My fridge is watching my every move!

The need for an ethical framework for the Internet of Things.

Valentín Muro
Published in HOLO, Dec 29, 2017

Translation by Giancarlo M. Sandoval. Illustration by Luli Adano.

Those of us who develop technology tend to rush to test its limits. From the moment we get our hands on a new technology, we practically obsess over understanding it, manipulating it, and making it work in whatever way possible. Sometimes the motivation is simply doing things “because we can”. There is no other motivation but going fast, trying alternatives, and, more than once, breaking stuff along the way. That’s how hackers, and more recently makers, make the technological ecosystem advance in huge steps.

Steve Jobs and Steve Wozniak with the Apple I.

It was due to a similar impulse that personal computers first appeared. During the mid-70s, the Homebrew Computer Club gathered in Silicon Valley. Their meetings brought together curious people and enthusiasts who hacked around with their computer kits. It was there that Steve Wozniak, co-founder of Apple and inventor of the Apple I, started to push the snowball that would later become the central industry in advancing information technologies.

Something similar happened with the Internet of Things. The horizon of possibilities opened up by the falling cost of sensors, processors, and connectivity, together with the miniaturization of these technologies, made it possible to connect practically anything to the Internet. And when we say “anything” we mean it: from socks with pressure sensors that indicate how we walk to belts that adjust when we have lunch. Each of these devices, through its sensors, generates data that may be collected forever, thanks to the low cost of storage. Faced with this picture, if we are going to be connecting socks, cars, pans, and belts to the Internet, it is worth reflecting on these issues.

The line of insanity of the Internet of Things.

This time we will focus on the fun and the dangerous parts of the Internet of Things, because the latter is, maybe, what is not discussed as much. As happens with every new technology, the discourse surrounding it is filled with optimism and, most of the time, with naivety. “Technology will save us” is a mantra that is repeated, but at the end of the day it falls short. Of course, technology is already saving us, and while for some technology is ethically neutral (and for others it is not so clear), the development of technology certainly is not ethical. What is happening now is that we need to decide how the Internet of Things is going to be, how it will protect our privacy (and if it goes through us, what are its consequences) and how much help we really want from it.

Stuck to the Screen

In the past decade we have gone from treating the Internet as a moment of the day in which we sat down in front of a screen to taking it for granted, much like air: we practically live connected in the most diverse ways. The main suspect behind this change in our relationship with the Internet is at the same time the first object that really introduced the Internet of Things: the smartphone. Such is its expansion that today in Latin America at least 30% of the population has at least one, and it’s expected that by 2018 almost 45% of the population will carry one in their pocket. In fact, for many people their first contact with the Internet was through a smartphone. But the unexpected possibility that the Internet of Things opens up is not mere communication between humans, but communication between the devices themselves. Surely you remember the scene in Beauty and the Beast in which the forks, knives, and clocks come out to dance when no one is looking. Curiously, the difference between an enchanted object and one that is under a spell depends on how we tell the story.

What the Internet of Things proposes is that devices can talk to each other in order to make the control and automation of tasks easier, but also the collection of data. The market for IoT is huge, really huge, and basically includes all the objects that do not have internet today. There are belts with internet, socks with internet, even a pan with internet. The truth is that right after the enthusiasts and early adopters, our beloved hackers and makers, comes the turn of the companies that want to do business, and the landscape has them more than excited. In 2020, it is expected that the market for IoT will be bigger than computers, tablets, and phones combined.

And in this growing market of connected things there is a place for everyone. On one side are the manufacturers of these devices; on the other is the market for manipulating and analyzing the data that these devices generate.
In fact, the volume of data that we generate is such that we are obliged to talk about big data. 90% of the information of the world was generated in the past two years, and this pattern has held for about 30 years: every two years since 1985 we have generated ten times the quantity of available information in the world.

And what happens with all that information? Obviously, we humans cannot process it, and that is where software (apps and algorithms) takes the stage to analyze and manipulate this information. Generalizing a bit, IoT developments can be classified under two types of function: either the devices constantly register information about their environment through sensors and transmit it, or the devices receive orders over the Internet and act on their environments. Of course, a great number of IoT developments accomplish both functions.

In the first case, we could be worried about privacy: who has access to that data and why? In the second case, security might worry us: who is telling my coffee machine what to do?

One of the more worrying aspects of this situation is the behaviour of many, if not the majority, of the manufacturers in the industry. It would seem that, just as hackers are excited to try new things and break them on the road towards innovation, most of the time leaving security as an afterthought, the big players of the industry (Samsung, Sony, LG, etc.) cannot wait to put “smart” products on the market without having the judgement to evaluate them with regard to privacy and security.

