July 22, 2015

Is your wearable selling you out? Data Privacy in an IoT World — Bastille

Big Data. Cloud Computing. The Quantified Self. The Internet of Things. These are not just marketing buzzwords; they are concepts that are fueling today’s IT ecosystem. The one thing they all have in common is the consumption and analysis of large quantities of data for better decision making. Whether you’re looking at consumer or business markets, one thing is certain: we want to know more about what we do and when we do it. The sensor industry is changing business landscapes and adding efficiencies and improvements to automation. The wearables market is allowing everyday people to examine their daily activities through constant data accumulation served up as digestible intelligence on phone apps. With all this data being aggregated, how much of it is being used outside of its originally intended purpose? Are we – the users, consumers and businesses – for sale? And if we are, would we knowingly put ourselves out there as much as we do?

Employers are turning to wearables as part of their corporate wellness programs. These small devices are being leveraged to incentivize employees into a healthier lifestyle. On the surface, the increased steps, better sleeping habits and friendly competition all seem like a win-win for both company and employees, but there could be a hidden danger in the massive data dragnet. For instance, many wearable companies have openly admitted to sending data – anonymized – to third parties for a variety of reasons. Privacy policies rarely call these cloaked third parties by name, though many will define the purposes for sharing your data. These purposes are similarly vague, citing things such as product improvements or customer experience enhancements. Regardless of the purpose, you can rest assured (consult your wearable for your actual sleep metrics) that your private health data is making the rounds on the Internet.

With this said, let’s explore some questions that I have surrounding this data traffic:

  1. Who owns the data? This is data about YOU. Is it yours, or does it belong to the device manufacturer? While some devices allow you to have a choice in your sharing policies, many, if not most, come with maximum sharing as a default setting. Likewise, terms like “third party” are vague enough that they can encompass just about anyone, including data brokers and companies looking to better target products to your activities.

  2. Who is responsible for securing the data? Encryption and de-attribution are important, at rest and in motion. How is it being sent to third parties? Are those third parties then able to store it or send it elsewhere, and are they doing so safely? What about apps that consumers elect to use with their wearables? Again, this is your personal health data, and while many makers state that they disassociate personal information from the data, will we really know until there is a breach? After all, I’m sure that the Feds thought OPM was taking great care of their social security numbers, which we now know were being housed unencrypted.

  3. Will you be on the side of profit or punishment? These wearables will give insight into daily activities that can be used to adjust the costs – for consumers and businesses – on things like medical and car insurance. If you’re donning a wearable for your corporate wellness program, don’t call in sick and then hit the ski slopes or you could find yourself in trouble come Monday.

These questions just scratch the surface of data security. As IoT devices become more ubiquitous, our thirst for data and insights will only increase. And, as recent news has proven, the underground market for stolen data has an insatiable appetite. I suppose time will tell as to who will be picking up the tab.
