IoTuesday: What Does the Internet Privacy Repeal Mean for IoT?

The tech news world has been buzzing with the recent congressional vote to overturn FCC privacy rules that were passed last year. We look at how ISPs can access and use data from your IoT devices.

The simple answer to the question: not much.

In October 2016, the FCC passed a set of rules (here is a copy of the press release and the full text) specifically forbidding Internet Service Providers (ISPs) from using and sharing what was deemed "sensitive customer information" unless the customer gave explicit, affirmative consent. This included things like location, social security number, browsing history, app usage history and the contents of messages.

Something that was not often reported about the FCC rules is that the "notice and choice" portion (the part dealing with the opt-in sharing of consumer information) was to take effect 12 months after the ruling. That means consumers would not be afforded protection until October 2017.

Last week, Congress voted to repeal these rules. Assuming the President signs it into law, then in reality, nothing has changed (except for the minor fact that the new law would prevent the FCC from creating similar rules in the future).

Not even the FCC can stop ISPs from collecting and selling your data

Now that we're back in the Wild West where our personal information can be sold to the highest bidder (as if Facebook and Google didn't already do that), how does that affect your privacy when it comes to your ever-growing collection of Internet of Things (IoT) devices?

To start, if you don't care that your ISP can collect, use and sell your personal data, you have nothing to worry about. However, if you have some concern about ad agencies getting your social security number, then you might want to think about how you are using your IoT devices.

Some of the more robust and popular devices, like the Amazon Echo (relying on the Alexa Voice Service) and the Nest, ensure that user data is encrypted and sent over SSL. This means that, in theory, ISPs would not be privy to the details of messages sent to and from their respective servers. However, there is enough metadata in these messages that a potential purveyor of user information could figure out:

  1. You own an Echo, as most DNS requests are unencrypted, meaning someone sniffing your traffic could tell which hosts you were trying to reach (e.g. https://avs-alexa-na.amazon.com).
  2. When you are home (based on the time of your requests to the Alexa voice server or Nest server).

This can be powerful information to marketers who want to know individuals' habits to create better targeted advertising.
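To see how much of this your own network gives away, you can run the same inference over your resolver's query log. The sketch below is an added example, not part of the original post: the log lines are constructed in dnsmasq style, the Alexa hostname is the one mentioned above, and the Nest hostname is a placeholder because the post does not name one.

```python
import re
from collections import defaultdict

# Hostname -> device. The Alexa host is the one named in the article;
# the Nest host is a placeholder, since the article does not name one.
SIGNATURES = {
    "avs-alexa-na.amazon.com": "Amazon Echo",
    "nest-server.example": "Nest (placeholder hostname)",
}

# Constructed dnsmasq-style query log lines (not real traffic).
SAMPLE_LOG = """\
Apr  4 07:12:03 dnsmasq[412]: query[A] avs-alexa-na.amazon.com from 192.168.1.23
Apr  4 07:40:51 dnsmasq[412]: query[A] nest-server.example from 192.168.1.31
Apr  4 07:41:10 dnsmasq[412]: query[A] www.example.org from 192.168.1.10
Apr  4 18:05:27 dnsmasq[412]: query[AAAA] avs-alexa-na.amazon.com from 192.168.1.23
Apr  4 18:30:02 dnsmasq[412]: query[A] AVS-Alexa-NA.amazon.com. from 192.168.1.23
Apr  4 22:15:44 dnsmasq[412]: reply avs-alexa-na.amazon.com is 203.0.113.7
"""

# Captures the hour of the timestamp and the queried name.
QUERY_RE = re.compile(r"(\d{2}):\d{2}:\d{2} \S+ query\[\w+\] (\S+) from \S+")

def match_device(hostname):
    """Return the device whose signature equals, or is a parent domain of, hostname."""
    name = hostname.lower().rstrip(".")  # DNS names are case-insensitive
    for suffix, device in SIGNATURES.items():
        if name == suffix or name.endswith("." + suffix):
            return device
    return None

def exposure_report(log_text):
    """Map each identified device to the sorted hours in which it made DNS queries."""
    hours = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # reply lines and other entries are not client queries
        device = match_device(m.group(2))
        if device:
            hours[device].add(int(m.group(1)))
    return {device: sorted(h) for device, h in hours.items()}

if __name__ == "__main__":
    for device, active in exposure_report(SAMPLE_LOG).items():
        print(f"{device}: DNS activity seen during hours {active}")
```

Nothing in the report depends on decrypting any traffic: the device identity and the hours of activity come entirely from plaintext lookups.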

Hacking my Echo

They can't collect my data if it's not on, right?

What about smaller devices, like the ones you might be creating with an ESP8266-based board? The bad news is that many of these low-power devices do not support or have a difficult time supporting SSL/TLS communication, which means you're probably stuck sending data in the clear, open for ISPs to collect, analyze, use and sell. The good news is that unless your living room temperature data messages become a widely used protocol, ISPs and other marketing firms likely won't care enough to interpret that data. But I wouldn't rely too much on security through obscurity.

The lesson here: Use SSL/TLS/HTTPS to avoid having the internals of your internet communications sniffed. But you knew that already, right?

What other tips can you offer to keep your traffic out of reach of ISPs? Have you had luck using Tor and VPNs to encrypt your traffic further?