 Hi, everyone. We'll be starting now. Please let me know if you have any trouble listening or viewing the video. My name is Sai Sarkar and I work as a senior software engineer at Red Hat. Professionally, I mostly work with web and cloud technologies. However, outside the professional environment, I'm an open source enthusiast and a privacy evangelist with an eye towards shiny new emerging tech in both the hardware and software worlds. Today, I would be talking about a subject that has been the topic of much debate in the recent few years and one that deserves a healthy bit of skepticism, conversation, discussions and much more. This topic is privacy in the age of the Internet of Things. So the first question that we need to answer before diving into further discussions is, what is IoT? Well, we've all heard about the term quite a bit and know that it's an abbreviation for something called the Internet of Things. But what exactly is the definition of it? I was curious as well. I'd heard about IoT. I knew about the term Internet of Things, but what did it exactly mean? So like any other Internet-abiding citizen, I too went to the one place for all my answers, Wikipedia. And I found out the definition. So Wikipedia defines IoT as a system of interrelated computing devices, mechanical and digital machines or objects that are provided with unique identifiers, which are also known as UIDs, and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. So yeah, that's all really fancy, fine and dandy, but what exactly does it mean? What exactly does this definition mean for us in a layman's approach? So it's pretty simple actually. It's basically a collective term for all the interconnected smart devices that we surround ourselves with in everyday lives. From the smart watches that we wear to the smartphones that we carry in our pockets to smart TVs, smart refrigerators, smart air conditioners, automated home management systems or home automation systems. Well, anything and everything that you can probably slap the term smart onto comes under the purview of the Internet of Things. Anything that is smart and connected to the Internet and can talk to the Internet by itself without our explicit interactions is what comprises the Internet of Things. So okay, now we have a basic understanding of what IoT is. So the next question that comes in the purview of this discussion is what's privacy then? How do we define it? Is it a fundamental human right which may or may not be explicitly protected by law? Or is it a right to be left alone? Or is it about something much larger? What is it then? Well, it's a bit more complex than that. Privacy isn't really about keeping things private. It's not about secrets, but it's about the choice. Privacy is the choice to have a say in what happens to the data that is collected about us by any collection mechanism that might be a smart device that might be any other way. Devices have a lot of data about us. But what happens to this data is something that we should have a control over, that we should have a say in. It should be by our consent and by our express consent that anything can be done with this data. That's privacy. So the next obvious point of discussion that we come into is what's the impact of IoT on privacy and what do the two have to do with each other? Well, it's a pretty deep conversation actually. Recently I heard something about a statement that Mark Zuckerberg made. So he infamously said that privacy should no longer be considered a social law. What does it mean? Well, nothing good, I'm afraid. Even though it sounds disturbing, alarming even, does the statement have any merit to it? Well, that's what we will eventually find out. Let me try to explain this. Consider this. Surrounded by a world full of sensors around us, talking not just with us, but also with the internet, where the data is stored in the cloud from where it might be eventually packaged and sold. Are we the consumers, really the consumers? Or are we being converted into the product that is being consumed in the grand scheme of things? Think about it. The objects are already becoming smarter and being connected to the internet, the global network. Our computing is slowly diffusing out into our environment. From what we do online to what we do offline, everything can now be tracked, analyzed and packaged into a bundle, ready to be consumed by the biggest fish out there in the open market for purposes that might not be completely known to us. Well, mostly they're unknown to us. Do we really have a say? Do we really know what's going to happen with our data? That photo that you posted on Facebook and did not even think about twice to check the privacy setting is it public or not? Would you be surprised if that photo ends up on a billboard a few days later? Do you even have control over that data? You might think that because you are the owner of that photo, you should have a see on that, right? But do you really know that if that photo is still your property after you have uploaded it? Similarly, the conversations that you have at home, while you have a smart device listening to you 247, you really know if a recording of that conversation is being made or not. And if so, does that recording really belong to you? Or does it not? What's the legalities around it? Do we even understand that? And have we ever considered what can be the long term impact of this data going out there? Well, it turns out the consequences at times can be severe. How severe? Maybe I can give you an example about that. So this data that goes out in the global network, it has some unintended and unexpected consequences from time to time. Last November, the Silicon Valley startup Strava announced a big update to its global heat map of user activities. This map showed over a billion user activities, including running and cycling routes of fitness enthusiasts, wearing