Slashdot Mirror
FCC CIO: Consumers Need Privacy Controls In the Internet of Everything Era
Lemeowski writes: Who is responsible for ensuring security and privacy in the age of the Internet of Things? As the number of Internet-connected devices explodes — Gartner estimates that 25 billion devices and objects will be connected to the Internet by 2020 — security and privacy issues are poised to affect everyone from families with connected refrigerators to grandparents with healthcare wearables. In this interview, U.S. Federal Communications Commission CIO David Bray says control should be put in the hands of individual consumers. Speaking in a personal capacity, Bray shares his learnings from a recent educational trip to Taiwan and Australia he took as part of an Eisenhower Fellowship: "A common idea Bray discussed with leaders during his Eisenhower Fellowship was that the interface for selecting privacy preferences should move away from individual Internet platforms and be put into the hands of individual consumers." Bray says it could be done through an open source agent that uses APIs to broker their privacy preferences on different platforms.
>Bray says it could be done through an open source agent that uses APIs to broker their privacy preferences on different platforms.
We tried this twice. First with P3P (which was complicated and unenforceable), then DNT (which was simple but still unenforceable). The FCC needs to get behind a platform and mandate it. Or better yet, just ban advertising-related tracking ANYWAY since literally zero people are going to opt-into that without a financial incentive. (The main reason why DNT fell through, actually: IE11 enabled it by default and the ad industry decided to ignore DNT entirely)
The government has no real interest in legislating for privacy because even if they stopped snooping on everyone (which they shouldn't be doing to start with, even though that hasn't stopped them) it would simply be a matter of filing legal paperwork to get any information that they wanted from the corporations who are collecting and storing that data for their own reasons.
If the FCC tried to do this of their own initiative, Congress would shut them down for "overstepping their bounds".
Knowledge is power, especially knowledge of a person's secrets.
Baaaaa!
Meanwhile, there are holes you can drive a truck at speeds up to 125 mph thru. Remotely. Against your will.
Mind if I slam on the brakes?
-- Tigger warning: This post may contain tiggers! --
horse out of barn. don't have one about a car.
We, the fine folks at the interactive advertising bureau, are delighted by the notion of a 'consumer preference client'. Indeed, we are so strongly committed to it that we recommend that it be incorporated at the hardware level, in order to provide additional trust in the 'Trusted Platform' that forms the foundation of the secure online marketplaces of tomorrow. With a suitably immutable GUID baked into every piece of hardware, we can finally ensure that each and every consumer receives exactly the privacy settings and offers most relevant to them!
All personal data should be presumed copyrighted by the person it describes (including email and such). And a new law is passed that requires any company that sells personal data is required to keep a record of where that data came from, and any requests to delete that data would be fed upstream to the sources of that data.
Today "privacy" can't work with things like "take me off your list". Because the company that makes the call doesn't "own" the list. They rent it from a company that keeps a master list. The master list company will *never* try to contact a customer directly, because then they'd be responsible for taking someone off the list, when required.
But if the list renter was required by law to pass the removal request to the source of the data, then "take me off your list" would have real teeth. In addition to helping the people who complain and ask to be removed, it would help everyone because it would drive the master list companies out of business. Rent-seeking middle men who profit from arbitrage caused by legal loopholes should never exist.
Learn to love Alaska
In the age of the internet of things. And not a moment before.
Fifty years of Yippie! 1968-2018
Okay, an internet connected thermostat does add functionality. An internet connected fire detector and an internet connected home security system also makes sense. (Though if you're working on a home security system that hooks up to the Internet and you don't think about software security, you're an idiot who needs to be put into protective custody and fed by a nurse so you don't accidentally poke your eyes out while eating with a plastic fork.)
But why do I need an internet connected oven, refrigerator, or toaster? Do I need an internet connected coffee maker? An internet connected microwave? What value do they add, really? Notifications?
It's probably a lot like the digital TV thing the FCC pushed, where they had a financial stake as individuals in companies poised to benefit from the new regulations. Surely Michael Powell or someone like him is invested in a company which is getting ready to offer part of the "solution".
Your company got hacked and millions of users' information (name, credit card, sexual fetishes, etc) got stolen? JAIL TIME all the way up the chain wherever there's even a hint of (ir)responsibility. If you're in the chain and have concerns, you raise questions with backed up emails or leave.
