THE INTERNET OF THINGS AND PRIVACY CONCERNS

Charles Joseph Koronkowski

Professor Randy Dryer
HONOR 3374-002
The University of Utah
INTRODUCTION
The Internet of Things (IoT) is an ever-expanding network of
objects connected to the Internet either through wires, or, more
commonly, through wireless sensors. These objects interact and
communicate with one another, sharing information in the form of
data. As this network grows, it offers more and more benefits to

individuals, private firms, and greater society. These benefits range

from convenience and time saving factors, to fostering efficiency, to
promoting safety and saving lives. The IoT has already become a
massive aspect of how communities are run today, and as time
progresses, it will become an essential tool for many parts of life.
With the growth of IoT, however, certain risk factors arise, most
commonly relating to privacy concerns. The more objects record data
about daily life and the habits of individuals, and the more these
devices communicate this information over the Internet, the more the
individual risks an invasion of his or her privacy. This risk comes both
from the entities that collect the information, who might sell it to
marketers or insurance companies, and from hackers who might wish
to steal information for personal gain.
The IoT is already a part of society, and will continue to be.
Individuals will need to make the choice between privacy and
convenience that is right for them. At an aggregate level, however,
safeguards and protection will need to be put into place to ensure that
the IoT is as secure as it can be. This will be a massive effort, which will
require both the cooperation of both the private and public sectors, but
to ensure any level of privacy, will need to be undertaken.
BACKGROUND
There is no widely agreed upon definition of the Internet of
Things. Depending on how it is defined, the IoT can include anything
from thermostats to automobiles, from pacemakers to cell phones. One
common definition is the connection of physical objects to the Internet

and to each other through small, embedded sensors and wired and
wireless technologies, creating an ecosystem of ubiquitous computing
(FTC, 2015, p. 5). Others argue the defining point is simply embedded
intelligence in physical objects. However, [w]hat all definitions of the
IoT have in common is that they focus on how computers, sensors, and
objects interact with one another and process data (FTC, 2015, p. 5).
The IoT is not yet a ubiquitous part of everyday life, but
estimates claim there will be as many as sixteen billion devices
connected to the Internet by 2020 (Clark, 2014; Middleton et al., 2013;
Press, 2014). In a matter of years, practically every daily activity will be
automated, connected to the Internet, and gathering data. In the
home, the IoT will start the coffee maker before you wake up, learn
your temperature habits and adjust accordingly, lower the shades to
block afternoon sun, alert you when you are low on essentials such as
milk or bread, and unlock your doors to your home as you approach in
your car, among countless other possibilities.
The IoT will extend far beyond providing convenience for the
average consumer. The increased potential for efficiency that comes
with an Internet-intergraded world is enormous. The IoT will change the
ways businesses are run and the way cities are organized. It will
change manufacturing, create safety measures previously impossible,
and through its application in healthcare, save lives. From simple
access control to predictive maintenance, the IoT will streamline the
processes of any industry in countless ways. Businesses will be able to

take real-time inventory, track assets, optimize energy consumption,

and better protect employees through a network of interconnected
machines in constant conversation with one another. In the medical
field, doctors will be able to remotely monitor their patients, track their
exercise and diet habits, and be able to remotely check on pacemakers
and other medical devices. Ambulances will get patients to the hospital
faster through real-time traffic monitoring. Cities will be made into
smart cities traffic will be controlled, potential pipeline leaks will
be detected, and public transportation can be optimized.
All of these applications only scratch the surface of the potential
the IoT has for making a more streamlined and efficient community.
These benefits will not only be timesaving mechanisms, but will also
make a society that is more productive, more resilient, and safer.
BENEFITS
The benefits of a widely disseminated Internet of things stem
from the aggregate data collection it entails. The amount of data that
can be collected by billions of devices that are connected to the
Internet will make todays big data look small in comparison. More
important is what can be done with such data when billions of devices
are connected to the Internet and to each other. Such a wide diffusion
of connected devices allows for a finer grain of dataa more complete
picture that comes from range, frequency, and prevalence. A
significant departure taken by the IoT is that unlike in a Web-based
environment, the IoT collects data which the individual does not

