A homeowner reports a robbery. His IoT-enabled pacemaker doesn’t indicate any change in heart rate during the robbery. Can investigators obtain that information from the service provider? Should they?
Issues of privacy increase as IoT sensors collect more information about us. What rights do individuals have over the information collected about them? Can the accuracy of sensor data be trusted?
Sherlock Holmes and the case of Silver Blaze
Silver Blaze was a crime Sherlock Holmes solved. It’s about the disappearance of a famous racehorse the night before a race and the murder of the horse’s trainer. Holmes solves the mystery by recognizing that the watchdog at the stable didn’t bark during the crime.
Gregory (Scotland Yard detective): “Is there any other point to which you would wish to draw my attention?”
Holmes: “To the curious incident of the dog in the night-time.”
Gregory: “The dog did nothing in the night-time.”
Holmes: “That was the curious incident.”
"The fact that the dog didn't bark when you'd expect it to do so while a horse was stolen led Holmes to the conclusion that the evildoer was not a stranger to the dog, but someone the dog recognized and thus would not cause him to bark," explains Mike Scotnicki, a freelance appellate attorney in his blog. "Holmes drew a conclusion from a fact (barking) that did not occur, which can be referred to as a negative fact."
In the reported burglary, the absence of any change in the homeowner’s heart rate could be a negative fact.
IoT data, privacy and forensics
Forensics applies science to criminal investigations following the legal standards of admissible evidence and criminal procedure. A host of issues arise around sensor data being used in investigations.
- How accurate is sensor data?
- Is the information collected actually about the person being investigated?
- Could information have been tampered with in transmission or while stored?
- Who owns the sensor data?
- Under what situations should the IoT service provider share the data?
- Does IoT sensor data constitute admissible evidence?
Online Trust Alliance
Established in 2005, the Online Trust Alliance (OTA) is a charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. It recently released its IoT Trust Framework (pdf) to help secure IoT devices and their data. Here are some of the OTA's relevant suggestions:
- Disclose the data retention policy and duration of personally identifiable information stored.
- IoT devices must provide notice and/or request a user confirmation when initially pairing, onboarding and/or connecting with other devices, platforms or services.
- Publicly disclose if and how IoT device/product/service ownership and the data may be transferred (e.g., a connected home being sold to a new owner or sale of a fitness tracker).
- Only share consumers’ personal data with third parties with consumers’ affirmative consent, unless required and limited for the use of product features or service operation. Require that third-party service providers are held to the same policies, including holding such data in confidence and notification requirements of any data loss/breach incident and/or unauthorized access.
"The rise of IoT has brought forth a new generation of devices and services representing significant innovation, yet all too many ship insecure and are not supported over their life," said Bruce Schneier, CTO IBM Resilient and Special Advisor to IBM Security, during a presentation at the recent RSA Conference. "They have become proxies for abuse with a capacity for causing significant harm."
Sherlock Holmes would be amazed by the amount and range of information collected by IoT sensors. Sherlock commented in one of his cases, "Having gathered these facts, Watson, I smoked several pipes over them, trying to separate those which were crucial from others which were merely incidental."
With IoT data, Sherlock would have smoked quite a few pipes!
This article is published as part of the IDG Contributor Network.