Episode 255: A deep dive into NIST's new privacy framework


Hey everyone, welcome to the two hundred and fifty-fifth episode of the Internet of Things Podcast. This is your host Stacey Higginbotham, and today's co-host is Chris Albrecht of TheSpoon.tech. That's right, everyone, Kevin has the flu. It's tragic and sad, but he will be back. In the meantime I have my good friend Chris Albrecht, who, like you said, is editor in chief over at the food tech site The Spoon. So of course we're going to sprinkle a little food love in here, but we're going to hit the main topics that even Kevin and I would hit. So Chris, thanks so much for doing this. Thank you for having me. It's going to be great. So this week we are going to be talking about the FTC bombshell: it's going back ten years, looking at small acquisitions. We'll talk about that, plus the approval for the T-Mobile/Sprint acquisition and what that means for IoT. Nest is calling for two-factor authentication, about time. Arm has new edge chips for the IoT. We've got news bits from LIFX to Tuya, and Chris is going to tell us about a fancy kitchen gadget that he is loving. Our guest this week is Naomi Lefkovitz, who is from NIST and is the person who is behind this new privacy framework, so we're going to ask her all about that and how to build privacy-focused devices. We're also going to hear from our sponsors DigiCert and Very. So before we get into it, let's hear from Very. Are you looking for an IoT development team who's been there, done that? Very's award-winning full-service IoT development firm will work with you to deliver your IoT solution on time and on budget. Learn more at www.verypossible.com, that's www dot V-E-R-Y-P-O-S-S-I-B-L-E dot com. Okay, hey Chris, let's get started with the FTC, the Federal Trade Commission. This was Tuesday afternoon and all of a sudden it said, hey, a bunch of companies, Alphabet, Amazon, Apple, Facebook and, kind of a surprise, Microsoft:
Basically we're going to need to look at the last ten years of your acquisitions and make sure they weren't used to stifle competition in the market. Which is kind of scary. I don't know, did you have a take when you saw this? Well, I want to hear yours. So why, why is scary the first word that you use? Well, one, because we've been talking for a year or so about how, oh, tech is too big, and we haven't really heard a lot of convincing arguments about how the FTC could handle breaking apart the tech firms, and going after a decade's worth of M&A activity feels pretty scary. Because what if, like, how would you undo those acquisitions? Would you just fine people? Would you fine the companies because of it? Would you seek to pull out the technology? The people? I mean, in some cases these are like acqui-hires and everybody has moved on. So I find it scary because it feels like that has gone way far back, and what are you going to do if you find out this was a problem? My first reaction to this was, given the administration we're currently under, which is a bit vindictive, I was like, well, who, what do they want to dig up? And why now? I realize that is a very sort of paranoid approach, but to your point, like, what are they going to do if something like, like, how do you extricate a deal from 2010 or 2011? It seems like such a, I don't know, I mean a ready, shoot, aim kind of approach to this. I don't know exactly what they do if they, to your point, what do they do if they find something? How much time and energy and resources are going to be put into this, and how much then do companies have to devote to fulfilling any kind of requests for information or anything like that? I mean, I don't know, like, I'm all for transparency. I know that there's a broader discussion to be had around the tech world and the tech world being too big, but it seems like, wow, 2010. A lot has changed since 2010.
I know, we were just getting LTE networks in, like, well, we had the iPhone, but we just got the iPad, but now we don't really care about it. So a few details. One, this is going to focus primarily on smaller deals, and these are deals that are less than five hundred billion dollars, because those don't typically trigger an FTC investigation. So this isn't things like, hey, Alphabet has announced that it wants to buy Fitbit. That's a pending deal, not something that would go under scrutiny under this particular thing, but it's all these smaller deals. They're also going to be looking at deals where the acquisitions were shuttered after the purchase. So this brought to mind, actually, Google, through its Nest division, bought a company called Revolv way back in like 2016. Revolv was a smart home hub, and it made one of the first hubs that had Zigbee, Z-Wave, Bluetooth and Wi-Fi. It was lovely, everyone was excited about it. When Google bought it, they shut it down. Admittedly, they shut it down because they didn't want to have to deal with the extra engineering staff, but the question is, did that hurt competition in this space? You might say it did, because it made it much more difficult, made hubs harder to, I guess, purchase, and it made it a less viable option. But other deals that I think would be, I don't want to say worth scrutinizing, but are of interest to our audience: Google purchased a couple of companies other than Revolv that fall kind of like in the IoT space. They bought a company called Thrive Audio that does surround sound. I've been wondering if we're seeing that in the Google Max. They've purchased a bunch of image recognition and computer vision companies. Those are kind of hard to say, because, you know, are they buying an algorithm? Are they buying just smart people? My hunch says smart people, so I don't know how anti-competitive that is. They bought a company called Cronologics.
