Statement on Internet of Things Privacy and Security

 

by ACM U.S. Public Policy Council and ACM Europe Council Policy Committee

Internet of Things (IoT) systems have rapidly assumed important roles in daily life by providing new capabilities to streamline diverse tasks. IoT catalyzes new capabilities and creates opportunities for increased productivity and societal benefits.

As the IoT ecosystem unfolds, this wide range of functions and components will result in significant privacy and security challenges that should be addressed. Large-scale, pervasive networks that collect data about the world around us and new predictive technologies and algorithms enable innovative IoT uses. Yet, the data collected from IoT devices and algorithms that use this data for decision-making can result in unintended consequences. The ubiquity of IoT also presents new security and privacy concerns, making it important to incorporate privacy and security controls into the life cycle of IoT devices.

Certain IoT components have minimal functionality, limited computational power and storage, and low energy resources, which can sometimes make conventional security and privacy protections difficult to deploy. Such deployments may need to take advantage of new protocols and system designs that are better equipped to operate in resource-limited environments.

Policy and technical approaches to emerging IoT privacy and security challenges should continue to encourage innovation while ensuring that consumer confidence in these devices and systems is bolstered by strong privacy and security practices. The principles outlined in this statement provide an approach for addressing privacy and security challenges in the IoT ecosystem:

Support Privacy and Security Throughout the IoT Device Life Cycle

  • Address privacy and security risks throughout the IoT device life cycle: Addressing IoT privacy and security challenges from requirements specification to end-of-life, including across changes in maintenance ownership, can help prevent systemic vulnerabilities and avoid difficult retrofitting. Manufacturers and solution providers should conduct scheduled privacy and security assessments and ensure the efficacy of privacy and security measures prior to deployment and regularly over the course of a device’s life span.
  • Ensure continuous, reliable device operation: The failure of IoT systems can cause irreparable damage and have serious implications for physical safety. The pervasiveness of IoT systems in the everyday lives of consumers raises the stakes. IoT device manufacturers should aim to deploy reliable and dependable systems.
  • Provide regular patches, upgrades, and software updates: IoT components may ship with vulnerabilities, and new vulnerabilities may be discovered over time; manufacturers are encouraged to provide mechanisms to maintain the privacy and security of IoT components throughout their life cycle. It is similarly important to build consumer understanding and awareness on the importance of software upgrades and to encourage manufacturers to deploy patching and software updates whenever possible.
  • Consider issues with abandoned, orphaned, and legacy components: Manufacturers should monitor concerns related to abandoned or legacy technology that can pose privacy and security threats to existing or new components as new vulnerabilities arise.

Develop New Technologies to Support IoT Privacy and Security

  • Support flexible access control: IoT components, especially those without user interfaces, should support secure and private interactions and updates. The IoT ecosystem needs flexible approaches to access controls that foster privacy and security.
  • Leverage advances in cryptography and cybersecurity: Technically-limited IoT components may benefit from advances in “lightweight” cryptography and new encryption implementations. These options are less resource intensive and therefore more usable within the constraints imposed by many IoT components.

Protect Consumer Data

  • Address data ownership: The ubiquity of IoT components means an increase in the scale of data captured, shared, collected, and analyzed. Stakeholders should plan for future challenges of data ownership as they relate to privacy, security, and intellectual property.
  • Build consumer awareness about privacy and data sources: As IoT permeates consumers’ lives, it will be important to educate consumers on the privacy and security issues that IoT presents and on how to best protect themselves from attacks. Organizations should be transparent to consumers about how data about them is collected, used, retained, and shared.
  • Protect data integrity: IoT components should receive, process, and create data that is accurate, consistent, and relevant for the purposes for which it was collected or produced.

Foster Cooperation Among Stakeholders

  • Promote an interdisciplinary approach to trust: Hardware and software engineering, cryptography, human factors, and social science can all contribute to fostering a safe, secure, and trustworthy IoT ecosystem.
  • Encourage coordinated efforts among stakeholders: Improved coordination between the public and private sectors can foster IoT innovation and protect privacy and security. Cooperation among governments and other stakeholders, including businesses, academia, professional societies, consumer advocates, nonprofits, and other civil society organizations will help drive and realize IoT innovation. Similarly, technical issues cross borders and require international coordination and cooperation.

PDF available here.

Members help shape the Committee’s action agenda, author its official Statements and other materials shared with policy makers and the public, and spot emerging issues on which the Committee might engage. Join USTPC today!