
Summary:

The more connected we and our homes become, the more we open ourselves up to security and privacy breaches. We outline the problem and offer a solution for industry stakeholders.


If all of today's connectivity efforts do in fact succeed, then a decade from now we are looking at connected traffic lights, sensor-laden parking lots and roads, connected everything at home, locks that can be locked and unlocked digitally, pills with digestible silicon, smart tattoos and washable sensors in fabrics. Many of these are commercial or nearly commercial today and will likely attain reasonable to massive scale over the next decade. Of course, there are several impediments to truly seamless connected everything. But given the level of interest and effort, we will surely get closer and closer to this utopian connected world.

A lot of good things will come out of it – automation at home making things easier for us, personalization that will allow our devices to be so much more proactive and useful, global energy savings, better healthcare, etc. But, as we look forward to all that, what happens to our privacy and the security of the information we generate, access and share? It’s a good thing that “social” is teaching us how to be less private and more revealing – because, it’s about to get a lot worse.


The reality is that the NSA is after you. The advertisers are after you. The insurance companies are after you. With varied motivations, several entities are after your habits, your communications, your browsing history, your driving patterns, places you visit, people you hang out with in the physical and digital worlds, and a lot more. As this uber connectivity state grows, it will be easier than ever to get to more information. Yes, there will also be much more data, making finding specific and useful information harder. But, these are people with a big potential payoff and a lot of resources at their disposal to go after this problem.

So who, in this large ecosystem of hardware and software producers and eavesdroppers, is looking out for you? To borrow a phrase from the social world, it’s complicated…

Humans and digital security: A complex problem

Information security has evolved tremendously since the early days of the Internet. Encryption standards have produced techniques that are theoretically impossible to break without an astonishing amount of compute resources and a large number of points of insertion into the path of communication. TLS with certificates and SHA-2 cryptographic hash functions are capable of providing a high degree of security to data exchanges. From secure databases to cryptographic search to OS hardening, a lot of advances have been made in the field of security. Yet, despite all these advancements, it is not uncommon to hear of security breaches involving bank data, credit cards and user accounts at various sites, among other things. In fact, the average user is largely unaware of the thriving underground economy!


Exactly why is this such a hard problem? Why is it that despite great technical advances, these threats continue to affect us? The short answer is that humans will continue to be in the loop, and humans are not perfect. Let’s take a deeper look.

  • Passwords of an average user are weak and reused: There’s so much more to say about this topic, but generally users are terrible at setting strong passwords and then reuse those weak passwords.
  • Convenience beats everything: Even when users know how to add security, it is simply inconvenient to take those steps. It is far more convenient to take the chance of becoming the victim of a security breach (after all, my data is drab and boring really!).
  • Not all software engineers are equal: While very talented mathematicians, security and computer scientists design the crypto algorithms and security protocols, hundreds of thousands of other humans (software engineers) implement and use these algorithms and protocols. They don’t always implement them correctly or follow best practices. The end result is that the internet is full of poor implementations of TLS and other software with serious vulnerabilities.
  • Access to highly secure certificate authorities needs to be “manned”: The most secure certificate authorities need to be accessed physically – hence, involving humans – in order to get the highest level of security.
  • Deprecated security standards hang around forever: There is always some server out there that uses an ancient crypto algorithm or security protocol. The IETF published the first version of TLS in 1999 and we still have SSL out there that TLS was meant to replace!

Here is one example that shows how it is feasible to remotely break into a connected home. There has been a lot of concern raised on this topic. And, it is as bad as it sounds!

Enter privacy, a compounded problem

In a world with so many impediments to solid security practices, privacy only compounds the problem. The age of social has really heightened the privacy problems and the upcoming age of context is going to make it far, far worse. Evidence suggests that the average user values privacy less if they get something rewarding in return. The growth of location services is a clear example of this aspect. While we still have users moaning about location sharing, a good number of them just do it and get on with their lives.

Nevertheless, privacy issues are thorny and the topic has been getting increasing attention with more and more users being aware of it. The growth of the surveillance culture is clearly at odds with privacy.

There is no doubt that contextual services and smarter, connected devices add value to our lives. A big problem, however, is how to keep the user in charge of all privacy decisions without making her experience overwhelming or inconvenient.