That's a smartwatch company that we've never really heard from ever again. So they've done some health acquisitions. They bought a company called Senosis a while back, a couple of years back, that used phones for, like, health monitoring stuff. That company was in the process of getting their funding before Google came in and got them. But the other one is, just like, you think about Apple. Apple always makes those, you know, like, oh hey, we bought this, you know, these very stealthy acquisitions that you don't hear about until somebody digs up something. Yeah, they actually just completed one called Xnor.ai. Xnor was the back-end software that provided motion detection in our Wyze cameras that we all know and love. So Apple did that, and the assumption is they're going to use Xnor's technology, which is edge-based image recognition on a battery-powered or low-powered device. So think about if Apple can do image recognition without sucking the juice off of your smartphone, or on maybe their own cameras. So would something like that count? Apple also bought a company called Beddit, and Beddit is where I think a lot of the sleep tracking technology that we're going to see coming out in the Apple Watch is coming from, with sleep apnea detection, that sort of thing. Silk Labs is another one. Silk Labs was a company that was making a smart home hub and an entire ecosystem. It was a little stealthy, so we're not one hundred percent sure. They also had like some really beautiful hardware. The bigger point still stands. I mean, I don't know, I mean, I guess if you're looking for a pattern of behavior, but the competitive landscape of 2010 is just so hard to even remember right now, like it was the iPhone 4, I think, at that point. It's so hard to go back in time to then from an IoT perspective. We didn't have Nest. Nest launched in 2011. It was purchased by Google in a deal
that would not be part of this overview; it was purchased by Google in 2014. We didn't have any connected lights, like Hue didn't come out until like 2011. Wemo was out in 2011. In 2011 we started seeing a lot of connected home products just starting to hit the market. Yeah, so all this AI nonsense that we talk about all the time now, that was nowhere, nowhere. This was before we were doing amazing things in that department. So this will be worth watching. We'll see what happens, and stay tuned, because I'm sure we're going to keep talking about it for the next couple of months. The FTC didn't just like freak out the entire tech ecosystem with this. In other announcements, they also said that they would approve the T-Mobile/Sprint deal. This was actually not just the FTC, this was a judge that said, yeah, let's just go ahead and do it. The FTC actually was a little like, oh, we're going to do this too. So this is going to turn the number three and number four carrier into just the number three carrier. From the IoT perspective it's worth noting that T-Mobile and Sprint both had NB-IoT networks. Sprint's is a little bigger. Sprint does have a fully functioning IoT platform, and by that I mean you could go to Sprint and buy any number of connected devices that were already on their network that you could use, like sensors and that sort of thing, plug them in and then use their cloud back end to, like, monitor that. So if you were a small business and you're like, oh, I need some temperature sensors for my fridges, you could buy it, plop them all in there and Sprint took care of everything; you just pay them. So that's, I don't really think, other than more spectrum and probably higher bills eventually, no, this is going to affect consumers more than it will the business customers. Is there anything, I was going to say, if there's like an industrial IoT angle to this. I'm rarely on the consumer end. I don't have T-Mobile or Sprint,
so honestly it doesn't impact me directly. I know it does in a broader, like, existential way, but is there anything on the industrial side that you know about that they're doing in areas where they have service? There are corporate customers. It's not industrial so much as it's enterprise. There may be an opportunity or a challenge to companies who are reselling their service, so companies like Particle or other IoT module vendors might contract with these guys to provide the service on the back end. They might see their rates rise. But not really, this is kind of like a nothing-burger deal from the IoT perspective. But in really exciting news, woohoo, Nest has enabled two-factor authentication, and by enabled I mean they are forcing it on you. Oh, we have been talking about this because we think it's really important for things like cameras and, yeah, even thermostats that have control of your house. Having two-factor is important. By two-factor we're talking about: you have a password that gets you into your account in the app, but you're also going to have to, when you log in, not maybe every time but some of the time, you're going to have to log in with a secondary code that comes from either a text, or maybe it will come from an authenticator app on your phone, or something else. Can you walk me through how this would work? Right, so I'm just thinking about, if I have something, if I'm controlling something with my phone, I recognize the importance of two-factor authentication. I'm a big believer in it, and it's surprising that it has taken this long for something like this. But do you have a sense of what it will be, how it will be integrated in sort of the workflow and how you control your IoT stuff? Sure. So my hunch, and I'm not a hundred percent sure this is how it's going to work, I don't think that they're going to force you,
every time you try to log in to change the thermostat, I don't think they're going to force you to give your authentication code, right? Yeah, my hunch is they'll either make it like every, every three months you'll have to. I know Ring has you do it every, I think it's two or three months. You have to log in, and Nest, if you are newly logging in, they're going to have a verification code that goes to your email, and if you can't do that you can't log into your account. So they're going to have to balance sort of security with usability. Yeah, which is always the hard thing. But what this does is, for everybody out there who reuses their passwords, I know you're out there. You, I used to do that. You did? Before I got ... I'm quietly judging you. You are actually audibly judging me. That's okay, I accept it. I was wrong, but I have changed and reformed. And this is especially important, I'm going to tell you, for cameras. The big Ring quote-unquote hack was because people reused their passwords, and then when those passwords were compromised, people went in and said, oh, let's see which of these, these three million passwords we have, let's see which of these people have Ring accounts, so then maybe we can terrorize their children. That happened to a guy that I met here at a party, who was saying that someone started talking to him through his security camera, and I can't remember if it was Ring. It also happened to Nest. So they had it set up and somebody in France or somewhere started talking to them. Yeah. Oh, we all right. So Nest. Let me ask you this real quick, like, do you think this will spur on other people? Will this create the wave of adoption that you're looking for?
