On Oct. 21, 2016 a denial of service attack on nearly one hundred thousand pieces of equipment, including webcams, security cameras and other Internet of Things devices, resulted in the temporary inaccessibility of major websites such as GitHub, Twitter, Reddit, Netflix, AirBnb, to name a few. This interruption, largely caused by Mirai malware, had significant economic impact and highlighted the vulnerability of users of Internet of Things devices. Perhaps most frightening however, is the fact that little or no public policies exist to regulate those devices.
In today’s world, it is virtually impossible to separate our lives from Internet of Things devices. As the Internet of Things and smart devices become more ubiquitous and run the gambit from phones to earbuds to children’s toys, we must honestly assess both the value and risks that come along with a world in which security and digital privacy are constantly under threat of being compromised. And as new technologies and the scope and scale of these devices continues to grow, we must ask what role the government should have in setting public policy on technology issues surrounding them.
Before you can answer the question of what the government’s role in privacy and cybersecurity should be, you first have to ask the question of what is a reasonable expectation of privacy in a cyber world. Traditionally, personally identifiable information (PII) has been limited to relatively static items, such as social security numbers, home addresses and fingerprints. However, the proliferation of technology capable of capturing new and dynamic things about how you operate in the world makes the question of what is PII more complicated.
For instance, most modern cars contain technology which captures and records driving patterns. Keyboards can be set to identify you by the way in which you type. Cameras can be equipped with face, eye or even voice technology. These types of equipment only scratch the surface of a burgeoning field of technology where seemingly innocuous pieces of everyday life are now thrust into the foreground of the privacy and cybersecurity discussion.
"In today’s world, it is virtually impossible to separate our lives from Internet of Things devices"
Furthering this discussion is the fact that technology which allows anyone to capture and potentially compromise one’s PII and in turn privacy, is becoming readily available and more affordable every day. New earbuds allows people to hone in on specific frequencies in focused directions, allowing their users to listen in on private conversations from a great distance away. Another device allows law enforcement to take the technology used to scan travelers at their airport and use it in the streets to assess what is in vehicles in real time.
While these technologies can be used to serve the greater good, it also raises the question of not only what regulations are required for private citizens using it, but also what limitations should be placed on government against the average citizen. Is having a conversation with a friend in a public place, such as an airport, private? Are the contents of your car and home private? And at what point and with what cause can that privacy be reasonably breached?
Currently, there is a dearth of laws regarding privacy in the United States. Constitutionally, the fourth amendment forms the basis for those laws in America. Further acts and policies have been put into place at the federal, state and local level to address matters of privacy. However, in a time where we cannot agree on what constitutes a reasonable expectation of privacy, or what information even constitutes information which must inherently be protected, governing these matters is a difficult task. As the Internet of Things and smart technology continues to evolve and proliferate, these issues will only grow more complex and controversial.
In a lecture given to the London School of Economics, European Union Parliament member Claude Moraes said that digital privacy “is the new frontier of human rights.” As we all go through the course of our day, talking on smart phones, driving GPS enabled cars, receiving weather reports from internet connected speakers and listening to music on Bluetooth earbuds, we must all understand the ramifications of this technology and the potential for privacy and cybersecurity issues which are incumbent in their use. While the government has had a limited role in these issues thus far, the ability for that to change and what that change looks like depends upon all of us. In order to protect citizen’s data and the continuity of commerce, we have to all understand that cyber security and digital privacy are not simply IT issues, but they are also public policy issues.