In my previous blog I explained the benefits of IoT, provided some examples and gave some reasons why we cannot ignore this IT trend. This blog discusses the information privacy and security challenges of IoT. However, in order to deal properly with the topic, the concepts of information privacy and security first have to be defined.
Abomhara defines security as “an organised framework consisting of concepts, beliefs, policies, procedures, principles, techniques and measures required to protect individual system assets as well as the system as a whole against deliberate or unintentional threat”.
Gudymenko provides a more common definition of information security: the measures taken to protect the confidentiality, integrity and availability (CIA) of information. In addition, SANS gives the following explanations of the CIA terms used in the definition of information security:
- Confidentiality – is needed to ensure that information is disclosed to only those who are authorised to see it.
- Integrity – is needed to ensure that information has not been changed by accident or deliberately and refers to the accuracy and completeness of information.
- Availability – is needed to ensure that a system is accessible to those who need to use it in accordance with its purpose.
In the case of information privacy, Tavani explains that there are a number of definitions of information privacy, and not all of them provide a comprehensive explanation of the concept. Tavani proposes that information privacy can be defined as “in a situation with regards to others, in that situation an individual is protected from intrusion, interference and information access by others.”
On the other hand, Weber states that the right to privacy can be considered a basic, non-negotiable right that every individual owns and controls.
According to Chigumba, in the South African context the country’s constitution defines privacy as “an individual’s right not to have their person or home searched, their possession seized or their communications infringed.”
Based on the above definitions, one can reason that information privacy is achieved when an individual has control over their personal information. This, by the way, is not the same as secrecy or information confidentiality, as is commonly believed.
While the benefits of IoT have been highlighted, the information privacy and security challenges of this emerging, and most probably soon to be pervasive, technology are a concern for business, governments, experts and society in general, as highlighted in my previous blogs, and they need to be understood. These challenges can be summarised as privacy for humans, accuracy and completeness of the data within the processes used, and dependability of the technology used.
Below is a listing and brief explanation of the key information privacy and security challenges facing IoT:
- Eavesdropping, passive monitoring, traffic analysis and data mining. These attacks can result in personal information breaches. Abuse of the information obtained through these breaches can impact the physical and psychological well-being of the individuals who are affected. Consider situations where crimes such as fraud, robberies or even murders can be committed if criminals had access to confidential health information, correspondence from banks and insurance companies, stolen identity records or information about one’s location.
- Lack of uniformity in privacy laws. The way in which various countries treat privacy concepts and regulations varies, and to make matters worse IoT is a technology deployed mainly over the internet, with no geographical boundaries.
- Privacy laws are often non-existent and sometimes outdated in terms of their application to technology. This creates a situation where there is reliance on the companies that build or use IoT to self-regulate, which generally does not happen.
- Interception of, or intrusion into, data, information and messages being transmitted between IoT devices, whether by physical or logical means.
- Denial of Service (DoS) attacks. This kind of attack tries to make devices unusable. IoT devices generally have low memory and computational capabilities, and are susceptible to DoS attacks such as jamming of devices and exhaustion of bandwidth and disk space.
- Physical damage and attacks on devices. IoT devices are generally left outdoors and unattended, so they are sometimes vulnerable to weathering, deliberate damage, theft, etc.
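The confidentiality and integrity requirements defined above, and the eavesdropping and interception challenges just listed, are easier to reason about with a concrete message in hand. The following Go program is an added example, not code from the original blog or from any cited author: it protects one constructed telemetry reading with AES-256-GCM from Go's standard library, so that a passive observer on the wire sees only ciphertext (confidentiality) and any in-transit modification, or an attempt to pass the record off as coming from a different device, is rejected on receipt (integrity). The device key, device identifier and meter reading are constructed values for the example; the key would in practice be provisioned per device rather than embedded in code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceKey is a constructed 256-bit pre-shared key for this example only;
// it stands in for a key provisioned to one device and its backend.
var DeviceKey = []byte("0123456789abcdef0123456789abcdef")

// Seal encrypts and authenticates a telemetry message with AES-256-GCM.
// Record layout: 12-byte random nonce || ciphertext || 16-byte tag.
// The device identifier is bound as associated data, so a valid record
// cannot later be presented as if it came from another device.
func Seal(key, deviceID, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce we pass as dst.
	return aead.Seal(nonce, nonce, plaintext, deviceID), nil
}

// Open checks the authentication tag and decrypts. Any change to the nonce,
// ciphertext, tag or device identifier makes it return an error.
func Open(key, deviceID, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("record too short to hold nonce and tag")
	}
	nonce, ciphertext := record[:aead.NonceSize()], record[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, deviceID)
}

// Tamper returns a copy of record with a single bit flipped, standing in for
// an in-transit modification so the receiver's check can be demonstrated.
func Tamper(record []byte) []byte {
	out := append([]byte(nil), record...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	id := []byte("meter-42") // constructed device identifier
	reading := []byte(`{"device":"meter-42","kwh":13.7}`) // constructed reading

	rec, err := Seal(DeviceKey, id, reading)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire (eavesdropper's view): %x\n", rec)

	pt, err := Open(DeviceKey, id, rec)
	fmt.Printf("receiver accepts: %s (err=%v)\n", pt, err)

	_, err = Open(DeviceKey, id, Tamper(rec))
	fmt.Println("modified in transit:", err)

	_, err = Open(DeviceKey, []byte("meter-99"), rec)
	fmt.Println("presented as another device:", err)
}
```

Note that this covers two of the three CIA properties; availability (the DoS challenge above) is not something encryption provides, and the 28 bytes of nonce and tag overhead per message is exactly the kind of cost that matters on constrained IoT devices.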
Below is a listing of some serious and possibly terrifying examples of IoT privacy and security breaches:
- The US National Nuclear Security Administration experienced 19 successful cyber-attacks between 2010 and 2014. The main method of attack was a computer virus called Stuxnet, designed to infect industrial programmable logic controllers (PLCs). PLCs allow the automation of electromechanical processes such as factory assembly lines, amusement park rides and the centrifuges used to separate nuclear material.
- A company called TrackingPoint makes a smart rifle that uses IoT technology to let individuals digitally mark a target in order to take a perfect shot from about a kilometer away. The “smart rifle” also connects to smart phones or tablets to view the rifle’s scope. However, security researchers have discovered software flaws in the smart rifle that allow anyone with access to the internet to remotely adjust the rifle’s controls.
- IoT breaches recently occurred in the United Kingdom, where hackers attacked IoT-connected devices in homes, shutting down smart appliances, entertainment systems and even heating systems.
Hopefully the breaches mentioned above will kick-start industry, academia, governments, regulatory bodies, non-profit organisations and other influencers into realising that IoT challenges need to be addressed as a matter of urgency.
Studies show that one of the key factors impacting IoT adoption is a lack of confidence about how personal information will be protected. Below is a listing of the implications for the adoption of IoT by organisations, practitioners or any other individuals:
- Countries need to harmonise and agree on privacy laws or define baseline policies, standards and guidelines for proper handling of personal information.
- Adoption of globally accepted technology design practices that consider information privacy and security implications from the outset, for example Privacy Impact Assessments (PIAs), Privacy by Design principles and the International Organization for Standardization (ISO) 27001 specification for an information security management system (ISMS).
- IoT involves people, things and data, which means that interoperability amongst disparate and distributed systems is essential. Abomhara suggests that there is a need to develop an open architecture standard to address this issue. Furthermore, this architecture standard should be made up of a well-defined abstract data model, interfaces and protocols able to support a wide range of uses.
- Technology development standards for creating tamper-proof devices. This includes exploration of effective physical and logical access protection mechanisms, such as encryption protocols.
- Development of standards, procedures and technologies to correctly identify IoT objects and devices. This includes standards to manage authorisation, authentication and access control.
- Enforcement of compliance to information privacy and security laws and standards.
M. Abomhara and G. M. Køien, “Security and privacy in the Internet of Things: Current status and open issues,” in Privacy and Security in Mobile Systems (PRISMS), 2014 International Conference on, 2014, pp. 1–8.
I. Gudymenko, K. Borcea-Pfitzmann, and K. Tietze, “Privacy implications of the internet of things,” in International Joint Conference on Ambient Intelligence, 2011, pp. 280–286.
“Glossary of Security Terms,” SANS - Information Security Resources, Mar-2017. [Online]. Available: https://www.sans.org/security-resources/glossary-of-terms/. [Accessed: 05-Apr-2017].
H. Tavani, “Philosophical theories of privacy,” Metaphilosophy, vol. 38, no. 1, pp. 1–22, Jan. 2007.
R. H. Weber, “Internet of Things – New security and privacy challenges,” Computer Law & Security Review, vol. 26, no. 1, pp. 23–30, Jan. 2010.
Chigumba, “The employee’s right to privacy versus the employer’s right to monitor electronic transmissions from the workplace,” University of Kwazulu Natal, 2013.
Constitution Of The Republic Of South Africa. 1961, p. 19.
J. Grubman, “Privacy vs. Secrecy,” More Than Money Journal, p. 12, 2001.
B. Montgomery, “The 10 Most Terrifying IoT Security Breaches you aren’t aware of (so far),” 13-Sep-2015. [Online]. Available: https://www.linkedin.com/pulse/10-most-terrifying-iot-security-breaches-so-far-you-arent-montgomery. [Accessed: 24-Apr-2017].