Do you think? I hope so, for certain devices. And I wonder if this is a result of California. California, as of January, basically has a device security law that says companies have to provide appropriate security for the type of data that can be gleaned from their device. So for a camera that's inside, they probably want higher levels of security. So Nest may actually be reacting to that, proactively saying, all right, this needs a higher level of security than just a password, especially since we know people reuse their passwords, so let's force people to do two-factor. I also think if this becomes standard across the industry, we're going to see more convenient and easier ways to do two-factor, so it won't be quite such a pain in the butt. Like with Nest sending you an email, that's all right, that's not the worst thing that can happen. I always get frustrated when, you know, you've got to find your RSA key log-in. Hit Face ID, do it. So Face ID is a really interesting one. It could work, yes, because that is a multi, that is another factor, like, to make sure that you're you. And so those are the kinds of things that I think would be really compelling going forward, maybe even voice match. Yeah, I mean Face ID is so quick. The app that I have, that I had, that uses it, like, it is not an inconvenience at all, right. I think, yes, we're going to see more companies roll this out, pushed by both the market and by laws, but I also think as that happens companies are going to invest in making it easier, so that could be good. All right, are you ready to talk about chips? I'm just going to go out and get a snack while you go ahead and do that chapter. That is fair. So Arm, they launched this week two new designs, and Arm, as you guys are probably familiar, they are a chip licensing firm. So they license architectures for chips, and they're super popular in the Internet of Things because they work really well at doing a lot of processing with low power consumption.
So what Arm has done is they've created two new chips for edge IoT, specifically AI at the edge. All those fancy words basically mean these are two designs that will let you do machine learning, just the inference, not the actual learning, at the edge. And this will be good for things like image recognition. Arm talked to people about building a cane for someone that can detect falls, or maybe can detect things, like see things that are in the way, so it would vibrate to alert someone: hey, by the way, there's a curb here; by the way, there's a tiny Lego on the floor that's going to cause you immense pain. All of those things. The first design is the Cortex-M55. That is traditional Arm technology. And then they created an entirely new architecture called the Ethos-U55, and that is actually going to be like a neural network co-processor. So all that's going to do is any sort of neural network, so that could be the convolutional neural networks that we use for computer vision, it could be like the long short-term memory networks or the recurrent neural networks that we use to teach things like how to play video games. So all of that's going to be out there. Companies are going to be licensing it as of now, and we won't see it in products until about 2021. I think this is a trend, obviously, that we've been seeing, everything pushing to the edge. We were talking before about some company at The Spoon. We cover just food technology and sort of the convergence of those two things, but a company called Sensory, and I'll never forget them because they sent out their release on Christmas Eve, which I thought was, and it was embargoed, so I wrote it up and then released it on Christmas Eve, which was happy for me because then I had a story that was up on Christmas Eve. But like, they created a voice assistant on the edge, and part of the appeal with this stuff is sort of the privacy consideration, that things aren't being beamed back to the cloud, right?
Like, you can have all this stuff at the edge. And because I don't cover it as much, maybe a dumb question, but just asking: are you seeing this sort of AI pushing to the edge, so that all of the devices that are coming out are, what are you seeing in terms of that? There's actually a kind of interesting bifurcation happening. So Google is like, local, local, in there doing it, less so for privacy, more for latency, but it is nice from a privacy perspective. Apple is doing it from a privacy perspective. Meanwhile Amazon isn't really pushing very much to the edge, so far hasn't talked about it. So yes, I am seeing that. It is hugely important, and one hundred percent we're totally going to see more of it. So the cool thing about these chips is that they're actually really powerful, so you're going to be able to do things that you haven't been able to do before, which is like the story of silicon, but it's worth mentioning that with good silicon comes amazing possibilities. That's all on chips, chip corner. Okay, let's talk about quick news bits, very fun stuff. Tuya, which is a Chinese IoT platform, they're behind a lot of big name brands. They are actually announcing an NB-IoT module. NB-IoT is a low-power wide-area networking technology. It's cellular, and Tuya's module is going to be certified for Europe, North America and Asia. So it's going to have all the approvals, it'll work everywhere, and you could buy one module and stick it in all of your devices that will be sold around the world. Yay. LIFX, the company behind Wi-Fi light bulbs that are brilliantly, brilliantly colored, I feel like that should be a motto, but that's just how I think of them. An advertising tagline or a motto? Like, this should be advertising, this is our motto as a company: brilliant should be brilliant. They're very pretty. Quite frankly, I think they're prettier, the colors are prettier than Hue. I'll be honest, but I do have Hue all over
