
Internet-of-Things: ethical considerations

Introduction

The International Telecommunication Union (ITU) defines IoT as “A global infrastructure for the information society enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies”[1]. In recent years, the number of devices belonging to the IoT world has seen a consistent positive trend due to their widespread use in important sectors such as healthcare, industry, and homes. In fact, Insider estimates that by 2027, connected objects will be 41 billion[2]. While the global proliferation of these devices will undoubtedly simplify the lives of millions of people, they also pose a significant threat to the security of businesses and citizens. The main reasons for this threat are as follows:

  • Pervasiveness: IoT has the ability to permeate any sector.
  • Ambiguity: Distinguishing an IoT device from a traditional one (think of a smart boiler or surveillance cameras) can be difficult.
  • Connectivity: Within a household or business environment, a large number of smart devices can generate a significant amount of data. When the goal is to identify malicious traffic, this data volume can confuse and complicate analysis.
  • Data management: The sheer volume of data generated by smart devices and the limited interoperability between different brands hinder centralized device management. This poses a security risk because an increased number of devices implies more points of attack on data and the hosting infrastructure.
  • Autonomy: Smart devices can be autonomous and may not require user interaction. However, if the device’s behavior becomes unexpected (due to software bugs, physical damage, or situations not properly handled by the system), this can have a significantly negative impact on the environment hosting the device.

This paper aims to analyze the world of IoT from multiple perspectives, seeking to identify ethical, social, and legal issues. In the first chapter, I will address the topic of privacy; in the second, the topic of informed consent; in the third, I will focus on the physical risks associated with smart devices. In the fourth chapter, I will tackle the subject of cyberwar, and in the fifth and sixth chapters, I will discuss the digital divide and IoT-related regulations, respectively.

Privacy

Smart devices are known to produce and transmit a considerable amount of data, which varies in nature depending on the type of sensors used. This sensor technology can range from a simple microphone to a heart rate monitor, depending on the device’s associated task. The sensitivity of this data clearly depends on the location, type, and potential uses of the data. Ensuring that such information is managed securely and confidentially is a significant challenge in the world of IoT because a breach of these resources can have profound repercussions on people’s lives. An example is the attack on certain Nest security camera models in 2019[3]. In that instance, hackers gained access to users’ home cameras and started broadcasting voice messages through the camera’s speakers, frightening the occupants. If that attack had been more malicious, what would have happened if instead of joking, the hackers had used the footage to blackmail the homeowners? What if a moment of infidelity had been recorded, or if footage of children had ended up on the dark web? Who would have protected the tenants, and what would have been the psychological consequences of such events? Images are an example of sensitive data, but what if data breaches involved healthcare, religious, or cultural data in countries where certain actions are punished with life-threatening consequences? Another fundamental point is whether protecting data is sufficient to guarantee privacy. Does an IoT system that implements double authentication with elliptic curve encryption ensure privacy? The answer is no. You don’t need to know the content of a letter to know where it came from and to whom it’s addressed. Metadata associated with digital resources can provide a significant amount of information, which, once illicitly disclosed, constitutes a privacy breach. It’s not enough to encrypt the content; the entire transmission process must be protected against possible leaks of information. 
An example that illustrates this concept well is the following: imagine owning a smart speaker that records your conversations and sends them to its servers, as is the case with devices like Alexa. The communications are encrypted, so an attacker cannot retrieve this information. However, let’s say a thief listens to the communications and notices that network traffic diminishes during the night. What can they deduce at this point? For example, that people inside the residence are sleeping. Thus, even though the information is protected in its form, the information in its essence is not protected. A thief could then determine when the house is empty by analyzing outgoing data flows. The point is to recognize the importance not only of the data generated but also of the data that can be derived from it. In the world of IoT, this is crucial to ensure individuals’ right to privacy.
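The inference described above (low upload volume at night reveals when the occupants sleep, even though every payload is encrypted) can be made concrete with a short simulation. The following is an added example, not part of the original essay: the hourly upload volumes are constructed sample values for a hypothetical smart speaker, `quiet_hours` performs the passive observer’s inference from sizes alone, and `pad_to_constant_rate` shows the defender’s counter-measure of cover traffic that hides the schedule, together with the bandwidth it costs.

```python
"""Traffic-volume side channel on encrypted IoT uploads, with a padding mitigation.

Added example (not from the original essay). The hourly upload volumes below are
constructed sample values for a hypothetical smart speaker, not real measurements.
"""
from statistics import mean

# Constructed: KiB uploaded per hour (index 0 = midnight) over one day.
# An on-path observer sees these sizes even though every payload is encrypted.
SAMPLE_HOURLY_KIB = [
    2, 1, 1, 1, 1, 2,        # 00:00-05:59: household asleep
    30, 55, 40, 20, 15, 18,  # 06:00-11:59
    45, 30, 12, 10, 25, 60,  # 12:00-17:59
    70, 65, 50, 35, 15, 8,   # 18:00-23:59
]


def quiet_hours(hourly, ratio=0.25):
    """Hours whose volume falls below `ratio` times the daily mean.

    This is the inference the essay describes: low traffic means nobody is
    talking to the speaker, so the occupants are probably asleep or away.
    Only sizes are used; the ciphertext itself is never examined.
    """
    threshold = ratio * mean(hourly)
    return [hour for hour, kib in enumerate(hourly) if kib < threshold]


def hour_ranges(hours):
    """Collapse a sorted list of hours into inclusive (start, end) ranges."""
    ranges = []
    for hour in hours:
        if ranges and hour == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], hour)
        else:
            ranges.append((hour, hour))
    return ranges


def pad_to_constant_rate(hourly):
    """Mitigation: emit cover traffic so every hour carries the daily peak volume.

    Real uploads and padding are indistinguishable by size, so the observer's
    `quiet_hours` heuristic finds nothing.
    """
    peak = max(hourly)
    return [peak] * len(hourly)


def bandwidth_overhead(original, padded):
    """Ratio of padded to original volume: the price of hiding the schedule."""
    return sum(padded) / sum(original)


if __name__ == "__main__":
    leak = hour_ranges(quiet_hours(SAMPLE_HOURLY_KIB))
    print("inferred quiet ranges:", leak)          # [(0, 5)]
    padded = pad_to_constant_rate(SAMPLE_HOURLY_KIB)
    print("quiet hours after padding:", quiet_hours(padded))  # []
    print("bandwidth overhead: %.2fx" % bandwidth_overhead(SAMPLE_HOURLY_KIB, padded))
```

Running the script recovers the sleeping window 00:00–05:59 from sizes alone, and shows that constant-rate padding removes the signal only at roughly 2.75 times the original bandwidth. That cost is exactly the tension the essay returns to later: metadata protection demands resources that low-cost, low-power smart devices rarely have.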

Informed consent

Another fundamental aspect of IoT is the concept of “informed consent.” The American Medical Association defines informed consent as “the right to receive and ask questions […] so that they can make well-considered opinions.”[4] The basic idea is that individuals should be in a position to choose what they believe is best for themselves with a full understanding of the tools and implications associated with what they will use or do. In IoT, informed consent is important because smart devices manipulate and acquire, through their sensors, sometimes highly sensitive data. In 2018 [5], it emerged that Amazon’s Echo devices had accidentally recorded a private conversation between two users and subsequently sent the audio file to a contact without the consent of the individuals involved. This incident raised privacy concerns and highlighted the importance of obtaining user consent for the recording and storage of audio conversations. Since the early 2000s [6], informed consent has also been applied in the digital world, and in particular, as early as the 1980s, there was the End User License Agreement (EULA), a license contract still widely used, containing all technical and legal information regarding the user. The problem with this contract is that, on one hand, it contains an excessive number of technicalities and legal formalities that lead end users to skip reading it, and, on the other, it does not consider any content differentiation based on the context in which it will be applied [7]. These two factors ultimately make the EULA ineffective and hinder informed consent in the case of IoT devices. In general, a good informational document should provide comprehensive and straightforward answers to questions such as:

  • Who collects the data?
  • What happens if the user wants to remove their devices? Are the associated data removed, or do they remain in some database over time?
  • What happens if the manufacturer stops supporting a particular device?
  • What happens if the device behaves unexpectedly for some reason? Is user responsibility clearly defined?
  • Who is responsible for device maintenance, and what are the policies for doing so?

It should also include references to possible physical authorities to contact or reach out to in case of doubts and concerns. Furthermore, this document should allow for multiple courses of action, as opposed to traditional documents where informed consent seems to mean “either you accept this, or don’t use my product,” a policy that hinders genuine consent.

Physical risk

The risk associated with IoT devices is not limited solely to the social or digital level but also encompasses fundamental physical aspects. The danger of a compromised device is not restricted to the dissemination of information or resource abuse; it can also stem from the intrinsic capabilities of the device itself. IoT objects are essentially common objects to which components have been added to enable them to communicate and “reason.” For instance, a smart boiler is, first and foremost, a boiler with all the typical risks and hazards of a traditional boiler. If an attacker were to compromise its operation and disrupt its stability, the consequences could range from benign to catastrophic depending on the nature of the interference, and these consequences would not be confined to digital outcomes. Moreover, the risk is not solely tied to the device’s inherent physical characteristics. For example, a boiler that manages methane or other gases is clearly more dangerous than a smart speaker in terms of potential harm. However, even physically less hazardous devices can have serious implications. For instance, in an emergency situation such as a fire, if a smart speaker were to distract or misdirect a firefighter through sound or messaging, this could have significant consequences. In the best-case scenario, the firefighter might come out having inhaled more smoke, while in the worst-case scenario, they might not make it out at all. “Safety in IoT means being able to reason about the behaviour of IoT devices, especially actuators, and being able to detect and prevent unintended or unexpected behaviour”[8]. It is therefore evident that the implications of an IoT device extend beyond the digital realm and can reach into the physical world. Consequently, these devices must be designed with consideration for the environment in which they will be used and the interactions that users might have with them. IoT device security must encompass not only data protection but also the prevention of potential physical harm or incidents.

Cyberwar and cybergangs

The world of IoT and its insecurities are inherently linked to the reality of cyber warfare and cyber gangs, groups of cybercriminals sometimes funded by government agencies that are increasingly prevalent and dangerous in today’s context. Smart devices marketed globally are offered to an audience typically lacking in cybersecurity awareness, which should be a prerequisite for using such devices. This, coupled with the fact that IoT technologies are often developed without native security measures, provides an ideal breeding ground for malware dissemination and the threat of amplifying the number and effectiveness of malicious cyber incidents. The events of October 2016, involving the Mirai botnet used to launch a massive Distributed Denial of Service (DDoS) attack against the DNS provider Dyn, serve as a clear demonstration of this. On that occasion, around 100,000 infected devices, including surveillance cameras, PCs, smartphones, and other smart devices, executed a targeted DDoS attack on Dyn, a DNS service provider. This resulted in an overload of Dyn’s resources, rendering many major websites and services relying on their DNS servers inaccessible, including Twitter, Reddit, Netflix, and others. The direct and indirect consequences were immeasurable. It is clear, therefore, that IoT devices must be viewed not only for their primary purpose but also for the potential uses that can be made of them. Cyber gangs exploiting ransomware (malware that represents a significant portion of global cyberattacks today and is based on resource locking through encryption) can particularly benefit from the insecurity of the IoT world for several reasons:

  • Smart devices can be exploited as command and control (C&C) servers[9].
  • IoT devices are generally used by individuals unaware of the importance of updating their systems, so known vulnerabilities, correctable through periodic tool updates, could be used as access vectors.
  • In the future, as IoT devices become more widespread, cybercriminals could target ordinary individuals rather than businesses, potentially making significant profits by demanding even modest ransoms from individual users.
  • As smart objects take on critical roles within homes (thermostats, locks, lighting systems, etc.), it becomes more likely that victims will pay rather than wait for their systems to become operational again, especially if the requested ransom is less costly than system restoration.

The security of the IoT world represents an essential piece of the puzzle for advancing digitization, but it poses a challenge that traditional endpoint protection systems cannot guarantee for several reasons, primarily limited detection capabilities. TrendMicro reports that detection statistics for malicious actions among 2958 IT Decision Makers in 26 countries were alarmingly low in 2021, as seen in Table 1.

Table 1: Percentage of detection of business security solutions

Action                                       Percentage of detection
Ransomware payload                           63%
Use of tools like PsExec and Cobalt Strike   53%
Data exfiltration                            49%
Initial access                               42%
Lateral movement                             31%

These data are extrapolated from business contexts but provide insight into the level of detection effectiveness of current home solutions against ransomware and the tools present in the characteristic malware attack chain. Corporate EDR solutions, on the other hand, are designed for business environments, making them unsuitable for application within domestic systems, both due to cost and the technical knowledge required for installation and product maintenance. An important aspect to consider is also the limited computing capacity of smart products: traditional EDR tools like AV, web control, and web protection tools become unsuitable when applied to the IoT world.

These and other factors pose a significant challenge for the search for new protection methods. Furthermore, following the Edward Snowden scandals related to surveillance by US intelligence agencies, the issue of IoT device insecurity should be, if not a top priority, at least a highly debated one. Leaving an indefinite number of IoT devices unsecured can pose a real risk to a state’s citizens. During the war in Ukraine, there were cases where, due to a smartphone left on, Ukrainian soldiers were tracked, leading to entire platoons being eliminated [11]. Meanwhile, Russia used its botnets to amplify disinformation by spreading fake news through major social media channels [12]. These events raise an important question: what distinguishes a washing machine from a weapon? And what distinguishes a smart washing machine from a weapon? The idea is that a traditional washing machine is unlikely to escape its domain of action. Its physical characteristics indeed prevent it from being remotely exploited to carry out attacks on third parties, especially if those third parties are not in its immediate vicinity. The difference is that, despite its weight, a smart washing machine can communicate with other objects or people hundreds of kilometers away, thanks to the computational and communication capabilities that were added when it was labeled “smart.” Is it fair to consider a smart washing machine as just a regular washing machine when there is a risk that it could be integrated into a botnet? And where does the risk associated with such devices end? The problem is that security implies strict rules and compartmentalization, while IoT envisions devices with limited hardware resources (not always, but in the vast majority of cases), low cost, and ease of use. So, is there a real balance that can be struck between these two worlds?

Digital divide

We are facing a new era of illiteracy. Now, everyone can speak, write in one or more languages, and use a smartphone, but how many are literate when it comes to cybersecurity and network infrastructure management? Perhaps the boldest are, but certainly not everyone [13]. This triggers a series of significant consequences in the context of the proliferation of IoT devices, falling within the phenomenon of the digital divide. Is it acceptable to think of having 10 billion connected IoT devices with even just 1% of the population being ignorant of cybersecurity? Producing easily configurable smart objects is risky because it implies that no specialist will be needed for installation, leading to an overall increase in cybersecurity risk. In 2016, the Mirai botnet had just over 100,000 devices. If 1% of 10 billion devices were compromised, it would mean having 100 million compromised devices. Perhaps a DDoS attack would be thwarted, but what if these 100 million devices were used for large-scale phishing attacks or other next-generation attacks? The scenario would be nothing short of catastrophic. What would be the market consequences? Would the population be educated about applying rules to secure their infrastructure? Would consumers be aware of the origin, supply chain, and policies of the company when purchasing IoT devices? But most importantly, is this something we should be concerned about? When we eat a sandwich from a vending machine, we don’t really know what’s inside, nor do we worry about reading the label. The problem is that when we consume food products, the damage is usually localized. When it comes to digital insecurity, the situation changes because most of the time, the harm is directed towards third parties; the device owner is just one node in the applied attack network.

Legal aspects

To ensure data privacy principles, informed consent, and to limit the proliferation of potentially infected or vulnerable devices, the role of the government and key state agencies is one of the most decisive tools. The manufacturing and data generated by IoT devices currently lack standardization[14], which is, in fact, needed. This absence not only severely limits the potential of such devices (as interoperability between devices from different brands requires common communication and data management standards) but also the trust that consumers can and should place in them. In this regard, regulations should govern: how data is manipulated and transmitted; how consumers are informed about risks and data management; supply chain, maintenance, and product decommissioning; how consumers and manufacturers should react in the event of a cybersecurity incident or the discovery of bugs and vulnerabilities. Governments, therefore, have a dual role[15]:

  • Infrastructure Provider Role: Governments should issue licenses based on their security and compliance standards. The goal is to ensure that products are used solely for their specific purpose.
  • User Role: Governments should specify the requirements and usage modalities of IoT devices to ensure security, reliability, and robustness of IoT devices.

Currently, the main European regulations include:

  • EU Directive 2013/40: This Directive focuses on “Cybercrime,” which includes actions against information systems. It establishes definitions for criminal activities and enforces suitable penalties for offenses targeting information systems.
  • EU Directive 2014/53: This directive is concerned with standardization matters critical for the collaborative and synchronized advancement of technology within the EU, particularly regarding “the harmonization of the laws of the member states relating to the marketing of radio equipment.”
  • EU NIS Directive 2016: The Network and Information Security (NIS) Directive centers on matters related to “Cybersecurity.” Its objective is to establish legal measures for achieving a consistent level of cybersecurity (network/information security) across the EU and improving coordination among EU Members.
  • EU GDPR (European General Data Protection Regulation) 2016: This regulation pertains to matters concerning privacy, ownership, and data protection. It offers a unified set of rules that are directly enforceable within EU member states.

Conclusion

The analysis has highlighted many critical issues with IoT devices. These problems risk undermining people’s trust in these technologies and represent a significant threat to the security of citizens and businesses. Therefore, it is necessary to reconsider the role of IoT and its proliferation, aiming for a security-oriented production approach, as well as awareness campaigns promoting the ethical and conscious use of smart devices and all the principles listed throughout this document.

References

[1] C. Zavazava. ITU work on Internet of Things. ICTP workshop, 2015.

[2] Peter Newman. The Internet of Things 2020: Here’s what over 400 IoT decision-makers say about the future of enterprise connectivity and how IoT companies can use it to grow revenue, Mar 2020. https://www.businessinsider.com/internet-of-things-report.

[3] Alex Sundby. Hacker spoke to baby, hurled obscenities at couple using Nest camera, dad says, Feb 2019.

[4] World Medical Association. World Medical Association Declaration of Helsinki: Ethical Principles for Medical Research Involving Human Subjects. JAMA, 310(20):2191–2194, 11 2013.

[5] HDblog.it. Amazon Echo registra per errore una conversazione e la invia ad un contatto, May 2018.

[6] Gunther Eysenbach and James E. Till. Ethical issues in qualitative research on internet communities. BMJ, 323(7321):1103–1105, 2001.

[7] Ricardo Neisse, Gianmarco Baldini, Gary Steri, Yutaka Miyake, Shinsaku Kiyomoto, and Abdur Rahim Biswas. An agent-based framework for informed consent in the Internet of Things. In 2015 IEEE 2nd World Forum on Internet of Things (WF-IoT), pages 789–794, 2015.

[8] Yuvraj Agarwal and Anind K. Dey. Toward building a safe, secure, and easy-to-use Internet of Things infrastructure. Computer, 49(4):88–91, 2016.

[9] Marco Dela Vega, Jeanne Jocson, and Mark Manahan. Emotet adds new evasion technique, Apr 2019. https://www.trendmicro.com/en_us/research/19/d/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-c-c-servers.html.

[10] TrendMicro. Everything is connected: Uncovering the ransomware threat from global supply chains, a global study. Technical report, 2022. https://www.trendmicro.com/explore/glrans.

[11] https://www.cbsnews.com/news/ukraine-news-russia-military-blames-cell-phones-strike-soldier-deaths/.

[12] https://edmo.eu/2022/04/28/a-pro-russian-bot-network-in-the-eu-amplifies-disinformation-about-the-war-in-ukraine/.

[13] Alex de Zeeuw, Alexander J.A.M. van Deursen, and Giedo Jansen. The orchestrated digital inequalities of the IoT: How vendor lock-in hinders and playfulness creates IoT benefits in every life. New Media & Society, 11 2022.

[14] https://www.comparitech.com/internet-providers/iot-statistics/, Jun 2023.

[15] https://www.bbvaresearch.com/wp-content/uploads/2016/07/deojul (^16) cap 3 .pdf.