Speaking of Psychology - The Internet of Things and Consumer Risk (SOP62)
Episode Date: August 15, 2018
Internet of Things devices such as smart televisions and thermostats often lack adequate built-in security, leading to privacy and safety risks not commonly understood by consumers. John Blythe, PhD, ...argues that a labelling scheme for these devices will provide consumers with a clear picture of the security of an IoT device and help them to choose technology that meets their security and privacy needs.
Transcript
Hello and welcome to Speaking of Psychology, a podcast produced by the American Psychological Association.
I'm your host, Kim Mills.
Speaking of Psychology is a podcast for anyone with an interest in the science of psychology.
We talk to psychological researchers, practitioners, and educators about any and every aspect of psychology and its application to the world around us.
Dr. John Blythe is research associate at the Dawes Centre for Future Crime at University College London,
where he works on the Consumer Security Index part of the PETRAS Internet of Things Research Hub.
The PETRAS Internet of Things Research Hub is a consortium of nine leading United Kingdom universities
that are working together over three years to explore critical issues in privacy, ethics, trust, reliability,
acceptability and security. Dr. Blythe previously held positions at the UCL Centre for Behaviour Change,
the Department for Digital, Culture, Media and Sport, and PaCT Lab at Northumbria University.
His research focuses on exploring behavior change and cybersecurity.
Thank you for joining us, Dr. Blythe.
Thank you for having me.
So the Center for Future Crime, that's kind of an intriguing name.
What does that mean to study future crime?
So the Centre for Future Crime, we seek to focus essentially on horizon scanning what are the crimes that may arise from technological change or societal changes of the future and try to design out these risks through policy and regulation.
So your research looks at security issues around the Internet of Things. Could you explain for people what the Internet of Things is?
Certainly. So the Internet of Things is essentially everyday objects with the ability to connect to and exchange data over the Internet.
It includes many different objects from Fitbits to Amazon Alexa, smartwatches, all the way up to connected dishwashers, connected thermostats.
And it's essentially the ability to use these products via the internet, and it gives us many different affordances such as, in the case of thermostats, it would be personalized heating services based on our behavior and habits.
Why should we be concerned about the security around the internet of things?
These devices are in our home. They may be connected to a boiler.
They may be connected to a critical function in our house, such as a smoke alarm.
And if these are interconnected, it means that a hacker can potentially exploit that device.
So if you think about the boiler example, it could potentially be hacked and the fire could be
caused, and that could potentially lead to loss of life.
So it's no longer just thinking about security and the privacy of our personal data,
but it's also our well-being and potential life as well that can be exploited by these
inherently insecure devices.
And so what can be done to make them more secure?
So at the minute, manufacturers simply aren't giving enough consideration to the security of IoT.
They are shipping these products out with essentially market failures.
An example of some of these market failures are that a lot of these products can't be updated,
so a vulnerability may be found in a product, but a large portion of the population may already purchase that product,
and there's nothing the consumer can do about that.
They now have a product that can't be updated anymore.
And that's an example of one of the market failures.
And what we call it in crime studies is a crime harvest, which is where an innovation is
introduced in society and there's not given adequate consequences of the crime.
So the same thing happened when we started using vehicles.
Vehicles were designed, but they weren't designed with crime in mind.
So what happens is that the criminals will start to reap the crime harvest.
They recognize the potential opportunities that can be afforded by the lack of security
of the innovation.
And then what then happens is that we recognize the potential crime
consequences and then try to design out that crime.
And what incentives do manufacturers have to make
these products more secure at this point?
At this point, there's very little incentive for manufacturers
to take this seriously, which is why we're not really seeing manufacturers actually ship these products
with security built in, or in the UK we call it security by design, making sure that the security
is baked into the product before you ship it out to consumers. What manufacturers are doing is to put
all the burden on the consumer, expecting the consumer to protect the device, to change lots of
passwords, to change all the settings, to essentially make the consumer protect the product
rather than them shipping it with better security in the first place.
So I understand that some of the research you've done is around labeling.
Can you talk about what that means?
How should these products be labeled?
So the labeling scheme, which is called the Consumer Security Index in our project, is it's part
of the UK government's initiative to improve the security of these products.
So March this year, the UK government, specifically the Department for Digital, Culture, Media and Sport,
who are in charge of the cyber security policy, announced their Secure by Design for Consumer IoT report,
which outlined the government measures for improving the security of these devices.
Primarily, this was a code of practice that manufacturers should follow to ensure that these
products are secured by design, but a supplementary measure was to explore the role
of the labelling scheme to first aid consumer choice, because at the minute, if you were
to go and buy a smart device, for example a smart kettle, from a store, there's no way for
you to make a distinction between a secure product and insecure product. So the label
would help you make that choice and that decision. The second intention of the label is to
actually incentivize manufacturers to actually ship these products with security in the first
place, otherwise potentially risk reputational damage.
Do consumers have any idea at this point how insecure these products are?
So a lot of research lately has suggested that the main barrier to adoption of the Internet of Things is security and privacy concerns.
We know that people are concerned about how their data may be used from these products and how that may be shared with third party companies.
But people aren't readily protecting themselves.
So recently there's some stats by Cisco which found that 50% of people
see the value in IoT, only 10% of them actually think their data is secure, but 42% would
continue using the products anyway. And it's what's called in the research a privacy paradox. People
value their privacy, but they don't readily take any action to protect it. And there's a number of
reasons for this. Botnet called the Mirai botnet, which was essentially hundreds and hundreds of
thousands of exploited IoT devices that took down Netflix and Twitter and disrupted service access
to these products.
