Yesterday was already tomorrow… The Internet of Things: The need for an adequate information security and privacy framework

Remarks at the Information Security Rendez-vous (ISR) 2014

Montreal, Quebec
May 7, 2014

Address by Daniel Caron
Legal Counsel

(Check against delivery)


Introduction

Good morning everyone. I'm excited to be here in Montreal this morning and, above all, to be here at this conference.

I'm thrilled to have this opportunity to speak to you about a topic that is of great interest to me: the Internet of Things, or IoT. It's a fascinating subject that affects all of us, perhaps more than you might realize. It's also a subject that, in my view, raises more questions than answers.

I would like to address a few of these "questions" today. However, I should tell you from the outset that I am not an IT or information security specialist. At the Office of the Privacy Commissioner, technology issues are handled by our experts—in our Branch, we have specialists who analyze technological advances and the impact technology has on privacy in the digital world.

For my part, I am a legal counsel who specializes in the area of privacy and personal data protection. So, with that caveat, please allow me to humbly proceed with today's discussion.

The hackable car

To start off, I'd like to give you an example that illustrates the extent to which the security of the Internet of Things already affects all of us… or at least, those of us who drive a car.

Last year, in the US, two IT experts, Charlie Miller and Chris Valasek, showed how easy and relatively inexpensive it is to hack a car's Controller Area Network ("CAN") bus. Doing so involves sending malicious messages that can make the car brake, prevent it from braking or even make the driver lose control of the steering wheel. The automobile industry developed this type of bus to simplify and improve communication among the various components of a car. The CAN bus has been mandatory for all cars in the US since 1996, and in Europe since 2001.

The two researchers were able to demonstrate not only how a car is made up of a network of hackable smart systems, but also the extent to which the manufacturers of these systems ignored these information security vulnerabilities.

But the Internet of Things is not just a world made up of cars. We are already familiar with a wide range of industrial and domestic devices connected to the Internet, such as TVs and fridges. There are, however, other examples from the world of the Internet of Things that are quite unique: I can think of smart diapers, and wireless or Bluetooth toilets (if you don't believe me, look up "hacked toilet" on an Internet search engine). We already have smart medical devices—everything from instruments for managing diabetes to wireless pacemakers. In a world where it is possible to hack a car, it is perhaps not surprising that former Vice-President of the United States, Dick Cheney, deactivated the Wi-Fi function on his pacemaker in 2007, admitting he was afraid someone might hack it.

Despite the potential benefits of the growing interconnectivity of various devices, these examples lead us to wonder if we are prepared to tackle the major privacy and information security issues brought on by the Internet of Things. As I noted at the beginning of my presentation, I'm not an IT or information security expert. You are the experts and it is you who will be finding appropriate solutions in the future. This morning, I would like to touch on three main points:

  1. The challenges we face in terms of securing IoT systems, and the major privacy issues related to doing so;
  2. The features that must be included in solutions to these challenges; and, finally,
  3. The regulatory and legal framework that will best address these challenges.

The development of the Internet of Things

First of all, let's try to understand what we mean by the "Internet of Things." The expression appears to have been used for the first time in a presentation given by Kevin Ashton of Procter & Gamble in 1999. At that time, Ashton used the expression to refer to a world in which devices are connected to the Internet via a range of smart sensors. Basically, the Internet of Things is a system where objects with sensors are connected to a wired or wireless Internet network and can communicate with other objects in order to transmit information. Physical objects become an integral part of the Internet and thus facilitate the sharing of information with other objects.

The evolution towards the Internet of Things has progressed for a number of years now. We already bear witness to an enormous capacity for interconnecting objects and internal networks. In 2008, the number of objects connected to the Internet was already greater than the number of people on the planet. According to Cisco, by 2020 there will be over 50 billion objects connected to the Internet.

This explosion can be explained by the growing number of sensors, processors and communication device components that are becoming ever smaller, smarter and cheaper. We also have more advanced wireless networks that use Wi-Fi technology, radio frequency, Bluetooth technology and Near Field Communication. We are quickly running out of IP addresses on the current IPv4 system. However, there will soon be more "space" on the Internet: since every device connected to the Internet needs an IP address, the new version, IPv6, will allow billions and billions of addresses to be assigned. Even though mobile communication devices currently account for the lion's share of the connected device market, technological advances will mean that different types of objects, such as medical devices or cars, will also become mobile devices.

People are already referring not simply to the Internet of Things but rather to the "Internet of Everything," where the promise of the Internet of Things leads to the inexorable conclusion that everything will be connected to the Internet. In 2013, Helen Duce, the director of the radiofrequency identification centre at the University of Cambridge, explained her vision of the Internet of Things as follows:

"We have a clear vision: to create a world where every object—from jumbo jets to sewing needles—is linked to the Internet. Compelling as this vision is, it is only achievable if this system is adopted by everyone everywhere. Success will be nothing less than global adoption."

