26 January 2018
by: Scott Dunmire
I have a confession to make. I love the Internet of Things.
I can preheat the oven before I head home. I can start my car from the comfort of my office to cool it down on a summer day or heat it up in the winter. I can check the temperature in various rooms in my home and, if it’s cold, I can turn up the heat. And I can even see who’s at the door. From anywhere in the world. Truly, in many ways, it is a great time to be alive.
But recently, we learned that we are not the only one who can do these things. It’s been widely reported that there is a vulnerability in the chipsets that run such devices. The fact that many did not see that coming seems a bit embarrassing in retrospect, but it is increasingly obvious that these devices, and–more importantly–the people that use them are dangerously ill-equipped to take on the best hackers our world has to offer.
But what if the focus on vulnerabilities has it all wrong? What if the problem isn’t someone freezing a pipe in the winter by turning off your heat on a particularly cold day or even the somewhat theoretical possibility of burning your house down by turning your oven on maximum while you’re on vacation?
We Don’t Know What We Don’t Know
I would argue that, although we’ve recently been reminded of how easy it must’ve been for that guard to open the gates of Troy and invite disaster, network vulnerabilities aren’t the problem either. The problem is, as is often said: we simply don’t know what we don’t know.
Which is to say that, while they increasingly run our lives for us, we’re only just now starting to figure out the ramifications of these devices.
They’re Watching You
The thing is, these devices have sensors. And these sensors are managed by software. And, in our world software is still owned by the manufacturer, even after the sale. Well, you’re starting to get the picture. Whatever these sensors are picking up about your home, your meals, your comings and goings. That data? It belongs to them. And collectively, the data can paint an astonishingly insightful look at your life.
A Roomba can, and does, map your house. The Nest Thermostat knows when there are people in the home and when there aren’t. A refrigerator, oven and even tea kettle that knows what sort of food you eat. A bathroom scale that knows how much you weigh. A DVR that knows what you like to watch.
In essence, as devices are increasingly software, not only does ownership of the device itself get murky, but also the data that lives on it.
In a recent book by Joshua Fairfield, Owned: Property and Privacy in the New Digital Serfdom, Fairfield discusses this ownership problem. You may have bought the thermostat, but the log of the times of day you are most likely to be away from the home belongs to the company that made it. He refers to this as digital feudalism. You may work the soil, but another man owns the ground.
This has not been the case in western society for hundreds of years. Since the time of feudalism, the items you purchased have been yours. And it still is the case for non-digital devices. If your neighbor bought a Chevy Tahoe, it has always been his rights to afix rhinestones to every square millimeter of surface. In fact, outside of a few regulations–mostly around environmental issues–your neighbor is pretty much free to do most anything he likes.
But the war isn’t over. Despite software agreements that seem to get longer by the day, many countries have started to turn their regulatory eyes to this notion of device and data ownership. In the United States, at least eight states have legislation under consideration that would allow individuals to repair their own devices. This may seem like a small step along the way to ownership of both the device and the data held on it, but increased attention has a cumulative effect and it may not be long before you may, once again, be free to decide how you use your device.
In the interim, enjoy the conveniences inherent in these incredible devices. But don’t assume that your data isn’t being used by someone. Perhaps to sell you something else you may only own in theory.
These sensors tell their manufacturers something about you.
Internet-enabled devices are so common, and so vulnerable, that hackers recently broke into a casino through its fish tank. The tank had internet-connected sensors measuring its temperature and cleanliness. The hackers got into the fish tank’s sensors and then to the computer used to control them, and from there to other parts of the casino’s network. The intruders were able to copy 10 gigabytes of data to somewhere in Finland.
By gazing into this fish tank, we can see the problem with “internet of things” devices: We don’t really control them. And it’s not always clear who does – though often software designers and advertisers are involved.
Our fish tanks, smart televisions, internet-enabled home thermostats, Fitbits and smartphones constantly gather information about us and our environment. That information is valuable not just for us but for people who want to sell us things. They ensure that internet-enabled devices are programmed to be quite eager to share information.
Take, for example, Roomba, the adorable robotic vacuum cleaner. Since 2015, the high-end models have created maps of its users’ homes, to more efficiently navigate through them while cleaning. But as Reuters and Gizmodo reported recently, Roomba’s manufacturer, iRobot, may plan to share those maps of the layouts of people’s private homes with its commercial partners.
