    Privacy of internet of things

    PRIVACY

    The Internet of Things devices that we own aren’t the only ones that should
    concern us when it comes to matters of trust. With more sensors and devices
    watching us and reporting data to the Internet, the privacy of third parties
    who cross our sensors’ paths (either by accident or design) is an important
    consideration. Designers of an Internet of Things service will need to
    balance these concerns carefully.

    KEEPING SECRETS

    For certain realms, such as health care, privacy concerns are an obvious
    issue. However, even seemingly innocuous applications can leak personal
    information, so you should be alert to the danger and take measures to
    avoid it.

    This advice is perfectly illustrated with an example from an early
    instrumented car park in a Westfield shopping mall in Australia. Each parking bay
    is overlooked by a small sensor from Park Assist, which uses a cheap camera
    to tell whether the space is occupied. The sensors are all networked and
    presumably can provide analytics to the owner of the car park as to its usage.
    A light on the sensor can help guide drivers to a free space. All useful and
    harmless stuff.

    The problem came with a more advanced feature of the system. The
    shopping mall provided a smartphone app for visitors to download so that
    they could find out more information about the facilities. One of the features
    of the app was a Find My Car option. Choosing that, you were prompted to
    enter the first few characters of your licence plate, and the app would then
    return four small photos of potential matches—from optical character
    recognition software processing the sensor data on the mall’s server.

    The returned images were only thumbnails—good enough to recognise
    which was your car, but not much else, and the licence plates were blurry
    and hard to see. However, security professional Troy Hunt found that the
    implementation method left a lot to be desired
    (www.troyhunt.com/2011/09/find-my-car-find-your-car-find.html).
    With a fairly simple, off-the-shelf bit of software, Troy was able to watch
    what information the app was requesting from the server and found that it
    was a simple unencrypted web request. The initial request URL had a
    number of parameters, including the search string, but also including
    information such as the number of results to return.


    That request returned a chunk of data (in the easily interpreted, industry
    standard JSON format), which included the URLs for the four images to
    download, but also included a raft of additional pieces of information.
    Presumably, it was easier for the developer of the web service to just return
    all the available data than to restrict it to just what was needed in this case.

    The extra data included, for example, the IP addresses of each of the sensor
    units, but more importantly, it also included the full licence plate for each
    vehicle and the length of time it had been parked in the space.

    By altering the search parameters, Troy found that he could request many
    more than the four matches, and it was also possible to omit the licence plate
    search string. That meant he could download a full list of licence plates from
    all 2550 parking spaces in a single web request, whenever he liked.

    Obviously, all that data is already publicly available, but there’s a pretty large
    difference in ease of gathering it between staking out the entrance to the car
    park and watching cars come and go and setting up a script on a computer
    to check at regular intervals.

    Once alerted to the problem, Westfield and Park Assist were quick to disable
    the feature and then work with Troy to build a better solution. However, that
    situation came about only because Troy was generous enough to bring it to
    their attention.

    Don’t share more than you need to provide the service.
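
    The lesson above, shown as an added example that is not part of the original text or of the Westfield/Park Assist code: a naive lookup beside one that requires a search prefix, caps the result count on the server, and returns only the fields the app displays. The record fields, the three-character minimum prefix and the function names are assumptions made for illustration.

```python
import re

MAX_RESULTS = 4        # the app only ever shows four thumbnails
MIN_PREFIX_LEN = 3     # assumed minimum; an empty search must never match everything
PUBLIC_FIELDS = ("bay_id", "thumbnail_url")   # all the client needs to find a car

# Constructed sample records; the field names are hypothetical.
BAYS = [{"bay_id": n, "plate": f"ABC{n:03d}", "sensor_ip": f"10.0.0.{n}",
         "parked_minutes": 10 * n, "thumbnail_url": f"/thumbs/{n}.jpg"}
        for n in range(1, 7)]

def find_my_car_naive(bays, prefix="", count=4):
    """Pattern described in the text: client-chosen count, optional prefix, full records."""
    hits = [b for b in bays if b["plate"].startswith(prefix.upper())]
    return hits[:int(count)]

def find_my_car(bays, prefix, count=MAX_RESULTS):
    """Data-minimising version: validated prefix, clamped count, allow-listed fields."""
    prefix = (prefix or "").strip().upper()
    if not re.fullmatch(r"[A-Z0-9]{%d,8}" % MIN_PREFIX_LEN, prefix):
        raise ValueError("search prefix must be 3-8 letters or digits")
    try:
        count = int(count)
    except (TypeError, ValueError):
        count = MAX_RESULTS
    count = max(1, min(count, MAX_RESULTS))   # the server, not the client, sets the ceiling
    hits = [b for b in bays if b["plate"].startswith(prefix)]
    # Project each record onto the allow-list so plate, sensor IP and dwell time never leave.
    return [{k: b[k] for k in PUBLIC_FIELDS} for b in hits[:count]]
```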

    As the founder of WikiLeaks, Julian Assange, has said, “The best way to keep a
    secret is to never have it”
    (www.pbs.org/wgbh/pages/frontline/wikileaks/interviews/julian-assange.html).