The challenges

In light of this vision of a ubiquitous Internet of Things, how can we ensure that these systems are adequately protected? This is an important issue. Indeed, even though we were already talking a few years ago about the need to integrate information security and privacy, predictable security issues arising after a hasty product launch have been an all-too-common occurrence.

The vision of an omnipresent Internet of Things clearly prompts the question: how can we protect smart systems that have numerous connection points and sensors without otherwise rendering them unusable? I'd like to first address some of the challenges in the area of information security in general, and then address the inherent difficulties associated with protecting privacy.

Information security

In a speech he gave in December 2013, IT security expert Joshua Corman suggested a simple way of understanding the scale of the security issues associated with IoT systems. According to Mr. Corman, if the word "software" appears in a given system, replace it with the word "hackable;" if the word "connection" appears, replace it with the word "exposed." It thereby becomes readily obvious that a new information security paradigm needs to be adopted for the new IoT system technologies.

And it is not just hackers who could benefit from a more "exposed" Internet of Things. In 2012, the former director of the American CIA, David Petraeus, talked about the enormous potential that homes equipped with IoT systems present for monitoring agencies:

"Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters-all connected to the next-generation Internet using abundant, low cost, and high-power computing (…)"

Clearly, the vision in which all objects are connected to a network gives rise to a new reality in terms of information security, and sets the stage for a sober discussion. Do we have a clear vision of the solutions needed to better secure the new world of the Internet of Things?

By its very nature, the Internet of Things involves the sharing of a range of information (sometimes personal in nature) by means of a multitude of information sensors. Since, under this model, each object becomes a potential point of entry to the network or even the system itself, the primary challenge is to secure these entry points. Hackers can take advantage of these connection points, or rather these vulnerabilities, to penetrate a system, thus allowing an infiltrator to take control of the connected objects or access personal information.

In the IT security field, the traditional approach involves setting up walls and firewalls to protect a system. However, the Internet of Things calls this approach into question. In an article about the Internet of Things published in April 2012, IBM noted that, for implementation to be viable, we need to focus on the issues of authorization, authentication, access control, privacy and confidence-building measures, without compromising system usability. As we saw with the Heartbleed bug, a tiny breach hidden inside a software program can sometimes have an enormous impact on individuals and even on the confidence of the market in a specific product or service that uses a certain type of technology.

The Protection of Personal Information

Although it is a separate issue, the protection of personal information is nevertheless linked to the security of information in the Internet of Things. Obviously, to begin with, we need to know what steps are required to adequately protect personal information shared on an IoT system. However, privacy concerns are not limited to security issues.

As highlighted in the examples I mentioned earlier, the Internet of Things implies the exchange of personal information that can sometimes be quite sensitive. Indeed, these systems involve the sharing and saving of small pieces of information that, together, allow us to paint a fairly accurate picture of an individual's habits or preferences. And nowadays, in this age of "big data", the capacity to store and analyze a wealth of information is no longer the exclusive domain of data analysis experts. It is gradually becoming easier and cheaper to store and analyze data, which means that it can even be done by individuals as long as they have a computer and an easily accessible software program.

Take, for example, smart grids. These grids regulate the distribution of electricity to homes based on the amount of energy typically consumed. However, this technology also has the potential to reveal some rather sensitive information about the occupants of the home, and it allows for the use of specific appliances to be tracked, thus providing information about the occupants' habits and their personal information.

The Internet of Things involves the continuous collection and sharing of information, which increases the risk that a system may gather more than just the data required to provide a specific service or product, and that it might use this data for secondary purposes, or sell it to a third party, without the consent of the individual involved.

For example, the use of telematics in vehicles raises important questions about the eventual use of the information gathered. Besides indicating the location of the vehicle, telematics also provide information about driving features, such as acceleration, speed, braking and other driving habits. Can this information be used solely in the event of an emergency or theft, or can it also be used to determine insurance premiums? What specific information will be gathered, and who will control it?

The Internet of Things also raises questions about who has control over the information in question. As was noted by the Supreme Court of Canada, "privacy is the claim of individuals (…) to determine for themselves when, how, and to what extent information about them is communicated to others." Thus, control over one's own personal information is a key aspect of privacy.

In an IoT system, will individuals have "control" over their personal information? Certain questions need to be asked: Who does the information "belong" to? How can its accuracy be ensured, especially if the information is being used for administrative purposes or as evidence? Where is it stored? In Canada or abroad? By whom? Can the information be accessed and updated? Does the contractual agreement between the user and system vendor address these types of questions? How can the individuals concerned give their informed consent or withdraw their consent?

Addressing the challenges

Faced with these challenges, how can information security professionals be sure that technical measures meet expectations and provide appropriate protection for Internet of Things systems? Do we have an appropriate regulatory and legislative framework?