smart watches or other wearable fitness trackers. It so happened to turn out that some Strava users appeared to work for certain militaries or various intelligence agencies. What do you think happened next? Very soon, some knowledgeable security experts connected the dots between the highlighted anonymous user activity and the known basis or locations of US military or intelligence operations. Some analysts even went out as far as to say that the data could reveal individual Strava users by name. Think about it. What can be the consequence of such humongous leak? Needless to say, the biggest danger here was from potential adversaries by tracking and even identifying military or intelligence agency personnel as they go about their duties or head home after the completion of the deployment. These digital footprints that echo the real-life steps of individuals underscore a greater, much greater challenge to governments and ordinary citizens alike. Each person's connection to online services and personal devices makes it increasingly difficult to keep secrets. What happens when you have such an outburst of data? What happens when you have such massive amount of data flowing out into the worldwide web? Well, you have the great deluge of data. What happens then? Because a host of convenient smart devices now continuously gather data, process and send data to make our lives more convenient, they have also magnified the threats to privacy. Our ability to collect and process data has overwhelmed our ability to predict that information. Our smartphones, fitness trackers, smart TVs and all other kinds of smart appliances generate a massive amount of sensitive information from browsing habits to purchasing patents to real-time location to personal health information. It's no longer just about our photos and emails, but also our heart rate, respiration rate, location. How we slept and with whom the boundaries of personal spaces are quickly disappearing since we, the consumers, willingly give them the permission to sell our data when we accept their terms and conditions without even reading them properly in exchange for free services. The privacy and attention we are trading for our free services and content is now much more personal. This brings us to the big question, who wants the data? Who wants this entirety of the data that's going out there? Let's see. Is the data really anonymous? Do we really know what's being done with this data? Well, we think it's a matter of ownership. Who wants the data being collected by smart devices to make these devices smart? The footprint your devices leave on the internet tells a story. What do you think that story tells? The story is about who exactly you are, including things that you yourself might not even know about yourself. Think about that. Let that sink in for a moment. In retrospect, the responsibility for data privacy doesn't just talk about keeping your data private, but also about taking ownership of your personal data and what you want to share with the world. Think about what would be the implication of this unchecked propagation of your private data after a few years down the line, both in your personal and private life. Think about what might happen if someone can actually predict what you're about to do next. What can they do with this data about you? We already talked about the Starway example. Think about what would happen if someone had all your personal data and knew everything about your personal life. Just let that sink in and think about what they can do with that. So the responsibility of data privacy seems to be the obvious point that we should be talking about. So it might seem counter-intuitive, but data privacy does not necessarily mean keeping our data private. It means taking charge of what we choose to divulge about ourselves. We now leave a trail of data behind us that grows wider with every smart device we acquire. Billions of smarter and smarter devices will soon paint highly detailed portraits of almost everything that we do. Internet of Things or IoT devices deserve a healthy dose of skepticism when it comes to information security and data privacy. Installing a small piece of technology within your premises may not seem like a risk management decision, but a poorly configured IoT device can open your door to. Given that we do not have full control over the devices that require our data to work, we must pay very close attention to the data that we share. Carefully read the end user license agreement or EOLA before selecting that. Yes, I agree option. Protect your electronic doorway to your home by setting up a secure router. Change the default password of any new IoT device that you set up. In fact, use strong passwords, passwords that are unique for all your online accounts. Probably that would help you keep your data safe and even more private. At the end, the responsibility for data privacy comes down to the individual. If the individual is alert, if the individual is cautious, you don't really need to worry much going ahead about how much data is going out about you. Well, this topic is about something that I was really happy about when it happened. So a great thing happened over the course of the last few years. And that's the introduction of the General Data Protection Regulation or GDPR in 2016. And it's eventual implementation in 2018 by the European Union. GDPR push into effect and added emphasis by organizations all across the world in general to focus on data privacy and clearly inform consumers about how their data is being used. Since the internet by its own definition is a global entity, a major regulation such as GDPR in the European Union had global consequences. And this led to something that was very much awaited and that was very much welcomed by conservatives and privacy enthusiasts like us. So in over 30 years, we have debated over privacy in the internet with not much success. Due to a large number of media reasons, regulation still moves at a snail's pace. Ironically, it's up to CEOs, executives and employees to reject projects that would profit over privacy. IoT and connectivity are growing rapidly and to keep up with the space, privacy regulation strategies need to be applied during the design phase itself. From design to manufacture to eventual disposal, there needs to be an effort to make more ethical design choices. Looking at the internet of things, we realize that it is still in its infancy. We can still have a say from the very initial stages about the need for regulation to allow consumers to take control of their data. It's time we take a closer look at the whole lifecycle of a smart device and focus upon how we can go even beyond the scope of GDPR and look at the broader scope for data privacy in internet connected devices. Sadly, however, legislation like GDPR rely on privacy scandals becoming PR nightmares for manufacturing companies. The issue here is that large corporations usually don't care about consumer data privacy as long as everything is just working fine and no one is complaining. What would it take to convince the decision makers to become a bit more proactive and sensitive towards protecting consumer privacy? Moving forward, we need to be careful in considering how IoT may intersect with personal privacy data protection. To start with, we can take a few small but important steps to reduce risk. 1. Isolate IoT devices with separate logical segments of the network. Make sure that you don't have your smart devices all connected to the same network. If that happens, if one of them is compromised, there's a chance that all of them might get compromised. The isolation of IoT devices into separate logical segments of the network reduces that risk by a whole lot much. 1. Monitor data flows and watch for unexpected or anomalous traffic patterns. I don't need to speak much about this. You know what this might mean. Any anomalies in your network traffic might mean that something or someone else is probably having a really nice time with the network connection. 2. Ensure that IoT buying decisions are driven by security considerations. It's just the ability to change default passwords, receive and apply patches and disable the unneeded services on any IoT device. So moving on, how do we secure ourselves then? It's not just about securing our data, but it's also about securing devices. The design of IoT technology focuses on convenience, not security, which makes our data vulnerable. Managing the risks associated with data collection begins with making the gathered data more secure. The time has come now to ask what does privacy truly require? Right now, threats include hardware vulnerabilities, network threats, ransomwares and distributed denial of service, which we call DDoS attacks. Simple steps like securing a home router can prevent vulnerable devices from being severely compromised and save you a lot of trouble and also a lot of help. So, how can privacy and security be built into services and devices? A common approach for IoT is to use factory provisioned security keys and store them in some secure OTP area in the device. These keys are then used as the basis for all encryption, authentication and OTA operations. IoT core development and architecture design allows the need to follow a secure by design approach. It means that new IoT products need to integrate security into product development as early as possible during the product development lifecycle. Device architecture and data storage should be designed in such a way that enables GDPR compliance. Finally, keys and IoT device provisioning should comply with security and privacy data management guidelines. So, as you know, the IoT ecosystem evolves and expands, how do we ensure that new levels of security and privacy provisions are implemented? Well, to make IoT solutions secure and enable privacy, architecture design and development have to include security features at the very early phases. IoT systems are distributed, so it's crucial to have unified and well-defined security guidelines to enable encryption or devices on multiple layers. Be that the transport layer or the security keys or security certificates, integration with third-party services may also introduce new security breaches. So, it is crucial to check that all components comply with security guidelines and provide interfaces that are secure and could be provisioned in a proper way. It's more and more beneficial to include security and privacy monitoring components into the IoT ecosystem. With AI and data-driven approach, these components enable not only reporting of existing security issues, but also can generate some insights to prevent security incidents, like some of what we already discussed. So, some basic, you know, some very basic steps and some very logical implementation of security and privacy provisions within the devices itself can go a long way. At the end of the day, I just want to highlight that privacy is something that comes to us from within and it's a very intimate choice. We need to be conscious about it in all walks of life, whether it's digital or analog or social. If we are not conscious enough, we end up paying the price in one way or the other. Whether we are a consumer or manufacturer, we need to be conscious about the impact of our decisions on privacy and security in general, rather than simply focusing on convenience. So, and with that, thank you everyone. That was all that I had for the session today. Any questions are most welcome. And if you want to get in touch with me, you can find more about me at my webpage at Psyche.in or contact me at Twitter and Psyche Circa, Psyche underscore Circa is my handle. So, thanks everyone for listening to what I had to present today. You have been a lovely audience. Thank you.