IoT benefits and privacy not mutually exclusive, says industry expert

It is possible to mitigate the privacy and security risks of the internet of things (IoT) without losing its benefits, according to an industry expert

It is possible to mitigate the privacy and security risks of the internet of things (IoT) without losing its benefits, according to an industry expert.

While IoT technologies that will enable devices to talk to each other and provide data to new services could deliver previously unimaginable benefits, many have raised concerns about security and privacy.

Security professionals and others are concerned about the risk of unauthorised access to data as a new breed of internet-connected devices collect and combine data in an unprecedented way.

“But by using certain frameworks it is possible to identify and address those risks,” said independent consultant and board member of the Oasis open standards group, Gershon Janssen.

“For example, the Oasis privacy management reference model [PMRM], which is an Oasis candidate standard, can help technology developers and service providers to translate laws, regulations and policies into effective measures they can take in the design phase,” he told Computer Weekly.

The PMRM, under development by an Oasis technical committee, is one of several new and emerging methodologies, frameworks and standards that can help to identify security and privacy risks, as well as help find ways of addressing them.

Another useful standard in developing IoT products and services, said Janssen, is the Oasis draft privacy-by-design standard for software engineers.

“These can be used both at the development stage and at the implementation stage of new products and services to ensure they are secure and protect privacy,” he said.

“Most people nowadays want assurances that the information they allow to flow into systems will be used only in the way they have approved, and that it will be encrypted so that it cannot be accessed by any unauthorised parties.”

For example, if an electric car owner has agreed to share information about power consumption with the vehicle makers, they want to be sure that no other information is shared, such as location data and recharge billing information.

This means that developers and suppliers of IoT-related products and services will increasingly be required to demonstrate that their offerings meet the privacy and security expectations of users.

“The PMRM takes developers or implementers through a set of steps to determine where the risks are that need to be addressed, such as insecure networks, and how best to do so,” said Janssen.

“This is an iterative process, and at each instance you can take it deeper and keep going as far as necessary,” he added.

Privacy and security secondary to commercial drive

But while Janssen believes that privacy by design is necessary and that emerging standards can help developers to achieve this goal, he concedes that privacy and security are typically secondary to the commercial drive to get products and services to market as soon as possible.

Read more about the IoT

“Finding the right balance is always a challenge, and even though end users are more concerned about and aware of security and privacy than ever before, there is also a tendency to focus on the benefits of new devices and services rather than paying attention to the potential risks,” he said.

However, Janssen said even though consumers are fairly unlikely to reject IoT-enabled devices and services because of privacy or security concerns, the suppliers should be concerned about the reputational damage from any associated data breaches.

“In addition, existing and particularly coming data protection legislation in the European Union do require products and services to be secure and ensure that personal data is protected,” he said.

In all likelihood, IoT devices and services will grow rapidly and initially in the consumer space, but ultimately they are also expected to infiltrate enterprise environments.

Janssen believes that many, particularly larger enterprises are aware of the IoT and are investigating what benefits and opportunities might be available to them, but that it will be at least another two to three years before there is any large adoption by enterprises of IoT-related devices and services.

If this prediction is accurate, then it will give enterprises a bit longer to evaluate the emerging offerings and to assess the potential risks as well as the benefits.

In light of the potential risks, however, Oasis is one of the organisations campaigning for IoT devices and services to be secure and privacy-protecting by design and by default.

“End users should not have to worry about configuring devices and services to ensure data is private and secure. Developers and implementers should take care of these things proactively and transparently,” said Janssen.

“Privacy and security should be enabled by default, they should be embedded into the design, and they should be enabled throughout all interactions from start to finish. Nothing should rely on end users taking action because in all likelihood they will not,” he said.

Janssen is to take part in a panel discussion on mastering IoT privacy and security risks without losing the benefits of IoT at the European Identity & Cloud Conference in Munich from 5-8 May 2015.

Read more on Privacy and data protection

Data Center
Data Management