The following is an excerpt from Augmented Reality Law, Privacy, and Ethics: Law, Society, and Emerging AR Technologies by author Brian D. Wassom and published by Syngress. This section from chapter three outline IoT security concerns.
PASSIVE DATA COLLECTION THROUGH THE INTERNET OF THINGS
The phrase "going off the grid" was coined to describe a lifestyle that intentionally avoids interacting with technology that leaves a trace of one's activities. As depicted by characters in popular fiction, this has heretofore been accomplished mainly by paying for things with cash instead of credit, using a false name, and talking on pay-as-you-go mobile phones. But how can one stay off the grid when every single physical device in existence has the capacity to gather and transmit digital data?
The IOT's sense of touch: beacons and taggants
As of this writing, Bluetooth Low Energy (BLE) technology is just starting to roll out to the public, most notably in the "iBeacon" feature of Apple's iOS7. It has been seen as a rival to Near Field Communication (NFC) technology (which iOS8 also embraces), or as a convenient way to pipe coupons into your phone. But history will look back at BLE as a major step forward in manifesting the Internet of Things (IOT), and in eroding any remaining illusions of privacy we have in our physical whereabouts.
BLE is a means of transferring data. "Beacons" -- devices that use BLE -- are tiny, wireless sensors that transmit data within a 10-meter range. At present, they support only low data rates and can only send (and not receive) small data packets, but these are perfect for interacting with iPhones and wearable computing devices such as smart watches and fitness trackers. In light of the current proliferation in such devices, therefore, it's safe to say that in the near future we may carry a half-dozen devices or more that are equipped with BLE or similar technology.
One of the most obvious applications of BLE is micro-location geofencing. GPS technology is great for determining your approximate location to within a few feet, but it relies on satellites that can't see into buildings very well. A mobile device running BLE technology, however, can interact with nearby beacons to determine its precise location, even indoors.
Augmented Reality Law, Privacy, and Ethics
Author: Brian Wassom
Learn more about Augmented Reality Law, Privacy, and Ethics from publisher Syngress
At checkout, use discount code PBTY25 for 25% off these and other Elsevier titles
Set up around a store, they can detect shoppers entering and exiting, and send them coupons (customized to your unique shopper profile) or even internal directions - Minority Report without the retinal scans. You will soon be able to even pay for goods without ever pulling out your phone, just like the newest vehicles will open their doors even when your key stays in your pocket. PayPal is already developing just such an app using BLE.
The real potential of BLE lies not in coupons, but in the IOT -- the burgeoning trend towards making physical objects internet-connected and digitally interactive.
Just like humans cannot meaningfully interact with the world around them without their five senses, so too will IOT-enabled objects lack interactivity without some means of sensing and communicating with their surroundings. BLE beacons are a major step toward providing that ability.
In all likelihood, some improved version of BLE technology, or its next-generation replacement with even broader capabilities, will be available either when this book is released, or shortly thereafter. Moreover, as discussed in Chapter 2, the need for digital sensors to precisely locate physical objects may lead to the deployment of beacons or taggants on the micro- or even nano-scale. Each of these devices -- including present-day beacons and RFID tags as well as taggants and other future technologies -- will be able, in theory, to have its own unique IP address on the internet. The migration begun in 2012 of the Internet Protocol address system from IPv4 to IPv6 increased the total number of IP addresses from a mere 4.3 billion -- a number we've already reached -- to 340 undecillion (i.e., 340 trillion trillion trillion). Now, literally every Barbie doll, toilet paper roll, and random chatski can have its own unique IP address on the internet. Each becomes a data point capable of reporting its exact physical location on a real-time, global map.
Once more people are using this infrastructure, its consequences will become more apparent.
Aggregating our interactions with the IOT
Digitizing our physical interactions will create a digital record of our movements and whereabouts that had never previously existed. For advertisers and retailers, this will be a goldmine of information just like social media was before it -- a brand-new trove of personal data that can be used to send out even more precisely targeted commercial solicitations. Without doubt, those providing IOT services will want not only to recognize who we are, but also to remember where we've been.
But others will be remembering that data as well. Thanks to Edward Snowden and others like him, the world is already aware of how much information private companies and the government collect about our emails and other online interactions.