Technical solutions

Back in 2010, the Computer Law & Security Review was already looking at the issue of how to deal with security issues associated with the Internet of Things. The authors of an article published in January 2010 noted that the Internet of Things had an impact on information security and the privacy of the stakeholders involved, and that, consequently, measures needed to be introduced to improve not only the architecture's resilience to attacks, but also data authentication, access control and client privacy. They also believed that an adequate legal framework would have to take the underlying technology into account, and would be best established by an international legislator, using tools developed in the private sector.

A project entitled "Internet of Things Architecture" was recently developed in Europe for the purpose of creating a backdrop for the Internet of Things, thus ensuring the ongoing integration of various technologies through a coherent architectural plan. The project resulted in the definition of a vision for the required IoT architecture and proposed guidelines relating to the planning of IoT systems. One of the key objectives of the project was to

"holistically embed effective and efficient security and privacy mechanisms into IoT devices and the protocols and services they utilise."

Project officials realized that information security and privacy were key concerns. The goal of the project was to embed appropriate mechanisms into the IoT architecture, covering the actual hardware of the devices, the protocols for communication between the objects and the network, and the necessary information level.

In February, at the RSA Conference held in San Francisco, James Kobielus, a technologist with IBM, explained that IoT security measures must be comprehensive and multilayered. In his view, the appropriate framework must include three corners of a triangle: 1. the security of the objects as connection points; 2. the security of interaction between these objects; and 3. the security of the ecosystem itself.

With respect to the security of objects, Mr. Kobielus advocates embedding appropriate security measures in each object right from the production planning phase, in accordance with existing standards, and conducting the necessary audits. In terms of the security of interactions, he suggests using various types of application services to secure communications between objects and the network, such as authentication, access control, encryption and intrusion detection measures, to name but a few. Finally, given the range of players involved in the Internet of Things, including the businesses that participate in the development of the architecture and infrastructure, the ecosystem itself must be secured.

The appropriate regulatory and legislative framework

Over and above technical solutions, an appropriate regulatory and legal framework is needed. To remain relevant and effective, such a framework must take into account the technological, interconnected and global nature of the Internet of Things.

Organizations in Canada that put on the market information systems that collect, use or disclose personal information are bound by law to protect such information by putting into place security measures corresponding to its level of sensitivity. In addition to the obligation to put in place appropriate security measures, the organizations are accountable for the personal information under their control, must only use such information for appropriate and predefined purposes, and must provide a right of access.

In Canada, personal information is primarily safeguarded through legislation. At the federal level, the Personal Information Protection and Electronic Documents Act, or PIPEDA, applies to organizations that collect, use or disclose personal information in the course of a commercial activity. In Quebec, a statute substantially similar to PIPEDA applies to private-sector organizations. Appropriately enough, this act is called An act respecting the protection of personal information in the private sector.

Although they contain differences in wording, these two statutes enshrine fundamental privacy principles, including accountability, limiting collection and use of personal information to that which is necessary, the right of access and, of course, safeguards.

But are these statutes robust enough to deal with the challenges associated with the Internet of Things? The Quebec statute dates back to 1994, and PIPEDA came into force in 2004, before the days of social media, mobile apps and, of course, the Internet of Things.

Our Office has indicated on a number of occasions that PIPEDA is meant to be a technology-neutral law. We have also proposed reforms aimed at making organizations more accountable for the personal information in their possession.

Furthermore, with the technological advances that facilitate communication, international borders seem to be becoming more porous. Which leads us to another important question: Can domestic legislation alone sufficiently protect personal information in the world of the Internet of Things? How can privacy regulators coordinate their efforts despite a multitude of domestic legislation?

One thing seems clear: public institutions responsible for protecting privacy have a keen interest in the problems associated with the Internet of Things. Our Office is definitely interested in these issues. We are currently conducting various research projects related to the Internet of Things. A few days ago, we announced projects that will be funded through our Contributions Program, including a study on intelligent vehicle technology that will look at the impact on privacy of the use of telematics by automobile manufacturers and insurers.

The US Federal Trade Commission held a workshop in November 2013 dealing with the Internet of Things, and is still trying to figure out the best way of regulating the Internet of Things. In Europe, the European Commission has undertaken a number of research projects related to the Internet of Things, and I've already mentioned the Internet of Things Architecture initiative. One thing is certain: the Internet of Things will continue to capture the interest and imagination of privacy regulators.

Conclusion

The Internet of Things promises a very different era. In a world where everything is connected, the scope of possibilities is limited only by our imagination. The Internet of Things aims to be a universe in which each new technology is connected with other existing technologies. This momentum creates specific challenges in terms of information security and privacy. And it will be professionals like you here today who will be addressing these challenges and coming up with effective solutions with the help of an appropriate technical and regulatory framework.

Obviously, appropriate security measures vary from one system to the next, and we are a long way from having the key that would open the door to all the solutions relating to IoT security. Nevertheless, to ensure the success of the Internet of Things, we need to assure the general public that we have examined the risks associated with the Internet of Things and have identified judicious solutions to address them.
