If I’d been home, this would have been obvious to me. But I wasn’t, and it was the middle of 2014’s Midwest “polar vortex.” I opened up my thermostat’s smartphone app and saw 32°F in big white numerals. Cursing, I phoned the man who sent the email.
He wasn’t a friend or neighbor. Rather, he was a heating and cooling dealer who had installed our furnace just a few months before, and he reached my house well before I did. It turned out that the unusual, thigh-high snow in our backyard had drifted over the intake and exhaust pipes of our new high efficiency heating.
I didn’t have a key hidden anywhere, but he didn’t need one. After he had shoveled the snow away from the pipes, I turned the furnace off and back on again through the app. Once I’d given him our Wi-Fi password, he checked that the furnace was indeed running and made his way home. The house was well on its way to a habitable temperature by the time I arrived. No frozen pipes.
Okay, so I was only about two hours away by the time the house got down to the freezing point, so I probably didn’t need the emergency service. But if that had happened the day before, when I had an 8,000-mile journey ahead of me? Well, I could have counted myself extremely lucky that my furnace was sending out distress signals to the installer (and theoretically me too, but it looks like those went directly to the spam folder).
Still, if the installer knows what’s happening with our furnace, then who else does – and what does it mean for the expanding world of smart devices?
Read a few privacy policies and it quickly becomes clear that they are (no surprise) typically geared toward protecting the company rather than providing assurances to the consumer. Some describe targeted advertising schemes that users are automatically opted into, allowing the company to share the user’s personal information with marketers.
The policy for my thermostat washed the manufacturers hands of any duty to protect my security, acknowledging that home networks are typically not secure. As for privacy, it did at least promise not to sell my data to anyone. And the reason the installer couldn’t reset the thermostat? He and the manufacturer have view-only access – theoretically at least, they can’t change the settings.
With Google’s data-hungry business model, you might expect that the company’s smart home brand Nest would be feeding user information to the search giant. However, Nest was conscientious about customer data before the Google takeover, and it promises to stay that way. In fact, Nest says its data stays on dedicated servers – it doesn’t rub shoulders with the rest of Google’s information holdings.
So, will the smart device companies of the future respect our privacy or treat our data however they please? Hard to say. It could even be that the consumers, rather than the companies, eventually own user data.
Imagine using a table saw in a shop class where only 27 percent of the students take safety training. Security education is playing catch-up.
“We’re sort of at a tipping point for what the Internet of Things is,” said Erik Hofer, chief information officer and clinical assistant professor of information at U-M’s School of Information. “We’re challenged to appropriately balance the need to protect individual privacy with the huge potential that exists for innovation.”
Prabal Dutta, a Morris Wellman Faculty Development Associate Professor of Computer Science and Engineering at U-M, agrees that connected devices will soon be all over in our everyday lives. “This is even more Orwellian than Orwell predicted. It’s incredibly invasive. Then you layer on the other things – NSA surveillance,” he said. “Really, privacy is dead.”
And if privacy is dead, security is in the ICU. “It’s the wild west,” said Kevin Fu, an associate professor of computer science and engineering at U-M. “My students find that many Internet of Things products in shiny boxes with slick marketing merely pay lip service to security and privacy.
“But we’re not saints either. Over 1,500 U-M students take our programming course each year, but only 400 take our security class. Imagine using a table saw in a shop class where only 27 percent of the students take safety training. Security education is playing catch-up.”
Vulnerabilities are already compromising even modestly connected homes, as a PhD student demonstrated when he investigated my home network. Fu predicts that in ten years, we’ll be cleaning up the mess we’re making today, closing all the security holes that opened in this explosion of connected devices. Because the Internet of Things isn’t the future. It describes the Internet today.
And let’s face it – we haven’t really thought it through. At least, I hadn’t when I said, “A thermostat we can set while we’re away? Sounds good!”
RISE OF THE MACHINES
Originally, the phrase “Internet of Things” referred to the point when “things” connected to the Internet, such as sensors, alarm systems and automated devices, outnumbered people on our computers, tablets and smart phones. People are thought to have become the minority sometime in the last five years. Now, it’s often used to describe the connected things.
These devices run the gamut from activity trackers to smart ovens to glucose sensors and insulin pumps. A century ago, humans were wiring our homes with electricity. Now we’re computerizing them with automated light bulbs and thermostats connected to motion sensors, deadbolts that can be unlocked remotely, refrigerators that keep track of our food, washers that know when to order more detergent and security cameras we can view from anywhere.
As we incorporate these gadgets into our lives, we should be asking questions. What information are we giving away? What can be done with it? Are the companies taking more than they ought to? Are the services enough of a return for it?
And on the security side, is this data adequately protected and how much more vulnerable to hacking do these new devices leave our home networks?
A home automated to the full extent available today may be able to tell when you get up, when you go to bed, how many people are in your house at a given time, what rooms they are in, what your diet is like, how often people in your household bathe or flush toilets, how often you wash your clothes or vacuum the floor, how much time you spend in front of the television and what you watch. Add that to the data collected by smartphone apps and activity trackers.
Invasive as that may seem, we’re quite accustomed to companies having access to our conversations through social networks, email, text messages and call logs. They stick cookies into our browsers to track where we go online and only recently have they begun to declare this when you arrive at the website (after the European Union passed regulations requiring that web users be notified about tracking).
Although a recent survey from the Pew Research Center shows that Americans claim to care deeply about privacy, we’re not very good at acting on it. We tend not to clear the caches on our web browsers very often or fork over a little extra cash for encrypted services.
So, honestly, would the level of data collection I just described motivate you to avoid linking up your life, or would it just give you a vague sense of unease as you enjoyed the convenience of your connected world? And would your feelings change if you had more control over your data?