The Internet of Things is a long-cherished dream. Until recently, it was logistically difficult, if not impossible, to pull it off. According to Mehal Rajput in his post, “IoT and Home Automation – Is it the Future?” advances in tech have not only made the IoT possible but also more affordable.
We’re a society that’s becoming increasingly interconnected. IoT is a natural progression of that interconnectivity. Companies in the know are building in internet capabilities into a range of appliances. It won’t be long before every device that we own is connected online.
Whether or not the internet is equipped to deal with this onslaught is another story. Mark Fairchild dealt with that more fully in his post, “The Automation Boom is Coming. Will the Internet Be Ready?” so we’re not going to get into that question here.
Interestingly enough, though, IoT is playing a big role in web development in the future. Read more about how in Chirasee Bose’s article “IoT is Impacting the Future of Web Development, but How?”
There are definite benefits. Your smartwatch could, for example, call an ambulance for you if you had a heart attack. Your fridge could automatically add milk to your shopping list when you’re running low.
Companies are tripping over themselves to try and reap the benefits of a tech-driven society. In their rush, though, are they opening themselves up to severe liability issues? How will stricter privacy regulations impact businesses who’re a little freer with their data? How much responsibility does a company have in protecting its consumers? Is the IoT nothing more than a sophisticated spy network?
In this post, we’ll look at those questions and more. We’ll also throw in a few wild scenarios that most of us would never consider. Could they be in your future? You’ll have to read on to find out.
Consumer Privacy Concerns
One issue that always comes to the fore is the issue of how the IoT will impact privacy. There’s no question that it will. Sergei, in his post, “Internet of Things Makes it Easier to Steal Your Data,” cites several real-world examples of where companies have already violated their client’s trust.
We already know that our smart speakers listen constantly. They have to so that they’ll pick up commands that you might give. The question then becomes, is anyone listening in on the speakers? Do they record conversations?
It may seem a little paranoid, but what happens if someone hacks the smart speaker? Why would anyone want to do that? There could be many reasons:
- You’re in the middle of a messy divorce
- You hold a high up position in a company
- Someone wants to learn your schedule to be better able to commit a crime against you
- A company is conducting market research
We could go on all day coming up with potential reasons that people might want to listen in. You get the idea, though. Now let’s take this a little further. It’s not just smart speakers to be concerned about.
According to TechCrunch, the FBI recently issued a warning about the latest smart TVs. If your TV is equipped with a camera and microphone, hackers could use these items to spy on you. Why? They can use the camera and microphone to:
- Scope out your house.
- Take embarrassing pictures of you and your family.
- Take photos of your children for child traffickers.
- Legitimate companies might spy for market research purposes.
- Spy on boardroom meetings and business conversations through smart devices used to present data.
Now Imagine 64 Billion IoT Devices Spying On You
By 2025 alone, we can expect to see around 64 billion IoT devices. According to the World Bank, there were 7.53 billion people on the planet in 2017. That’s an average of just over eight devices per person. There’ll be virtually no place to hide.
Any voice-activated device has the potential to listen in on communications. Considering the increasing popularity of voice searches, we can expect more smart devices that can be commanded using your voice.
Even if the devices aren’t voice-activated, they pose a threat. Most of these devices have very basic cybersecurity measures in place. After all, who’d want to take over your smart kettle or your home thermostat? Cybersecurity for these devices seems unimportant.
But let’s look at a simple scenario here. A thief wanting to rob your home could mess with the temperature of your thermostat so that you think it’s broken. They might intercept the call to the repair person, or simply just arrive before the real technician does.
That part doesn’t matter. What does matter, is that they’ve gained access to your home quickly and easily.
What’s the Solution?
At the moment, we’re in mostly uncharted waters here. Whose responsibility is it to secure these devices? After all, if your phone or computer gets hacked, you can’t hold the manufacturer responsible.
At the same time, though, devices like phones and computers do come with decent in-built protection. Your smart kettle is another story. At the moment, securing these devices is something of a grey area.
There’s not a lot of legislation regarding IoT devices yet. But that is changing. Take a look at California’s IoT Security Law, for example. The law that came into effect at the beginning of this year puts the onus on companies to take reasonable cybersecurity precautions.
The bill has stirred up some controversy because it’s a little vague. What constitutes “reasonable cybersecurity precautions?” What isn’t vague, though, is that the Californian government expects companies to take more responsibility when putting IoT devices onto the market.
Future legislation will likely be grounded on the same principle.
What Does that Mean for Companies Producing IoT Devices?
Companies will have to consider the potential for their devices to be breached. They’ll need to take measures to safeguard the devices that they have against hackers. And, considering that a Smart TV has similar capabilities to a computer, they’ll have to up their game.
Every kind of smart device will need to incorporate higher level protection.
What Potential Liability Issues are There?
Considering the current lack of legislation, we’re going to analyze the provisions of the Californian IoT Law.
