IoT privacy and the tricky question of data ownership
Wednesday, September 6, 2017
Posted by: ACEDS Marketing Team
Extract from Brian Buntz's article "IoT privacy and the tricky question of data ownership"
Collect data first, ask questions later. That seems to be the unofficial motto for many organizations when it comes to data gleaned from IoT devices and other connected devices like smartphones.
But the fact is, we are now living in a big data world, and organizations across the world are seeing that they can realize unexpected benefits to data gleaned from IoT devices. “My view generally is all of this data is being used against us,” said Ari Scharg, a Chicago-based partner at the law firm Edelson PC. “Companies might say they are using it to benefit their customers, but that’s just a tagline. What they really mean is that they want to know everything they can about their customers’ personal lives so that they can predict and capitalize on their needs and behaviors.” The market for such insights is considerable. The U.S. data brokerage industry generated some $202 billion in revenue in 2014, according to the Direct Marketing Association, and it’s poised to expand in tandem with the Internet of Things. “Just think about how valuable the data collected by your smart refrigerator about what you eat and drink every day would be to a life insurance company that is pricing your policy,” Scharg explained. “In many ways, personal data is being weaponized and used to help corporations manage their own risk.”
IoT data, crime and punishment
One example of the potential of IoT data to be used in unexpected ways comes courtesy of Ross Compton, an Ohio man whom police have charged with aggravated arson and insurance fraud. Compton claimed a fire broke out in his house, and that he quickly grabbed a few things before escaping. Police were suspicious early on, according to a Washington Post article. He didn’t just grab a few things — he grabbed 15, which seemed like a high number for someone fleeing a fire. And investigators smelled gasoline at the site where Compton’s $400,000 house had burned, and also identified gasoline on his shoes, hands and shirt. Investigators also noted that the fire appears to have broken out in multiple locations across the house, which could be further evidence for arson.
But the most damning evidence against Compton came courtesy of biometric data gathered from his pacemaker, a medical device that is an early example of the Internet of Things in medicine. Investigators got a search warrant to download data from the connected device. According to court documents cited by the Middletown Journal-News, a cardiologist, after examining the pacemaker data, testified that “it is highly improbable Mr. Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions.”
Compton has pleaded not guilty in the case, and the judge in the case has allowed the data from the pacemaker to be used in the trial. The defendant’s attorney had argued that, in obtaining the pacemaker data, police intruded on Compton’s Fourth Amendment Right against unreasonable search and seizures.
No matter what the outcome, the case could be a harbinger of things to come in the legal field, as IoT data becomes an important class of evidence, explained Peter Tran, RSA's Advanced Cyber Defense general manager and senior director. “There's a forensics principle known as Locard's exchange principle that applies across the board to cyber including for IoT,” said Tran. “The principle basically states that whenever criminals walk into or leave a room, they leave something behind, whether they see it or not,” Tran explained. “In essence, the cyber version of the principle states that whenever data or a connection is made or transmitted, there is trace evidence that's left behind, whether it is at rest or in transit, stored or in other memory.”
Read the full article here