Of course, this last one is a very naive reading. It’s obvious that we cannot hold individuals to the same criteria as corporations that have a civil (and in many cases, legal) responsibility to do things in the best way possible. They are not impatient; they look for a way to make a quick buck by taking advantage of the consumer climate around a certain type of technology. This is where the importance of regulatory frameworks and international collaboration comes into focus, in order to limit this ridiculous impatience, a deliberate corporate negligence that is typical of unbounded capitalism.

A group of hackers playing in a garage is one thing; a multinational corporation that creates products for a massive market, whose users have no knowledge to debug the device they installed in their kitchen, is another (besides the fact that these objects are black boxes whose functioning is completely out of the user’s reach).

Who turned on my coffee machine?

After the smartphone, the device that gained the most attention is the Smart TV, the success story of IoT. Although talking about television and intelligence together would make any critic nervous, this “smart” variety of TVs has clear advantages over its “dumb” counterparts. Above all, they offer a notable change because of their connectivity: more Netflix and less cable television. But in this negligent development of technology, Samsung, which dominates the market in the US, forgot to think about security when developing the product.

For example, in February 2015, the news reported that TVs with voice recognition made by Samsung were sending the conversations that the microphone registered without encryption, effectively allowing them to be intercepted and read without much effort. As happens with many IoT devices, in order to process complex data such as voice, the connectivity is used to get help from more powerful servers in the cloud. The problem is that they did not take into account the protection of what the TV registered and transmitted. The worst part? Samsung shielded itself behind an obscure “privacy policy” that warned that if people talked about “sensitive topics” near the TV, they should take into account that such information could end up in the hands of a third party. But if we do not talk about sensitive issues in the living room, where are we supposed to do it? The problem does not end here: there are also Smart TVs with cameras. Surely by now you’ve guessed what happens when negligent manufacturing becomes an industrial standard. Two years ago CNET showed how you could control the TV remotely and get access to the camera, which has no LED or sensor and allows someone to watch through it without anyone noticing.

15 years ago phones were not connected to the Internet, but you know how innovation goes: if we have internet, we put internet in everything. And that’s how, long before the arrival of smart sensors, someone decided that putting Internet on a fridge would be a brilliant idea.

For some reason that historians in the future will know how to explain, the idea did not die and the enthusiasm for putting “internet in everything” was reborn. And as if the proposal of a fridge with Internet were not ridiculous enough, at some innovation table the idea was born of linking the fridge to a Google account so that it could tell us what to do during the day. Security measures were badly implemented, as usual. It was during a hackathon organized by DEFCON that these measures were bypassed and people got access to the Gmail accounts linked to the fridges.

In the conquest of all our devices, the IoT expanded into the bedroom, or at least the kids’ bedroom: a large number of baby monitors now work over the Internet. Connected to the house’s wifi, they let you check how the baby is doing from anywhere in the world and also include the possibility of talking to the baby. Maybe the most interesting bit is that people discovered that practically anyone could look at and talk to your baby.

In research published last year, researchers found that while almost every monitor on the market was vulnerable, eight out of nine had trivial vulnerabilities.

The worst thing about this case is that this is the kind of technology that we want to be secure. When it comes to privacy, adults take for granted their responsibility and capacity to understand the risks of putting everything they do on Facebook: phone, location, preferences, pictures, blood type, and their opinion about the latest handbag that Cristina Kirchner bought. But when it comes to children, the worry is different, and any decision about their security and privacy lies with us. The very purpose of the device is to put us at ease, not to violate a plethora of rights of those we wish to protect.

The published research emphasizes that finding vulnerabilities in such a high percentage of products is not a minor detail: just as in any industry, technology development follows a pattern of repetition in which the same components are incorporated into a wide variety of devices, which is why the vulnerability continues unaddressed. Of course, ethical technology should be the first to be up to the highest standards of security.

The enchanted objects of the Beauty and the Beast

The subtle difference between an enchanted and a haunted object

In 2020, it is expected that one in four cars will be connected to the Internet, while today this number is around 10%. Wired recently published a chronicle of how two hackers managed to take control of a 2014 Jeep Cherokee in order to manipulate its entertainment system, its lights, its speed controls, and its environmental controls, and even pilot the vehicle, cut the brakes, and stop it altogether. All of this was possible because of the 4G connection inside. All of this because one of the main features that users demand in a car is being able to stream music.