The law states that companies have to consider what data their devices collect and take suitable cybersecurity measures to prevent breaches. Again, this is a vague recommendation. Would a basic anti-virus program be considered sufficient or must companies do more?
A thermostat, technically, monitors the climate within your home or office. It might also store location and usage data. That’s not precisely high-value information. So how much security would the manufacturer be forced to install?
That said, an enterprising hacker might use the thermostat as an easy way to access the home’s smart hub or wireless internet. Through that, they could potentially access other devices operating off the same network.
Devices like your smart car, for example. They might access the controls and track your movements. They could switch off the security while the car’s parked so that they could steal it. And, once self-driving cars are the norm, they might even steal the vehicle from a remote location.
In a case like this, who’s to blame? Is it the car manufacturer because their software was hackable? Not if they took every reasonable precaution. Is it the internet provider’s responsibility because the network was less secure? Not really, as the hacker gained access through the thermostat.
It’s not a strong leap of the imagination to see a court siding with the client against the thermostat manufacturer here.
Could Companies Lose Suits Related to IoT Liability Issues?
Clients expect the products that they buy to be safe to use. If a defect in the thermostat’s wiring causes a short-circuit, and the house burns down, the homeowner has a case against the manufacturer.
While we’re in somewhat new territory here, it’s not a stretch to say that poor cybersecurity on a device is endangering the consumer’s welfare. Let’s have a look at how this could play out in a business and home environment.
Let’s say that company A has developed a cure for the common cold. It’s ground-breaking, and the formula is worth billions. The research department relies on smart boards to work out complex calculations.
Company B manages to hack one of those smart boards. They’ve got everything that they need to reproduce the formula. Company B beats Company A to market and can undercut their price because they spent a lot less on research.
Company A could have a case against the manufacturer of the smart boards in terms of privacy laws.
In a home situation, a hacker might take control of your smart TV. They might wait until your kids are watching TV alone and expose them to inappropriate content. They might try to message them through the TV and arrange a meeting.
Several potentially disturbing scenarios in the home and office could play out.
What Consequences Could Companies Face if Found to be at Fault?
At the moment, reputational risk is potentially the worst consequence. A breach at any time is bad news for a business. Companies that expose data through negligence take a real beating in the press.
There’s also the potential for fines or penalties to be levied against companies found to be in contravention of privacy laws. The GDPR, for example, imposes a fine of the greater of 4% of global annual turnover, or €20 million.
Now, this legislation doesn’t specifically deal with IoT devices. It could, however, apply to a breach caused by an IoT device.
In places where the legislation hasn’t quite caught up yet, companies are unlikely to face penalties. They may, however, face damaging civil suits.
Problems with Determining Liability.
It’s not all smooth sailing for the consumer, though. You’d have to prove beyond a shadow of a doubt that the IoT device was the source of the breach. That becomes tricky when it comes to connected systems being hacked.
An IoT device manufacturer might argue that it took reasonable precautions. They might also say that the internet service provider should have provided a more secure solution. They might argue that the home’s smart hub should have provided better security.
It’s entirely possible that these cases could drag on for years.
Then there’s another completely separate issue to consider – the consumer themselves. Don’t they have some responsibility here too?
Do Consumers Bear Responsibility Too?
Another thing that we haven’t considered is the consumer’s role in protecting themselves too. We’re essentially looking at the software here. If a consumer is lax about keeping their software up to date, they might miss security patches.
If a breach happens as a result, is the company still liable?
Let’s get back to that example of Company B stealing Company A’s formula. It could be argued that Company A should have taken better precautions. They could have isolated the smart boards so that they operated on an internal system rather than being connected to the web.
While legislation seems to be placing more responsibility for cybersecurity on manufacturers, consumers also have to take precautionary measures.
Is the IoT Nothing more than a Sophisticated Spy Network?
We’re not ready to label it as such. It’s true that the more connected devices there are, the easier it will be for us to spy on one another. But let’s face it, the concept of complete privacy ended when the internet became so popular.
It’s a little too late to cry foul when it comes to IoT devices. Unless you’re willing to disconnect from everything internet-related, the personal privacy ship has sailed and sunk.
What we can do, however, is to be more careful in how we apply the technology. Do we really need our thermostat to be connected to the internet 24/7? It’s fun to be able to play with the settings on your phone when you first get it. How soon will it be before the novelty wears off, though?
Perhaps we can take a cue from cryptocurrency experts here. With cryptos, it’s safest to keep the bulk of your coins in cold storage. Or, to put it more simply, offline. Ironically, safeguarding our IoT devices might ultimately mean running them on a closed system, cut off from the internet.
This will pretty much defeat the object of an IoT, so is it practical? Probably not. For now, consumers and manufacturers have to start taking cybersecurity for these devices more seriously. Manufacturers will have to create more secure devices. Consumers will have to do their part by ensuring they follow good cybersecurity practices.