Mitigating privacy risks in the Internet of Things

As the Internet of Things (IoT) becomes increasingly ubiquitous, organisations from all industries are beginning to explore ways to develop and utilise their own IoT network or service offering. In his new book, Internet of Things, for Things, and by Things, author Abhik Chaudhuri explains how this can be done effectively and safely, while mitigating the privacy risks inherent in dealing with large amounts of end users’ personally identifiable information.

IoT devices have the potential to collect detailed personal data and communicate with each other. This data can then be aggregated and analysed to extract information about people’s traits, habits, welfare and movements. As IoT networks grow, Chaudhuri argues that lack of consumer awareness or curiosity about privacy settings could lead to abuse of their data, leading to a breakdown of trust in the technology and ultimately reducing its potential for a positive impact on society.

With privacy concerns one of the most fundamental risks to organisations adopting this emerging technology, Chaudhuri advocates seven principles of IoT privacy by design that he says should be built in at the earliest stages of developing IoT devices.

Built in privacy enhancement

In order to anticipate and prevent data compromise, Chaudhuri believes that IoT devices and smart services should have privacy-enhancing capabilities already built in at the ideation and development phase. This preparation reduces the risk of companies being forced to respond reactively to privacy breaches, which, as the Facebook and Equifax scandals have recently proved, cause significant distrust amongst users.

User data should be protected by default in any IoT device and smart service, with responsibility and accountability for protection resting with the device manufacturer. This builds wider trust among users and greater adoption of IoT offerings.

The staggering number of IoT devices and their prevalence worldwide means privacy breaches can come in any number of different guises. Chaudhuri’s answer is to identify sensitive data components early and embed privacy-enhancing features to ensure the devices comply with privacy requirements without affecting core functionality.

Full functionality with maximum security

Another of Chaudhuri’s principles is that every stakeholder in an end-to-end IoT service should be enabled to provide full functionality without sacrificing privacy, security or safety. He proposes that to prevent it being used for malicious purposes, any contextual data collected should be preserved with the appropriate security and privacy measures throughout the entire data lifecycle and then completely destroyed.

Chaudhuri recommends allowing all stakeholders to independently verify IoT operations, explaining that this provides visibility and assurance that the functions are operating according to their stated objectives. He concludes that the requirements of end users should be central to the design of any IoT device or service, with privacy being a major requirement.

Learning from mistakes

With the vast array of opportunities afforded by IoT technology, Chaudhuri believes that organisations must learn from past mistakes and consider security and privacy requirements at the earliest stage. The penalty for ignoring those lessons is one that businesses will pay in reputation, trust and cost.

Internet of Things, for Things, and by Thingsis available now through CRC Press. Members can receive 20 percent off the retail price by entering the discount code FLR40.

  • About Enterprise Risk Magazine

    Enterprise Risk Magazine is the leading quarterly title for risk managers and enterprise risk, with a print circulation of over 5,500.

    Enterprise Risk is published on behalf of the Institute of Risk Management (IRM). The majority of IRM members receive their copy of Enterprise Risk at their home address, meaning the title... Read more
  • Categories

  • Tags