Hey, everyone, good morning. I hope everyone is well rested, because I have a lot of, you know, text on my slides. So hi. I'm sire. I am a senior software engineer at Red Hat, and I am, well, I'm a bit of an enthusiast about all things smart and also about all things that are related to privacy and security, which don't really go well hand-in-hand all the time. But in everyday life, I started noticing a lot of things that people take for granted, so I thought probably this might be a good idea for a talk.

So just a quick rundown for people who might be confused: what is IoT? I'm pretty sure everyone here knows, but still, IoT is basically a system of interrelated computing devices, mechanical and digital machines, and objects. So the entire thing that you see over here, I basically copy-pasted it from Wikipedia because I'm so... So the idea is, Internet of Things basically talks about everyday objects which connect to each other as well as connect to the cloud, to the internet in general, and they talk together to help us with our everyday lives and also help us track our everyday lives. Now that is a really niche and really nice concept, but yeah, it has its fair share of ups and downs. So the thing with IoT devices is, all of them have a unique identifier and they don't really require a human-to-human or human-to-computer interaction in general.

So having said that, what is privacy? Is privacy a fundamental human right? Is it always explicitly protected by law, or is there even a law, or maybe a right, to be left alone?
So the thing is, I heard this somewhere, that privacy isn't really about keeping things private. It's not about secrets, but it's about choice: the choice to remain anonymous, or the choice to be able to say that, hey, if this is my data or this data has got anything to do with me, I should have a say in that and in how that data is used. One particular incident that actually riled me up a bit back was, I heard somewhere that Mark Zuckerberg had this famous... he had said something, which was that privacy should no longer be considered a social norm. Which was a bit disturbing for a few people like us, because we think privacy should be a fundamental human right. But when you are saying things like it should no longer be considered a social norm, you're fundamentally putting a lot of core concepts about our personal rights at risk.

So moving forward, what's the impact of IoT on privacy? Not to go into the textual part of things, the problem is, we use our smart devices nowadays. We are surrounded by telephones, we are always on the move, and we always have our fitness trackers, smart watches, we have these smart assistants and everything. So every aspect of our life is involved with some or the other internet-enabled and smart device. But the question is, are these smart devices only just responding to us, or is it also that someone else is listening to every move that we make? And that is a big point of concern. So if we are surrounded by a world full of sensors, are we really the consumers of those products, or are we now the product itself?
Because we are the commodities from whom a lot of big data companies are collecting data, which we might or might not want to share all the time. And there are a lot of fundamental issues that a lot of people don't know. For example, you want to order some kind of food, you have some personal tastes in your book reading habits or anything. Some of these habits you might want to share socially with the world, some maybe not. A recent example was in the application letter for the visa of a certain country: there is now a mandate to share your social account details. Now that is when things start getting scary. Think about it. You're wearing a smart fitness tracker which is connected to your social networks, which means that fitness tracker, which is tracking your every move, from where in the city to where you have gone, for how long of a time, that can be tracked, because it is now integrated with the social media account which you are already sharing with someone else, with the government probably or with someone else. Do you really want to share that, and that too to some government that you don't even know about?

So everyday objects are already becoming smarter and being connected to the internet. But how is that affecting us? What's the real impact over there? Then there comes the entire discussion about the deluge of data, with the entire advent of all of this data being stored in one single centralized place. And because we have a host of convenience smart devices, which are now not just one single device but rather an entire army of devices that are continuously correcting or talking to you, collecting our data and pushing them to the cloud, that really increases the scope for the threats to data privacy. And our entire ability to collect and process this data, it has literally overwhelmed our ability to protect that information. Are we really in control of that data? Who owns that data?
Do we really have any personal spaces left anymore? And are you sure that you did not give some XYZ company the first, the price, the permission to sell your data? Did you read the terms and conditions of your devices when you were buying them, or probably accepting the T&C to use them? So it's no longer just about our photos and emails, but also our heart rate, our respiration rate, location. These are the costs that we are paying when we agree to use a lot of free services. Most of the people are very happy about the fact that, you know, there are some free cloud services which allow us to track our everyday movements. Oh, we are so healthy, we are running from one place to another, it is showing us that every day we are running 10 kilometers or six kilometers. And yeah, but is that free service really free? What are you really paying for it, is the question.