Privacy meets security in that sound and flexible (note that these adjectives are almost oxymorons in this context) security mechanisms are necessary to support privacy requirements. But, as we discussed earlier, sound security mechanisms are hard to deploy and maintain across a wide base of interoperating parties. So, as we click away on pages of privacy policy or ponder carefully over the settings to choose, it is not clear that the underlying technologies used to honor these choices are really going to remain foolproof. Obviously, this leads to a chicken and egg problem, and the end result is fuzzy policies with complex settings that are not intended to be understood by the user.

Back to the connected future

This begs the question – when it is our house and family security that is at stake and when we don’t know what risks the convenience of remote locking our front doors would in fact pose, how many of us would be willing to use it? Do we really want so many connected devices that will have access to our most personal data and ties to our physical security to be taking over our lives?

I don’t conclusively know the answer, but I’m also a big believer in the world of connected and personalized everything. So, the viable path is for all stakeholders in this world (hardware manufacturers and software infrastructure providers alike) to make a commitment to invest in real security and be willing to perform uncompromising deployments, even at the cost of mercilessly killing backwards compatibility to less secure systems in some cases.

That is a level of commitment we have not seen thus far. But, as the threat moves from moderately threatening information security breaches to a much larger scale invasion of physical security, can we move the needle to make a difference in our commitment? Humans will continue to be in the loop, (unintentionally even) leading to weaker security wherever possible. But can we implement and deploy hardware and software that have rigorous security, and correctly trade that off with convenience and simple terms? I certainly hope we start making an effort in this direction, or we are in for a really tangled value proposition in the new ubiquitously connected world!

Vidya Narayanan is an engineer at Google. Previously at Qualcomm and Motorola, she has been working on internet and mobile technologies for more than a decade. She blogs at techbits.me and on Quora. Follow her on Twitter @hellovidya.

  1. With all the scooping around, nothing is actually private or secure anymore. So instead of simply moving ahead in technology in the terms of gadgets, solely, tech giants must also start providing security solutions in whatever possible way.

    However, one point I’d like to keep here is, what if entire security systems are digitalised? In this age of computing there are all kinds of people all around. So will it be safe to allow security digitally?

    Anyway, nice interesting article! Good read!

    1. Thanks! Sadly, the fundamental aspect of security is a “secret”, which ultimately needs to tie to something the human knows and can keep. We do need to do everything possible to develop strong software that will assume human errors and slips and still provide reasonable security.

      1. Tor project is something interesting in regard to maintaining a low profile in the world of internet :)

  2. Might it not be the case that this connected future will emerge to be fundamentally different from the interconnection of people that we have witnessed in the last several decades such that privacy may not be the big security issue in this new regime but instead it will be authentication of these connected objects. If that proves to be the case then it seems to me that a prerequisite for the IoT (Internet of Things) will be the Authentication of Things! In the words of Bob Dylan – “… every hair is numbered like every grain of sand.”

  3. Interesting article, however, I would expect an article from such a high calibre facility as yourself to check your spellings.

    “The more connected our HOME SAND ourselves become, the most we open ourselves up to security and privacy PREACHES. We outline the problem and offer a solution for industry stakeholders.”

    1. Hi Darren,
      Thanks for catching this. Sadly, I didn’t get to preview the summary before they published it. I’ve brought it to the attention of the editors and asked for correction.

  4. I totally agree that there’s less and less privacy today and the bigger role technology plays in our life – the less privacy we have. And this is a problem that can be solved only if the users (not just software engineers) pay attention to what info they share and think twice before sharing anything sensitive, even with “friends”

  5. It’s pretty scary what you can put on line without realising it. It’s challenging enough sometimes to get a device added to your home network even without considering the security aspects as well.

  6. It’s easy to get scared by projecting the implications of today’s increasingly connected world on our most private spaces, like the home. The connected home is not fertile ground for this transformation. However, for instance, events and entertainment venues provide plenty of opportunity for cutting-edge connected experiences with minimal privacy and security concerns. Over time, these experiences can migrate to increasingly more private spaces as they gain collective acceptance.

    As we see it, there are at least two critical factors for acceptance:
    1) Opt-in
    2) No single vendor control or lock-in of data

  7. Interesting to note that nobody noticed the supreme irony of an employee of Google, one of the companies that does its fair share of snooping on internet users, writing an article like this.

  8. @$#@ing spammer

