Why the Internet of Things Must Be Decentralized

The metaphorical pages of Commsrisk contain endless stories of networks being used for surveillance, flawed security designs, enormous privacy breaches and people in positions of responsibility promising that past mistakes will never be repeated. Each week there is always some news that repeats the same formula, which helps to explain why the readership of Commsrisk is always growing. Meanwhile, the internet of things (IoT) promises to create a world where cars record where we have driven, fitness devices record where we have walked, refrigerators record what we have eaten and light bulbs record when we sleep. Access to all this data would be irresistible to emotional cripples who only care about profit, or to utopian maniacs who have convinced themselves they know how to perfect human beings by eradicating the flaws inherent to our design.

The usual suspects who threaten our privacy and freedoms are no longer limited to sociopathic CEOs and the Chinese Communist Party. They now include every blundering fool given responsibility or access to technologies they are ill-equipped to understand. The threat is also posed by governments in ‘liberal’ democracies, such as the Canadian government which used emergency powers to freeze the bank accounts of peaceful protestors. And it comes from happy, smiley, insanely deceitful business executives who pretend no harm was done by a leaky API that allowed hackers to obtain data about millions of customers and other people who were not even customers of their company any more. Kelly Bayer Rosmarin, CEO of Optus, falls into the latter category; she recently insisted that nobody had been a victim of a crime because of her company’s privacy breach before asserting that more attacks on her business were ‘inevitable’. How can an executive that was not aware that her own company had a huge security vulnerability be confident that not a single person was harmed? Even the subject of an identity theft may remain unaware of the crime.

So on the one hand, history has demonstrated that idiots and tyrants often get into positions of power by making up stories about their own brilliance whilst making life horrendous for the rest of us. And on the other hand, even your toilet brush will be networked in future. These are portents for a world that will look like a cross between George Orwell’s Nineteen Eighty-Four, Terry Gilliam’s Brazil, the robot that passes the butter in Rick and Morty and the Borg from Star Trek. By the time the IoT enthusiasts and privacy-haters have finished, we might as well volunteer to have Elon Musk’s brain-computer interface implanted because everything we think and do will be public knowledge already.

It is not like the internet of things had a good track record when the technology was still primitive. In 2016, the Dyn botnet compromised IoT devices and used them to carry out a massive DDoS attack. In 2017, the CloudPets data breach compromised user data and voice recordings from connected toys. In 2018, user location data was shared publicly by the Strava fitness app. But in 2023, the typical executive will explain that the one-sentence solution is to “take privacy very seriously” before explaining why everybody should have a networked anal probe permanently fitted at the low cost of $999.99. And if you think that nobody would ever stick an insecure networked device up their rectum, consider the true story of the penis cage that hackers could remotely lock.

Or, we can decentralize. The powerful people like data to be centralized because centralized data makes them even more powerful. And that is exactly why networked devices should be designed to be decentralized. If your toilet brush really needs to talk to your anal probe then make sure it is a peer-to-peer conversation, and not one which is relayed through a server that can be accessed by corporate head office. Let the device, and hence the user, maintain full sovereignty and ownership over the data collected, and where it is transmitted.

Neither corporate entities nor governments needs as much surveillance data as they will inevitably attempt to capture. Consumers need to push back, turning ubiquitous IoT surveillance into a thing of the past and not a rational fear in the present. Then Kelly Bayer Rosmarin can refocus on the skills that secured her the job of Optus CEO in the first place: spouting inane platitudes about optimism and success to young people who can be persuaded that owning the right mobile phone will make them sexier, stronger and richer, without the need for any natural ability, application or hard work.

Decentralized technologies are already gaining traction, such as the focus on creating self-sovereign identities for European Union citizens who access services online. But they will not be encouraged by the clods and autocrats who want to see all your data and want you to buy, install and carry a million devices that they will use to spy upon you. Bumbling executives like Kelly Bayer Rosmarin never get sacked following a privacy breach because they have corporate masters who shy away from the public spotlight but who maintain an even greater hunger for data than she has. That is why consumers have to demand the decentralization of networked devices whilst we still have the freedom to challenge authority and still have some privacy worth holding on to.

Tackling the vulnerabilities that surround networked consumer devices will be the topic of conversation for today’s episode of The Communications Risk Show, which features an interview with David Rogers, Chair of the GSMA’s Fraud and Security Group and a leading contributor to the IoT Security Foundation. Join us at 4pm UK time at tv.commsrisk.com to see the live broadcast and ask questions of David. You can also watch the video replay or listen to the audio podcast of today’s episode immediately after the live show has finished.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.