IoT technology must still overcome privacy, security issues among consumers

While much has been written about how the Internet of Things and the proliferation of connected devices is going to have a transformational impact on peoples’ everyday lives for the better, there remain significant concerns about how this trend will affect individual privacy and security. The number and scale of data breaches that have occurred in recent years has certainly made consumers more attentive to issues surrounding the security of their data, but a recent study conducted by the Ponemon Institute found that privacy issues still loom large.   

The “Privacy and Security in Connected Life” study, which polled just over 1,900 consumers in the U.S., Europe and Japan, placed people into three different categories – privacy centric, privacy sensitive and privacy complacent – based upon the importance they placed on privacy. Those considered to be privacy centric were people that would change their behaviors when they experienced events that made them feel concerned about the privacy and security of their personal information; privacy sensitive individuals were those who said they believed privacy was important, but were unlikely to change their behaviors or information sharing practices following an event, such as a data breach; and privacy complacent described those persons who are the least concerned about privacy and security.

Although the study, which was sponsored by Trend Micro, found little change between the percentage of people who fell into each one of these categories today versus five ago, Larry Ponemon, chairman and founder of the Ponemon Institute, said that people today feel like they have little control over their personal information. In fact, 75 percent of study respondents indicated they felt this way.   

 “The issue that we see in a lot of our research isn’t the privacy issue directly, it’s a control issue and how much control do people want to have over their personal and how much control do they actually have or, at least, what they perceive they have,” said Ponemon, who also serves as the chairman of the Visual Privacy Advisory Council. “What we find over time is that people feel they are losing control. So, privacy is important, but the reality is they recognize that they have fewer and fewer choices that will help them preserve their privacy in both the online and offline universe.”

Ponemon said it is a “myth” that people today care less about their privacy than they did five or 10 years ago and that the reality is they care as much, if not more. The results of the study back up that sentiment. Despite the highly touted benefits of IoT, 42 percent of respondents said these benefits do not outweigh their concerns about privacy or security, while another 14 percent said they are unsure. Among some of the study’s other key findings include:

• 47 percent of respondents say they have become more concerned about the privacy and security of their personal information in the past five years. The reasons people said they were more concerned about their privacy were: the increased use of mobile devices (63 percent), they were a victim of a data breach (61 percent) and they use social media more often (53 percent).
• More respondents were concerned about security than privacy in IoT and social media. Eighty percent and 74 percent of respondents are concerned about security in IoT and social media, respectively. A smaller percentage of respondents were concerned about privacy in IoT (52 percent) and social media (54 percent).   
• Respondents were also concerned about the lack of information they’ve received about how smart devices protect and use personal information. Just over 80 percent of respondents reported that they either did not or were unsure if they received information from the manufacturers of these devices about how their personal data would be used.

Ponemon believes that most people don’t really differentiate between security and privacy when it comes to how their personal information is safeguarded by companies.

“They don’t see it as a separate thing. They see privacy as the organization’s commitment to protecting their information and making sure it doesn’t leak outside or get stolen,” he said. “I think a lot of people kind of confuse the two and it is fine if they see it as one thing because, in reality, you can’t have good privacy without good security.”

In addition, Ponemon said it is incumbent upon manufacturers to make sure the products they’re putting into the hands of consumers are inherently secure.

“Even though you may have the latest and greatest smartphone, you don’t want it to be the target of malware that could infiltrate from the smartphone to other smart appliances or even a smart automobile,” said Ponemon. “Security is never perfect, so there needs to be some kind of notification or warning label to people who are using devices that can be not just annoying to use if they’re infected with malware, but potentially very dangerous. Specifically, I’m thinking of medical devices - a pacemaker or some other device that it is implanted in you for health reasons – if malware enters your smartphone it could enter that device.”

Perhaps the biggest misconception about IoT technology on the part of developers, according to Ponemon, is that privacy and security have to be sacrificed for the sake of innovation.

“There is a general view by some people that the security issues and the privacy issues can be resolved after the IoT connections are working. In other words, post-implementation of IoT is when you start to think about privacy and security rather than having it built in at the early stage,” he explained. “The general view is then by many application developers is if they start making things too secure, too private then it’s going to cut innovation and they’re not going to be able to create the things they want to. They want maximum use of information for analytics and so on. That misconception among developers unfortunately is driving the train.”

Just as big a danger to the privacy and security of people’s personal information as an outside hacker is a malicious insider who has access to confidential data by virtue of their role within an organization. That’s why the issue of visual privacy and limiting what authorized personnel can obtain access to will become just as paramount moving forward.

“One of the things we’ve observed and we’ve learned through discussions with law enforcement is that the bad guys, the very serious cyber-criminal, has inside and outside (operations). You have people on the outside, the hackers, and you have malicious insiders who are really striving to find the places that are very vulnerable and they look for information. It may be in view on a desk or on a computer screen and those kinds of issues can be the start of a very, very large and serious cyber-attack. Fortunately, we’re starting to see companies recognize that the visual privacy issues - things in the environment that can be read or grabbed by a malicious insider - are a serious problem that needs to be shored up.”