my house and I only have one LIFX bulb. But if you have bought into LIFX, probably because they're Wi-Fi and you didn't need a hub, they are now making a switch. It will be out in March. Right now it's going to be on sale for a hundred bucks. This switch is beautiful, I'm just going to tell you, but it is a switch that has to be wired into the wall, and it is kind of expensive compared to the other wired switches out there. But it has four programmable switches, so do with that what you will. It's very minimalist, very sleek. It's so pretty. I'll probably use that as the art for the show notes, so you can look for it. Okay, there is a new drug in town. No, it's not there yet. But there's a company called SmartTab and they are making a connected pill for Crohn's disease, which is a GI issue. The cool thing is this pill is connected. It'll connect to your watch or to your phone, and it will dispense its medicine when it's in the right part of your GI tract, which to me is crazy. So it'll tell your phone, it'll be like, I guess I'm passing through the ileum, the duodenum, I don't know my biology all that well, so I'm hanging out in one part of one intestine, I should release now, and you'll be like yes, and it'll do it. Is it a miniaturized ship with Raquel Welch and a bunch of other guys that has been injected into you? Is that what we're talking about? We are not talking about that movie. What is it really? Fantastic Voyage? That's Fantastic Voyage. We are not talking about Fantastic Voyage. That'd be pretty cool. This is not real, you can't buy it yet. They're beginning human studies in 2020, and the goal is to get FDA approval sometime this year or next. But talk about really cool, I think. Okay, other news. This is for you, Chris. PicoBrew. Yeah, so PicoBrew, again, at The Spoon we cover basically food tech stuff, and PicoBrew is something we've been writing about for a number of years. It's a crowdfunded homebrew appliance,
right, so it can fit on your countertop and you can make your own beer with it. And PicoBrew, long story short, was looking for funding. They had a bridge loan, and then they were put into receivership. So the loan was called in and they're being put up for sale. What's interesting about this is just that they were crowdfunded. They did a number of projects on Kickstarter, and they raised millions of dollars and shipped products. So they were sort of the gold standard in the food world about being able to create a homebrew system that came to market. There are a number of other ones that were funded that never came to market. But now they're being put up for sale, and part of the issue was sort of that they were going in a lot of different directions. But it sort of makes us wonder, what we were talking about today on our own podcast at The Spoon was just, does this mean that there isn't really a market for homebrew, like high-tech homebrew appliances, because so many of them are no longer going concerns? Or is it just this sort of implementation of it? I don't know. Like, I've never brewed beer, but the appeal of a device to me is that I don't have to deal with all the buckets and bleaching and all the sterilization. It seems like if I can just push a button and have it done, then that would be one thing. But maybe the people who like it really like it for that reason and don't want an appliance, and there aren't enough people who want to make their own beer when they can just go to the corner and grab a six-pack. I don't know. I think the resurgence in craft beer, good craft beer, in the US may be causing the problem. How much was the PicoBrew? They had a bunch of different ones. So part of the problem was that they had, like, the Zymatic, I think that's what it was called, that was for small brewers, so it did larger batches. And then they had the Pico C, I think, which was the home device. And then they tried to come out with a Pico U,
which would do like cold brew coffee and golden milk and all this other stuff, but then they suspended that. And so they had a still at one point, and they were all over. Evidently, what the guy told us was that they had a really complex cap table, and that they, you know, weren't so far into one market to where a buyer would come in and want to, you know, take over that particular kind of business, and they were all over the place. They even got into, like, they have this cask forge product which ages new grain spirits overnight, or quickly, I should say. So you could create a whiskey in no time flat instead of having to age it for eight years. If you're a small distillery you don't have to wait that long until you have a product. So they were kind of all over the place. It's sad to see, and you know, there's a lesson in there somewhere for someone looking to create their own spirits-based product. Should I take anything away from, like, the failure of Barrow, the failure of, let's see, Joule, which got bought, I think it was kind of a fire sale? Should I take anything out of that about the dedicated connected kitchen appliance market? So I think what you're seeing is that there is sort of a shakeup as the industry matures. So you know, Joule had to, you know, they laid off people. They made the Joule connected sous vide device that was beautiful and worked really well, and Nomiku is another sous vide appliance, and you know, these were all controlled with your phone. But sous vide-ing takes a long time, and people I think were enamored of it because it was finally a device where you could do it at home, and oh, the steak tastes amazing, but like, I don't want to spend one hundred minutes putting it in a warm bath and then having to sear it, right? So you're seeing now, you're also, there are a bunch of connected ovens, and Brava got bought by Middleby, and they had this high-tech oven that worked well.
But do you want to spend eleven hundred dollars on another oven that sits on your countertop and cooks with light, and you can't even see into it except through a fisheye camera, right? Like, there are, you know, we'll see what's happening, what's going to happen with the June or Tovala, like, is there enough of, now that the kind of wow is there, is there enough of a market there to sustain it over the long haul, or are they just going to get subsumed into other larger companies and have their tech incorporated into traditional, like, more like wall ovens and refrigerators and stuff like that? And you're going to pry June out of my cold dead hands, or they're going to have to turn my June into a cold dead oven. I'm right there with you. I've done the Brussels sprouts on the June and they are like eating candy. It is amazing. There you go. All right, you, Chris, have a device for us that is not a fancy oven and, because it's a major brand, should maybe be here for a while. But what are you playing with? So I'm up here in the Pacific Northwest and it's been cold. It is not typically barbecue season up here, but I've been using this Traeger Wi-Fi-connected grill, the Pro 575. The company sent it to me to test it out. It's a Wi-Fi-connected pellet smoker, and what's nice about it, I've never smoked in my life. Is it like a grill or a smoker? It's a, I think you can use it for both because you can turn it up, but it's not like a direct heat kind of thing. Like, it is a wood pellet smoker with an auger that automates everything. But I have cooked, like, steak on it. I have cooked ribs, I have cooked brisket. There are a number of things, and it comes with, the guy even said I should cook bacon on it because they have this coffee rub for bacon that is supposed to be amazing. I would like to be there when you do that. I will invite you over.
