Thinking About Buying A Smart Home Device? Here's What You Need To Know About Security

This article is more than 5 years old.


What precautions (for security and privacy) should I take when buying smart home devices which connect to the Internet? originally appeared on Quora: the place to gain and share knowledge, empowering people to learn from others and better understand the world.

Answer by Pete Staples, President and Co-Founder of Blue Clover Devices, on Quora:

Our IoT devices know a lot about us.

They hold our banking information, our health records, our family memories. They even know where we parked our car this morning (just in case we forget).

With all that personal data tucked into a 5x2-inch box, we assume we can trust the security and privacy measures deployed.

Unfortunately, with tech giants and major manufacturers working to outpace one another, some things get lost in the crossfire. Steps can get skipped in regard to privacy measures, and some user data can be kept without us knowing. That sounds scary—and it can be.

While rapidly developing legislature is working to protect users, the regulatory system just can’t keep up with the tech industry’s rate of innovation. Ultimately, it’s up to users to decide how much they want to risk in this melee.

Consider the regulations, but know you can’t rely on them yet.

Users are at the mercy of what’s available to them and what’s required through terms of service agreements.

And companies aren’t exactly prioritizing privacy. When new tech is created, businesses typically look at things like high quality, fast delivery, a good price point. Security and privacy parameters don’t automatically take precedence.

In fact, despite their increasing importance in our current information economy, security measures seem to be at direct odds with entrenched business models.

We constantly see major companies experiencing data breaches and apologizing for endangering consumers, but then doing very little after the mess dies down. Look at the whole Facebook fiasco with Russian advertisers. There was an entire national trial around user data being bought and sold inappropriately, and yet, we still have a dangerous hacker problem in the U.S.

Personally, I’ve heard CEOs lament that their goals as the head of a device company are directly at odds with their goals as a device consumer. This means that the company's products don’t match up to what users want—and the people in charge know that.

Fortunately, it isn’t like this all over the world, which gives the U.S. some regulatory models to look to for guidance.

For example, Europe's launch of the General Data Protection Regulation (GDPR) has some serious teeth. It not only creates data regulations across the entire EU but makes it so that companies have to have “watertight consent management practices.” Otherwise, they run the risk of being fined up to 4% of their annual global revenue or €20 million—whichever is greater. That’s a sizable amount, regardless of the company.

The GDPR has made it so no one can shrug and say, “Whoops, we didn’t know better.”

Stateside, we’re beginning to follow in the EU’s footprints. In November 2018, California passed a law that requires IoT device manufacturers to ensure each device is equipped with a security feature to protect user data. This means data can’t be accessed unless authorized by the user.

There’s no $20 million fine associated with the bill, but a first step is a first step nonetheless.

If you think tight regulations aren’t that important, think again.

Your device is looking at your viewing habits, your app usage, the time spent on your phone—and where you’re spending it.

In some cases, you may be happy not to manually log your habits. Say, when you’re working out, a health app paired with a fitness tracker will automatically store and report how many pushups, situps, and reps were completed, or how far you ran.

And while some background tracking of habits is welcomed, or at least known and ignored, some tracking is unsettling. For instance, home assistant devices (like a Google Home or Amazon Alexa) are essentially sensors and microphones set up throughout a person’s home. They track what room you’re in, what you’re doing in that room, and how frequently you do it. Are you being quiet and focused while working or are you collaborating with others? What type of work are you doing? Do you listen to music while you do it?

Amazon now knows all of that and more about each user. And it’s created a treasure trove of useful data. As we engage more and more with these devices, it will seem almost as if someone were simply sitting in the room with us, taking notes on a clipboard.

Which isn’t to say your devices have to know everything about you.

Careful participation allows you to use seemingly inescapable ecosystems without hand-feeding your data to a corporation.

But this requires you to give up group participation and validation. I know plenty of people who live without Facebook—yes, it’s possible to tell your friends and family what you’re up to without a social media platform. You'd simply have to give up the thrill of posting and the small claim to fame that comes along with it because that “fame” comes at a cost to privacy.

In order for companies to broadcast your information, you have to be willing to share it in the first place.

Now, when it comes to IoT devices, they’re really only useful if they’re connected to an ecosystem. And in some cases, the mere act of connecting them may be giving more data than an individual user wants. Sometimes there’s no getting around it. So you have to be a smart consumer in what devices you use and how you use them.

For example, I would rank Apple as having the best privacy measures when it comes to IoT devices. Structurally, Apple is set up to sell a premium set of devices and services. This means they can be profitable without having to eat into user privacy. Next would be Google, and absolutely last would be anything produced or offered by social platforms like Facebook.

And I don’t just know this because I’m the CEO of an IoT manufacturing company.

I’ve done my research as any consumer can. Knowing company goals, history, and future anticipations can help you get a sense of where their priorities may be. In much the same way you’d research a neighborhood before moving to it, you should be checking the background and history of a company before buying—and engaging with—their IoT devices.

Otherwise, you and your personal data run the risk of becoming the product they’re selling.