Lastly, another one of the fields in which IoT promises to “revolutionize everything” is health. The area with the highest consumption of health-related objects is fitness, with devices that monitor every step, like Fitbit, or apps that can be installed on our phones and tell us how much time we spent sitting down. But under the rubric of health tech there are other types of devices that are much more delicate, like insulin pumps. This is why the work of security researchers like Barnaby Jack, who died recently, is so important. Hackers like Jack are dedicated to showing how these devices are also insecure and that sometimes their insecurity is lethal. His first big hack was to show that an ATM could be forced to spit out its money. But the next year he upped the ante by showing that with a homemade, DIY antenna and his computer he could track insulin pumps within a 100 meter radius, identify them and hijack them. He could control them to give an overdose. All of this without the device having to be turned off.

However, for the FDA, this did not represent a real threat, putting the advantages of the technology over its risks. We can assume that someone who carries this technology with them does not feel the same way. And what if instead of an insulin device we have a pacemaker? Barnaby Jack was going to show at a conference how a hack similar to the insulin one worked, but could not do it, passing away one week before his presentation.

Just as in the case of the baby monitors, the work of the community of researchers in information security is highly important so we can have an IoT ecosystem that is marginally safer. Corporations should involve the infosec community before launching their products, offering rewards for finding bugs, like the bug reward programs run by Google or Facebook.

Papa don’t preach

We have previously mentioned the monstrous volume of data that these devices create. It’s very interesting what happens when we feed these monumental quantities of data to algorithms that can make inferences from it. The task of a data scientist is to make the data tell a story. With regard to this, it is worth taking a look at big data.

13 years ago, the supermarket chain Target hired a data scientist to improve their marketing team. Ten years later this scientist dedicated himself to finding patterns and isolating “client groups” according to their purchases. Among these groups he found that pregnant women are one of the most valuable for supermarkets. The goal of brands is to show advertisements and build loyalty with the mothers, starting with discounts and benefits. If you can convince a pregnant woman before anyone else does, it is possible to have a client for years.

When the Target scientist started running tests on the people who made purchases, he found that while many people buy lotions, pregnant women bought more unscented lotion at the beginning of the second trimester than the average person. Simultaneously, another analyst discovered that in the first twenty weeks pregnant women bought many supplements. While many other demographics buy those items, when people start buying them out of nowhere, following certain patterns, something is happening. As was to be expected, this huge volume of data plus analysis algorithms and prediction mechanisms worked wonders.

It worked so well that after a year of detecting pregnant women, a person went to Target and complained that they were sending promotions for baby clothing to his teenage daughter. Weeks later, the same person called the store, this time with an apology: “it seems that there are things in my house I know nothing about. She’s due in August.”

While there’s controversy surrounding this case, it serves as an example of how big data is put to work in the market. Bearing in mind that this is achieved just by storing and analyzing the purchases of a supermarket chain, we can understand what Eric Schmidt said in 2010:

“We don’t need you to write anything. We know where you are, with your permission; we know where you were, with your permission; and we can kinda know what you are thinking”

And do you know who also loves Big Data?

Big Brother is watching you

A few years ago, Edward Snowden revealed to the world the state of privacy online. He got in contact with The Guardian to give information about the NSA program called PRISM, which basically requires every corporation with servers in the United States (Google, Facebook, Twitter, OkCupid, etc.) to give data to the NSA without a peep. We also came to know that GCHQ in the UK can intercept our information by tapping submarine cables.

Considering the huge budget the NSA has, they could have hired a better designer

One of the problems that comes out of these revelations lies in the difference between the internet in theory and the internet in practice; the protocols of the internet allow the web to be “decentralized.” On the side of the government that created the Internet, the interest was focused on the issue of a possible nuclear war: it was necessary to have a network that did not have a centre, so that it would keep functioning in case of an attack on different parts of the US. The interest on the side of hackers was different: establishing protocols (rules of communication) that guaranteed equality between the nodes and made it impossible for central authorities to filter, censor, or control the network.

Maybe one of the worst losses of the 21st century is the ideological core that the notion of hacker seems to have lost, at least in public communication.

Edward Snowden

Continuing with the Snowden revelations, we found out that the NSA spied on other countries, and that with a development program called “XKeyscore” they could trace practically everything a user does online. As Bruce Schneier points out, we don’t have to think that the NSA woke up one day and decided to compile all the information of the people on the Internet; what happened is that it said, “all these corporations have all this data, we would like to have a copy.” Besides this, the NSA actively works to weaken encryption systems, under the excuse that this lets them intercept communication from the “bad guys”.