directly input. IoT devices learn about consumers by observing their

habits, tendencies, and preferences as well at their environments.
Learning is based on behaviors and phenomena in the natural, physical
world as opposed to the strictly online world (Weinberg, Milne,
Andonova, and Hajjat, 2015, p. 618-619). This type of data collection
portrays not only a more accurate, but also a more intimate, depiction
of an individuals habits and activities. Data collection this
comprehensive will create three main areas of benefitconvenience,
efficiency, and life saving.
A well-dispersed and well-connected IoT will save time and make
everyday life easier for the average consumer. Using a smart device,
such as a smartphone, tablet, laptop, etc., the individual will have
remote control over much of the home.
Home automation systems can provide consumers with a single
platform that can connect all devices within the home, [with] a single
app for controlling them (FTC, 2015, p. 8-9). One benefit of such
control is the ability to stay connected when away from home. For
example, people can access and utilize their home computers or cable
television service when away from home (Weinberg et al., 2015, p.
619). A diffuse IoT has more functional benefits than simply staying
connected, however. Individuals will be given the ability to essentially
run the home while preoccupied or away. For example, the IoT will
allow consumers to set [their] temperatures remotely, go from bake
to broil, [and] monitor [their] products from various locations inside

and outside [their] home[s] (FTC, 2015, p. 9). The list of timesaving
uses the IoT entails goes well beyond this cursory list of examples, and
as the IoT grows, its uses will continue to expand.
The IoT will promote efficiency for individual consumers, public
utilities, and private entities. In the manufacturing sector as well as
other sectors of business, the utilization of IoT technology will
enhance restocking or other supply chain management services
(Weinberg et al., 2015, p. 619). This will in turn save the company both
money and time through increased productivity, allowing valuable
resources to be devoted to other areas, such as research and
development. The ways in which firms make money and charge for
services can be similarly revolutionized through the IoT. For example,
pay-as-you-go could be broadened beyond mobile phone services and
automobile rentalsto almost any application, such as insurance
(Weinberg et al., 2015, p. 619). Such innovation could both save
consumers money and attract new consumers who might be wary of
long-term monetary commitments.
Additionally, individuals and public and private entities will be
able to work together for communal efficiency through the IoT. For
example, smart meters can enable energy providers to analyze
consumer energy use and identify issues with home appliances, even
alerting homeowners if their insulation seems inadequate compared to
their neighbors, thus empowering consumers to make better
decisions about how they use electricity (FTC, 2015, p. 8). Such

digital communication and cooperation could extend to practically all

areas of life, simultaneously providing more complete information and
eliminating inefficiencies.
The IoT will do more than prevent waste and save money,
however. When applied to the automotive sector, the IoT will go
beyond promoting convenience; it will foster safety and potentially
save lives: sensors on a car can notify drivers of dangerous road
conditions, and software updates can occur wirelessly, obviating the
need for consumers to visit the dealership (FTC, 2015, p. 9). The
importance of wirelessly connected sensors becomes increasingly
obvious in the event of an accident. Connected cars also can offer
real-time vehicle diagnostics to drivers and service facilities[and
send] automatic alerts to first responders when airbags are deployed
(FTC, 2015, p. 9). Driving an automobile is one of the most dangerous
activities the average individual engages in on a daily basis. The IoT
will revolutionize the way this entire part of life operates. In the shortterm, sensors in cars will be able to avoid traffic, prevent accidents,
and call emergency services when necessary. In the long-term,
however, the potential created by the IoT becomes even more
interesting. As society moves towards a completely automated
transportation system, the IoT becomes integral. A system of selfdriving cars would be impossible without IoT technology. Such
technology is projected to not only be available, but widespread in the
next decades, and at the heart of the system is the IoT.

The IoT goes beyond safety promotion; it will be employed to

transform medicine and save lives. The possibilities range from general
well-being promotion, to end-of-life-care, to the prevention and
treatment of serious diseases. As the Federal Trade Commission noted
in their 2015 Staff Report on the IoT, when applied to healthcare, it will
improve quality of life and safety by providing a richer source of data
to the patients doctor for diagnosis and treatment[,]improve disease
prevention, making the healthcare system more efficient and driving
costs down[,][and] provide an incredible wealth of data,
revolutionizing medical research and allowing the medical community
to better treat, and ultimately eradicate diseases (FTC, 2015, p. 7-8).
This will all be done through medical devices, either worn or ingested,
that are connected to the Internet. This provides either the individual
or his or her doctor with data collected in real-time. For example, a
consumer wearing a health-related IoT device may allow for constant
collection of vital information, such as pulse, body temperature, and
distance traveled (Weinberg et al., 2015, p. 619). Such wearable
devices would allow a primary care physician to monitor a patients
exercise habits, for example, in order to determine what the best
course of treatment would be for the individual. Further, connected
medical devices could obviate some need for assisted living or
retirement homes, being especially beneficial for aging patients, for
whom connected health devices can provide treatment options that

