IoT – Beware the spy in your fridge

The internet of things means that the opportunities for massive surveillance and intrusion into our lives by governments and large organisations will reach ever-greater proportions – it will potentially be an ‘Age of Data Surveillance’ or ‘dataveillance’.

An important point to note is that the data gathered about us may well not come from information that we have chosen to give to governments or financial organisations. It may well come from information that we have made public elsewhere in the digital world.

To give an example, at a recent meeting organised by the big data analysis company Splunk – which has built a database ‘mining’ tool that can run real-time analysis of Twitter at the same time as incorporating other databases – they noted how attempts by the German government in the 1980s to increase its census data had met significant popular resistance and had to be shelved. Yet the German government is now able to gather information about citizens that is significantly more detailed than that sought by the proposed census questions, simply by analysing social networks and other databases.

According to many of the experts we have spoken to, the capacity already exists to take information from such sources and create highly detailed pictures of behaviour, location, health, finance, buying patterns, driving habits and internet searches. This ability to ‘map’ us will only increase as the internet of things grows in scale.

A worrying aspect of this is how little consumers and citizens realise the importance of the data trail we leave in the digital world. As far as the algorithms and software machines are concerned, we are our data – warts, inaccuracies and all – and it will be virtually impossible to hide from our data.

Beware the spy in your fridge

Should we be worried by the risk of household appliances such as fridges being linked to the internet?

Quite simply, yes.

In November 2013 it was revealed in Hacker News that devices secretly fitted with remote sensors had been found in Russia – the source for these was given as China.

While the aim of the exercise is unclear, one theory is that it could have been an attempt to introduce a radio spying system capable of logging onto internal communication systems, as a way of gaining access to an important network containing vital information.

Such subterfuge is not new. USB sticks still in their shrink-wrapped packaging have been found to contain Trojan computer programs, and Microsoft computers made in China have been found to contain malware systems.

On one device, given to the authors — a USB stick bought in China by a top engine designer for a UK car company — programs stored on the stick had attempted to take engine blueprints from the company and then hide them out of sight of the Windows operating system.

Given that there are already many documented cases of similar attempts to steal data, it is inevitable that the internet of things will become a target, due to the speed of introduction of new sensors, the lack of thought given to securing them and their potential to be reverse-engineered as spying devices.

Smart meters are one such system. They not only give a unique insight into who lives in a house through their power use but also allow anyone else logging onto them a detailed picture of what is being done in a home by monitoring power usage against particular rooms.

The data processing industry is able to overlay large amounts of data from a variety of sources, which will then throw up what’s known as anomalous data. This is a very effective way of finding people who are trying to hide; for example, fraudsters. Unfortunately it can also highlight people who, for perfectly legitimate personal reasons, are seeking to keep something private, such as their sexual orientation.

This level of sophisticated analysis will become even easier as the internet of things gets bigger. Mobile phone and locational information will reveal location and patterns of behaviour that can be cross-referenced against people who are not so reticent about their sexual leanings – in other words, the data will ‘out’ people.

This is particularly worrying for people who may have a genuine need to hide such as former spouses, people evading organised criminals and many other individuals who have a legitimate reason to escape detection. Already many cases exist of people using social media networks to stalk people. The authors have been told by the police in the UK of a worrying upsurge in cyber-stalking that involves the manipulation of social media data. We have also been told by the police in the UK that during an investigation by UK Customs into a drug smuggling gang operating in Southend in south-east England, the gang had become aware through using mobile phone scanners that it had been infiltrated. It then used hackers to try to break into the phone company’s database to discover the identities of the informants using the phones.

Professor Viktor Mayer-Schönberger, Professor of Internet Governance and Regulation at Oxford University, notes how in the United States a technology company has bought the entire US offender list and published it online. Many would argue that those people who have already served their sentences should really be given another chance. But as the law stands that data can be mined to show where they are living, having a detrimental effect on their employment opportunities and their efforts to try to rehabilitate themselves.

These former offenders can pay a sum of money to be removed from the list which, according to Mayer-Schönberger, amounts to blackmail on an already economically-challenged group. In any case, even removing themselves from such a list may not give them much protection in the future. By using big data, analysts can easily discover economically-inactive individuals, people who do not appear on electoral rolls and so on.

After discovering people who have not shown up on any sensor for a while and mapping the typical pattern of inactivity of an incarcerated criminal, this data can be fed to credit companies and others offering financial services. So our data-driven profiles do not always require us to have data recorded by one of the internet of things’ sensors. Not tripping a sensor will be something that software robots will pick up on and use to make decisions about us.

Thus the combination of credit reference software robots and other AI robots working on behalf of other institutions will need to be scrutinised – and questions raised about just how they should use data. Professor Fred Cate says a key issue is what permissions you can put on that data and what protections – not for the machine, but for the individual that the machine is governing. Both Cate and Mayer-Schönberger argue there has to be a legal lifespan built into the data.

This article is part of a series of articles published from the Netopia report Can We Make the Digital World Ethical? Exploring the Dark Side of the Internet of Things and Big Data, by Peter Warren, Michael Streeter and Jane Whyatt.