The NSA isn’t The Only Thing Spying on You

“Smart” devices make good spies, if you’re not careful.

Infoworld ran a story today that will be old news to the paranoid, good news to self-obsessed fans of the data-driven life, and heresy to those who believe quantification and metrology are the only ways to know anything at all.

Most of it is in words, so I’ll summarize for hard-core quants intolerant of information encoded in things whose presence, but not meaning, can be quantified: The latest wave of convenience gadgets announced at the Consumer Electronics Show (CES) and elsewhere comes with a cost most of us can recognize, but to which few respond.

Gadgets built into our phones and cars and clothing and eyeglasses and Things (Internet thereof) may let us track our fitness, monitor the safety of our homes and keep us from getting lost while running errands, but also create astonishingly detailed databases of everything we do, everywhere we go and, often, everything we spend and on what.

Those enormous, unappreciated pockets of extremely personal data – to the extent they existed – used to be irrelevant to concerns about the violation of our privacy, theft of our identities and availability as marketing targets.

Pedometers might have recorded every step we took, but didn’t know where we were going and had no way to tell anyone about it anyway.

Cell phones had to keep track of our location and the phone numbers we called, but didn’t know anything about our bank account numbers, secret correspondences with paramours (or accountants), or the details we might consider private even about events that weren’t.

Now, every class of newly intelligent device is not only able to keep track of things we ask it to count, but can store that information (and lots of other things about us) on public networks over which we have no control… even if we knew what data was being recorded, where our gadgets were sending it and why.

That may sound like the same knee-jerk paranoid reaction that comes from somewhere after every new advance in automation or personal convenience, but only because that’s exactly what it is.

Unfortunately, as we become more heavily measured and quantified, it doesn’t make us more attractive targets for companies or criminals that want to exploit our private information. It makes us, literally, unavoidable targets for many of them.

Automakers who respond to customer demand by adding better antennas and multiple-network connections to their products, so we can talk, text and browse online while in traffic, put themselves directly in the flow of all the information moving over those networks the entire time we and our families are on the road.

Rather than just ignoring the content and letting the data flow past to the ISP, GPS network or other service provider for whom it is intended, car companies have been copying and storing at least some of that information, along with metadata identifying the customers involved, according to a Government Accountability Office (GAO) report published Jan. 7.

There’s no explicit rule that automakers can’t store copies of the GPS data that shows everywhere a customer has driven, of course – because car companies have never been in the position of being able to spy on the movements of their customers before.

“Modern technology now allows drivers to get turn-by-turn directions in a matter of seconds, but our privacy laws haven’t kept pace with these enormous advances,” according to a statement made by Minnesota Senator Al Franken in response to the report. “This report shows that Minnesotans and people across the country need much more information about how the data are being collected, what they’re being used for, and how they’re being shared with third parties.”

A coalition representing automakers told the Detroit News that privacy policies are described in purchase documents given to customers, but few customers look there for information about whether a carmaker is doing full-time location surveillance, let alone what is being done with the data or how to prevent its collection.

The report generated a stink that will escalate into a conflict quickly enough, but carmakers are only one early example of whole industries that could suddenly find themselves in the surveillance business, whether that was their intention or not.

Insurance companies often know things about us we’d rather were not made public. Until Progressive Insurance and a few others started to offer tiny discounts to customers willing to bug their own cars with GPS trackers that show everywhere they’ve gone and how fast they drove on the way there, however, no one was choosing to give the right of 24-hour, seven-day-per-week surveillance to their insurance companies.

Infoworld cited a sleep-monitoring and “optimization” system called Aura, baby-monitoring clothing made using Intel’s Edison wearable-computer-on-a-chip, a smart thermostat from EverSense and other products as smart devices that collect private data but have no disclosed plans about how to protect it.

That selection is essentially random, though. As the Internet of Things grows, so does the Internet of Things keeping an eye on you and recording your activities without your knowing it.

That’s creepy, but not obviously illegal or even necessarily invasive (though it would take drastic data and access controls to keep it from becoming invasive).

Things can be made intelligent and network-connected pretty easily, but it’s much more difficult to make them secure, according to security guru Bruce Schneier. Writing in Wired Jan. 6, Schneier warned that smart devices are almost all insecure, would be difficult to make secure, and send data along unsecured networks to unsecured databases accessed by mostly-insecure applications.

Each of those insecure steps is vulnerable to anyone unethical enough to want to, say, watch everyone coming and going through the employee entrance of a bank or big government office building by tapping into the CCTV network or other IoT-connected sensors.

At any other time in history, Schneier would sound like a raving paranoiac. But recent revelations actually make it sound as if he’s trying to underplay the whole thing to keep from sounding crazy. Is it paranoid to think carmakers are watching everywhere you go in your car when there’s no evidence they have any reason to care? Normally, yes it would be. Right now, it’s just the truth.

The fear the CIA or NSA is spying on your every move is a classic symptom of paranoid schizophrenia.

But documents actually written by and belonging to the NSA – which is forbidden by law from spying on U.S. citizens or U.S. residents – show that the NSA is doing its best to develop the ability to spy on every single computer user and network in the world by adding private backdoors to the BIOS and firmware of products from computer makers who may or may not know what it’s doing.

From those realities, it’s not actually a reach to think service providers that link your smart pedometer to the cloud might be keeping a little more information about your movements than you’d prefer.

Since there’s no clear law requiring them to admit it, however, how would you know?

Relatively few people are going to avoid cool convenience tech just because of the risk to privacy in one area of their lives, and most probably shouldn’t. If the benefit of using a new gadget isn’t greater than the cost, in money or privacy or other cost, most people will quit using it as soon as the novelty wears off. That doesn’t mean we should stop inventing new things, or trying new things, even when they come with risks we can’t control.

That doesn’t mean we shouldn’t change old rules to take new technology into account, or that we should give the inventors free rein to exploit the information and privacy and concerns of customers to make a successful product even more profitable.

We’re moving forward into a world whose risks and potential risks are much different from the risks our existing rules were created to limit. The problem, well, one problem, is that we haven’t done much to bring those laws up to speed with the potential that smart, insecure devices offer to those willing to use our excitement at new technology and impatience with security to exploit us in ways we haven’t quite accepted as genuine threats.

It may not be a surprise that giving intelligence to inanimate Things gives them the potential to act in ways we don’t like, or be used to hurt us in ways we don’t expect.

It shouldn’t be a surprise when it actually happens, either, unless we change the laws and usage regulations and expectations about the behavior of vendors to make clear that, no matter how crazy it sounds to say out loud, we don’t want every smart Thing in our lives to be collecting information for the benefit of someone else.