would allow them to manage their health care at home without the
need for long-term hospital stays or transition to a long-term care
facility (FTC, 2015, p. 7).
While wearable devices have a limited range of uses, injected or
ingested devices would allow [d]ata [to]be collected for finer grain
health-related phenomena such as blood flow, neural activity, or
ultimatelyprotection from life-threatening afflictions (Weinberg et
al., 2015, p. 619). Advanced uses of IoT technology such as these are
still on the periphery of current technology. However, it can be inferred
that through the ever-increasing speed of innovation, the uses for
Internet connected medical devices of this nature could be practically
endless. It could be possible, in the near future, a wearable or ingested
device and its peripherals could predict a life-threatening event such
as a heart attack or stroke, contact emergency services, and relay the
patients vital statistics to emergency personnel who are en route, as
well as the receiving hospital.
RISKS
Despite the potential benefits of a widely distributed IoT, with
such high levels of connectivity, come high levels of risk. Most of the
probable threats that come with a network of physical objects
connected to the Internet relate to the simple issue of privacy. With
tens of billions of objects projected to be interacting with one another,
the security risks become very real, as each of these communications
must be secured against intruders. The number of attack vectors

available to malicious attackers might become staggering, as global

connectivity (access anyone) and accessibility (access anyhow,
anytime) are key tenets of the IoT (Roman, Zhou, and Lopez, 2013, p.
2270). Even if one entity has its own network of objects adequately
secured, if some of those objects are interacting with an external
network without safeguards, the entitys network its theoretically
vulnerable to attack. Due to the extent of the IoT, securing all aspects
of it becomes intrinsically problematic: the inherent complexity of the
IoT, where multiple heterogeneous entities located in different contexts
can exchange information with each other, further complicates the
design and deployment of efficient, interoperable and scalable security
mechanisms (Roman et al., 2013, p. 2270).
The more ones life is connected to the IoT, the more serious of a
privacy risk the IoT becomes. Information is both valuable and
personal, and the more information that is stored in a digital form, the
more vulnerable the individual becomes. This could include innocuous
bits of information, such as when one begins to brew coffee in the
morning, what temperature one likes to keep their home at in the
night, or when one has run out of milk. However, the more ubiquitous
the IoT becomes, the more areas of ones life it subsumes. Vulnerable
data can include banking information, who one associates with, when
one is and is not at home, among countless other sensitive pieces of
information. The loss of such data leaves one open to fraud, theft,
blackmail, etc. Similarly, through the aggregation of data collected

from multiple devices, a hacker could create a full behavioral profile of

an individual, including ones habits, vices, and movement. The extent
of harmful activities a hacker with malicious intentions can do with
information contained within the IoT network is practically endless.
The first point to be considered based on these risk factors is the
inherent value an individual places on privacy. This would be unique to
each consumer. Some might mind the possibility that all of their
movements are being digitally documented, while others might not.
Even prior to a hypothetical hacking, the chronicling of an individuals
every action and preference could be disconcerting. Thus there are two
levels to privacy risk to consider when evaluating IoT innovation:
simple data collection, and the potential that that data will fall into the
wrong hands. There will be an inherent tradeoff between the
convenience created by IoT technologies, and personal privacy; the
consumer will determine the extent to which that tradeoff is
worthwhile.
One area where the data-loss risk created by the IoT comes into
stark relief is medical information. Medical information tends to be
highly sensitive in nature, ranging from things one might find sensitive,
such as activity level or diet, to things most would find to be personal,
such as procedure history, medical conditions, and the medications
one is taking. The more this information is collected and stored in a
connected digital network, the more vulnerable the individual is to
intrusions upon privacy. For example, the simple use of a wearable

