As everyday objects become increasingly connected, the threat posed by hackers grows. But as Executive Global Master’s in Management student Vera Nicotra discovered upon researching her dissertation, the corporations who are pioneering the Internet of Things are remarkably lax when it comes to protecting privacy.
Commercially, the Internet of Things (IoT) is experiencing exponential growth. Soon, these connected devices are likely to have an increased presence in our everyday lives. From refrigerators to refuse collection, households will be transformed by the technology. Yet IoT devices have aroused serious concern about users’ privacy, especially in regard to the way in which data are collected and used by the corporations behind the technologies.
Research has shown that IoT systems are poorly implemented, and that their weaknesses could leave users open to being hacked. The uncertainty about who actually owns the data generated by IoT devices, and ultimately who can obtain access to those devices and users’ data, is more alarming still.
As an EGMiM student, I decided to investigate the problems relating to IoT device privacy by reaching out to the engineers involved with the design of commercial IoT appliances. Often, the thoughts and feelings of those constructing the technologies are ignored. I wanted my research to help ensure that the voices of the engineers are heard. Ultimately, I wanted to understand the extent to which technicians are at odds with traditional concepts of market share and profit generation. I also wanted to explore how engineers frame potential privacy issues when working on conceptually definitive new IoT devices.
Leveraging qualitative data gathered from IoT engineers operating in companies with a global footprint, my research focused on clarifying three main points.
Firstly, to what extent are companies’ and executives’ demands opposed to the needs of privacy and security as seen by IoT engineers? In the best-case scenario, collected data can be used to generate business ideas supporting the creation of new products or services. Collected user data is a useful and profitable commodity, and therefore companies are not incentivised to offer an adequate level of privacy. Instead, corporate interest is focused on how data can be monetised, hiding the true purpose of data collection behind complex legal jargon and deliberately limiting users’ options. For example, businesses may propose a service where users are asked to accept all conditions or are blocked from using the services, effectively forcing the user to accept potentially onerous terms. The interests of companies and users are not always well aligned.
When interviewing consumers, privacy and security featured as one of the most important elements in IoT devices for seven out of nineteen interviewees. But most engineers quoted other elements as their top priorities. Again, this reveals the misalignment of interests between designers and consumers.
Secondly, my research investigates the importance of treating privacy and security as an interconnected topic requiring a holistic approach. Most engineers have mentioned the words ‘privacy’ and ‘security’ jointly, using them interchangeably.
Security and privacy are also regarded as a major concern due to the sheer number of IoT appliances collecting vast amounts of data. The exponential growth of collected data will expose millions (or billions) of users’ private data, so that demands for security and privacy are driven by customers’ fear of being breached.
Finally, my research investigates whether there is an integrated supply chain capable of addressing privacy concerns. From the early stages of IoT device development through to the end users’ behaviour, an integrated supply chain has the potential to impact and shape the privacy of individuals.
My research reveals a fragmented approach in tackling end users’ privacy, one which may potentially inhibit the creation of a shared protocol to deal with privacy in IoT.
Internally, companies have shown a siloed approach to addressing privacy, as documented by the lack of a standardised global awareness in addressing privacy issues via universal protocols. Lack of security and privacy is present at several hardware and software layers, and some sectors (e.g. banking, healthcare and government) may be more regulated than others. Achieving global standardisation is challenging.
The concept of fragmentation also derives from the fact that companies are not offering an end-to-end solution. Different components of the IoT device (e.g. software, hardware, networking, communication) are created by different companies, meaning that the final product lacks a homogeneous approach to privacy.
At the other end, consumers are often recognised as weak points in achieving a secure and privacy-oriented IoT application. In some cases, the user ID and password set up for IoT appliances are never changed, making the username and password easy guesses for network hackers. As the changes introduced by the digital revolution have happened in a short time, educating older users about the basic concept of privacy protection remains a challenge.
Overall, my findings suggest that companies involved in the conceptual definition, development and commercialization of IoT devices lack a systematic approach for consumer privacy. IoT companies are often driven by the potential of generating revenues and increasing their portion of market share. When evaluating the development of new IoT devices, privacy and security are not their central concerns.
However, both the diffusion of IoT appliances and the increasing focus of local governments and the European Union on privacy (such as the recently introduced GDPR) may work in favour of IoT consumers. Companies have started (or will soon be forced to start) investing more in privacy and compliance to avoid heavy fines and potential damage to their reputation. Moreover, user demands for greater privacy may influence executives’ behaviour, potentially making privacy a vital consideration during the development phases of new IoT devices.
Disruptive new technologies could also play an important role. Blockchain and open-source software may influence the development of secure, privacy-compliant consumer IoT devices. As these new technologies proliferate, they may shift consumer expectations of privacy protocols.
Perhaps the most crucial point that my research revealed relates to the behaviour of company executives. As they seek to maximise the potential of their technologies, company business models usually demand exploiting user data through monetisation. To counter this, users must be more proactive in protecting their right to remain anonymous. However, the level of knowledge required to do so may leave a huge chunk of the population unable to protect their privacy.
As we approach a super-connected world, the consequences for our individual privacy remain uncertain.