What's not to like about the Internet of Things (IOT)?
People can check-in on their cars and homes from afar. Companies can track the behavior of customers to design better products, giving consumers what they actually need. Hackers can get all of your data in order to steal your identity. Thieves, and worse, can look in on our homes and plan the perfect crime.
When I started writing this post, I planned on discussing the ethical responsibilities of companies to protect the information they collect from all the IOT devices being deployed. If they are going to keep that data, it is their duty to protect it from breaches and make sure that as much data as possible is anonymized. Then I read an article about people looking at photos of sleeping babies online.
In a rush to get inexpensive devices to market, companies are creating an MVP. Unlike in sports, we aren’t talking about the most valuable product. These releases are minimum viable products. In the pursuit of market share and profit, companies have abandoned ethical concerns about protecting their customers and lowered the bar, defining minimum too low.
Security as Step One
Several months ago I debated someone about the importance of baking security into a product from day one. He argued that getting to market was more important and that market demand could determine the proper security features. My premise was that any product that ignores the risks of releasing an inadequately secured product
is inherently flawed.
The MVP for a car wouldn’t skimp on door locks or get rid of keys so anyone could enter and start a car. Product that collect payments would (hopefully) include security. So why not secure the devices that monitor every aspect of our lives?
This goes beyond simply building in security features. It means involving consumers in decisions that impact their security. Defaulting to more security and assigning complex default passwords that encourage the creation of custom passwords are critical first steps.
This doesn’t even take into account secure design concepts and elimination of backdoors.
Protecting the Consumers
The average consumer doesn't know all of the dangers that lurk in the world of technology. They don’t want to understand the ins and outs of security. Most people's requirements are simple: something that works easily and doesn't blow-up in their faces. While early tech adopters may be savvy, everyone else focuses on convenience. They don’t pay attention to how the convenience can hurt them until they see an exposé in the news.
Companies must do a couple of things to protect their customers: the first is education. Not through scare tactics, but through clear communication about why good security matters to them. Teach consumers that the IOT needs to be securable. Teach them that the threats exist, but their security can be readily protected with just a few steps.
The second step is making sure all products are secure by default. If a consumer wants to open up their security, they should be succinctly informed of the risk before they confirm. Security cannot be forced on consumers, but they can be forced to make a conscious decision to accept the risks.
Boil it Down to the Golden Rule
The Golden Rule is one of the simplest rules to follow and has never steered me nor my clients wrong.
Do unto others as you would have them do unto you.
When we approach designing security in any system with this in mind, it becomes quite simple. If you use this system, would you want anyone to be able to access the information? If your thermostat knows when people are normally not in the house in order to save on heating costs, do you want others to know that?
Do you really want people to easily watch your child sleeping?
Companies need to consider security first. The IOT and every new technical advancement can create immense value for people’s lives. It is up to those same value creators to make sure that they don’t create something that can destroy people’s lives with the same tool.