Law enforcement already does all it can to track a suspect's physical movements, whether through cellular towers, IP addresses, or GPS trackers. In the near future, the government will likely have access to high-resolution, constantly updated digital maps of the entire planet's surface; the Pentagon's National Geospatial- Intelligence Agency is already at work on an "orthorectified image skin" that would provide the base layer for a next-generation map. Just like GPS and the internet itself, it will only be a matter of time before the private sector gets its hand on this geolocation data.
When the government and the private sector have access to high-fidelity geolocation data and a geolocation-aware sensor infrastructure, merely walking down the street with one or more sensor-enabled devices on our persons will leave behind so much data about our physical location that it may well become possible to create precise maps of our every step going back hours, days, or even longer. Add to that the digital data we'll leave behind in each of the physical objects with which we interacted along the way. Everything we touch -- the toothbrush we use in the morning, our clothing, doors through which we pass, the pavement we step on, even the plastic fork from the street-side falafel stand -- could potentially be capable of not only recording their interactions with us, but also transmitting that data to one or more servers, which then collect, collate, and make the data available for reporting out.
Even this possibility could one day seem tame if a system of trackable nanotaggants ever truly becomes reality. With that technology, it could become possible for the first time to literally destroy the possibility of privacy altogether -- at least when it comes to concealing your physical location. Consider: the nanotaggants that the military is reportedly developing are intended to be sprayed onto enemy combatants so they can be tracked in situations where direct surveillance is impossible, such as urban combat. Because these devices exist on a micro or nano scale, they're invisible to the human eye. Ideally, the soldier won't even know he's been tagged, let alone be able to find or remove all of the devices. The same technology could be used to track anyone. Even if you knew you were tagged, could you remove them all? A human skin pore is 200∼250 nanometers wide, which easily allows nano-scale products to be absorbed into the skin. What if you inhaled or ingested them? Like Lady Macbeth, you'd wash and wash, but never get the damned nano-spot out.
Privacy regulations and IOT
Government regulators are only beginning to draw lines of privacy around data accumulated by the IOT. Certainly, where networked devices are used to surreptisously record the words and actions of third parties, existing causes of action for eavesdropping and common law invasion of privacy will be enforced, just as they are now with the "Peeping Tom" cameras that seem to regularly find their way into changing rooms, bedrooms, and other unambiguously private places.
In September 2013, the FTC took its first enforcement action related to IOTcollected information. TRENDnet, a company that markets video cameras designed to allow consumers to monitor their homes remotely, settled FTC charges that its lax security practices exposed the private lives of hundreds of consumers to public viewing online. According to the FTC, TRENDnet marketed its numerous products as being "secure" when, in fact, the cameras had faulty software that left them open to online interception. The complaint further alleged that, in January 2012, a hacker exploited this flaw and made it public, and, eventually, hackers posted links to the live feeds of nearly 700 of the cameras. The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives. Once TRENDnet learned of this flaw, it uploaded a software patch to its website and sought to alert its customers of the need to visit the website to update their cameras.
Read an excerpt
Download the PDF of chapter three to learn more!
"The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet," said FTC Chairwoman Edith Ramirez. Under the terms of its settlement with the Commission, TRENDnet was prohibited from misrepresenting the security of its devices or network, and was required to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company's devices. The company also was required to obtain third-party assessments of its security programs every two years for the next 20 years.
This first foray into protecting privacy in the IOT -- which came only a month before the FTC hosted its first public seminar about the IOT -- signaled that the FTC is likely to continue following its existing practices in this new technological field. That is, it will take a proactive role of facilitating public conversations on the topic, while at the same time reacting to the worst offenders in the field in order to set examples for the rest of the industry. The FTC has done the same thing in recent years with social media endorsements and other fields that catch its interest.
There is every indication that regulators will continue to have plenty of opportunities to punish lax security practices in the IOT space. A 2014 study by researchers at Hewlett-Packard "identified an alarmingly high number of vulnerabilities" in the most popular IOT devices. These insecurities ranged "from issues that could raise privacy concerns to serious problems like lack of transport encryption, vulnerabilities in the administration Web interface, insecure firmware update mechanisms and weak or poorly protected access credentials." Sixty percent of the devices were vulnerable to common hacking attacks, while 70% used unencrypted networks and 80% used extremely weak passwords. This reflects "the current nature of online services [to] provide few mechanisms for individuals to have oversight and control of their information, particularly across tech-vendors." At some point, certain unfair practices may become so prevalent that Congress will feel the need to step in with new legislation.
