Friday, October 17, 2014

IoT Technology Trends, Part 2 - Repercussions

In the opening installment of this series two weeks ago, we examined the major wireless standards that are competing to dominate the airwaves for the IoT. Though they all clearly have their own peculiar strengths and weaknesses, it is clear that there is as yet no decisive superiority attributable to any of the protocols that would indicate which one of them would be the optimal choice going forward.

Yet what was left unexplored in the editorial was a defect that these standards had in common - a flaw of such magnitude that it fatally compromises the ultimate acceptability of them all. The failing, however, does not lie in any particular technical parameter such as power, data rates or any of the other usual design details.

Unintended Consequences


Let's return to an illustration from a previous post that posits the sort of digitized world envisioned by the IoT's most ardent advocates - one where the individual becomes a virtual deity over every controllable aspect of his/her life. In this scenario, a person could use some sort of personal processor (quite likely a more sophisticated and computationally potent descendant of today's smartphone) for a multitude of tasks - file sharing and data streaming with work colleagues to exchange information and discuss plans in a video conference, telemetry feeds from the home refrigerator that help an individual decide what to pick up at the grocery store for dinner using the PP as a combined scanner and e-wallet, navigating to destinations with the automobile tied into and controlled by the municipal traffic grid, interacting with a "smart home" access point to schedule and manage the thermostat, oven and house lights, etc etc. 

All knowledge, when separated from justice and virtue, is seen to be cunning and not wisdom. - Plato

There are, of course, ramifications to opening this Pandora's Box of possibilities - a set of consequences that follow from the streaming of personal data across the internet. These streams include what a given individual is communicating with others, where they like to go, what they like to do and a time stamp of when all these activities are occurring. 

Some of this 'data leak' to the public sphere is unavoidable, of course. When making a phone call, the service provider is bound to have a log entry of the time and duration of the call. Shopping for groceries leaves the grocer with a telltale record concerning one's preferences - information that has been collected and used by retailers and wholesalers for decades. Nonetheless, there is a fantastic volume of other personal data being transmitted and received in an IoT world - an individual's movements in both time and place, what exactly they communicate in an email, phone conversation or video conference and other details of their daily activities that are, quite simply, nobody's business but their own.

The following slide show illustrates with alarming clarity how we have unwittingly opened our private lives to scrutiny thru our headlong adoption of electronic products and services:

All three of the aforementioned wireless standards seek to address security concerns by employing the Advanced Encryption Standard (AES) - 128b in the case of W-USB & BT 4.0 and 256b for Wi-Fi Direct. Such a level of encryption has been widely proclaimed to be sufficient for commercial applications. 

Yet this assumption doesn't stand up to even a first order level of scrutiny. Both 128b and 256b AES keys have been penetrated multiple times over the years, both directly and obliquely, by individual hackers and researchers. Focused efforts by more villainous organizations, with greater resources and funding, is bound to become a major endeavor for organized crime as the IoT proliferates and penetrates more and more of our lives. Electronic fraud, identity theft and various other forms of Cyber crime have grown into a major worldwide black market industry over the last decade, as described succinctly in the following infographic:

If incorporating AES into wireless protocols was truly sufficient to ensure commercial and personal levels of security, we would not have such a worldwide electronic crime problem. Evidently there is something vital that is missing in the security sections of these protocols.

We've arranged a global civilization in which the most crucial elements — transportation, communications, and all other industries; agriculture, medicine, education, entertainment, protecting the environment; and even the key democratic institution of voting, profoundly depend on science and technology. We have also arranged things so that almost no one understands science and technology. This is a prescription for disaster. We might get away with it for a while, but sooner or later this combustible mixture of ignorance and power is going to blow up in our faces. - Carl Sagan

The issue of security, though, is not just restricted to a user's smartphone transmissions. The recent celebrity photo hacks from the iCloud and the data breaches of K-Mart, JP Morgan Chase,, AT&T, Target, Home Depot and others incontestably attest to the fact that the entire security architecture of our electronic world is deeply flawed. An individual could be assiduously practicing safety procedures with one's credit cards, smartphone and internet-accessible accounts and still be vulnerable to Cyber crime. 

To make matters worse, government organizations worldwide are not taking steps to strengthen and fortify the world's electronic security architecture to render it safe, secure and usable for all, but seem determined to preserve and even expand its points of vulnerability in order to actively exploit these weaknesses for their own purposes. Any efforts to address the current architecture's structural flaws are being met with energetic resistance by the same government institutions that are supposed to be concerned with national security, criminal investigation and law enforcement:

Knowledge without integrity is dangerous and dreadful. - Samuel Johnson

Both the FBI and the Department of Justice appear to sincerely believe that "phones should not be secure against us." The brazenly authoritarian tone of such a stance is shocking and outrageous. What is worse is the implications of the position - that in its pursuit of narcotics smugglers, organized crime syndicates and terrorists, everyone is viewed as a potential perpetrator or collaborator. Stated differently - our law enforcement agencies seem to view personal electronic data not from the viewpoint of an individual's privacy, but as a source of evidence. I find such a frame of reference to be chilling, to say the least.

Such a filthy concept does not belong in government departments which are dedicated to protecting the civil rights of citizens, but fits perfectly within the organizational code of a dictator's internal security forces. "Every citizen a suspect" might echo approvingly in the hallways of the Lubyanka or #8 Prinz Albrecht Strasse in Berlin, but should be an utterly alien and reprehensible idea in the offices of the FBI, Justice Department and Homeland Security. To be frank, I never thought I would live to see the day that such an idea could be voiced by the government of my country.


