This document summarizes efforts to address privacy, security, and ethics issues with internet-connected devices (IoT). It discusses (1) the Trustable Technology Mark, which evaluates IoT products on privacy, security, and other factors; (2) the Better IoT principles for designing more responsible connected devices; (3) US regulations like the California IoT security bill and federal IoT TIPS Act; and (4) challenges in addressing future IoT problems given rapid changes in connectivity and assumptions that may not hold. The document urges consumers to be informed, demand accountability from companies, consider device lifecycles, and get involved in policy debates to help shape responsible development of IoT technologies.

1. Towards a
responsible
Internet of
Things
January 2019 – Sandusky Ohio

2. Hello!
I am Jeff Katz
I live in ! and I work on
connecting devices, data,
and people
You can find me online
@kraln
2
Please remember to rate/review this session!

3. 1.
Things, connected
to the Internet
What is even the problem?
3

7. Functionally insecure
◎ Security System with No Security
◎ Unfixable
No repercussions, no legal action,
no problem.
7

8. Abusive of privacy
8
"Please be aware that if your spoken words include
personal or other sensitive information, that
information will be among the data captured and
transmitted to a third party through your use of
Voice Recognition.“
"Samsung takes consumer privacy very seriously.
In all of our Smart TVs we employ industry-
standard security safeguards and practices,
including data encryption, to secure consumers'
personal information and prevent unauthorized
collection or use."

9. Unethical Behavior
9
◎Taking previously free or
expected functionality and
charging recurring fees or
microtransactions
◎Changing the concept of
ownership
Seeking to change consumer
behavior in a detrimental way
for society

10. IoT
The “S” stands for security,
the “P” for privacy, and the
“E” for ethics
10

11. Efforts to
solve this
IoT Problem
11

12. 2.
Trustable
Technology
Mozilla and IoT Thought Leaders
https://trustabletech.org/
12

13. “
The Trustable Technology Mark empowers
consumers to make informed decisions &
enables companies to prove their connected
products are trustworthy.
13

14. Trustable Technology Mark
◎ Privacy & Data Practices
○ Is it designed using state of the art data practices, and respectful of user rights?
◎ Transparency
○ Is it made clear to users what the device does and how data might be used?
◎ Security
○ Is it designed and built using state of the art security practices and safeguards?
◎ Stability
○ How robust is the device and how long of a life cycle can a consumer reasonably expect?
◎ Openness
○ How open are both the device and the manufacturer‘s processes? Is open data used or
generated?
14

15. Trustable Technology
◎ No-cost self-assessment
◎ Backed by Mozilla
◎ Good media and communications strategy
Only two products are listed as of today L
15

16. 3.
Better IoT
Designers and Experts
16
Buy her book! http://designswarm.com/book/

17. “
Better IoT is a community-led effort to make a
free, accessible, open assessment tool aimed
at startups and SMEs to help them design
better connected products (internet of things).
17

18. Better IoT Principles
◎ Privacy
◎ Ownership
◎ Transparency
◎ Security
◎ Lifecycle
◎ Interoperability
◎ Openness
18

19. Better IoT Principles
Privacy
MUST HAVE
◎ Allow users to access their collected data, free of charge.
◎ Make clear to users how the collected data is used.
◎ Allow users to delete their collected data.
◎ Allow users to migrate their collected data to another backend.
◎ Allow users to easily opt out of direct marketing based on their collected data
◎ Allow users to restrict the use of their collected data.
◎ Allow users to update their collected data.
◎ Allow users to stop automated decisions being made, if there are personal legal
or significant consequences.
19

20. Better IoT Principles
◎ Privacy
◎ Ownership
◎ Transparency
◎ Security
◎ Lifecycle
◎ Interoperability
◎ Openness
20

21. 4.1
Senate Bill No. 327
California Regulations
21

22. “
This bill would require a manufacturer of a connected device to
equip the device with a reasonable security feature or features
that are appropriate to the nature and function of the device,
appropriate to the information it may collect, contain, or
transmit, and designed to protect the device and any
information contained therein from unauthorized access,
destruction, use, modification, or disclosure, as specified.
22

23. 4.2
S.2234 — 115th Congress
IOT Consumer TIPS Act of 2017
23

24. “
This bill requires the Federal Trade Commission (FTC) in
coordination with the National Institute of Standards and
Technology and relevant private sector stakeholders and
experts to develop voluntary educational cybersecurity
resources for consumers relating to the protection and use of
the Internet of Things (devices, applications, and physical
objects that are Internet-enabled, networked, or connected).
24

25. 5
@internetofshit
the “Shitdex”
25

26. “
26

27. All of these
efforts are
great!
But they can’t begin to address
future issues…
27

28. 28

29. 29

30. 6.
What are they missing?
Trying to solve tomorrow’s issues based
on problems with today’s devices
30

31. What brand
of electrical
socket is in
your home?
31
Light switch? Power meter? Wiring?

32. 32

33. 33

34. Visible Problems
Invisible Problems
• Security vulnerability unpatched
• Data sold to advertisers
• All data sent to China before going to your phone
• Encryption keys shared with anyone who asks
• Foreign government listening to your baby
• Security Camera is visible to everyone
• Light bulbs stop working after three years because company went bankrupt
• Your smart fridge is part of a botnet attacking Japan
• Security system broadcasts when you leave for vacation
• Old tenant still has access to the smart lock
• Amazon knows you’re pregnant before you do
• Your data is used to profile your friends and family
• Denied for a loan because your car insurance company shared data with bank 34
• It’s not connecting or the app doesn’t work
• Service is down or company went out of business
• Someone is extorting me for money
• It’s just not working

35. Common (Wrong) Assumptions about IoT
◎ Consumers can choose which devices or services they use
◎ IoT devices will stay the same over time
◎ Companies understand what their devices are doing
◎ The market will punish bad actors
◎ Governments (Smart City) or Companies (Smart Buildings,
Smart Fleets, Logistics, etc.) have better insight than
consumers
◎ IoT devices are “optional” and there will always be “dumb”
versions available
35

36. Potential Pitfalls with IoT Devices
Experiments in
Production
Facebook has already shown they
are willing to run experiments on
their users. What happens when
your washing machine does the
same?
Advertisement
Targeting
Appliances reporting back what
brand consumables are used, in
order to improve advertising
Company Services
When all the devices in your house
are fully or partially dependent on
the existence of a third party to
function, what happens when one
of the companies disappears?
Data Inferences
Your smart meter measures how
much power you are using, but it
can also tell what appliances are
being used and even what channel
you are watching on TV
Unexpected
Connections
Different devices can
communicate with each other to
coordinate activities and share
data
Firmware Updates
Can add features, can remove
features, can change how features
work, can brick your device…
36

37. Connectivity Changes
Today
◎ Most devices WiFi, or connect to bridge
◎ Most devices explicitly labelled “Smart” or “Connected”
◎ Devices are visible, or at least touchable
37

38. Connectivity Changes
Today
◎ Most devices WiFi, or connect to bridge
◎ Most devices explicitly labelled “Smart” or “Connected”
◎ Devices are visible, or at least touchable
Soon
◎ Most devices NB-IoT or LTE-M (Direct Connection)
◎ Most devices lose “Smart” branding, smart is the new
normal (See: TVs, Cars)
◎ Devices are built into walls, cars, medical implants
38

39. 39

40. What can we you do?
◎ Be informed!
◎ Demand accountability!
◎ Consider the lifecycle of your products!
◎ Write your representatives in Congress!
And don’t buy any device which you don’t control.
40

41. Thanks!
Any questions?
You can find me online
@kraln
Please rate this session!
41