For years we have had an expectation of privacy while using our computers, tablets, phones, email, etc. However, with the advent of big data analysis and everything being on the internet, the internet of things, there is no longer the veil that makes up an Expectation of Privacy. Big Data has allowed us to be tracked in new ways and as we add more devices onto the internet, more of our habits will be tracked: Such as location of boats, planes, your mobile device. Purchasing habits, your location within a store, or theme park. Perhaps even your usage of  your toaster, house doors, your refrigerator, etc.

Where do we draw the line?  Is there such a thing as personal privacy anymore or do we assume we are being tracked everywhere? When does our social media life end and privacy begin? What is considered to invasive? At EMCworld 2013 this year, Trust was a major message, but how can we achieve Trust? The issue that came up over and over was Privacy, how can you ensure privacy of big data and how it is used? But not the privacy of the data itself but instead what it reveals about an individual. Security traditionally encompasses confidentiality, integrity, and availability from the business perspective, but it does not generally pertain to privacy except when it refers to personally identifiable information (PII) and the business must meet a compliance standard such as PCI DSS.

But should not a new bit of data be added to PII? The behavior of the subject under analysis? Let us look at an example:

A toaster is now talking home to the producing company about its usage, settings, and whether or not toast is burned or not as well as how soon after the toast is completed, the toast is picked out of the device for consumption.

This example shows several privacy issues in my mind

  • Since nearly everything has a timestamp these days, the toaster would be able to track meals that could begin to identify possible times a person starts work, given that toast is generally a breakfast/just woken up food which could identify the user of the toaster by work schedule.
  • It could also identify the type of bread, if you eat something specific, this could also be used to identify you.

Or this example, you start searching for baby clothes or other types of specific use clothes.

This example shows several privacy issues in my mind

  • Google today uses this data to determine what adds to show and on a multi-use device, your ads could show others what is happening in your life: Such as being pregnant when you have not told anyone yet?
  • These ads could show up at work as well as home depending on how you use Google, which could lead to embarrassment and potentially loss of face within the work place.

Individually, these may not seem like a lot, but they could be used to determine the current happenings in your private life. Life that should be private from big business. These tools make it impossible to maintain privacy. How can we opt out of such analysis? If we could opt out at will, this would improve my feelings about big data analysis and collection. However, today it seems all or nothing. At most we strip out what is commonly referred to as PII but leave in those other items that can be used to identify the person, location, and habits.

Given all this, there needs to be a fourth leg to our definition of security (confidentiality, integrity, and availability) and that should be privacy. Not privacy of the data which is covered already, but privacy about whom the data represents and not just individual chunks of data, but data that could infer specific people.  We should provide the Expectation of Privacy instead of expecting it to no longer exist as the new generation seems to think.

Pivotal is one such company that has the chance to bake this level of privacy directly into their application stack. Ingest data scrubbing but also the ability to opt-out of analysis or opt-in on demand for such analysis or targeting. Granted, the ability to opt-out could impact some businesses, but only those that go to far and impact a consumers thoughts on privacy. The ability to control what the consumer considers to be private is one way to build Trust in a product.

Share this Article:

Share Button
Edward Haletky (380 Posts)

Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.

[All Papers/Publications...]

Connect with Edward Haletky:


Related Posts:

5 comments for “Internet of Things: Expectation of Privacy

  1. May 16, 2013 at 11:46 AM

    As I told you on Twitter, the only two ways we can have privacy baked in are by 1) Market Pressure 2) Regulations

    Market Pressure will only happen if the end users demand it or a company with financial muscle push it through to disrupt the industry. I don’t see the latter happening because of natural market vulnerability (aka profitability breeds lethargy). You don’t see the former happening. I guess regulations are the only way to keep the term privacy relevant. Let us see how things turn out but we need to keep the awareness going. Good post.

  2. May 16, 2013 at 12:24 PM

    Hello Krish,

    Market pressure is there now. Privacy is a HUGE concern, so why not take that to heart and build it in now instead of trying to bolt on tools? This needs to be baked into platforms not necessarily the app.

    Best regards,
    Edward

  3. Dguyadeen
    May 17, 2013 at 9:34 AM

    If you want privacy unplug. Seriously. Your ISP keeps track of every site/ip, the govt is tracking you, and if you use a free web service they need to monetize the data.

  4. May 17, 2013 at 10:24 AM

    Hello Denis,

    However, agreed but there is the legal precedent of ‘Expectation of Privacy’ that exists, regardless of what the ISP is doing. But should the new breed of apps not have User Privacy in mind when they are built instead of trying to bolt it on after the fact? Allow me as the user to dial it down or up, or dial it down or up based on new legislation and possible backlash from monetizing seemingly private data.

    Best regards,
    Edward Haletky

Leave a Reply

Your email address will not be published. Required fields are marked *


seven + = 8