Internet of Things: Expectation of Privacy

For years we have had an expectation of privacy while using our computers, tablets, phones, email, etc. However, with the advent of big data analysis and everything being on the internet, the internet of things, there is no longer the veil that makes up an Expectation of Privacy. Big Data has allowed us to be tracked in new ways and as we add more devices onto the internet, more of our habits will be tracked: Such as location of boats, planes, your mobile device. Purchasing habits, your location within a store, or theme park. Perhaps even your usage of  your toaster, house doors, your refrigerator, etc.

Where do we draw the line?  Is there such a thing as personal privacy anymore or do we assume we are being tracked everywhere? When does our social media life end and privacy begin? What is considered to invasive?

At EMCworld 2013 this year, Trust was a major message, but how can we achieve Trust? The issue that came up over and over was Privacy, how can you ensure privacy of big data and how it is used? But not the privacy of the data itself but instead what it reveals about an individual. Security traditionally encompasses confidentiality, integrity, and availability from the business perspective, but it does not generally pertain to privacy except when it refers to personally identifiable information (PII) and the business must meet a compliance standard such as PCI DSS.

But should not a new bit of data be added to PII? The behavior of the subject under analysis? Let us look at an example:

A toaster is now talking home to the producing company about its usage, settings, and whether or not toast is burned or not as well as how soon after the toast is completed, the toast is picked out of the device for consumption.

This example shows several privacy issues in my mind

  • Since nearly everything has a timestamp these days, the toaster would be able to track meals that could begin to identify possible times a person starts work, given that toast is generally a breakfast/just woken up food which could identify the user of the toaster by work schedule.
  • It could also identify the type of bread, if you eat something specific, this could also be used to identify you.

Or this example, you start searching for baby clothes or other types of specific use clothes.

This example shows several privacy issues in my mind

  • Google today uses this data to determine what adds to show and on a multi-use device, your ads could show others what is happening in your life: Such as being pregnant when you have not told anyone yet?
  • These ads could show up at work as well as home depending on how you use Google, which could lead to embarrassment and potentially loss of face within the work place.

Individually, these may not seem like a lot, but they could be used to determine the current happenings in your private life. Life that should be private from big business. These tools make it impossible to maintain privacy. How can we opt out of such analysis? If we could opt out at will, this would improve my feelings about big data analysis and collection. However, today it seems all or nothing. At most we strip out what is commonly referred to as PII but leave in those other items that can be used to identify the person, location, and habits.

Given all this, there needs to be a fourth leg to our definition of security (confidentiality, integrity, and availability) and that should be privacy. Not privacy of the data which is covered already, but privacy about whom the data represents and not just individual chunks of data, but data that could infer specific people.  We should provide the Expectation of Privacy instead of expecting it to no longer exist as the new generation seems to think.

Pivotal is one such company that has the chance to bake this level of privacy directly into their application stack. Ingest data scrubbing but also the ability to opt-out of analysis or opt-in on demand for such analysis or targeting. Granted, the ability to opt-out could impact some businesses, but only those that go to far and impact a consumers thoughts on privacy. The ability to control what the consumer considers to be private is one way to build Trust in a product.

Posted in SDDC & Hybrid Cloud, SecurityTagged , , , , , ,