So it's not really happening to consumers so much at this point. They're
targeting major corporations from what you're seeing.
They're mainly being used in what we would
call a strategic risk where they're being used to take down a company or a service provider.
Not so much. We haven't seen many attacks against consumers themselves.
What should consumers be worried about? I mean, I'm just imagining, and I've said this before
to my friends and colleagues, you know, you get a smart TV, you watch it, it watches you back.
What's it doing with this?
So the smart TV example, a couple of years ago,
it was announced, well, it was revealed actually
that governments were potentially,
well, the secret agencies of the government
could potentially take sensitive data
from the microphones in your smart TVs,
which could reveal quite private conversations
that you maybe have with family members.
So there's that aspect to it,
the privacy side of your life,
but also, like I said earlier,
the safety side as well,
if it's a children's toy,
that's connected to the internet
and a predator can potentially talk to your child.
You know, that's very, that's very concerning.
Well, it sounds like there are implications for law enforcement, you know,
where they might start asking if they can get records from these corporations,
you know, say you're suspected of some kind of a crime.
I mean, is this what consumers should be thinking about right now
as they're purchasing these items?
Yeah, and that has happened.
There is an example of this in America where they have used data from a guy's Fitbit
to show that he committed the murder of his wife.
Scary stuff.
Are there particular devices that we should be leery about?
And I'm thinking, I mean, one device that's out there right now
that kind of, I have to say, gives me the creeps is the Amazon is distributing this lock system
that you can supposedly can watch the delivery person arrive at your house,
but basically that person can go in your house to leave a package.
Is that the kind of thing we should be concerned about?
Yeah, so I think there's the concerns in terms of what is the kind of device? Is it
linked to something that's safety critical? For example, your front door, is it linked to something
that may have a heating element, such as your boiler, or something that may be security
related, such as your security cameras? I think people should be concerned about potentially what
is it, what is the device linked to? What might it reveal about your house, your occupancy? For example,
smart thermostats can let somebody know whether you're in the house or not, and that can be
used to facilitate burglaries and other crimes as well.
What are the next steps for you in terms of the research that you're doing?
So we're looking to work with the UK government to develop a labelling scheme.
It's going to be co-designed with both experts and consumers.
So the consumer side of it is working with consumers to understand their preferences
around what they want communicated on a label.
What value do they see in a labelling scheme?
Would it actually influence their behaviour?
We'll also work on with experts to actually identify the underpinning technical content of the label
because we're assessing objectively what security means.
So all of our work is a lot more on the technical side of that.
We'll also run a series of experimental studies to look at the design aspects of the label
and whether that nudges people's behaviour and whether it would actually lead to them purchasing
a more secure product.
Because ultimately we want the label to act as a market lever and as a market differentiator so that people
would be nudged to buying a more secure and private device than one that isn't.
But your work is focused on the UK, right?
So, I mean, as far as the United States, are we doing anything similar here?
So the UK government is in talks and collaboration with the USA
because recognizing that actually these products are built across a global supply chain,
they're not made primarily in the UK, they're made across the world,
so it's very important that governments do collaborate.
The UK government are looking at consumer IoT and have released reports
on this.
What Internet of Things products do you have in your home?
I don't own any.
I guess you would know.
Yeah. I don't want to, I mean, I've been very negative here. I don't want to scare
people into not buying these products, but there is a huge potential crime risk associated with
these devices. And particularly, I mean, the major manufacturers like Apple, Amazon, they do take
security seriously. So if you're going to buy an IoT device, maybe go for one of the bigger
providers rather than a cheaper one by a manufacturer who don't have a competency to, a, understand
security and, b, bake it into the product.
Given what's happened recently with Facebook, for example,
can we trust these manufacturers? I mean, that's one of the biggest corporations in the world. And yet,
you know, their data, who knows where it went.
Exactly. I don't want to say don't trust these
companies. I think people, I think what needs to happen is that there needs to be a
better way for people to understand what's happening with their data and not to
rely on people to read terms and conditions, because it's just impossible to expect
people to read that. People just tick the box and then they move on. So how are
people ever going to really be able to protect themselves with, protect their
personal data, if we're relying on people to read those terms and conditions? In
the UK, in the EU, we have the upcoming GDPR legislation, which is a really good
piece of legislation. It's going to put more power back to consumers around how their personal data is
used, and hopefully that will start to see traction towards privacy being taken more seriously
as we are more internet-connected.
Anything else you'd like the public to know about the work that you're doing?
Ultimately, we want the label scheme, because governments aren't regulating the Internet of Things,
they're not enforced on manufacturers to actually ship these products with security built in.
The UK government have said that if they are giving manufacturers the opportunity
to address this through the code of practice
in the UK government.
And if they aren't going to address it,
then they might look at regulation
for some manufacturers to do it.
But in the absence of that, we need,
for example, the labeling scheme
to actually help people make a distinction
between a secure and insecure product.
Otherwise, there's no way for people to actually make
that product choice unless they're gonna go out
and research the security of the product,
which the average consumer probably won't do.
All right, well, you've given us a lot to think about.
Yeah.
Thank you very much for joining us
today, Dr. Blythe.
Thank you very much.
Speaking of Psychology is part of the APA podcast network,
which includes other great podcasts such as APA Journals Dialogue about the latest and most exciting
psychological research and Progress Notes, which discusses the practice of psychology. You can find
all APA podcasts on iTunes, Stitcher, or wherever you get your podcasts. You can also go to our
website, www.speakingofpsychology.org, to listen to more episodes
and see more resources on the topics we discuss.
I'm Kim Mills with the American Psychological Association,
and this is Speaking of Psychology.
