Computer in chains
If data is not secure ‘pranksters’ could cause mayhem. Photograph: Adrian Lyon/Alamy

How will the internet of things impact data security?

This article is more than 8 years old

The internet of things has many advantages, but when machines start collecting data, privacy and security become an issue


When handing over data to a company, most people realise there is a value exchange. The organisation gets to learn more about us for future communications, but in return it is able to deliver our shopping, get in contact if there is a problem or keep us up to date with special offers.

There are very clear data collection guidelines that companies and public bodies must abide by. The Data Protection Act 1998 is detailed but the main points are that information must only be used for the reason that has been given, it must be accurate, stored securely to protect privacy, and it must only be held onto as long as it is needed.

However, it’s a different ball game when it comes to ‘things’ collecting data. Estimates vary as to how many devices are currently collecting data and connected to the internet. One recent study estimates 13bn – and that number will nearly double within five years.

For businesses, governments and consumers alike, the internet of things (IoT) brings with it a great deal to look forward to: smart cities, better healthcare through remote sensors, and better ways of targeting customers – it could be an ice cream after they emerge from a hot train or, just as likely, an umbrella.

However, there are concerns that once machines start monitoring local conditions, as well as us, we’re handing over a lot of data without perhaps realising it.

Regulatory minefield

Once machines start to take data rather than humans, multiple watchdogs and regulators start to get involved.

“Just imagine smart meters which are great for reducing energy use and shrinking bills,” says Mark Thompson, privacy practice leader at KPMG. “You could have the energy regulator, Ofgem, involved as well as Ofcom, because the data’s going over a broadband connection. Then, because there’s data involved, the Information Commissioner’s Office is bound to have an interest. Then when that data starts crossing boundaries you could have a perfect storm of countries not always having the same security and privacy standards yet having multiple regulators involved.”

Security standards

Not only is there a privacy concern, but data security is an issue too. William Webb is a visiting professor at Surrey University and heads a special interest group, the Weightless SIG, which is working on standards to secure data collected and sent over the internet by gadgets. He warns that if the data is not secure, hackers could cause serious damage.

“We’re devising a way of ensuring communications are authenticated as coming from the device as well as encrypted to avoid eavesdropping,” he says.

“We’re also working on a means to ensure gadgets can be ‘patched’ like a computer if a security flaw is unveiled. Privacy aside, it’s vital we get communications secure or else terrorists could use smart city technology to send people to a particular route or train, and pranksters could cause mayhem altering settings, such as convincing a local authority bins need emptying, when they don’t.”

Privacy matters

One potential solution, on the privacy side at least, is to separate the identity of the person being measured by a sensor from the data they generate. John Taysom, a fellow of the University of Cambridge and co-founder of privacy company Privitar, believes this “disassociation” is key because companies and governments get the data without a risk to privacy. He fears, though, that organisations might rush in too soon before realising the potential for compromising an individual’s private details.

“There’s obviously a lot of concern about privacy but I think we’re in one of those situations like smoking or sugary foods,” he says.

“The gain to getting all that data is very instant but the problems seem a long way off, and so you end up not being firm enough with guidelines until further down the line and governments have to step in to set rules. You shouldn’t forget that ultimately the machines taking the readings and transmitting them are owned by companies which want to use that information. Although we’re talking about sensors, we’re really talking about the people and companies that own them.”

Smart Finns

The European commission has been very keen to start trial projects to show the power of IoT in building smarter cities. Through its Horizon 2020 programme, a British team led by Peter Matthews, lead research scientist at CA Technologies, is working with the Technical University of Tampere in Finland. The researchers are ensuring the security of data transmitted by sensors throughout the Finnish city, which allow residents to plan journeys according to live travel conditions.

“Just like you don’t want someone to hack your pacemaker, you’ve got to make sure that sensors are what they say they are and they’re talking only to the proper service, not hackers,” Matthews says.

“We’re finding, as the project grows in scale, the real complication is starting to come from combining your own sensors with others. So, measuring how things are going on the road and rail network is one thing. It’s when you then combine it with a person’s digital diary, to arrange travel around meetings, or a weather service, so they know if they need an umbrella – that’s where you start to need the really robust systems that we’re currently developing.”

The promise of the IoT is vast, but so too is the potential for security flaws and privacy lapses. It is one of the reasons why the Data Protection Act is being replaced through the EU’s general data protection regulation (GDPR), which is expected to be finalised before the end of the year and then added to the statute books of member countries next year. It is expected to bring in tighter rules to ensure data is only used for the primary reason it has been given and also increase fines for companies that suffer data privacy lapses.
