The privacy risks of the Internet of Things


The Internet of Things has come a long way since the turn of the century when it was a buzzword used by futurists and entrepreneurs. Although not yet as ubiquitous as some predicted a decade ago, Internet-connected devices have crept into many aspects of our daily lives.

Now, with everything from vacuum cleaners to climate control systems connected to our phones, IoT is creating a world of extreme convenience. That, in itself, sounds like a great thing, but there are several issues regarding how these devices handle your data that you should be aware of.

Here at Proton, our number one concern is the privacy and security of our users. This article examines the main issues with individual IoT devices and the idea driving the creation of the IoT, and presents the case for why you should be skeptical of any “smart device.”

Alexa, what is the Internet of Things?

The term IoT refers to all things (or even animals or people) that can be hooked up with a chip that lets them be connected to the Internet, share data over a network, and communicate with each other.

The combination of these devices makes it possible for them to gather information, analyze it, and perform specific tasks. For example, your house alarm system could connect to a mobile app that lets you arm or disarm the alarm, even from a distance.

However, the emphasis placed on ease of use and functionality means that other key aspects, like privacy and security, are often secondary to convenience for the people making these devices. 

New data, same old devices

One thing that is often overlooked with IoT devices is that they usually need to connect to your other devices in order to work. So, by proxy, they operate under the same email address, IP address, and phone number as your laptop and mobile devices.

This means that IoT privacy is still dependent on the privacy of all your other devices. So if you have a bad privacy policy or weak privacy settings on your smartphone, for example, your IoT device will have the same data leakage.

For that reason, it’s better to think of these devices as parts of a bigger network. A washing machine, coffee maker, or television… what if someone could put the data from these devices together? If the Internet of Things reaches its full potential, you will be surrounded by devices that act as a surveillance network that can constantly monitor you and monetize your data.

For example, if you have a smart lighting system at your house that you control with your phone, companies could know when you’re home and when you’re sleeping. If you fill your kitchen with smart devices, they will be able to know what you bought (via a smart refrigerator that helps you with your grocery list) and what you have eaten and how long you cooked it (via a smart microwave that chooses the perfect setting when you tell it what food you are warming up). These things are surely convenient, but it should be your choice whether to let companies know such personal information or sell it to third parties.

There are risks beyond privacy scandals and data breaches. This new flood of data would give corporations the power to reach even further into our lives. A health insurance company could increase your rates if they see you are heating up extra buttery popcorn. In a dystopian future, they could shut your microwave off to prevent you from eating food they deem unhealthy. The IoT could allow companies to take a much more active role in shaping your life.

New points of vulnerability

If each device is now a computer of sorts, then it can be hacked. There’s an episode of Mr. Robot in which the protagonist’s hacker crew compromises a person’s entire home to drive her out of it. Well, it’s not that far-fetched (Mr. Robot’s writers are pretty good at being technically accurate). But smart homes aren’t the only thing at risk here. In a CNN story, cybersecurity engineers demonstrated how they could take control of a car by hacking the dashboard’s computer.

The reason for that, at least in the case of cars, is that most of the protocols and system architecture inside them were built in the 1990s when the car was a closed box. Security experts have pointed out that because they were never meant to be connected to anything, the 50 to 100 tiny computers that control the moving parts of a car don’t hold up to modern security standards. They’re easily manipulated, rarely conduct authentication, and the hacking of one part could potentially compromise the entire car.

While these are nightmarish examples, there are far more subtle attacks that could potentially wreak even more chaos in your life. According to Frank Abagnale (the con artist from Catch Me If You Can, now an FBI cybersecurity agent), most smart home systems can easily be taken over, and whoever owns them could listen to everything that is said in your house. The same goes for security cameras.

The usual problem is that while most computer systems are able to patch security flaws via regular updates, most IoT devices aren’t designed with this ability, so their security flaws stay there indefinitely. Furthermore, when it comes to devices with long shelf lives, there is the risk that their manufacturer could decide to discontinue their technical support, stop issuing updates, or even go out of business. 

Business data breaches 

All the vulnerabilities we just covered not only apply to individuals and households, but to every organization, from a five-person start-up to a multinational business. Suddenly, it’s not just about a single person compromising their privacy for the sake of convenience. When it comes to a business, you’re talking about potentially thousands of people at risk, including customers’ data.

Just last year, a study by the Ponemon Institute concluded that data breaches rooted in unsecured smart devices increased from 15% to 26% in only three years. The problem, as the study points out, is that most organizations don’t have security policies regarding IoT devices or a team responsible for implementing them.


Privacy versus convenience 

It’s becoming apparent that both people and businesses are getting lured into the world of IoT without giving much thought as to what it may do to their privacy and security.

Manufacturers, sensing a business opportunity, are ignoring privacy and security concerns to focus on how to pair data collection with increased convenience and functionality. Since most consumers don’t seem to consider this when purchasing, it’s not that surprising that companies are neglecting privacy and security concerns, at least as much as government regulations (when applied) allow them to. There’s also, of course, the fact that all the data they gather is most likely another source of revenue.

While privacy concerns persist in the IoT space, there are exceptions. iRobot, the company behind the Roomba automatic vacuum cleaner (that you can program with your phone), has a very transparent privacy and data sharing policy. They claim to never sell customer data, they only share it with third parties if the user chooses to do so, and they’ll delete all of it upon the user’s request.

More and more, companies are being forced to be more upfront about their security practices and how they handle data. So if you need or want one of these devices, make sure you understand the particular risks of connecting them to your network and putting them inside your home before purchasing.

Maybe for you, the convenience of having Alexa tell you the weather while you cook breakfast is worth the risk of someone listening to you plan your day. But if enough people demand that these sorts of devices take privacy seriously, as has happened with browsers, email, calendars, and other products, maybe the companies behind them will listen, and privacy won’t be the luxury or niche option, but the default.

Best Regards,
The Proton Mail Team
