598x544-19-12-19

Challenge.gov, the official organizer of US federal tech/science competitions, has unveiled the Privacy Policy Snapshot Challenge with a top prize of $20,000 (runners-up: $10k and $5k).

Submissions are being accepted until April 10, 2017.

In their own words, they

call for designers, developers, and health data privacy experts to create an online Model Privacy Notice (MPN) generator. The MPN is a voluntary, openly available resource designed to help health technology developers who collect digital health data clearly convey information about their privacy and security policies to their users. Similar to a nutrition facts label, the MPN provides a snapshot of a product’s existing privacy practices, encouraging transparency and helping consumers make informed choices when selecting products. The MPN does not mandate specific policies or substitute for more comprehensive or detailed privacy policies.

An effective MPN would have to simplify nuanced information about multiple stakeholders’ complex data collection, retention, sharing and usage practices. It must also prioritize the importance of a variety of objective facts about devices, their documentation and methods of consent acquirement. Crucially, it should foresee ways in which manufacturers might attempt to game the evaluation system, and mitigate those possibilities.

Though this challenge only considers technology collecting health data, it will be instructive for similar initiatives in many other IoT fields. It’s a useful step in supporting the right of consumers to have transparent information about diverse privacy and security practices.

Full conditions and requirements can be found on the contest homepage.

Data Protection Health Privacy Policies Security Transparency User Control Wearables

Day 2 of CES comes to a close, and two trends from Day 1 remain: I saw more robots that do face recognition, and I remain underwhelmed. Today, I walked the cartoonishly huge Las Vegas Convention Center (LVCC), which was dedicated to automotive technology, more robots, more health tech, displays, and accessories. The LVCC is different from the Sands, which I walked on Day 1, in that it’s full of big, established manufacturers: Panasonic, LG, Samsung, Mercedes, Jaguar, Qualcomm, Volkswagen, and so on. The Sands had smaller companies, startups, and university-supported products. After two full days of walking the convention, the technology that made the strongest showing was:

  • Virtual Reality
  • Drones
  • Robots
  • Camera products
  • Automotive (inside the cockpit)

Honorable mention goes to gesture control. I was surprised by the poor showing of health-oriented products. There were plenty of fitness products, but these were the ho-hum Fitbit-like wearables we’ve seen for some time now. I’m not a gamer, but I was quite impressed with the immersive VR tech I played with.

At the intersection of health and automotive was Mercedes. They put sensors in the steering wheel of one of their cars to detect heart rate. If the car determined that you were stressed, it could alter the interior conditions: lighting, music, and – I kid you not – aroma. The glove box contains a scent cartridge that it would introduce into the airflow system to aromatherapy you back to your happy place. Mercedes took the idea that ‘technology companies are really lifestyle companies’ a bit too far – the car offers you suggestions on how to live a fitter, healthier existence based on what it detects and knows about you. Being alone in a car can be a place of respite… I sure as heck don’t want to be nagged about my sloth while I’m driving an expensive car to In-N-Out Burger.

aaeaaqaaaaaaaac6aaaajdk1ngvmnwq5ltmxmzytngq4ys1intkzlwe3mgvlmzjiodrhoa

Day 2 was replete with robots. LG seems to want to bring WALL-E to life with its airport information robot, lawn mower robot, and household ‘Hub robot.’ Robots from less well-known manufacturers were also in full force, and as I mentioned in yesterday’s wrap-up, face recognition appears to be de rigueur. Wavebot, which looks like something you squeeze to plop out cookie dough or raw falafels, was being marketed as a butler/watchdog that continually roams your house. Both it and other robots on display were not working because of the usual convention WiFi failures, so I didn’t really get a sense of their value… or likelihood of killing me and my family because the face recognition broke. My big takeaway was: The Age of Household Robots is nowhere near.

However… virtual assistant technology seems to be galloping at a rapid clip. I saw several integrations of Alexa into non-cyclindrical devices. Volkswagen introduced it into their cars, LG put it in a fridge, and a small robot named Lynx allows Alexa to bumble around your house and wave at you. Toyota built its own chirpy virtual ‘companion’ named Yui that merges the virtual assistant with self-driving. Unsurprisingly, this was merely a concept demo. Sidebar: all of these virtual assistants are so nice. I’m from New York originally – will someone please build me an Alexa/Siri mod that makes it cranky and profane? “Siri, what’s the temperature?” “Stick yer friggin’ head out the window and check yourself, ya schmuck.” “Thanks, Siri… you feel like family.”

Qualcomm showed off a super tiny camera and sensor, which seemed ideal for integration into… well… anything. The person I spoke to mentioned toys, and after December’s ugly story about wildly insecure IoT toys that can be used to spy on children, this development made me more concerned than excited.

