Saturday, September 30, 2017

You and the Internet of Things

 This fall, the SU iSchool has begun to offer Graduate Immersion Milestone Seminars. The first one is on the topic of "You and the Internet of Things."  Graduate students across the iSchool's graduate programs are in attendance, including MSLIS students.  

From my perspective, the the pros, cons and pitfalls of Internet of Things (IoT) is not a topic that is widely discussed in library circles.  Yes, we recognize that devices are capturing information, but:
  • Do we think deeply about what data is being captured by or in the library? 
  • Have we thought about how the Internet of Things can make libraries better?  
  • Have we thought about how the collected data is being stored and secured in the cloud?  
  • Have we thought about what could happen if our data is hacked?
The speakers this morning were not focused on libraries, but that doesn't mean we can't apply their topics to our library environment.  Below you'll see I've inserted some "library thinking" into my notes.  Please add comments if you have information to add or questions to ask.
 
Megan Snyder - Internet of Things and Cyber Security

Concerns:
"Things" can live long, software does not.
  • New vulnerabilities are addressed with new software
  • While you might replace your phone, for example, every two years, it will receive several software updates during that period.  Of course, people might not apply all of the updates, which could leave a security gap.
  • Imagine people being able to hack into a car or other things, which could be used to do harm
Things with sensitive data are connected
  • While you immediately think of banks, there are low tech devices which can capture sensitive data
  • Securing sensitive data
    • proactive ethical data stewardship
    • end to end security processes
    • innovate with new technologies 
Things are making decisions
  • Think about smart locks, smart homes, and smart grids
    • need built-in monitoring and then identifying of risks
  • There have been attacks on infrastructure worldwide, which was done by attacking the software
The future of securing IoT
  • Both customers and businesses need to focus on this
  • Need to look at the entire supply chain
While Snyder did not talk about libraries, consider that libraries are using software which is stored in the cloud or software as a service (SaaS).  That software could be storing information on library users/patrons, including private information such as books borrowed.  A security breach could make that information public.  Or a security breach could be used o alter the user data or alter the information on the library's collection.

Is the personal data stored in libraries a vulnerability that needs more attention?
  • Imagine a child changing his/her personal information so the person can check out adult books.
  • Imagine someone hacking an library system and wiping out fines.
  • Imagine a library's collection information being altered or deleted.
  • Imagine the software being delivered as SaaS being altered at the source, rendering all of its implementations useless.
Snyder noted that the U.S. Is behind in passing laws which would cause non-for-profits to pay attention to their cyber security concerns.

Radhika Garg (@gargradhika) - Does privacy disappear with IoT?

Are the implications that we as consumers are not aware of, in terms of cyber security?

IoT is not a single technology,  it is a combination of sensors, devices, networks, and software that work together to unlock valuable, actionable data.  If you are interacting with any part of that ecosystem, you should be concerned with cyber security. 

Garg asked if people use Dropbox and then asked if people know where the data is actually stored.  We use Dropbox to store a variety of different data, but we have no idea where that data really is and how it is being secured.

Data in the cloud can be used by the cloud service to learn about you, and then use that data, for example, to send you advertisements.

IoT dilemma - the information collected by sensors can be used for services that benefit and simplify people's lives, or it can be used for data mining and other use cases that raise security and privacy concerns.

Imagine the habits that your sensors know about you.

Garg noted that a sensor may only collect data, but then transmit the data to the cloud where it can be analyzed, shared, used, and abused.  Once the data is in the cloud, you have no idea what third parties that data might be shared with.

Although we do anonymize data, data gathered on a person from different sources may contain enough information to de-anonymize all of the data.

Can we collect less data?  Is there a minimal amount of data that is needed for a specific function?

While Garg talked about sensors, it occurred to me that video cameras in our cities and buildings are collecting our images.  Software can be used to identify people in those videos and it can be done automatically.  Software can also then track where people are traveling and when.  Imagine combining that information with sensor data, which could disclose more about your state/health when you were traveling through and between locations.

Garg noted that companies assume that people do not read privacy policies.  She also asked how are we expected to read the privacy policy on sensors, if sensors do not have screens?

Both Garg and Snyder noted that the privacy rules in the EU are better than in the U.S. The EU rules do affect U.S. residents because of U.S. companies doing business in Europe and needing to comply with EU policies.

In the U.S., state and federal laws are not harmonized on what is personal data.  We need to harmonize our laws in the U.S. and then harmonize our laws with the EU.

Next steps for organization in IoT ecosystem include:
  • privacy by design
  • privacy notice and transparency 
Garg ended by talking about the right to be forgotten, which has been written into EU law.

Kim Rose - How hospitals are embracing IoT

Rose talked about privacy legislation related to healthcare, such as the HITECH Act.

Medical devices inside the hospital
  • vital sign monitor
  • surgical procedures
  • intelligent bed
  • medical imaging
Outside the hospital
  • home sleep study
  • CPAP machine
  • cardiac monitor
  • diabetes blood sugar monitor
IoT has changed how medicine is being practiced.

Rose didn't connect her talk to libraries, but I can imagine a patient opting in to having their medical data shared with the hospital's medical library.  That would allow the library to deliver information to a patient which relates to the person's reason for being in the hospitals. Yes, that would raise huge privacy concerns.  Would the benefits outweigh the risks?

The talks this morning have made we wonder about cyber security, the Internet of Things (IoT), and libraries. Is this an area that we're really talking about?  Who are the library leaders in this space?  What conferences are talking about this?

On Twitter (#IoTSUiSchool), Jason Griffey said he is writing a library tech report right now on sensors.  It should be available late 2017 or early 2018.

No comments: