Ethics in the world of the Internet of Things
February 14th, 2020
The Internet of Things (IoT) includes devices, platforms and systems that can be broken down into various ecosystems. These ecosystems are made up of components that connect IoT devices and include electronic and mechanical things like wearables, health devices, sensors, surveillance networks, autonomous cars, home automation gateways, servers, and analytics services that build data storage visualizations. This collection of data provides insights into personal information, consumer behaviors, timeless historical routines and human preferences. These systems work together to enhance knowledge as well as follow behaviors and track the human connections that contribute to the development and promotion of new and original communities. Without properly applied cybersecurity, an insecure Internet of Things can introduce major risks to business networks, exposure of sensitive data, opportunity for sabotage, and serious loss and destruction of personal data and privacy information. Given these significant risks, the industry needs the ability to apply a set of moral, ethical, and legal principles for deploying and managing the IoT and how the “Things” of the IoT interact with and affect humans.
Devices, Sensors, and Actuators
The IoT is a dynamic system of changing and multiplying interrelated computing devices, digital machines, objects, animals, and people collectively known as “Things”. IoT end-point devices share foundational common components, such as radios, sensors and actuators. Device types include wearables, medical devices, surveillance cameras, autonomous cars and home automation networks. Many devices now discoverable on the internet have existed for decades as disconnected, standalone devices. For example, the calculator wristwatch was first introduced in 1975 and has now evolved into a mini-computer that connects data and people. Today, there are thousands of devices available for IoT applications such as health and medical monitoring, personal safety and awareness, sport and fitness, home monitoring and machine diagnoses. For example, watches today not only provide the time-of-day, but also location and health monitoring as well as access to emails and text messages.
These technologies enable the capture and collection of their users’ personal information, including daily routines, lifestyle choices, personal health, location and movement. Mobile devices are full of sensitive information about users and the minute-by-minute actions they perform. These devices use the same wireless communications techniques as smartphones and also engage short-range networks and gateways. So, without the right set of privacy controls, important and sensitive information from these devices could be compromised and eventually misused in harmful ways never imagined or intended. Without the right security controls, data gathered could enable identity theft, stalking, fraud and other cybercrimes.
The recognizable risk of the IoT is the vast expanse of the World Wide Web and the ability of the system to function independently without direct human control. If programmed, designed, and implemented without security and privacy standards, the IoT risks loss of control and mayhem. Without policies that are aimed specifically at helping to protect users, IoT deployments will put users and their data at risk. The IoT by design lacks user controls, namely the ability of its users to proactively control their identities and experiences. In this way, the architecture of the IoT inherently lacks the ability to function in a way that safeguards and preserves an individual’s right to privacy and anonymity. For example, if implemented without secure controls, health-related technologies pose a higher risk of loss of sensitive data and a higher risk of loss of life if the devices sustain a cyberattack. Traditionally, device providers and manufacturers have taken the position that the responsibility for security lies with the user of the device rather than with the device manufacturer or provider. So when IoT devices are not actively controlled by specific users, the responsibility for that device’s security becomes one step further removed, thereby increasing cybersecurity risks not only to that device and its user, but also to the security of the IoT ecosystem itself.
The Internet of Things and Ethical Challenges
The responsibility of securing the IoT falls on the shoulders of the cybersecurity workforce. Cybersecurity as a discipline has now entered the occupational mainstream and consists of analysts, incident responders, engineers, architects, administrators and software developers. Collectively these roles represent cybersecurity as a profession.
Ethical needs lead to moral dilemma. A moral dilemma is different than applied ethics. “Morals” refers to an individual's own principles regarding right and wrong. Examples include honesty, respect for property and others, courage to do the right thing in conflicting situations, and the ability to uphold your promises. “Ethics”, by contrast, refers to a set of rules established by a governing body that is recognized by that body’s community. Professional conduct in workplaces or principles in religions are examples of ethical requirements. Ethical considerations have always lagged. Ethical design is often not a priority for emerging technologies. The speed of deployment and the widespread footprint of the IoT have created a significant and broadened need for new policy and legal requirements for IoT security controls and for new legislation. Humans affected by the IoT lack the ability and resources to accept or decline participation in the IoT ecosystem. The major ethical issues spearheaded by the IoT underscore the lack of informed consent in its participation, failure to protect its users from potential harm, the absence of a pledge of anonymity and confidentiality for unaware users and a genuine commitment to privacy protection.
Today’s cybersecurity profession lacks a formal and ratified Cyber Professional Code of Ethics. Many professions are regulated and governed by a “Professional Code of Ethics”. Attorneys take an oath as a requirement of licensing to practice law. This lawyer’s code ensures that the practicing attorney will provide competent representation to all clients and requires that they continue to maintain up-to-date legal knowledge and practicing skills so they can provide the thorough representation needed to serve and protect a client’s best interest. In comparison, the “Physicians Code of Ethics” binds and guarantees that medical doctors are dedicated to providing competent medical care, always with compassion and respect for human dignity and rights for all patients. Many organizations and corporations require employees to attend yearly training on ethics, and in some cases to sign statements promising to adhere to all ethical guidelines established by the company. In addition, individuals abide by personal codes of ethics that originate from moral beliefs derived from religious and secular philosophical beliefs as well as simple rules of behavior. When you consider the risk of personal harm, including loss of personal data, that may occur if the IoT is mismanaged and insecure, it is reasonable to believe that the cyber profession needs its own Hippocratic oath.
What would a Cyber Professional Hippocratic oath include? The aim of such an oath is to prevent undue harm and help ensure that protections are applied before such harm develops. There are numerous examples of negligent security practices and cascading failures leading to user harm. Security failures include lack of data encryption, the use of default passwords, unpatched network components and software, and publicly exposed design flaws. Consumers have been victims of compromised credentials, hijacked cameras, Denial of Service (DoS) attacks and the exposure and loss of their identity and personal privacy.
A Cyber Professional Code of Ethics would force a sincerely needed “think before you deploy” mentality. Cyber Professionals must accept and pledge that the practice of security is foundationally as important as the practice of Medicine and Law. This professional oath must consist of a full and unwavering commitment to strictly adhere to a common body of core knowledge that is not only shaped by new technologies, regulation and governance but also checked and balanced by collectively established ethical requirements. Professionalizing the field of cybersecurity will involve setting and adhering to a set of protection criteria. These conditions must give thought and consideration to design-stage platform development and seek not to allow injury to humans or property. Until this Cyber Professional Code of Ethics is defined, realized and accepted, the IoT will continue to be plagued with insecurities with great potential to adversely affect our personal and public safety and security.