Then there comes the enterprise aspect to it, when we look at it from the developer's perspective or from an enterprise point of view, who might be creating such a device. What are the big challenges that they face? One of the biggest things is with identity management. Are the big enterprises really thinking about the security aspects of these devices? Most of these IoT devices, they have some or the other default passwords. If you go to YouTube and if you search for, say, how to break someone's smart lock, there are these videos which show you that probably from a mile away you can point a laser at them and you can just send in an encrypted data and try to directly brute force your way into that lock, and just like that, your main door is now open for anyone to come in. A lot of people use smart garages. As soon as your car gets in the driveway, the garage door opens. How does that work in the background? There are certain security aspects to it. How is the garage knowing that it is your car in the driveway and not someone else's? Are you sure that that particular
system cannot be tricked into saying that, no, that's not your car, but that's mine?

So all of these again go back to the question: who owns this data? So we are talking about sending in a lot of data to the cloud, but do we really know, is that data anonymous? Is there anyone who can tell you what is being done to this particular data and who really owns this data? And the biggest concern is the footprint that your devices leave on the internet. They tell a story, and that story is about exactly who you are, things that even you might not know about yourself. So in retrospect, the responsibility for data privacy does not just mean that you need to keep your data private, but it's also about taking ownership of your own data. It means taking charge of what we want to share with the world. And what will happen in, say, five or ten years, when we might have billions of smart devices which start profiling you? You're walking through the road and everyone knows what exactly you want to do next. What if someone actually can't predict what you're going to do next, and what can someone do with that data?

So I'm not trying to scare anyone with the idea of IoT or, you know, your data is being collected, but the idea is you need to be a skeptic, you need to be a bit of... you need to have in mind that if you are not cautious, you might not know where your data is going and you might not know how to deal with it. So a healthy dose of skepticism is required when it comes to information security and data privacy.

The thing is, going back to the slides, probably it might seem a bit counterintuitive, but data privacy does not necessarily mean keeping your data private. That means that you don't essentially... A lot of people actually come and say that, hey, all of my life is an open book, I don't care who's getting access to my data, I would just want to publicize my life. So how does data privacy
impact me, then? The question is, it is not about that. It's about taking charge of what we want to share with the world. Given the fact that we don't really have a good amount of control on how these devices work, how GPS location is tracked and everything, be careful. Always read through the end-user license agreements that you sign when you sign up for these services or these smart devices or whatever, but be careful.

GDPR. So the good thing that has happened in the last few years is probably GDPR and its implementation, which means that there is an added emphasis on the organizations in general to really focus on data privacy and really inform the users of how their data is getting used. So that is a very big win, probably. But the question is, if you look over the history of the last 30 years, we have debated a lot about data privacy on the internet and how our data is being used, how it can be protected, and after 30 years, we have something called GDPR. Now think about IoT in general. It's still a baby. It's still in its infancy. We can still have a say from day one, saying that, you know what, if there are smart devices and smart anythings, how do we take control? There should be regulation, and someone needs to push it. So someone needs to look for an effort to look at the whole life cycle of a smart device, and how do we go beyond just the scope of GDPR, because GDPR probably looks at a very limited scope, well, not limited, but rather on a specific topic. But the broad scope of IoT might go way beyond it.

And the last thing is, sadly, legislature like GDPR, they rely a lot on privacy scandals becoming PR nightmares for manufacturing companies. So the issue over there is, until and unless there's a wide-scale PR nightmare for a company, they don't really want to do anything. They usually go with the fact that, okay, it's working, no one is complaining. Well, go ahead with it.
Do what the hell you want to with people's data. We don't really care. But until and unless something like a major scandal happens, none of these people really care, and that's a really big issue. And, you know, the problem here is, because this entire ecosystem of regulation, they move at a really snail's pace, like at a really slow rate, it comes down to pushing the executives and the CEOs. What would it take for them to think about it from day one? The good thing is we have a lot of really good examples of people in leadership positions who are committed to this, but on the other hand, there are also not other people. So what would it take for us to really convince them to go up and up there again?

