Credit Writedowns: Privacy and the ubiquity of embedded technology

Today’s commentary

Yesterday, Google announced that it would buy privately-held Nest Labs for $3.2 billion. This was Google’s second largest acquisition ever. Nest is a smart thermostat and smoke alarm-maker which promises to give Google a leg up in the fast expanding home automation market. But the acquisition also highlights the degree to which communications technology is now embedded in ordinary devices. The benefit is convenience. The risk is privacy.

Since this is a thought piece, I am putting it outside the paywall.

Last week cryptography expert Bruce Schneier wrote an interesting piece on the NSA at the Atlantic, arguing that the intelligence agency threatens national security. His argument in a nutshell was that the NSA – in its zeal to undermine security for espionage purposes - made the digital world vulnerable to any attacker, including foreign governments and common hacker criminals. Schneier pointed to the NSA’s “collect-everything mentality” as being at the heart of the security vulnerability. And I believe this is important when thinking about embedded technology in the context of the Google acquisition.

Embedded technology or embedded systems are computer systems that operate within larger devices in order to make them ‘smart’ and more technologically advanced. Think of electronic watches, baby monitors, refrigerators or washing machines. These articles are by their very nature mechanical/electronic. But in today’s world, they also contain tiny little computers in order to enhance their functionality and ease of use. Embedded systems of this sort are literally ubiquitous. The Nest acquisition gives Google entree into this embedded technology market in its most important application, home automation.

The problem with embedded systems is that they are a major security and privacy risk. In another Bruce Schneier post, he explains:

“We’re at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself — as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them.

It’s not unlike what happened in the mid-1990s, when the insecurity of personal computers was reaching crisis levels. Software and operating systems were riddled with security vulnerabilities, and there was no good way to patch them. Companies were trying to keep vulnerabilities secret, and not releasing security updates quickly. And when updates were released, it was hard — if not impossible — to get users to install them. This has changed over the past twenty years, due to a combination of full disclosure — publishing vulnerabilities to force companies to issue patches quicker — and automatic updates: automating the process of installing updates on users’ computers. The results aren’t perfect, but they’re much better than ever before.

But this time the problem is much worse, because the world is different: All of these devices are connected to the Internet. The computers in our routers and modems are much more powerful than the PCs of the mid-1990s, and the Internet of Things will put computers into all sorts of consumer devices. The industries producing these devices are even less capable of fixing the problem than the PC and software industries were.

If we don’t solve this soon, we’re in for a security disaster as hackers figure out that it’s easier to hack routers than computers. At a recent Def Con, a researcher looked at thirty home routers and broke into half of them — including some of the most popular and common brands.”

Schneier focuses on the security risk. And that’s a big problem because these embedded technology products are never updated by end users, making them vulnerable to hackers, especially if they are internet-enabled. But then there is the privacy risk too. A lot of ink has been spilled over GPS and WiFi tracking for example. For retailers, tracking customers in-store will soon be the norm. But these tracking mechanisms can be used across retailers too in the same way tracking cookies are used across the Internet. Turnstyle Solutions has set up a WiFi tracking mechanism in downtown Toronto that uses sensors at 200 different stores, allowing the company to create a mosaic of 2 million people and their shopping habits – in the hopes of serving them with proto-Minority Report-style advertising.

We see the emerging location tracking technology developing in cars too at this year’s Detroit auto show. The Guardian reported on privacy problems:
the US government accountability office (GAO) found inconsistencies in the way automakers handle data from car owners, raising fears of privacy breaches. The study looked at information collected by Chrysler, Ford, General Motors, Honda, Nissan and Toyota as well as navigation device-makers Garmin and TomTom and map and navigation app developers Google and Telenav.

“Without clear disclosures about the purposes, consumers may not be able to effectively judge whether the uses of their location data might violate their privacy,” the report noted.

Now, note, that these technologies are geared not just toward enhancing computing power but toward increasing convenience for end users. So the convenience factor is the trojan horse for security and privacy vulnerabilities. Couldn’t the government embed hidden backdoors into these systems? Couldn’t hackers break into the vendors’ computer systems to access our private information? Couldn’t someone or some company or some government use our home automation devices to watch our every move where we live and sleep? The answer to all of these questions is yes. This is what happened with the Target and Neiman Marcus data breaches, affecting 70 million customers with not just stolen credit card information but stolen email addresses, telephone numbers and other personally identifying information. I don’t have a solution to this problem but I think it will be end up as a mutli-factored problem in a world that is increasingly dependent on always-on computing and internet communications capabilities. The economic and social impact will be in terms of theft, industrial and government espionage, privacy and freedom of speech. it’s hard to tell when, where and how the privacy and security vulnerabilities will be made manifest as serious problems but the NSA spy scandal tells you it already is one. And it is likely to get bigger unless we do find a solution.

Bruce Schneier makes a good case for seeing the security and privacy risks as social in nature. He writes:

Not only is ubiquitous surveillance ineffective, it is extraordinarily costly. I don’t mean just the budgets, which will continue to skyrocket. Or the diplomatic costs, as country after country learns of our surveillance programs against their citizens. I’m also talking about the cost to our society. It breaks so much of what our society has built. It breaks our political systems, as Congress is unable to provide any meaningfuloversight and citizens are kept in the dark about what government does. It breaks our legal systems, as laws areignoredorreinterpreted, and people are unable to challenge government actions in court. It breaks our commercial systems, as U.S. computer products and services are no longer trusted worldwide. It breaks our technical systems, as the very protocols of the Internet become untrusted. And it breaks our social systems; the loss of privacy, freedom, and liberty is much more damaging to our society than the occasional act of random violence.

And finally, these systems are susceptible to abuse. This is not just a hypothetical problem. Recent history illustrates many episodes where this information was, or would have been, abused: Hoover and his FBI spying, McCarthy, Martin Luther King Jr. and the civil rights movement, anti-war Vietnam protesters, and—more recently—the Occupy movement. Outside the U.S., there are even more extreme examples. Building the surveillance state makes it too easy for people and organizations to slip over the line into abuse.

It’s not just domestic abuse we have to worry about; it’s the rest of the world, too. The more we choose to eavesdrop on the Internet and other communications technologies, the less we are secure from eavesdropping by others.

The end result of not fixing this problem will be an erosion of the legitimacy of government and democracy, something that will eventually create economic upheaval and revolution. One way to hold this at bay is to stop government from exploiting the security and privacy loopholes. But another important factor is for citizens to start taking security and privacy seriously. The trade-off between convenience and privacy/security needs to move more in the direction of security and privacy – and by that I mean we consumers need to force companies to add security into their systems. Two-factor authentication systems and easy to use security protocols. One reason I think Bitcoin is interesting is that it sets up a way for people to interact across the web securely in a way that is independent of the security systems of one individual company. It is the technology behind Bitcoin that provides answers for the future more than the currency, which is a legacy of the increasing distrust of government and the erosion of the legitimacy of democracy.

Eventually, repeated violations of security and the erosion of privacy will lead to a breakdown in society. I think we can have the convenience and the security and the privacy. But we need to take the security and privacy seriously or we won’t get it.

Comment Stream