Forum founder Gilad Rosner gave a presentation on the IoT Privacy Threat Landscape at NIST’s IoT Cybersecurity Colloquium on October 19, 2017. Gilad presented some of the key findings from a forthcoming research report he is authoring with Forum Co-Director, Erin Kenneally:

The IoT allows the mature tracking and analysis practices that happen online to occur in the physical world

“Inferences from collected data plus the merging of purchased third party data yields deep, deep profiles about people, augmented in real time. Such tracking has been endemic to the online world of desktops, laptops and mobile phones, but it’s making the leap to the offline world. This trend has been happening gradually, as we can see with the use of in-store retail tracking technologies, CCTV, and WiFi detection. But the increasing amount of cameras, microphones and other sensors into consumer goods will fully enable the mature tracking practices we see online to make the leap into our physical, social world.”

The IoT portends a diminishment of private spaces

“If you accept that private spaces are essential to the human condition, then we must cast a critical eye on the proliferation of sensors in spaces we retreat to and believe to be a secluded domain. A key danger is what the privacy community calls ‘chilling effects.‘ … If you are persuaded by the argument that people need private spaces in which to thrive, and that the connected devices appearing in the marketplace have the potential to diminish those spaces, we must bring policy, technological, and design strategies to bear upon the issue.”

The IoT challenges bodily and emotional privacy

“Cameras on your nightstand, in your television, in retail stores, in the eyes of your children’s toys, on the front of your phone, coupled with biometric sensors of fitness devices and other wearables is slowly ushering in emotion detection technology… Given the advertising industry’s growing hunger for the fullest range of human data, the incorporation of emotion detection across of a range of industries, the value of emotion data in creating richer gaming and entertainment experiences, the broadening capability of sensors and penetration of those sensors deeper into private and public spaces, it seems likely that we will face questions about our emotional privacy.”

The IoT challenges children’s privacy

“How does an increase in the monitoring of human activity relate to children? What will awareness of always-on devices do to children’s behavior? If private spaces are under threat, what does that mean for child development? Adults can ostensibly consent to some of the IoT being introduced, but a) is that consent sufficiently meaningful with regard to the collection of children’s data, and b) what of the nonconsensual capture of data that occurs in public and retail environments?”

View the slides for the talk at this link (PDF).

There were three other presentations of particular interest in terms of IoT privacy, with valuable Q&As. Andrew Sullivan (Oracle Dyn) talked about the Internet of Infrastructure Threats (PDF slides) in the opening half hour. Yasser Shoukry (University of Maryland) followed with a talk about attacking IoT devices via their sensors (PDF slides), and Jeremy Grant (Venable) spoke about Identity for IoT (PDF slides). All talks can be viewed on the event homepage.