Trust, security and privacy in IoT

I attended two workshops in February: the IEEE End-to-End Trust and Security Workshop for the Internet of Things, and the IEEE Experts in Technology and Policy (ETAP) Forum on Internet Governance, Cybersecurity and Privacy.

I gave a brief presentation at the IoT workshop on how what we’re doing at Resilient relates to the emerging IoT space. If we really want an Internet of Things vs. Islands of Things, we need the means to easily and dynamically form networks with the Things in our environment and not sacrifice trust, security, and privacy in order to do it.

A general conclusion from both workshops is that it is “early days” in these spaces and there is not yet a shared foundation of understanding to provide a lot of context for these discussions. Especially in the IoT space, there is a lot of emphasis on each “Thing” since that’s the focus of any one party’s offering, and less so on the “system” of which each “Thing” will become a part.

The topics that generated energy and argument were around how (or if) to qualify and/or certify the presumably vast collection of Things. Like the Internet itself, the “whole” can’t ever be tested and yet assurance that the collection with which any one of us interacts is trustworthy needs to be established. In the policy forum there was a lot of discussion about privacy, including trying to assert a desire for an “opt-in” default around privacy matters vs. whether that’s practical in a world with public place cameras and facial recognition software. I think societal conventions will likely determine how private our presence in public places can be, but through the use of (for example) credentials as identifiers vs. direct use of identities we have the technical means to create privacy-protecting social norms.

Comments welcome.

–Inga Weizman