medical device that monitors things like heart rate and activity could
harm the individuals future prospects: the data gathered by the
device could be used in the future to price health or life insurance or to
infer the users suitability for credit or employment (FTC, 2015, p. 16).
There are multiple facets to be considered, even when only dealing
with the most superficially connected wearable medical devices. As it
is a private firm that often creates the device and collects the data, it is
similarly often that firm that owns the rights to the data. This means
that they can sell the data for a profit, if they so choose. The consumer
must consider with whom they are comfortable sharing their personal
medical information. They should consider their devices privacy policy,
if it has one. The main problem is that consumers often do not realize
that they are conveying sensitive information through a physical
device. Many individuals today safeguard their online presence, be it
through email, social media, etc.because they understand this data
to be to some degree vulnerable. However, many consumers do not
yet understand the privacy risks of physical object with built-in wireless
sensors, increasing their vulnerability.
Similarly, as medical records become increasingly digitized, and
potentially shared between networks, there exists an increased risk of
privacy violations. Medical records can be at risk of theft and misuse
both from within a medical institution and without. While a breach of
personal health information can be inadvertent or malicious, most
individuals would consider this be a major breach of their privacy rights

either way.
On the more serious side of potential risks associated with IoT
enabled medical devices comes the hacking of actual devices. While
this is a risk that is often sensationalized, there have been recorded
instances that validate this possibility. For example, the FTC reports an
instance where an individual was able to hack remotely into
connected insulin pumps and change their settings so that they no
longer delivered medicine (FTC, 2015, p. 12). Similar threats could be
imagined: advanced hearing aids or advanced prosthetic limbs could
be disabled, and wirelessly connected pacemakers could be shut off.
Whether or not these threats will present themselves to be likely
occurrences, the IoT will at the very least make them possible, and
thus cannot be taken lightly.
Another area in which the IoT presents a serious risk to safety is
with connected automobiles. Connected sensors could transmit to
insurance companies the extent to which a driver brakes suddenly,
speeds, etc. and give motive to subsequently increase rates. However,
similar to connected medical devices, connected automobiles produce
a more serious risk. It becomes possible for an attacker [to] gain
access to the cars internal computer network without ever physically
touching the car (FTC, 2015, p. 12), in turn creating the potential for
the attacker to remotely assume control of the vehicle. This gives a
hacker a several-thousand pound weapon to control, which poses a
serious safety risk not only to those inside the vehicle, but also to

others on or near the road.

A widespread IoT also creates massive potential for abuse.
Whether it is to be utilized by federal or local governments, or by a
police force, the potential surveillance apparatus created by the IoT is
extensive. A complete behavioral profile, which includes an individuals
acquaintances, activities, movements, purchases, medical history,
preferences and predispositions, and even personality, can be formed
and exploited. An entity that wished to abuse access to such an
apparatus could use it to surveil citizens, searching for criminal
activity, perhaps without probable cause. Worse, such surveillance
could be abused to effectively frame an individual, given the massive
data that could be collected.
RECCOMENDATIONS
The IoT is an inherently complex entity, and thus securing it
against potential threats is an inherently multifaceted issue. The range
of devices that constitute the IoT is growing ever more diverse and
disparatethey are made by different firms, for different markets, for
different purposes. It then follows that there cannot be one overarching
solution to securing the IoT. A two-pronged and flexible approach must
be taken for the greatest degree of security to be achieved. The first
piece must be contributed by the private sector, which must work to
ensure they build the most stringent possible safeguards into their
devices. This can be used to market their products as safer than older
models, or than their competitors. To ensure the private sector is

holding up to their promises, and keeping up with ever-changing

innovation, the public sector will be required to pass legislation
demanding standards, protections, and accountability.
The private sector must recognize the risks that will be
associated with the connected devices they sell, and take both
adequate precautions and accountability for them. [W]ith extensive
consumer data inextricably linked to the implementation and
effectiveness of IoT and the resulting elevated importance of privacy, it
becomes critical for marketers to raise their game as regards privacy
quality, respecting consumers, and building and maintaining strong,
trustworthy customer relationships (Weinberg et al., 2015, p. 623).
The best way to do this is to promote the concept of privacy by
design. Privacy by design is a process that calls for proactive
consideration of privacy objectives and aims from the start, then
continues throughout the design and delivery process of products and
related actions (Weinberg et al., 2015, p. 623). The idea is to build
privacy protections into connected devices, and thus the entire
network of the IoT, that works proactively rather than reactively. The
highest privacy safeguards become the default. Transparency is used
throughout the process, and everything is built with the privacy
interests of the consumer in mind.
Four main principles, or privacy requirements, must be
implemented, as is well outlined in Rolf Webers (2010) piece Internet
of ThingsNew security and privacy challenges:
1. Resilience to attacks: The system has to avoid single points of