I've never smoked anything because the idea of spending nine hours tending to a fire to make sure it's the right temperature for the amount of time just seemed like a nightmare. But this automates everything, and it runs it through an app on my phone, and I can see, if the recipe calls for adjusting temperature at a particular time, I can do it. I can monitor the pellet level in case it runs low. I can set timers or adjust timers, or set it for a notification if it hits a certain temperature. And literally I've just been putting meat on this thing and just letting it sit for hours, and it has come, it has been, I've not had a bad experience with it yet. We smoked turkey for Thanksgiving and then ribs over the weekend, and it's just been so nice to just look at the phone: okay, everything's fine, you know, the probe is still in the thing, it's getting to the right temperature, everything's working. I say that because I am not a good griller. My wife does all the grilling in the house. Cooking meat on any kind of open flame, I usually don't do it, but now, if you like, I can. Okay. And this is a $799.99 device, it's Wi-Fi and you have to buy the pellets, right? Yeah, you get the pellets, those at, like, a hardware store, even Safeway. Oh wow, it has a drive train, y'all. Okay, all right, thank you, Chris. That's awesome. Not something I would try myself, although I will tell you, I have eaten the ribs that I, the ribs I ate at your house, were they cooked on this thing? Right there. They were amazing. Pretty good, yes. My heart is still going, I can't believe it. Okay, now it is time for the Internet of Things Podcast hotline. That's right,
this is the section of the show where we take your questions and we attempt to answer them, and if you have a question that you'd like us to answer, give us a call at 512-623-7424. And the nice news is you will be entered to win a prize for our February drawing if you call in and leave a message before the end of this month. I'm not one hundred percent sure what the February drawing prize is, but it's going to be good. You're going to want it, and it's free. Why wouldn't you? Okay, this week's question is from Rebecca. Okay, this week's voicemail is actually an email, which we don't often do; sometimes we make an exception. So this week's email is from Rebecca. "Hello, I'm a new listener of your podcast. It's cool. I love my Madam A devices. I have a physical disability and use a power wheelchair, so having the ability to see who's at my door and talk to them via my phone or Echo Spot is really intriguing. I may end up upgrading to a Show, not sure yet. Anyway, I know you've talked a lot about Ring, but with all of the privacy concerns I'm nervous to try it. What would your recommendation be for a video doorbell that's easy to set up, safe, not easily hackable and compatible with Echo devices? I've been trying to do research online but my brain keeps getting overwhelmed because everyone has a different opinion. Thanks so much for your help." Rebecca, you're trying to do something that should be really easy. In practice it is not, and the reason is Amazon's Ring. The best way to get the best experience is actually to have both an Amazon Echo Show and a Ring doorbell. I'm going to tell you, we have talked a lot about Ring. Ring has now, through their privacy controls, made it easier for you to not respond to police requests for videos, if that's something you're worried about. From a security perspective Ring does give you the option of turning on two-factor authentication, so you should do that, especially since it's an outdoor camera.
But if you are worried about people talking to you or looking in on your camera, then this would make sense, to do two-factor. I just bought my in-law, my sister-in-law, a Ring camera and a Ring doorbell, and so I don't think it's terrible if you have the right precautions. So that's going to be your best bet, simply because when the doorbell rings you can set it up so it will pop up on your Echo Show or Echo Spot, and it's fast, easy, it works. Now, my favorite doorbell is actually the Nest Hello, and you can use the Nest Hello with your Echo gear. You can actually use other doorbells, like the Up or the Remo Plus. The trade-off is, when someone rings your doorbell, your Echo Show is not going to be like, hey, someone's at the door. Instead you're going to hear the doorbell, and you're going to have to say, Madam A, show me front doorbell camera, or display front doorbell camera. And when Madam A hears that, she's going to wake up, she's going to call for the API, the API call, seven to maybe even twenty seconds will pass, then you will see who's at your door. But that's a long time, so that's kind of the trade-off there that you're looking at. I encourage you, just because I like the Google system a little bit more, to do a Google Home Hub, or some sort of Google smart display, and a Nest Hello doorbell, if you're not married to the Echo ecosystem. That's my advice to you. That's a seamless and really excellent experience. I look forward to the musical "My Favorite Doorbell" to hit Broadway sometime soon. Dun dun dun dun, and the song is "Ding Dong, the Cartel Is Dead", no, "The Monopoly Is Dead". Okay, terrible, terrible. Remember, if you have a question for us, give us a call at 512-623-7424. That concludes this portion of the Internet of Things Podcast. Please stay tuned for our guest, Naomi Lefkovitz of NIST, who is going to be talking about what you need to know from the new privacy framework.
And I'm going to give a big thank you to Chris Albrecht for co-hosting the show with us. Thanks, Chris. Thank you for having me. This was a lot of fun. I really appreciate it and learned a lot.