Security and privacy breaches are built in
Like the Roomba, other smart devices can be programmed to share our private information with advertisers over back-channels of which we are not aware. In a case even more intimate than the Roomba business plan, a smartphone-controllable erotic massage device, called WeVibe, gathered information about how often, with what settings and at what times of day it was used. The WeVibe app sent that data back to its manufacturer – which agreed to pay a multi-million-dollar legal settlement when customers found out and objected to the invasion of privacy.
Those back-channels are also a serious security weakness. The computer manufacturer Lenovo, for instance, used to sell its computers with a program called “Superfish” preinstalled. The program was intended to allow Lenovo – or companies that paid it – to secretly insert targeted advertisements into the results of users’ web searches. The way it did so was downright dangerous: It hijacked web browsers’ traffic without the user’s knowledge – including web communications users thought were securely encrypted, like connections to banks and online stores for financial transactions.
The underlying problem is ownership
One key reason we don’t control our devices is that the companies that make them seem to think – and definitely act like – they still own them, even after we’ve bought them. A person may purchase a nice-looking box full of electronics that can function as a smartphone, the corporate argument goes, but they buy a license only to use the software inside. The companies say they still own the software, and because they own it, they can control it. It’s as if a car dealer sold a car, but claimed ownership of the motor.
This sort of arrangement is destroying the concept of basic property ownership. John Deere has already told farmers that they don’t really own their tractors but just license the software – so they can’t fix their own farm equipment or even take it to an independent repair shop. The farmers are objecting, but maybe some people are willing to let things slide when it comes to smartphones, which are often bought on a payment installment plan and traded in as soon as possible.
How long will it be before we realize they’re trying to apply the same rules to our smart homes, smart televisions in our living rooms and bedrooms, smart toilets and internet-enabled cars?
A return to feudalism?
The issue of who gets to control property has a long history. In the feudal system of medieval Europe, the king owned almost everything, and everyone else’s property rights depended on their relationship with the king. Peasants lived on land granted by the king to a local lord, and workers didn’t always even own the tools they used for farming or other trades like carpentry and blacksmithing.
Over the centuries, Western economies and legal systems evolved into our modern commercial arrangement: People and private companies often buy and sell items themselves and own land, tools and other objects outright. Apart from a few basic government rules like environmental protection and public health, ownership comes with no trailing strings attached.
This system means that a car company can’t stop me from painting my car a shocking shade of pink or from getting the oil changed at whatever repair shop I choose. I can even try to modify or fix my car myself. The same is true for my television, my farm equipment and my refrigerator.
Yet the expansion of the internet of things seems to be bringing us back to something like that old feudal model, where people didn’t own the items they used every day. In this 21st-century version, companies are using intellectual property law – intended to protect ideas – to control physical objects consumers think they own.
Intellectual property control
My phone is a Samsung Galaxy. Google controls the operating system and the Google Apps that make an Android smartphone work well. Google licenses them to Samsung, which makes its own modification to the Android interface, and sublicenses the right to use my own phone to me – or at least that is the argument that Google and Samsung make. Samsung cuts deals with lots of software providers which want to take my data for their own use.
But this model is flawed, in my view. We need the right to fix our own property. We need the right to kick invasive advertisers out of our devices. We need the ability to shut down the information back-channels to advertisers, not merely because we don’t love being spied on, but because those back doors are security risks, as the stories of Superfish and the hacked fish tank show. If we don’t have the right to control our own property, we don’t really own it. We are just digital peasants, using the things that we have bought and paid for at the whim of our digital lord.
Even though things look grim right now, there is hope. These problems quickly become public relations nightmares for the companies involved. And there is serious bipartisan support for right-to-repair bills that restore some powers of ownership to consumers.
Recent years have seen progress in reclaiming ownership from would-be digital barons. What is important is that we recognize and reject what these companies are trying to do, buy accordingly, vigorously exercise our rights to use, repair and modify our smart property, and support efforts to strengthen those rights. The idea of property is still powerful in our cultural imagination, and it won’t die easily. That gives us a window of opportunity. I hope we will take it.