This fall, the SU iSchool has begun to offer Graduate Immersion Milestone Seminars. The first one is on the topic of "You and the Internet of Things." Graduate students across the iSchool's graduate programs are in attendance, including MSLIS students.
From my perspective, the pros, cons and pitfalls of the Internet of Things (IoT) are not a topic that is widely discussed in library circles. Yes, we recognize that devices are capturing information, but:
- Do we think deeply about what data is being captured by or in the library?
- Have we thought about how the Internet of Things can make libraries better?
- Have we thought about how the collected data is being stored and secured in the cloud?
- Have we thought about what could happen if our data is hacked?
The speakers this morning were not focused on libraries, but that doesn't mean we can't apply their topics to our library environment. Below you'll see I've inserted some "library thinking" into my notes. Please add comments if you have information to add or questions to ask.
Megan Snyder - Internet of Things and Cyber Security
Concerns:
"Things" can live long, software does not.
- New vulnerabilities are addressed with new software
- While you might replace your phone, for example, every two years, it will receive several software updates during that period. Of course, people might not apply all of the updates, which could leave a security gap.
- Imagine people being able to hack into a car or other things, which could be used to do harm
Things with sensitive data are connected
- While you immediately think of banks, there are low tech devices which can capture sensitive data
- Securing sensitive data
- proactive ethical data stewardship
- end to end security processes
- innovate with new technologies
Things are making decisions
- Think about smart locks, smart homes, and smart grids
- need built-in monitoring and then identifying of risks
- There have been attacks on infrastructure worldwide, which were carried out by attacking the software
The future of securing IoT
- Both customers and businesses need to focus on this
- Need to look at the entire supply chain
While Snyder did not talk about libraries, consider that libraries are using software which is stored in the cloud or software as a service (SaaS). That software could be storing information on library users/patrons, including private information such as books borrowed. A security breach could make that information public. Or a security breach could be used to alter the user data or alter the information on the library's collection.
Is the personal data stored in libraries a vulnerability that needs more attention?
- Imagine a child changing his/her personal information so the person can check out adult books.
- Imagine someone hacking a library system and wiping out fines.
- Imagine a library's collection information being altered or deleted.
- Imagine the software being delivered as SaaS being altered at the source, rendering all of its implementations useless.
Snyder noted that the U.S. is behind in passing laws which would cause not-for-profits to pay attention to their cyber security concerns.
Radhika Garg (@gargradhika) - Does privacy disappear with IoT?
Are there implications that we as consumers are not aware of, in terms of cyber security?
IoT is not a single technology, it is a combination of sensors, devices, networks, and software that work together to unlock valuable, actionable data. If you are interacting with any part of that ecosystem, you should be concerned with cyber security.
Garg asked if people use Dropbox and then asked if people know where the data is actually stored. We use Dropbox to store a variety of different data, but we have no idea where that data really is and how it is being secured.
Data in the cloud can be used by the cloud service to learn about you, and then use that data, for example, to send you advertisements.
IoT dilemma - the information collected by sensors can be used for services that benefit and simplify people's lives, or it can be used for data mining and other use cases that raise security and privacy concerns.
Imagine the habits that your sensors know about you.
Garg noted that a sensor may only collect data, but then transmit the data to the cloud where it can be analyzed, shared, used, and abused. Once the data is in the cloud, you have no idea what third parties that data might be shared with.
Although we do anonymize data, data gathered on a person from different sources may contain enough information to de-anonymize all of the data.
Can we collect less data? Is there a minimal amount of data that is needed for a specific function?
While Garg talked about sensors, it occurred to me that video cameras in our cities and buildings are collecting our images. Software can be used to identify people in those videos and it can be done automatically. Software can also then track where people are traveling and when. Imagine combining that information with sensor data, which could disclose more about your state/health when you were traveling through and between locations.
Garg noted that companies assume that people do not read privacy policies. She also asked how we are expected to read the privacy policy on sensors, if sensors do not have screens.
Both Garg and Snyder noted that the privacy rules in the EU are better than in the U.S. The EU rules do affect U.S. residents because of U.S. companies doing business in Europe and needing to comply with EU policies.
In the U.S., state and federal laws are not harmonized on what is personal data. We need to harmonize our laws in the U.S. and then harmonize our laws with the EU.
Next steps for organizations in the IoT ecosystem include:
- privacy by design
- privacy notice and transparency
Garg ended by talking about the right to be forgotten, which has been written into EU law.
Kim Rose - How hospitals are embracing IoT
Rose talked about privacy legislation related to healthcare, such as the HITECH Act.
Medical devices inside the hospital
- vital sign monitor
- surgical procedures
- intelligent bed
- medical imaging
Outside the hospital
- home sleep study
- CPAP machine
- cardiac monitor
- diabetes blood sugar monitor
IoT has changed how medicine is being practiced.
Rose didn't connect her talk to libraries, but I can imagine a patient opting in to having their medical data shared with the hospital's medical library. That would allow the library to deliver information to a patient which relates to the person's reason for being in the hospital. Yes, that would raise huge privacy concerns. Would the benefits outweigh the risks?
The talks this morning have made me wonder about cyber security, the Internet of Things (IoT), and libraries. Is this an area that we're really talking about? Who are the library leaders in this space? What conferences are talking about this?
On Twitter (#IoTSUiSchool), Jason Griffey said he is writing a library tech report right now on sensors. It should be available late 2017 or early 2018.