All right, and now a message from our sponsor. We are taking a quick break from the Internet of Things podcast for a message from our sponsor. This week's sponsor is DigiCert, and I have VP of IoT security Mike Nelson here from DigiCert. Today we're talking about low-power devices and how to secure them. So according to a Juniper Research study, service revenue from low-power IoT devices will grow eight hundred percent over the next five years. That means it's going to exceed two point six billion dollars by twenty twenty four. This begs the question: so what are low-powered IoT devices, and what kind of applications are they going to be used for? Low-powered IoT devices are devices that have limited computing power. They're deployed in all industries. We see a lot of these low-power devices really tracking sensors in the smart city; we see traffic lights, parking stalls, utility sensors. In healthcare we're seeing some really innovative uses for medication consumption, location tracking for patients, and even devices that track patient vitals from a remote location. What kind of data are these devices transmitting? Three types of data. The first is automation data, and that's data that helps facilitate the automation of a decision, such as settings on a thermostat. Status data tells you the status of something, such as is the light green, is the parking stall open. And the final one is location data, and that tells you the location of something. That can be a truck on the road, that can be a medical device in a hospital, or a patient that has potentially left. Those are the three types of data that are being generated by them. That's a lot of data. So how should we think about securing these low-power devices? Yeah, so I think
the data is the topmost concern for these, and making sure that there's integrity and confidentiality of the data. Governments and businesses and even consumers are consuming this data and using it to make decisions, and so the security and the privacy of that data is really important. Okay, and how can these devices be protected or secured? So most IoT devices have one of three vulnerabilities. The first one is authentication, and that's really about keeping the bad guys out. The second one is about confidentiality and how you handle the data in a secure way, and encryption is the best practice for that. The final one is the integrity of the data, and knowing that you can trust the data, that it hasn't been manipulated, and leveraging security best practices like digital signatures and code signing is best practice for ensuring integrity. Great, and where can our listeners go to find out more about DigiCert and how it secures low-power IoT devices? Your listeners can go to dot com, and we have an entire section on IoT.

Hey everyone, welcome back to the Internet of Things podcast. This is your host Stacey Higginbotham, and today's guest is Naomi Lefkovitz, who is a senior policy advisor at NIST. Hello, Naomi, how are you today? I'm great, thank you for having me. I always tell people I'm so excited, but in this case I really am, because NIST released last month a privacy framework, and it's very in depth. I read it, I read it again, read articles about it, and I was like, it's a lot. So I'm glad to have you on the show to help kind of explain this at a high level for us, and maybe go a little deeper on some of the things. So, thank you. So this is out; talk to us about why NIST put out this framework. So I think NIST has been working in this area of privacy engineering and risk management for a number of years now. I lead our privacy engineering program, and we've been very interested in the issues around trustworthiness,
and how do we make products and services more trustworthy, which, you know, I think traditionally has been sort of thought of as equating trustworthiness and security. And you know, we see that as adding other characteristics like privacy in terms of how people perceive trustworthiness. But it was the summer of twenty eight, you know, we started getting inquiries from industry and the administration, given the environment with all the new regulation coming on, like the European GDPR and the California law, as well as major privacy incidents in the news. People were wondering whether NIST, that had done such a successful job with the cybersecurity framework, whether we could do something similar for privacy. So we really set out on that journey, and then really thought we would model the process, at a minimum, after the cybersecurity framework, because we think that open, transparent collaboration with stakeholders, when we're talking about a voluntary tool, really needs that stakeholder buy-in, because it needs to be something valuable that they want to pick up and use. So we thought we would follow that process, and here's where that took us, and now we have the end result right now.

Let's talk about those end results. Actually, before we get to that, we should really clarify, because you've talked about this being voluntary. This is not something a company has to do, but why would they want to do it? Yeah, absolutely. We really like to emphasize that point: this is a voluntary tool. And you know, we think that it can help organizations. First and foremost, we see this as a privacy risk management tool that can help organizations sort of bring privacy into better parity with other types of risks they might be managing at the enterprise level, and in so doing help them to really build customer trust. The framework can support them in sort of ethical decision making about how to optimize beneficial uses of data while minimizing adverse consequences for people and even society as a whole,
because that's sort of, you know, the heart of the purpose of the framework. But that said, we absolutely recognize that privacy has evolved in a very regulatory-requirements-driven type of environment, and so we do see the framework as also being able to help organizations fulfill their compliance obligations. And by that we mean not that, you know, using the framework will necessarily make you compliant with any particular law or regulation or standard, but rather that you can, you know, use the activities and outcomes in the framework to demonstrate what types of measures you might be taking to meet your legal obligations. And then that actually leads to what we see as sort of maybe the third key value proposition. As I said, this tool really can help with communication about privacy, privacy risk, privacy practices, both inside the organization, with other organizations, customers, you know, and even potentially third parties and regulators.

Okay, it is a noble goal. Let's see how it does it. All right, this is, like you mentioned earlier, modeled on the cybersecurity framework, which I know many of our listeners are at least somewhat familiar with, but there are three big areas. Do you want to kind of broadly go over those three areas, and then we'll dig a little deeper into them? Sure, so exactly, as I said, we've modeled this after the cybersecurity framework. We heard that very clearly from stakeholders as we were developing it. The key constructs are: the core, which we call it, the core, which really provides sort of an increasingly granular set of activities and outcomes that enable an organizational dialogue about managing privacy risk. The second component is what we call profiles, and that really helps to make sure that the core doesn't become some kind of checklist. So profiles are essentially just an organization's selection of different parts of the core, which is comprised itself of functions, categories, and subcategories, and
then these are what the organization prioritizes to help them manage privacy risks. And then the third piece is what we call implementation tiers. We really see that as a set of benchmarks. We use one to four tiers that help an organization communicate about whether it has sufficient processes and resources in place to manage the privacy risks it's identified and ultimately achieve its profiles. So, you know, something to do with the profiles is, you're going to have sort of this current profile, which is sort of what you're currently doing in terms of privacy activities and outcomes, and then you can develop a target profile, which is where you want to go, and create this kind of action plan. And that's really an important part of that communication piece that allows you to talk to senior management and say, hey, these are the kinds of resources and budget that we're going to need to get to our goals.