Ultimately, I found Day 2 less satisfying than Day 1, in large part because the big manufacturers are trotting out incremental product advancements, rather than the risker, more interesting technology that smaller companies are launching. On the whole, CES failed to excite me; I am aware that writing that puts me at odds with lots of other analysts who want to tell you how amazing everything is. Still, a few things inspired me, a few surprised me, and some products just seemed stupid.

With regard to privacy, this was a Consumer Electronics Show, and so the products were mainly ones that we would bring into close contact with our lives – on our person, in our cars, and in our homes. So, for me, the privacy issues raised are:

  • Encroachment on intimacy: household robots, toys and other near at hand objects with cameras and other sensors means increased collection of intimate moments and activities.
  • Further disappearance of surveillance technology: smaller cameras means less awareness of being monitored and recorded.
  • Normalization of child surveillance: cameras in the home and toys means much more collection of children’s behavior and interactions.
  • Expansion of stakeholders: decreasing costs to include cameras, microphones and other monitoring devices means it’s easier for new entrants into technology markets to introduce monitoring features. Will those new entrants know how to handle intimate personal data respectfully?

I expand on these concerns in my report, Privacy and the Internet of Things, which you can download for free from O’Reilly. And, while CES didn’t impress very much, I at least did not see things that filled me with terror. I did find a bust of Siegfried & Roy, which made the whole trip worthwhile.

Conference Connected Cars Data Ownership Drones Intimacy Security Smart Home Toys User Control Wearables

arxan-connected-cars

I like this infographic (click above to expand image) though with due respect to the authors, I’m skeptical about the claim that ‘connected cars’ (as if there’s only one thing called a connected car) have 10 times the amount of code in a Boeing 787. But I’m nitpicking. I appreciate that this graphic specifically calls out the OBD-II port as a worry spot as well as noting that insurance dongles lack security. It would be great to do security analysis on all existing dongles in significant circulation to see how bad things really are. I also quite liked this: “LTE coverage and Wifi in the car expose you to the same vulnerabilities as a house on wheels.” That’s simple and effective writing – bravo Arxan.

The Recommendations at the bottom are aimed at consumers. They’re all reasonable and this is the first time I’m seeing “Don’t jailbreak your car.” Again, good on you, Arxan. I’m amused by the suggestion to check your outlets periodically and make sure you know what’s installed. It’s like a combination of encouraging safe sex for your car combined with ‘watch out for spoofed ATMs.’

Arxan is, however, a B2B company, so I would like to see, in addition to consumer recommendations, industry recommendations. Of course, those suggestions are part the services they offer so they can’t give away too much for free, but still – a few pearls of wisdom would be welcome. I know it’s too much to ask for policy-oriented suggestions – especially ones that raise costs – so here are a few:

  • Security Impact Analysis should be a regulatory requirement for all cars that rise above a certain threshold of connectivity (a topic for exploration)

  • Strengthen data breach notification laws (a general suggestion, not just for cars or IoT)

  • Car companies should be required to have CISOs

Data Ownership Data Protection Policy Security User Control

“Implementing transparency and control in the context of IoT raises a number of challenges. Addressing these challenges is the main goal of the UPRISE-IoT European (CHIST ERA) project in which this PhD will be conducted.

Among these challenges, specific attention will be paid to the following topics:

  • Analysis of the physical environment of the users to get an accurate picture of the devices surrounding them and the data that they collect.
  • Analysis of the purposes of these collections (how the data are supposed to be used) and their legal basis (e.g. the privacy notices of the entities collecting the data).
  • Analysis of the potential privacy risks posed by these data collections.
  • Definition of a framework for interacting with the users. This framework should make it possible for users to get a good understanding of the above information and to express their wishes (e.g. through user-centric privacy policies) in a user-friendly and non-ambiguous way.The PhD project will be conducted in collaboration with the members of the Inria PRIVATICS group and the other partners of the UPRISE-IoT project. It will not necessarily address all the above topics, and the specific focus will be adjusted in agreement with the successful candidate, based on his expertise and motivation.

    Location:

    The thesis will be located in the Inria Rhône-Alpes Research Center, either in Grenoble or in Lyon (south-east of France).

    Required skills:

    The candidate should have a Master’s degree in computer science or a related field. Knowledge and motivation for one of the following fields would be appreciated: networks, privacy, security, human computer interaction.
    Knowledge of French is not required.”

https://cappris.inria.fr/wp-content/uploads/2013/03/PhD-position-UPRISE.pdf

Academics Transparency User Control