We don't need much more extra legislation than already exists. As someone already mentioned, this info might even be considered copyrighted! So the guilty company participated by their careless attitude, security, design, and/or unnecessary information retaining to the 20M+ (for example) cases of copyright infringement. So what we need is "teeth" and "will to prosecute".
Privacy is dead. Google declared it so.
I think that this is really part of a larger problem that eventually ties back to identity management and account management. That may sound like a strange thing to leap to, but hear me out.
One of the problems I've noticed for years is that it's not easy to keep track of all my accounts. Every time I sign up for a new account or trial, I have to create a new account, create a username, create a password, associate it with an email account, choose security questions, bla bla bla. Dual-factor authentication is supposed to help with some of the security problems associated with all this nonsense, but it also adds another complication to the whole thing. Once all that's done, I need to keep track of all that information that I used to sign up.
It's not so bad for individual accounts, but after a few decades of trying things out, abandoning accounts, signing up for trials that I end up not using, and all kinds of things, I really don't know what accounts I have available on which services, what the usernames are, or which email address they're associated with. When I answered security questions, I don't necessarily know what I answered with-- it asked for my favorite author, but was that my favorite author from 2 years ago or 10 years ago? Did I tell the truth when I answered it, or did I answer with a sarcastic joke answer? I honestly don't know for some accounts. I don't even know, for example, if I still have a MySpace account from roughly a decade ago, that I created, signed into a couple of times, and forgot about.
You're thinking this is completely off-topic, but here's the thing: as you have an "Internet of things", there's a good chance that each of those items are going to have their own account on their own service. You have some program to control your lights at home? That program will need an account. Someone invents a smart-vacuum, and it's internet connected? That'll have it's own account. These days, companies don't want to collaborate and develop standard APIs, common platforms, open protocols, or whatever else. Every company developing an app or a website wants to do it's own thing it's own way, while locking out the competition from interoperability. So now, every new Internet-connected thing is going to add complexity to your online life.
Asking to provide privacy controls to consumers is putting the cart before the horse. Even if you want to provide those controls, you're going to have different controls in different places in different UIs, all across different services with different accounts. Users won't be able to effectively manage those controls even if you provide them. What needs to happen first is that we need to develop some kind of identity management and SSO that begins to shrink the task of managing these various accounts. Once you have something like that, you could create APIs for managing those accounts, opening and shutting down accounts, viewing which private information is available in each account, and restricting/removing the private information as needed.
To enable security and privacy of users we do need a trusted resource to assure signing and provide revocable keys. At the risk of sounding like a luddite, I would suggest that the UP Post Office is the perfect entity to provide this service. One critical piece of security missing is a guaranteed piece cyber of identity. The Post Office has at least one office in every small town, has the authority of federal law to confirm identity (such as they do with passport applications) and has been in the information business for centuries. Having your keys signed by the post office would allow a bank or vendor to trust who is sending data or a digital signature. If you need to establish or reset keys they can check your ID and accept a new password. They have their own police force and are used to handling fraud. Ya, ya, NSA, FBI, yada, yada, yada, Snowden.... All I'm suggesting is a way to prove who you are when you ARE being public. (for example, "hey Bank, this is Foo please send $1B to Bar") No one says you have to use it all the time, but I sure would only accept signed email to keep scam spam out.
All data, no matter how seemingly innocuous, when ammassed, allows agencies to substantially abuse everything from subtle advertising, to obtaining private medical information, to downright spying. At this point, given all the breaches at every single level from government, medical, and business on down, and given that even major agencies/groups have sold information - isn't it a bit like trying to put the cat back into the bag? I mean it's a nice idea but I see it as trying to fix healthcare in America - there is no right answer we have built upon a foundation already and are entrenched. Not to mention that the NSA/CIA/FBI will just snoop any left over anyhow and likely still bungle security at some level as insane as that sounds. Or are we thinking of the children who have yet to have generated information to be stolen yet?
Consumers will only care until Google offers a free service in exchange for their privacy. Then they'll happily not care.
therefore he hates privacy. Their kind is against it except for themselves. They are such hypocrites. This study was more about how to invade our privacy and destroy our lives because they hate us.
Well, security controls sure as fuck should be placed in the hands of the individual consumer- because our esteemed Government has shown themselves to be woefully incompetent at protecting our data. My SF-86 is now floating around out there somewhere.
The idiocy of the average individual is at least roughly the same as our government. I've had it with these clowns.