Okay, so that's a lot. Let's try to apply this, maybe, to an example. Let's say that I am a company. I am developing a connected refrigerator, because everyone loves internet-connected refrigerators. So let's start with a connected refrigerator, which I feel like probably doesn't have as much privacy risk, but let's walk down the process that we're supposed to go through with this. Sure, absolutely. One of the things that we did in the framework: we provide sort of a little bit of a few different ways you could use the framework, and one, we've sort of created this simple ready, set, go model, and so we could do that with this example. So sort of under "ready," you know, you start by looking at what we consider the foundational functions. So there's five functions: identify, govern, control, communicate, and protect. And you know, what we found with the cybersecurity framework was that this is sort of part of the increasingly granular concept. You know, you start with these high-level functions and they're very good for communicating with the C-suite or the board,
who are not going to be privacy or cybersecurity experts, and they're not going to want to get down in the weeds and talk about encryption or privacy notices or what have you, but they want to, you know, sort of generally understand: okay, I can understand these five simple rules and how to power managing privacy and security. So we start with those sort of five high-level functions, and identify and govern are what we would consider foundational. Now, we don't look at this as a hierarchy, because we think of this as something you can go in at any point. It isn't meant to replace anything that you might be doing, any kind of processes you're doing, but really to augment. But let's just say, let's just say for argument's sake, you really don't have much of a privacy program. Okay, so you would just sort of start at the beginning, and so you might start with identify and govern, because they really are sort of helping with the sort of foundational organizational-level practices and activities. Identify really starts with inventory and mapping. You're going to want to understand, with your refrigerator, what data's being collected and then what happens to that data. So, you know, how do you follow that through the data life cycle? Is that data being stored somewhere? Is that data being transmitted, disclosed to any other entities? Are you analyzing it in some way, aggregating it, transforming it, you know? And then, you know, how do you ultimately dispose of it? And by dispose of it, you mean like, I'm going to keep this data for this amount of time and then I'm going to destroy it? Yeah, you're just going to delete it from AWS and hope that that gets... Well, yes, hopefully, and we have that also in the framework, that you have contracts with your service providers, and hopefully you're putting into your contracts the policies and requirements that you need, so that, you know, if you send a message, "I want this deleted,"
then that data should be deleted. And that's kind of really interesting, because in a lot of companies you might have, like, an engineer whose responsibility is to make sure, like, your app works on a mobile device, and a lot of these applications that try to check for quality on a mobile device, they might get a lot of data about the person's device and home address or Wi-Fi address, and that may not be something you want to share with them, but you have to communicate that to the people who are responsible for signing those contracts. That feels daunting. You know, it is, and you know, this is where there's a lot of work to be done. And I, you know, I could see some of the places in the framework where we encourage outcomes around, you know, to transmit or recall processing permissions, right? So do not disclose this Wi-Fi router or whatever, and, you know, and/or do not co-mingle this data with that data, right? And so there's a lot of work to be done going forward. We don't have very, with the exception of I think the most sophisticated companies, you know, it's not widely done and used, that kind of data tagging. So then that's one of the reasons we've actually called that out as a roadmap area. We have a companion roadmap of challenge areas that need more work, so that will be some ongoing collaboration that we do. But I digress slightly, so we'll go back to the fridge. No, that was a useful digression, but let's go back to the fridge. So we go back to the fridge. So now we've sort of, you know, understood all the processing about that data, and we've kind of created, hopefully, a nice little illustrative data map, so we can see where things are going and who's involved. All of that could be very important for figuring out your privacy risk assessment, which is because privacy is so contextual, right? You know, if you, you know, you do nothing with the data, that's going to be one thing. If you suddenly start sharing it with milk companies, who get to say,
"Hey, not only did you forget your milk, but have you tried, like, our fabulous milk?" That's a very different set of privacy risks between just simply internal analysis and a message about, you know, "Hey, you forgot your milk," and, you know, "Oh, by the way, here's a coupon." Right, right. And again, you know, that might be very desirable, but it might not, and I think that's the privacy risk management question that needs to be asked. So we work our way through identify. We really want to understand the business environment, which is just what I was describing, like, what's the organization's sort of overall business priorities? Is it simply providing a more convenient fridge? You know, making money with partners trading on this data? Understanding that is important, because you can have the best privacy solution in the world, but if it's going to be a barrier or obstacle to your organization achieving its business or mission priorities, then no one's going to adopt that solution, right? So we want to find a solution that helps organizations look forward but also protect privacy at the same time. You know, I will say, when we, and now that we're sort of at the next stage, it's getting to risk assessment. We've developed a risk model that is really centered around the individual and the kinds of problems that they could experience from the processing of their data. Processing, I mean that full information life cycle that we talked about. So you can analyze how this fridge is collecting information, you know, what it's disclosing. Are people likely to feel like, you know, there was some sort of unanticipated revelation, like they didn't realize that data about their milk, you know, usage would be sent to, you know, dairy companies or something, and they're getting all these coupons? Will people be happy about that, or will they feel embarrassed, or, you know, uncomfortable in some way? Those kinds of risks.