The IOT will also implicate subject-specific privacy laws. Without question, IOT advancements will allow a greater range of devices to do such things as storing personal health information or sending messages that are intended to be private. When they do, new questions will arise about applying existing, subject-specific privacy laws like HIPAA and the Stored Communications Act. For example, the refrigerator is a device that many IOT enthusiasts talk about being networked. They often cite such advantages as the fridge being able to tell you when you're out of a particular item, or what other ingredient you might need for a recipe. But what if an insurance company sought access to our fridges' data logs to determine how healthy our diets are before determining what our health insurance premiums should be? The same could be asked of the panoply of health statistic-monitoring wearable devices that are now all the rage. In light of how strict many of the current regulations concerning health information already are, it would not be surprising to see the government severely limit who can access such information. The counter-argument will be made, however, that insurers should have access to this data in order to set rates that are fair to everyone.
Geolocation data is something the courts have been trying to wrap their arms around for a few years now, with no clear boundary lines yet emerging. In January 2012, the United States Supreme Court decided United States v. Jones, in which it unanimously ruled that the attachment of a GPS tracking device to an individual's vehicle by police, and subsequent use of that device to monitor the vehicle's movements on public streets, constituted a "search or seizure" within the meaning of the Fourth Amendment. Contrary to many news reports at the time of the decision, however, the Jones Court reached no conclusion on whether that search was unreasonable, or whether it required a warrant. The case produced three opinions from overlapping groups of Justices, some of whom found any degree of GPS tracking without a warrant legally dubious, while others would limit only long-term tracking, and still others so no problem with collecting such data as long as the police committed no physical "trespass" onto the person's property. This mish-mash of views illustrates the difficulty in applying eighteenth century legal principles to twenty-first century technology.
At least with regard to data collected by mobile phones, then, courts have generally concluded that "[u]nder existing law, … a user does not have a reasonable expectation of privacy as to geolocation data." This is because, unlike the police imposed "tracking devices" at issue in Jones, consumers carry mobile phones with themselves voluntarily, and are presumed to agree to their carriers' privacy policies that allow collection and sharing of this data. Presumably, mobile AR devices will come with the same broad policy provisions, and the same legal principles will apply to the data they collect.
Regulatory bodies are also paying attention to geolocation data privacy. On May 25, 2012, the Federal Communications Commission (FCC) released a report with the opaque title "Location-Based Services: An Overview of Opportunities and Other Considerations." The report outlines the growing use of location-based services (LBS) in navigation, tracking, social networking, gaming, retail, real estate, advertising, news, weather, device management, and public safety applications, and government and industry efforts to address the privacy issues surrounding such services. It stemmed from a June 2011 workshop that the FCC hosted on the subject.
Like the FTC's efforts, this FCC report offered more general principles than concrete rules. In this case, the report highlighted "notice and transparency," "meaningful consumer choice," "third party access to personal information," and "data security and minimization" as its primary concerns. The FCC ended its report with a warning that it will "continue to monitor industry compliance with applicable statutory requirements and evolving industry best practices," and that "additional steps may be necessary if privacy issues are not met as effectively and comprehensively as possible or within reasonable time frames."
About the author: Brian D. Wassom litigates disputes and counsels clients concerning copyright, trademark, publicity rights, and related intellectual property and advertising issues. In particular, he focuses his practice on social media and other emerging forms of digital communication. Brian has several years' experience assisting media companies in exercising their freedom of the press, obtaining access to information, and defending claims of defamation, invasion of privacy, and eavesdropping. He chairs his firm's Social, Mobile and Emerging Media Practice Group. He also authors a popular blog on this topic, as well as the online treatise "Wassom on Social Media Law" and the ebook "Augmented Legality 1.0," which examines the law governing "augmented reality" technologies. He is also a highly sought-after public speaker. Brian regularly speaks to industry groups, legal education seminars, and conferences across the country on social media, augmented reality, and related topics. He is also the Secretary of, and legal counsel to, AugmentedReality.Org, a nonprofit trade association for the AR industry and organizer of Augmented World Expo, the largest annual gathering of AR professionals.