But the problem is that if we make technology insecure, we cannot make it insecure just for the bad guys; we make it insecure for everyone. We cannot put backdoors in our devices and expect just the good guys to use them. We have to expect the worst. And really, the advantages of having secure technology far outweigh the ones we get by allowing American spies to have access. On the other hand, some data scientists say that sometimes we can get better results with less information of better quality than by simply capturing everything in front of us “just to check”. And if the discussion of privacy doesn’t worry us enough, the huge expense that the US government incurs by maintaining these programs is itself a reason to reconsider several things. And how does everything we learned from Snowden reflect on the Internet of Things?

We cannot shy away from this discussion given everything that is being done with technology right now.

An ethics for the Internet of Things? Or an improved Internet of people?

It is not that the Internet of Things is just about stupid products, negligent implementations, and an unlimited quantity of hype. There are amazing implementations, like the Nest ecosystem, which signals the direction in which this technology can have a precise impact on, for example, energy consumption, or SmartCitizen, an app that can contribute to the development of public policy.

Technopessimism, just like techno-utopianism, is an extreme and very unreasonable position. It is not about avoiding innovation, or fighting to boycott it. It is about working actively, and avoiding simplifications, to develop the critical success of the technology. It is on the appropriation of technology, on the legitimation of technological disobedience, that the efforts around the “internet of everything” must be centered.

Do we really want to multiply the devices we use so much? One of the advantages of smartphones is that they allow us to carry and use one device that is multi-functional. The future that is promised paints a picture of going back home to charge our belt, our pan, our socks, our phone, and who knows what else. We need a genuine reflection about what we want technology to solve. And what happens with the data that these devices generate? What can we do?

About security, there are corporations that are generating good practices, like BuildItSecure.ly, a coalition that looks to elevate the standard of security in IoT. Corporations should not be impatient to launch products, since they put their users in danger.

About privacy, the topic is more complex. The dialectic between privacy and security is not simple. Many times we argue that to have security you have to violate privacy. If we really are going to have an Internet of Things that registers each of our movements and actions, including predicting our thoughts, we need a robust legal framework that protects us from persecution.

We need to demand that our governments be transparent about what is done with our data. Frank Pasquale, a law professor in the US, wrote Black Box Society (2015), where he argues that if governments are not transparent about how they work, we live interacting with systems that we know nothing about. If we don’t know how things work, it’s very difficult to change them.

Sometimes the problem is that not even the developers know well how things work. How do we make sure that no one can take control of our belt and strangle us while we are in a meeting?

What is in danger here is also the difference between acting freely and acting with autonomy.

A free but not autonomous decision happens when we buy something online on impulse, without really reflecting on what it means or whether we need it. In contrast, an autonomous decision is a decision that we take and commit to, and we are clear on why we take it. In the case of privacy, not being able to choose the information that others have about us weakens our autonomy, and in consequence, we are less free.

We have to develop legal frameworks that go in tandem with our technological advances, or it may be too late. Privacy is all about having the power to decide and control which facts of our lives are shared and with whom, free from the eyes of states, corporations, and neighbours. Privacy gives us the freedom to develop in the world. That’s why we should act as educated, responsible consumers who critique and denounce these issues, besides striving for a better education for those who don’t see this situation yet. The key to the issue with digital technology is that our ability to make decisions and control our personal information gets lost. Without our knowledge, corporations and governments gather our information in the interests of “national security” without caring about the legitimacy of the claim. Corporations gather our data because, in effect, information is power; and the collection and storage of our information are ways to acquire power. But while knowledge can be transparent, power rarely is.

The problem with the privacy of the Internet of Things is that it reduces us from subjects to objects, in so far as we are neither autonomous nor free with regard to what is public and private about us. And the consequence of losing this autonomy and freedom is that it weakens the very basis of democracy. So, if we want the Internet of Things to mature, we must work within the ethical frameworks of technology.
An interesting framework is proposed in Ethics of Big Data (2012). The questions we need to answer when developing technology that generates information revolve around four axes: identity, privacy, possession, and security.

  • About identity: what is the relationship between our offline identity and our online identity? Are we trackable?
  • About privacy: who should have access to our information? Why?
  • About the possession of information: who does information belong to? Can it be sent to third parties, sold, or otherwise used? Should it be permanently stored or could the user choose to delete their data?
  • About security: how safe is my device? Can I be transparent about the security so the user has an active role? Are we incorporating good practices or rushing?

Last year, researchers discovered that part of a botnet (a network of zombie computers that are controlled for illegal ends) consisted of various fridges with Internet. What the group of researchers found is that in less than a month 100 thousand devices, like routers, TVs, and fridges, had sent around 750 thousand spam emails. In this case, what do we do with our fridge?

This essay was originally published in Genio Maligno and translated by Giancarlo M. Sandoval for the HOLO publication.
