Sure, encrypt your email – while your shiny IoT toothbrush spies on you
Harvard's internet arm frets about gizmo security
FBI just wants your phone data, not your smart toaster's analytics
While the paper makes some interesting observations and provides a useful reference for the ongoing encryption debate, it does seem a little desperate to arrive at a conclusion, and so stretches the IoT analogy to, and a little beyond, its logical breaking point.
The fact is that the FBI doesn't want encryption on phones because phones provide crucial intelligence on specific individuals. It is a single device, it contains information, and it can be used to build a prosecution case.
It is hard to imagine an FBI agent picking up a phone at the scene of a crime, realizing it is running iOS 8, calling HQ, and saying: "It's all encrypted – wait! Quick, get me a feed of all the baby monitors in a two-mile radius."
The situation is different, of course, for the security services, which tend to want to track things in the background and keep tabs on people. Plus they have vastly greater resources and the authority to do things like hack toothbrushes. It's also the case that people are going to be less wary – or aware – of devices that they don't own, or which serve different functions. So in that sense, it is possible that those at the end of an investigation may reveal more than they would over a mobile phone.
Even so, the fact is that rather than work with one limited set of companies – telcos, for example – equivalent surveillance using IoT products means either hacking devices or building relationships with a significantly larger number of manufacturers.
As for the user data/advertising argument offered to explain why encryption won't be used very broadly: that also appears to assume that mass surveillance is more useful than targeted surveillance.
There is a market for specific devices and apps that provide a high level of security, and the prices for them are coming down. When they come down to a low-enough level, a large number of the general population will value their privacy sufficiently to pay for it, and then the people using them for nefarious purposes become harder to pinpoint.
Just because some companies prefer to monetize through data and so offer a lower cost to consumers, it doesn't mean that there won't be a large and expanding market for companies that do it the other way around.
What would be interesting to see is the comparative cost and availability over time of products and services that provide high levels of security, and the degree of use of those technologies.
It seems highly unlikely that the number of people carrying out criminal or illegal acts would increase with the general increase in use of technology: that would suggest technological advances drive people to perform criminal acts.
And so you are looking to keep eyes on roughly the same number of people. The difference is: they have better and cheaper tools for skirting surveillance. And no amount of hacked toothbrushes is going to compensate for that. ®