Your Privacy and the IoT

IoT and Modern Life

To gain more conveniences in our lives, we have all been filling our homes with new technology, devices, appliances, and other electronic machinery. The IoT, or Internet of Things, has arrived in our homes through upgraded technology in the consumer markets. The IoT encompasses a variety of connected computing devices and mechanical and digital machines. Each of these technologies is given a UID, or unique identifier, much like an IP address on your computer. These ‘smart home’ appliances and technologies can transfer data over the internet and do so without human interaction: no human-to-computer interaction is needed to start the transmission of data or, in many cases, even to turn on the device.

If you wonder if the IoT has invaded your home, you might just look at how many smart appliances you own or even smartphones that are continually in your presence. Many of these new technologies include real-time analytics, machine learning, sensors, and embedded systems. These integrated systems combine with wireless sensor networks, control systems, and automation, and all these devices work together and over internet connections to form the Internet of Things.

Many items and new technologies in your home, in your car, or on your person can be connected to the IoT. You may not even be aware that these items are connected to any system outside of your home. Some of the everyday things you may own or have in your home that are IoT capable include:

  • Cellphones
  • Televisions
  • Connected Vehicles
  • Home Automation Systems
  • Lighting, Heating and Air Conditioning Systems
  • Media and Security Systems
  • Major Appliances
  • Security and Camera Systems
  • Apple Watches and Other Connected Time Pieces
  • Wearable Technology
  • Many more devices are not mentioned here.

Some platforms, or hubs, can connect a variety of technology systems to the internet via a single device. These hubs often connect a home’s smart appliances through a single source. Some commonly used IoT hubs include Amazon Echo, Google Home, Apple’s HomePod, and Samsung’s SmartThings Hub.

Streaming Data from Your Home

As IoT begins to take over most of your at-home appliances, there should be some concern about the data created by these devices and where the information is going. Working out how much data is collected can be complicated, because you need to know how many devices in your home create information and how they send the data. Is the data being sent in real time, or in packets or batches? Realize that many of these devices provide real-time analytics and exchange data about you, your home, and other personal information without any human-computer interaction.

Devices within your home go through three stages of data creation. Stage one is the collection of information on the application or device, which is then sent directly over the internet. Stage two occurs at the location where the data is sent; this stage refers to how the central structure or database collects and organizes that data for sorting purposes. Stage three occurs when that data is accessed and used to benefit the device provider or the consumer who provided the information.

Each data event for a device will create data. The computer experts who build IoT devices then have to decide how that data will get sent back to the central hub or provider. There are several standards for data and information, and each has its own way of sending data packets through the internet. The experts decide which standard will work best for the device they create and the data they seek for their central database. Generally, the rules that allow for the transfer of data from these smart home devices follow the HTTP, MQTT, and CoAP protocols.

  • HTTP – Hypertext Transfer Protocol: A commonly used protocol for transferring data through the internet. It was created to handle client/server data transfers. While many devices use this form of data sharing, it becomes less suitable in low bandwidth situations.
  • MQTT – Message Queuing Telemetry Transport: This protocol expands upon HTTP while allowing for low bandwidth and solid data transference. Based on a publish/subscribe model, it delivers data to a central system location where the data is then processed and forwarded. The primary system is then considered a data broker, and once the data has been stored, other devices can seek out the data from the centralized broker. The data stored and sent is lighter in size and easier to work with; however, it does not include encryption.
  • CoAP – Constrained Application Protocol: This protocol was designed more for one-to-one system data transfer. The benefits of CoAP are that it easily integrates with HTTP and handles the stricter demands of low bandwidth situations.
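
Added example (not part of the original article): the code below builds an MQTT 3.1.1 PUBLISH packet and parses it back from the raw bytes, showing that the topic and the reading are plain text to anything on the network path when no encryption is layered on top. The topic name, JSON payload and function names are constructed for illustration.

```python
import struct

# Constructed sample reading; the topic and JSON fields are illustrative only.
SAMPLE_TOPIC = "home/livingroom/thermostat"
SAMPLE_PAYLOAD = b'{"temp_c": 21.5, "occupied": true}'

def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit means 'more'."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)

def build_publish(topic, payload, qos=0, packet_id=1):
    """Serialize a PUBLISH packet as a device would write it to its TCP socket."""
    name = topic.encode("utf-8")
    body = struct.pack("!H", len(name)) + name
    if qos:
        body += struct.pack("!H", packet_id)  # packet id exists only for QoS 1/2
    body += payload
    return bytes([0x30 | (qos << 1)]) + encode_remaining_length(len(body)) + body

def parse_publish(packet):
    """Recover topic and payload from raw bytes; no key or secret is needed."""
    if len(packet) < 2 or packet[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    length, pos = 0, 1
    for shift in (0, 7, 14, 21):  # remaining length is at most 4 bytes
        if pos >= len(packet):
            raise ValueError("truncated packet")
        byte = packet[pos]
        pos += 1
        length |= (byte & 0x7F) << shift
        if not byte & 0x80:
            break
    else:
        raise ValueError("malformed remaining length")
    body = packet[pos:pos + length]
    if len(body) != length or length < 2:
        raise ValueError("truncated packet")
    (tlen,) = struct.unpack_from("!H", body, 0)
    offset = 2 + tlen + (2 if qos else 0)
    if offset > length:
        raise ValueError("truncated packet")
    return {"topic": body[2:2 + tlen].decode("utf-8"), "qos": qos,
            "payload": body[offset:]}

if __name__ == "__main__":
    print(parse_publish(build_publish(SAMPLE_TOPIC, SAMPLE_PAYLOAD)))
```

Because the protocol itself leaves these bytes readable, confidentiality has to come from the transport, typically by running MQTT inside TLS.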

Regardless of the transfer protocol used within smart home devices or other IoT electronics, a risk to data privacy remains.

Google Home

A recent example of the loss of privacy through personal data transferred by IoT devices has occurred with Google Home systems. Google Home devices are supposed to start up on the voice command “OK Google” or “Hey Google.” The system is alert for these words and does not record any other sounds or data that it hears. However, Google now says that they may have been inadvertently listening and recording all the sounds and conversations in your home. These recordings have been made without your authorization or permission, thus violating your right to privacy in your own home.

Google’s explanation was that a glitch in a recent software update switched the listening feature to ‘on.’ Some suspect that this update occurred to work as a security feature that may or may not become an integrated part of the devices. The ‘accidental’ error in the update began right after Google spent 450 million dollars to purchase 6.6% of ADT security systems. We can now imagine that these devices could ‘listen’ for an intruder and report directly to ADT. However, this type of feature has not been announced.

The point of knowing this information, and of understanding that your smart home features are tracking, listening to, and recording the sounds in your home, is to make you, as a consumer and user of these types of products, aware that your privacy rights are being violated. Where is the information being recorded, and who has access to it? Has Google taken the time to redact from the data any PII, or Personally Identifiable Information?

Is the fact that Google confessed to this problem enough? Or should there be penalties for all those who have been impacted by the data being stolen from their homes? Privacy regulations such as the CCPA, or California Consumer Privacy Act, allow individual consumers recourse for privacy violations. This ‘mistake’ would surely be considered an offense against California’s residents, or possibly a federal one. Listening to and recording individuals in their home for law enforcement requires a warrant. To do these things without a warrant is the crime of wiretapping.

According to a congressional report entitled Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, it is a federal crime to eavesdrop on anyone by wiretapping or by capturing sound with a machine or recording device.

The congressional report says explicitly: “It is a federal crime to wiretap or to use a machine to capture the communications of others without court approval unless one of the parties has given their prior consent. It is likewise a federal crime to use or disclose any information acquired by illegal wiretapping or electronic eavesdropping.” The report says that anyone caught doing this can be charged and, if found guilty, can receive up to five years in prison and a $250,000 fine. As an organization, the penalty is increased to $500,000.

Other outcomes for a violation include civil liability for damages, attorneys’ fees, and possibly punitive damages. Any evidence collected by wiretapping can be suppressed, and if an attorney is involved in the actions, other disciplinary actions can occur. As one of the largest corporations in the United States, is Google being let off the hook for their mistakes? Recently, Google’s Android COVID tracking application Care19 was found to be stealing data from consumers to sell to other companies and organizations.

Google is on repeat for violations of consumer privacy. Should citizens turn their backs on Google if it sells their information? The bottom-line profit margin seems to mean more to the computing giant than keeping their own terms. According to Google and Care19’s privacy policy, “This location data is private to you and is stored securely on ProudCrowd, LLC servers. It will not be shared with anyone, including government entities or third parties unless you consent or ProudCrowd is compelled under federal regulations.” However, Jumbo Privacy, who conducted a security review, found code in the application through which consumers’ GPS locations and other personal data are shared with FourSquare. The data being sold to FourSquare is being used to catalog and monitor consumers, their actions, purchasing habits, and location data. Once this was revealed, the company decided not to change the data-stealing code, but to update its policy statement to acknowledge that your information may be used.

Depending on how much your privacy matters to you and your family, it may be that some of these devices and applications are not even worth the risk. If you are concerned and you are using these types of technologies, try to remember that you are monitored continuously if the device is turned on. If you are finished using the machine, be sure to turn it off. As the adage goes, the safest computer is one that is unplugged.