I prefer using the phrase “Internet of Everything” when discussing what most people call the Internet of Things because in many ways, the latter term isn’t enough. What makes the Internet of Everything so powerful is the data about you and me that these devices can gather.
Consider how these devices actually work. They almost always need to “phone home” to some central server run by the service provider. This means that anything that you do on the device is seen by the provider. You have to trust that they will keep your data secure and not misuse it or neglect it over time.
Unfortunately, there are many ways your data can be misused or compromised. For example, the devices themselves can be insecure and be compromised by an attacker. The modules that are used by these devices, likely borrowed from open source, are susceptible to exploitation over time, and the vendor may not have thought too much about how to get them quickly and seamlessly updated. The servers themselves can be compromised and breached in a targeted attack.
Privacy policies will at least be able to say what data is collected, but in general they don’t disclose the full reality of what can be done with your information. As an example, many will have provisions stating that the data will be used to deliver the services provided. In practice, this broad generalization can be used as a legal basis to justify many different ways to use and possibly exploit your data.
So, what should users do? Before purchasing an Internet-connected hardware device, make sure that you are comfortable with the fact that any data you provide them with, could potentially be stored on unsecured servers in data centers situated in different countries, over a long period of time. Your personal “data at rest” on the manufacturer’s servers represent an increased risk to you over time. Some risks include the possibility of data breaches, sharing or reselling of your data, along with general neglect of the data in scenarios such as company security lapses, or events such as sale or merger of the company.
Consider, too that many startup funded companies may not have fleshed out their business model yet. Your data is a key part of how they may be initially, or additionally monetize the service that they provide. These pressures can result in the misuse of your data. One could argue that a company that is charging more for their service up front would be less prone to attempt to monetize further employing your data, but again there is no guarantee — data is a key element of IoE. A more reputable company that has a brand to protect may be a better choice, though this neither is fully guaranteed as well. An example is the recent gleaning of data from USB drives plugged into LG TVs.
To know more on how to be safe in the Internet of Everything, read our “Security Considerations for Consumers Buying Smart Home Devices,” which can guide you in making decisions on the Internet connected devices you introduce into your daily life.