coopted, and every reason to assume that coopting will be too easy – even if the vendor claims that the embedded device hasn’t been activated. As recently as last week we've learned that this provides no defense.

In the current political environment, it seems unlikely that such an effort will receive a favorable hearing in the US Congress. But it might receive serious attention in various US states, and it will certainly resonate in many parliaments in Europe. Progress can be mde, but only if we raise the issue and ask for a response.

It’s time we let legislators know - and soon - that a citizen’s right to be disconnected is more important than a vendor’s desire to acquire endless amounts of data.