failure
and should adjust itself to node failures.
2. Data authentication: As a principle, retrieved address and
object
information must be authenticated.
3. Access control: Information providers must be able to
implement
access control on the data provided.
4. Client privacy: Measures need to be taken that only the
information
provider is able to infer from observing the use of lookup
system
related to a specific consumer; at least, inference should be
very
hard to conduct.
(Weber, 2010, p. 24).
If private entities successfully implement these measures from the
outset, as opposed to in reaction to breaches, the IoT could be a
reasonably secure platform for sensitive data. The private sector
should take the onus upon themselves to make these safeguards
standard, not only to appease consumers, but to ensure security and
longevity for the IoT, which will in turn provide benefits for firms in
numerous ways.
Self-regulation by the private sector is unlikely to be successful if
left to its own devices, however. Legislation will likely be necessary to
ensure the security of the IoT. This could range from simple incentives
that urge private firms that build connected devices to include
stringent safety measures at the low end, to regulation that requires all
firms that produce such devices to meet certain privacy and security

standards on the high end. While full regulation is preferable, it must

still take into account the preferences and requests of the industry.
Legislation should require firms to meet the above four privacy
principles in a manner that meets the privacy by design goal.
Further, a system of privacy ratings should be legislated, so that a
device can be rated from somewhat safe to very safe. This would give
consumers the information necessary to not only buy the devices
suitable to them, but also have the authority to use their purchasing
power to create incentives for firms. Legislation should also address
the potential abuse of connected networks. Civil authorities and
government agencies must be required to obtain a warrant before
utilizing any aspect of an IoT network to surveil a suspect.
Unwarranted surveillance must be prevented, no matter the scale.
With this combination of private and public effort to curtail threats and
promote security and privacy, the IoT can become the most efficient
and useful macro-network it can be.

CONCLUSION
The continued development of the IoT will undoubtedly
revolutionized the way one lives his or her life and how society will
function as a whole. It could very well turn out to be the most
important advancement since the Internet itself. This is why its
innovation must be adequately protected. The benefit society stands to

reap from a massive network of connected objects is unfathomable,

but the harm the IoT can cause, if not cared for, could be disastrous.
Individuals must not be required to forfeit their privacy rights in the
name of convenience, efficiency, or even safety. Rather, if the public
and private sectors take the necessary steps, a truly awe-inspiring
network can be built around the world. It will not only change life for
the human species, but it will make the species stronger and more
resilient. Humans have been co-evolving with technology for millennia
now, and the IoT is the next, very large, step. It must be ensured that
this next step is not into a cage, and not into chaos. The IoT can and
should be a freeing force, just as its necessary predecessor, the
Internet, was before it.

REFERENCES
Clark, D. (2014, January 5). Internet of things in reach: Companies
rush into devices
like smart doors locks, appliances, but limitations exist. The Wall
Street
Journal.
FTC Staff Report. (2015, January). Internet of things: Privacy & security
in a
connected world.
Medaglia, C., & Serbanati, A. (2010). The internet of things. New York,
NY: Springer
New York.
Middleton, P., Kjeldsen, P., & Tully, J. (2013, November 18). Forecast:
The internet of
things, worldwide, 2013. Gartner.

Press, G. (2014, August 22). Internet of things by the numbers: Market

estimates and
forecasts. Forbes.
Roman, R., Zhou, J., & Lopez, J. (2013). On the features and challenges
of security and
privacy in distributed internet of things. Computer Networks,
57(10), 22662279.
Stackowiak, R., Licht, A., Anttha, V., Nagode, L. (2015). Big data and
the internet of
things: Enterprise information architecture for a new age. Apress.
Weber, R. (2010). Internet of thingsNew security and privacy
challenges.
Computer Law & Security Review, 26(1), 23-30.
Weinberg, B., Milne, G., Anadonova, Y., & Hajjat, F. (2015). Internet of
things:
Convenience vs. privacy and security. Business Horizons, 58(6),
615-624.