I discussed this topic with some old friends last week over an excellent dinner of kabobs and beer. My comrades, sober and rational family men all, had this to say about my views on personal electronic security:

"Oh, come on, baldie, you're making too much of it. Shut up and have another beer."

"It's really not that big a deal. Hey, you gonna finish that?"

"So? My smartphone is too convenient. I don't see that the downside is big enough to matter."

"Who cares? I have nothing to hide."

Nevertheless, all the above statements were uttered with an underlying tone of unease. Instinctively, my friends were quietly troubled about both their privacy and security in a digital world, as well as officialdom's opportunistic reaction to the existing state of affairs.

Glenn Greenwald captured the dangers of our present digitally enhanced lives with an extraordinarily insightful presentation just a few days ago. I urge all of you to view it in its entirety:


We've already observed how our new digital instruments vest us with the kinds of powers over our personal activities that previous generations believed were solely within the purview of the Gods. But if we are to truly become virtual deities over our individual digital domains, we need to appropriate even more of the prerogatives of these mythical figures.

Source: Wikipedia

The Bhagavad Ghita is a seminal work in Hinduism, and is perhaps the earliest text to introduce a concept of the 'virtualization' of deities in the Hindu pantheon - an abstraction of form and purpose which eventually was captured by the term "avatara", passed down to us and anglicized as the word "avatar." Often associated with Vishnu, an avatar is an abstraction of a Hindu god that is sent down from the heavens to the earthly realm, tasked with realizing some specific purpose or to "set the world right" (from which stems the concept of "dharma.")

It is from this ancient principle that the standards committees for Wireless USB, Wi-Fi Direct and BT 4.0 should draw inspiration. Their specifications need to be expanded to include nothing short of a personal SDN. By allowing a user to simply and easily create & control an avatar that can interact with the cloud, a layer of abstraction can be interposed between the individual and the greater digital universe. Private enterprises already use SDN to virtualize their presence on the internet and provide a buffer between the firm's datacenter and internet malefactors; what I'm proposing is bringing this same technique to the level of the individual.

Naturally, opposing commercial interests will attempt to circumvent such an obstacle or penetrate virtual defenses thru the use of cookies, code surreptitiously embedded in software updates and other clandestine methods of infiltration. As a consequence, the personal security section of the IoT wireless specifications will need to include provisions for dealing with attempts at bypassing the avatar, including filters for identifying and rejecting anomalous code, the capture and monitoring of transmissions other than those directly instigated by the user's activities (along with the isolation and purging of code responsible for such undercover transmissions), and perhaps even automated routines that prompt the user to reset or otherwise scramble his/her keys on a weekly basis. 

Stated differently: the personal security section of each wireless specification needs to make every effort to preserve the anonymity and privacy of the individual and the 'sanctity' of their avatar. Whether using one's smartphone to surf the web, place a call, use GPS, retrieve information from a website, participating in social media or interacting with a digital home access point, a user should be just as unidentifiable and untraceable in time and location as Vishnu in the heavens is beyond reach while directing an avatar of his on earth to smite evildoers.

Smartphone system and chip vendors will grumble at these new requirements, but will likely comply. Software businesses will have to adapt their product updates and maintenance to conform to the new mandates and limitations. Certain companies will resist these initiatives tooth and nail - in particular, social media, packaged goods and advertising firms. After all, the personalization of ads and promotions to the individual consumer is the Holy Grail for mass market businesses. 

To be honest, though, I don't give a fig if this throws a wrench into the gears of someone's plans and ambitions. They'll just have to adapt and cope. Instead of dealing directly with Pete from New Jersey, Krishna from Bangalore and Vanessa from Sao Paolo, they will all simply have to accept that they are instead stuck interacting with "YankeesFan", "Shivaji" and "Capoeiragirl" and will never know the true identity of the person behind the digital stand-in.

The fear-mongering in Washington D.C. will undoubtedly shift into high gear, however. Grand speeches from practiced orators will be delivered with baritone voices and grave demeanor, exhorting the political class to 'think of the security of Americans first' and preposterously proclaiming that 'without security their can be no freedom.' It will then fall to all of us to insist - on threat of expulsion from office - that our senators and congressmen make sure to identify such people in the legal, espionage and criminal investigation apparatus of government, promptly fire them and replace them with individuals who understand that though it will make their own job harder, they will gladly assume the extra burden so that the guarantees of freedom for the nation's citizens are paramount. 

Granted, the ability to snoop on any phone conversation or email is extremely convenient for an FBI agent trying to uncover the nefarious machinations of mobsters and drug runners, or an NSA employee trying to find and track Al Qaeda operatives, their communications & plans. But all that means is that detectives, agents, U.S. marshals, intelligence analysts and police officers will have to return with gusto to the old fashion methods of tailing and interviewing suspects, gathering evidence and obtaining warrants in open courts. The FBI broke the back of the Mafia in the 1970's and 1980's using such techniques.

What we need is a new mindset in government. A fresh crop of directors for federal & state law enforcement agencies needs to be found - men and women who live and die by the following creed: that the rights of citizens to life, liberty and the pursuit of happiness trump any impetus to curtail those rights in favor of notions of collective security thru government oversight. It is on our shoulders, though, to insist on such a change. Perhaps our 34th president said it best:

If all that Americans want is security, they can go to prison. They'll have enough to eat, a bed and a roof over their heads. But if an American wants to preserve his dignity and his equality as a human being, he must not bow his neck to any dictatorial government. - Dwight D. Eisenhower

Next week, we'll examine some new IoT products and technologies to see what else we can discern regarding technical trends in the space.

No comments:

Post a Comment

Feel free to comment or critique!