For developers who might ask, what might we do to reduce security risks in our devices or something: first thing, please, if you are a developer, do include IoT-specific language in data privacy agreements. And it's important. The importance is, if you are the publisher, if you are the developer, you don't want to really have to deal with a, you know, lawsuit five years down the line because you did not really think about the data privacy aspects. Even though you might not be using someone else's data in a negative way, there might be some loophole which can come back to haunt you. How do you isolate IoT devices into separate logical segments on the network? That is something that needs to be thought about. If your device is interacting with multiple other devices, how vulnerable does it make the entire network, or how vulnerable does the network make your device? You need to monitor data flows, always keep an eye on what kind of traffic is going up and down, and keep an eye on those traffic patterns. And ensure that IoT buying decisions are driven by security considerations instead of just plain, okay, demand, supply is good and everything.

Yeah, I won't really go much into how to secure devices instead of just data.
This is more like common sense that should be thought about by the developers as well as the consumers, but yeah, the device, you need to think about this from the design aspects. You need to focus on convenience, not just about security. Sorry, you need to actually focus on the security rather than just the convenience of things.

Probably the second last slide that I have is on built-in privacy and security for devices. So how do you ensure that smart devices are privacy and security reliant, they are really focused on the users from the security standpoint? So one of the things is, if you're a developer especially, use factory-provisioned security keys, and then use some kind of OTP mechanism for that. You don't really want to enable users who try to just keep default passwords and then be done with it. It makes it very easy for people to actually break the security of those devices. Use these types of security keys as the basis for all encryption, authentication and probably OTA operations. So even though you know that users might be lazy, how do you actually make sure that even the lazy users are protected? And from that architectural design standpoint of those devices, focus on how do you make it as secure as possible while thinking about the architecture as well as the data storage.

So as the IoT ecosystem keeps evolving and expanding, how do we make sure that new levels of security and privacy provisions are needed? So I don't have much time now.
So I'll probably just quickly go through this. So, well, as the ecosystem keeps evolving, we need to really look at the security and privacy provisions of things, and we need to have unified and well-designed security guidelines to enable encryption for your devices on multiple layers, be that the transport layer or security keys or certificate generation and so on.

So at the end of the day, I just want to say that, you know, privacy is something that comes to us from within. We need to be conscious about privacy, and if we are not, well, we pay the price one way or the other. So whether we are a developer or we are just a consumer, we need to be really conscious about that and make conscious decisions on how do we improve security in general rather than just focusing on convenience. So yeah, that's all from me. So thank you. If there are any questions, I'm still here.

Okay. Yeah. Yeah, it's not just US agencies, but any government or any non-government agencies. You don't want to have your metadata being collected by some central XYZ corp and being processed and kept ready for someone else to use it. So you should be careful about that. You never know when that particular data might be used against you or to manipulate your decision-making process.

Yes. So as per the GDPR, you should be informed. If you're not being informed by certain vendors or organizations whose services you are using, there are certain rules, there are certain actions that you can take. But in general, if it's on the internet, there are a few tools that are readily available for your browser, for your applications, which you can use to track where your data is going. There are some internet websites which actually let you do that. What they do is, you just give your name and email ID, and they actually go through the list of all major data vendors on the internet and check what data is out there for you. So there are some tools on the internet that you can easily use for that. I
don't have the links here, but I'll be glad to share it if you...

So yeah, so the thing is, the difference is... Yeah, that's a valid question, like tool after tool after tool. But the only difference is these are open-source tools to which you have code-level access. If you want to check the code, you can go and check it and then take an informed decision whether you want to use that or not. So that's the difference.

Yeah, yes, yes. So the good thing about... Yeah, yeah, so he was saying that GDPR states that your terms and conditions need to be readable and understandable by the end user instead of just being some legal jargon. So the good thing with GDPR and what it has led to is, companies are now becoming wary of lawsuits and everything, so they have made a very conscious effort to make their T&Cs as brief as possible and as human-readable as possible, which is a good thing. And probably we will see more of that coming in as the time goes.

So yeah, anyways, I think I am out of time. Probably if you have questions, I am right here after the session, we can talk. Okay. Thank you.