SXSW

SXSW: The hidden - and growing - risks of Internet-connected devices

Don't count on the federal government to create a solution, lawmakers and industry experts say

Posted March 12th, 2016

That Internet-connected "smart" TV you are thinking of buying might have the ability to take pictures of you and your family -- and send those pictures around the world.  

It might also be able to read and record data from any electronic devices that plug into the TV.  

Consumers are only dimly aware of the extra capabilities and potential vulnerabilities that manufacturers can build into their smart-connected devices products. And many of those devices are potential targets for hackers and other online miscreants who are bent on invading consumers' privacy or causing mischief or monitoring their behavior.  

The rapid accumulation of smart devices aimed at consumers, businesses and others is part of what the electronics industry calls the Internet of Things (IOT), which is expected to result in the sale of tens of billions of devices worldwide over the next four years.  

Those "things" are outside of the realm of traditional computers, but they do have Internet connectivity. Many of them are vulnerable to hacking and invasion of people's privacy inside their homes or maybe inside their bodies.  

Some experts gathered at the SXSW Interactive festival in Austin say the brave new world of increasingly connected home devices makes consumers more likely to be targets of snooping by businesses, criminals -- or even governments.  

The problem, several of them said, is that consumers are largely unaware of the risks they are taking when they buy and use such products. Manufacturers are often not taking even rudimentary precautions to keep their customers safe. Nor do they keep customers clearly informed about the potential hazards of having their home appliances or their cars or their health monitoring devices connected to the Internet.  

"We are all responsible for security (of IOT devices) and it is really hard," said Jen Ellis, a public affairs director for Rapid7, a data security and analytics company that consults with business clients. "These things do cool stuff. We make trade-offs when we use them and we don't always know what the risk is."  

Ellis brought a children's toy with her to Austin -- an Internet-connected monkey that can talk to its users.  

"It is easy to hack," she said, explaining that the toy connects easily with WiFi and Bluetooth devices and uses a version of Google's Android operating system software that probably hasn't been updated with security patches to fix known hacking vulnerabilities.  

Hackers "can write code in this," she said, holding the monkey, and the result might be new messaging from the toy that is inappropriate for children.  

Ellis and other experts say consumers typically fail to read the software licensing agreement that comes with such purchases and that may identify potential user risks. Such licensing agreements give manufacturers at least some legal protection if customers' are harmed from hacked devices.  

So far, both the court system and the government are lagging far behind in creating consumer protections from Internet of Things mishaps, the experts said.  

Andrea Matwyshyn, a law professor at Northeastern University, said the courts and regulators need to create a standard of "reasonableness" that ensures that product makers and software suppliers are held to some reasonable standard of of security in the products that they sell.  

Don't count on Congress to create a legal solution for the problem, said Republican U.S. Rep. Blake Farenthold of Corpus Christi. Both Congress and government agencies move too slowly and awkwardly to keep up with the ever-changing challenges of Internet technology, he said.  

Farenthold said any new rules that Congress or federal agencies make will likely be overly complex and restrictive and potentially could slow down product innovation.  

"There needs to be a higher level of security awareness," Farenthold said, "But be cautious about government solutions for all of your (Internet of Things) problems. The government solution is probably not going to be one you like."  

Phil Howard, a professor at the University of Washington who studies the social effects of technology, is more optimistic.  

He said he believes some civic organizations, such as the Electronic Frontier Foundation and others, could force new IOT standards through advocacy and lawsuits.  

"There is going to be a long sorting out process" on IOT consumer protections, Howard said.  

"Congress will move slowly and the courts will move more quickly. I think the best hope for the IOT is in Europe. Most European countries have privacy commissioners and Europe will probably make policy on this before the U.S. does. If the European market says that every IOT device must have the ability to forget all of its user data, then manufacturers will have to comply if they want to be in the European market."  

Those benefits, he said, will probably extend to users outside of Europe as well.

Comments