People are really worried about IoT data privacy and security—and they should be

A new study from the Economist Intelligence Unit (EIU) shows that consumers around the world are deeply worried about in how their personal information is collected and shared by the Internet of Things (IoT). But let’s be honest, the problem isn’t that unsophisticated consumers are panicking for no reason. In fact, consumers are merely picking up on the very real inherent risks and uncertainties surrounding IoT data.

Businesses are also worried about IoT security

I’ll get into the results and implications of the survey in a moment, but first I want to note that business and professionals are equally concerned. Perhaps that’s why Gartner just predicted that IoT security spending will hit $1.5 billion by the end of the year, up 28 percent from 2017, and more than double to $3.1 billion by 2021.

Among other things, all those dollars are intended to help prevent the “catastrophic” effects of a data breach or cyber attack on IoT devices. That may sound hyperbolic, but according to the recent Second Annual Study on the Internet of Things (IoT): A New Era of Third-Party Risk from the Ponemon Institute and Shared Assessments, that’s what 97 percent of surveyed risk professionals feared would be the result of an attack on unsecured IoT devices. More than half (60 percent) saw IoT vulnerabilities to ransomware attacks.

A correct perception of reality

When it comes to an new technology like the IoT, of course, perception can matter just as much as reality. And that’s why the EIU report — What the Internet of Things means for consumer privacy — is such a red flag for companies that make and use IoT devices and networks.

According to the study, huge majorities of consumers around the world don’t think their IoT data is safe, and they want something done about it before the problem spirals out of control:

• 92 percent say they want to control what personal information is automatically collected.
• 74 percent are concerned that small privacy invasions may eventually lead to a loss of civil rights.

Companies can’t just write off these issues as mere Luddite hysteria over identity theft and consumer behavior profiles. Consumers are unhappy for good reason.

According to a statement from Veronica Lara, who edited the report, “Consumers have cause for concern, as the ubiquity of interconnected sensors through the IoT adds layers of risk that people can’t easily understand. Companies’ lack of transparency and the absence of consumer control over data exacerbate perceptions of privacy and security threats.”

There are likely to be consequences. More than nine in 10 (92 percent) of respondents want to increase punishments for companies that violate consumers’ privacy, and they are looking for commitments from government and industry to protect privacy with full disclosure of how the data will be used and shared with third parties.

Hope for a secure IoT future?

Via email, Ashley Stevenson, senior applied innovation director at ForgeRock, which sponsored the EIU survey, agreed that the problem is very real: “When you consider the types of data generated in smart home and connected car scenarios — where the number of devices, apps, and services can be extensive — the potential for misuse grows exponentially.”

Stevenson was optimistic that these problems would be addressed, whether IoT companies like it or not. The goal is to let users “own and be in control of their own data and to feel a sense of trust for the platform or company that has access to their data.”

Can we count on IoT vendors to make that happen?

“We believe we’ll see viable solutions to these concerns in the years ahead,” Stevenson said. “The technologies to make this happen exist and are maturing quickly. Organizations will adopt these in order to ‘do the right thing,’ or due to pressure from their customers, or due to regulations.”

The User Managed Access (UMA) standard is a promising approach, Stevenson concluded. “UMA supports a much more user-friendly method for managing access to control over personal data. It makes it easy to grant consent, share data, and revoke consent.”