And then, you know, understanding that impact is really part of the risk assessment, which then gets to the final point of figuring out how you're going to respond. And so, you know, you might decide that the risk that people will not like your product outweighs, you know, any potential benefits to your business model, and you might decide to do a different type of processing, right? Maybe you don't do coupons, or you let them choose whether they want coupons or not, or, you know, that's the sort of form of mitigation. And so, you know, there's different responses that you can do, but now you've actually had a, what we call sort of an "eyes wide open" process that you've walked through. You've identified the risks to the best of your ability. We look at privacy like security: there's no perfect security, no perfect privacy. But you've identified the risks the best that you can, and you've made some decisions that everybody can understand and presumably accept.

I like that idea of "there's no perfect privacy," which is true, but it is very scary to imagine, or to see what's happening, which is a lot of data gathering around us, about us, and then it gets shipped to so many different places we have no control over as consumers. So it's nice that basically this is coming in and saying, hey, let's be thoughtful about the data you're collecting, who you're sharing it with, and how that behaves, and what are the repercussions from that. Let's talk about, I want to say, how you know you've succeeded in this. To me, it sounds like the implementation tiers, because there are four different levels there, where, I think of it like, "I am trying," "I am on my way," and "Yeah, I've got a strong program," but you guys call it something else. But can you kind of talk about where that comes from, and maybe should everyone be striving to be like, "I have got the goods"? You know, we see this as, again,
a type of communication tool, kind of a benchmark that organizations can use to help discuss, do I have sufficient resources and processes in place to manage my privacy risk, and if not, what do I need? And so, I will say that in general we feel that if you are at tier one, you probably should be at tier two, but beyond that it's not sort of the kind of maturity model where there's sort of a relentless march from, you know, two to four. It's really, again, about the type of privacy risks that you need to manage. So depending on your risk, let's take one of the elements of the tiers, which is workforce. And so at tier two, you know, we look at the workforce as, yes, you might have somebody who, you know, understands privacy risks or, you know, has responsibility for it, but they might wear multiple hats. It might not be the only thing they do, and depending on your type of privacy risks, that might be absolutely fine, or it might not, and maybe you need to move to three or four, where, you know, up at four you have a very multi-layered, diverse type of privacy workforce. You probably have somebody at the senior level, like a chief privacy officer, down through having privacy engineers. Obviously, that's a very different resource allocation for a workforce like that.

Got it, okay. What is the goal for this framework? Is it stable in time, or do you expect to revisit it in five years and add, I guess, new things to it? I don't know, like, how do you expect privacy to evolve over the next few years? We consider this a living document, again very similar to the cybersecurity framework. So that's why we call this version one point oh. This is a, you know, stable document for the time being. We're going to be focusing in the next year or so on implementation, getting feedback, so that we can understand from stakeholders how we might need to evolve it to continue to meet their needs, particularly in a changing policy and technology environment. Got it. All right, Naomi,
I have to ask, having worked on this and understanding where we are, the state of privacy right now, how do you feel about connected devices and your overall privacy right now in your own home? I have very few connected devices, and I'm a very slow adopter. I don't have a lot of... I want to see organizations doing more privacy risk management, doing more innovative types of solutions. You know, one thing that we, well, we didn't get into, you know, we start over at the basis and the foundational sort of governance structure. Certainly part of our govern function is identifying your legal requirements, and that's very important, but today a lot of those legal requirements are focused around, you know, notices that I personally, you know, I know I'm not alone, even as a privacy expert, I don't have the time to read, and frankly they don't tell me a whole lot that I really want to know anyway. And so, you know, what I want to see is sort of more innovative solutions. And so what we've tried to put into our control and communicate functions are, you know, more about the kinds of capabilities that you could build in. So we have outcomes like: enable your device to make data processing more visible, right? I'm not going to go to some website on the privacy policy about my refrigerator when it's doing... Maybe you could just tell me, and you know, let's say it's nagging me about the milk. It could just tell me something, or just give me a blinking light or some other type of visual that something's going on with data. You know, I would like to see sort of more communication feedback. We put in some outcomes around, how do you get that feedback, for example surveys, focus groups, to understand your customers' privacy interests more. We know that they will certainly be testing that fridge from a functionality standpoint with focus groups, so you could expand that to understand people's privacy interests in that fridge as well. So those are some of the ways that we are trying to give, you know, again,
I want to emphasize it's a voluntary tool, so we really see this as a set of outcomes that enable more discussions. So I'd love to see organizations having that conversation internally: how should we design this refrigerator? And then to see that evidence that might induce me to put one of those in my home. Got it. Well, yes, and I've got to say, the connected fridge does not spark joy, as it were, for me. So Naomi, thank you so much for coming on the show, for going deep into the privacy framework for us, and everything else. Thank you. Great, thank you.

That's it for this week. Thanks so much for listening, and remember, if you'd like more IoT news, sign up for my newsletter at Stacey on IoT dot com. We'll see you next week.
