Why data privacy is up to developers

With mobile devices generating and sharing ever more data, developers need to build in the privacy safeguards that standards organizations and consumers can't necessarily mandate.

"I don't think it's realistic to expect people to understand the complexities of [the Internet of Things] and to even be able to really assess the risks of their interactions with systems unassisted," said Naomi Lefkovitz, senior privacy policy adviser at the National Institute of Standards and Technology. "I really think system designers need to do a better job of building systems that first and foremost minimize privacy risks."

Lefkovitz, who was one of several federal speakers at the American Bar Association's Internet of Things (IoT) conference on March 30 and 31, added that once systems are finalized, the risks are locked in, and people have no real choice other than avoiding the system altogether.

"You can either turn them on or off," she said, using web cookies as an example. "That's not much of a choice."

She urged developers to think of privacy from the beginning, design meaningful choices for users and build in safeguards. For example, it would be helpful to have sensors that signal when they're recording to help Americans avoid "that panopticon effect of never knowing if we're being watched or not," Lefkovitz said.

Such design choices are particularly important as the IoT spreads vulnerabilities deep inside organizations and homes.

"You can't look at any device and assume it is fundamentally safe based on how it is or isn't connected," said Jeff Greene, former senior counsel for the Senate Homeland Security and Governmental Affairs Committee and now senior policy counsel at Symantec.

Citing the fact that even devices not connected to the Internet are vulnerable to hacking, Greene advised device makers to incorporate basic -- but often neglected -- security measures, such as avoiding hard-coded passwords and prompting users to change default device passwords during setup.

Various organizations have issued standards for IoT privacy and security, but industry needs to rally around credible norms, said Michael Aisenberg, principal cyber policy counsel at Mitre.

If that doesn't happen voluntarily, he told the room full of lawyers, IoT standards might be "built on the back of a cacophony of litigation" -- which might be lucrative for lawyers but bad news for public policy.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.


