Why data privacy is up to developers

With mobile devices generating and sharing ever more data, developers need to build in the privacy safeguards that standards organizations and consumers can't necessarily mandate.

"I don't think it's realistic to expect people to understand the complexities of [the Internet of Things] and to even be able to really assess the risks of their interactions with systems unassisted," said Naomi Lefkovitz, senior privacy policy adviser at the National Institute of Standards and Technology. "I really think system designers need to do a better job of building systems that first and foremost minimize privacy risks."

Lefkovitz, who was one of several federal speakers at the American Bar Association's Internet of Things (IoT) conference on March 30 and 31, added that once systems are finalized, the risks are locked in, and people have no real choice other than avoiding the system altogether.

"You can either turn them on or off," she said, using web cookies as an example. "That's not much of a choice."

She urged developers to think of privacy from the beginning, design meaningful choices for users and build in safeguards. For example, it would be helpful to have sensors that signal when they're recording to help Americans avoid "that panopticon effect of never knowing if we're being watched or not," Lefkovitz said.

Such design choices are particularly important as the IoT spreads vulnerabilities deep inside organizations and homes.

"You can't look at any device and assume it is fundamentally safe based on how it is or isn't connected," said Jeff Greene, former senior counsel for the Senate Homeland Security and Governmental Affairs Committee and now senior policy counsel at Symantec.

Citing the fact that even devices not connected to the Internet are vulnerable to hacking, Greene advised device makers to incorporate basic -- but often neglected -- security measures, such as avoiding hard-coded passwords and prompting users to change default device passwords during setup.

Various organizations have issued standards for IoT privacy and security, but industry needs to rally around credible norms, said Michael Aisenberg, principal cyber policy counsel at Mitre.

If that doesn't happen voluntarily, he told the room full of lawyers, IoT standards might be "built on the back of a cacophony of litigation" -- which might be lucrative for lawyers but bad news for public policy.