2017-07-25

Just as your “smart” television records user statistics about your viewing habits, is it so inconceivable that your refrigerator might record your purchasing habits?

I have often asked: do you own that computer if both the hardware and software vendors have almost unfettered access to your system under the guise of keeping you safe from hackers (even though you may have a third-party anti-malware program) or improving the so-called “customer experience”?

Now, with the emergence of the IoT (Internet of Things), we can ask the very same thing of those who make our appliances and other electronic devices.

It all comes down to three factors: privacy, convenience, and laziness …

Most people claim that they don’t care if their whiz-bang wonder device is collecting their information as long as they are entertained, educated, or euthanized. That is, until they see how this information might be combined, manipulated, and re-purposed to affect your insurance premiums, credit interest rates, or even future rentals of apartments or vehicles. Or, in an extreme case, whether or not you will receive that life-saving medical treatment because you appear to have a sub-par lifestyle. What happens to the medical information accessed by the devices’ makers? One device comes with a built-in cellular connection that allows the vendor or their representative to track your machine usage and data – to be used to demonstrate compliance with insurance requirements (both private and Medicare) and to collect research-quality data that can be sold to device-makers, universities, and other researchers. And, even more troublesome, the system has two-way communications that allow clinicians to adjust operational parameters that can have a significant effect on your wellbeing. You are not told, except in general terms, what data is being collected, when it is being collected, and what is being done with your specific data.

The real demon: that unilateral click-install contract and the unwillingness of heavily-lobbied politicians to put forth rational privacy laws …

Most people accept the unilateral conditions of those user agreements, terms of service, and privacy statements, all written in a curious form of readable English that absolves the vendor of any intentional or unintentional harm, and conveys the right to monitor your data for various and sundry purposes. Of course, you are assured that your privacy will be respected because your name and account number will not be included with any data being transferred or sold to third parties. However, researchers have demonstrated that anonymous data with simple location information could be used to isolate and identify users when combined with other databases.

Hacked appliances …

Beyond the capture of user information lies the potential ability to manipulate device performance, possibly to the point of being able to weaponize your appliances. How many people would know that someone turned off their refrigerator for a long enough period to allow food to spoil and then turned on the power to hide the dirty deed? All the while knowing nobody was home by monitoring your home temperature and electricity usage. Or simply allowing a device to ignore its internal safeguards and operate beyond safe parameters where devices may overheat and burst into flame.

Is it possible for a device like the ubiquitous floor-cleaning Roomba robot to map the rooms of your home and transmit them to the iRobot company? Might it contain sensors that identify other Internet-enabled or Bluetooth-connected devices? The answer to the first question is “YES,” it is collecting data. The answer to the second question is “probably not yet.”

High-end models of Roomba, iRobot’s robotic vacuum, collect data as they clean, identifying the locations of your walls and furniture. This helps them avoid crashing into your couch, but it also creates a map of your home that iRobot could share with Amazon, Apple or Google. That prospect stirred some alarm when Reuters quoted iRobot’s chief executive, Colin Angle, saying that a deal could come in the next two years. But iRobot disputed that account, saying in a statement on Tuesday: “We have not formed any plans to sell data.” Reuters issued a correction, saying Mr. Angle was hoping to share the maps free with customer consent, not sell them. <Source>

Can you imagine the police subpoenaing the information to check if there might be any contraband? Or an insurance company to verify your claim after an alleged loss?

Protecting the government first …

Internet of Things (IoT) Cybersecurity Improvement Act of 2017

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:

Require vendors of Internet-connected devices purchased by the federal government ensure their devices are patchable, rely on industry-standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.

Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.

Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.

Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.

Require each executive agency to inventory all Internet-connected devices in use by the agency.

The Press Release; The Proposed Legislation

Bottom line …

Will opening that box serve as a unilateral contract that will allow the manufacturer to collect data from your appliances “with your consent” and which could be available to anyone with a court order or subpoena? Or even worse, can an ill-engineered device open a direct pathway into your home network that exists behind a protective firewall?

How far people will allow the digital age to intrude into their private lives is unknown. But it appears that most people are lazy enough not to care unless disaster follows.

We are so screwed.

-- steve