The Internet-of-Things has for years promised to usher in a new wave of innovation. It has sometimes been called the Internet-of-Everything or Internet 3.0—grand language illustrating its potential. That potential would also seem to offer new opportunities for law enforcement and intelligence services. But the promise has thus far not materialized.
I prefer, somewhat glibly, to use my own term for this wave of technological change: the Internet-of-Things-That-Are-Marginally-Useful-for-Surveillance (IOTTAMUFS). I use this term because the IOTTAMUFS is not going to be the boon to law enforcement and intelligence services that some suggest. Here is why.
The IOTTAMUFS presents two fundamental privacy and security challenges. First the privacy problem: consumers have no ability to understand the way in which IOTTAMUFS devices will collect and use data about them. As a result, they can’t provide meaningful consent to the collection. This problem already exists across the Internet today, but when consumers visit a website or use their iPhone, many at least have some idea that data collection is occurring in the background. That isn’t the case when everyday devices, like refrigerators or thermostats, collect data. Second, the security problem: for these everyday devices, it is going to be difficult to update or patch software or even to build strong security in the first place. As a result, many are going to be extremely vulnerable to compromise.
A consumer privacy problem coupled with a product security problem are the two most fundamental ingredients for a surveillance opportunity, whether that surveillance is carried out by an intelligence agency, law enforcement, or a malicious hacker. And as privacy and security issues go, these two problems are massive. Industry isn’t anywhere close to figuring out how to solve them.
But much of the data that is going to be collected by these everyday devices—and potentially going to be available for surveillance purposes—just isn’t going to be that useful. It is low value data. The data likely to be exposed isn’t often going to be data that intelligence and law enforcement agencies actually want.
I agree with the general argument made in the recent encryption debate that law enforcement has access to huge amounts of data today that can allow it to compensate for a lose of access due to encryption. But this argument rests on an assumption that isn’t always true – that the data law enforcement is gaining access to is as valuable for investigative purposes as the access it is losing. In some cases, such as the growing volume of geolocation data available, the argument holds up. In other cases, such as the IOTTAMUFS, it might not.
For example, consider data collected and used by the adtech industry. The Internet has brought a revolution to the advertising industry that is as consequential as the rise of the iPhone. Ad tech companies now collect vast amounts of data about Internet users that can be used to build consumer profiles and target advertising. The scope of this collection is staggering. However, despite the quantities of that data collected, this revolution in technology has not been nearly as consequential to law enforcement. The data in question simply isn’t that valuable outside of the context in which it is collected and used.
The same is going to be true for much of the data collected by IOTTAMUFS devices. The data from your thermostat or refrigerator just isn’t going to be as valuable as the data on your phone.
What does this mean for the privacy and security challenges mentioned earlier? It means that the surveillance opportunities created by these two fundamental problems are only going to be useful in a small number of cases, involving extremely motivated attackers targeting key individuals. It is only in those cases where someone will invest the time and effort to exploit vulnerabilities in IOTTAMUFS devices and figure out how to derive some value out of large quantities of mostly useless data. These new devices will create opportunities to collect information about heads of state but won’t be as helpful when it comes to standard criminals or lower level intelligence targets.
This is consistent with the general tend that we’ve seen in recent years and that is likely to continue: highly targeted surveillance that takes longer to execute will become easier even while quick, more broadly applicable surveillance becomes harder. Simply put, the attack surface for the products and systems we use has broadened and diversified. And while this provides an abundance of niche opportunities, it also means that there will be fewer simple surveillance solutions in the future.
