March 23, 2017

Archives for January 2017

Concerned about Internet of Things Security?

There is no shortage of warnings about the need to improve security for the Internet of Things:

Certainly these messages must be raising concerns in organizations that are working on Internet of Things projects.

But it doesn’t seem so.

In our recent research at MIT Sloan Management Review, we found that only 34% of the respondents felt that they needed to improve their IoT data security. If you are trying to decide if the glass is full or empty, that glass seems two-thirds empty to me.

The research included responses from 1,480 executives, managers, and IT professionals working in a wide variety of industries. It focused on the perspective of organizations, not security professionals, and tried to understand their challenges and opportunities associated with the Internet of Things.

One optimistic interpretation of these results is that the reason the 66% are not concerned about IoT data security is that they have heeded the warnings and have taken steps to reduce security concerns. But we also asked respondents about how effective their organizations were at security for IoT data. Figure 1 shows the relationship between concern for IoT data security and the organization’s perceived data security effectiveness. Reporting of a need to improve IoT security changed little with the perceived effectiveness.

Figure 1: Concern for IoT Security and IoT Security Effectiveness

An alternative, more pessimistic interpretation is that organizations need to improve IoT security, but that it is not an important concern. Instead, in order to take advantage of IoT, respondents felt more need to improve their overall analytics capability (58%), analytics talent (52%), IoT specific talent (49%), executive team’s understanding (46%), ability to communicate with customers (45%), and relationships with other groups who understand IoT (40%). In fact, need for improvements in data security (34%) and sensor-data security (27%) were selected less often than any other option we gave respondents to choose from. And in this scenario, respondents could select as many as they felt described their organization, without cost.

Our respondents had a variety of experience with IoT projects. It could be that those who are not active may not yet be aware of potential security issues. Given that most organizations are not yet active with IoT projects, our results could be driven by those inactive organizations. Figure 2 examines organizational concern for IoT data security as organizations gain experience with IoT. Concern is higher for organizations active with IoT, with some drop as they gain further experience. But it seems that inactive organizations are not solely responsible for the low overall need to improve IoT data security.

Figure 2: Concern for IoT Security and IoT Experience

While IoT security is inherently important, it may be even more salient when combined with another key result from our research—business value from the Internet of Things is related to the amount of data sharing between customers, suppliers, and even competitors. As organizations find value in sharing data with other organizations, they are likely to increase connections with other organizations, leading to increased potential for negative externalities.

Unfortunately, the low perception of need to improve IoT data security, coupled with increased IoT deployments and interconnections between organizations, seems likely to lead to more headlines that report on IoT security downfalls, not fewer.


AdNauseam, Google, and the Myth of the “Acceptable Ad”

Earlier this month, we (Helen Nissenbaum, Mushon Zer-Aviv, and I), released a new and improved AdNauseam 3.0. For those not familiar, AdNauseam is the adblocker that clicks every ad in an effort to obfuscate tracking profiles and inject doubt into the lucrative economic system that drives advertising-based surveillance. The 3.0 release contains some new features we’ve been excited to discuss with users and critics, but the discussion was quickly derailed when we learned that Google had banned AdNauseam from its store, where it had been available for the past year. We also learned that Google has disallowed users from manually installing or updating AdNauseam on Chrome, effectively locking them out of their own saved data, all without prior notice or warning.

Whether or not you are a fan of AdNauseam’s strategy, it is disconcerting to know that Google can quietly make one’s extensions and data disappear at any moment, without so much as a warning. Today it is a privacy tool that is disabled, but tomorrow it could be your photo album, chat app, or password manager. You don’t just lose the app, you lose your stored data as well: photos, chat transcripts, passwords, etc. For developers, who, incidentally, must pay a fee to post items in the Chrome store, this should cause one to think twice. Not only can your software be banned and removed without warning, with thousands of users left in the lurch, but all comments, ratings, reviews, and statistics are deleted as well.

When we wrote Google to ask the reason for the removal, they responded that AdNauseam had breached the Web Store’s Terms of Service, stating that “An extension should have a single purpose that is clear to users”[1]. However, the sole purpose of AdNauseam seems readily apparent to us—namely to resist the non-consensual surveillance conducted by advertising networks, of which Google is a prime example. Now we can certainly understand why Google would prefer users not to install AdNauseam, as it opposes their core business model, but the Web Store’s Terms of Service do not (at least thus far) require extensions to endorse Google’s business model. Moreover, this is not the justification cited for the software’s removal.

So we are left to speculate as to the underlying cause for the takedown. Our guess is that Google’s real objection is to our newly added support for the EFF’s Do Not Track mechanism[2]. For anyone unfamiliar, this is not the ill-fated DNT of yore, but a new, machine-verifiable (and potentially legally-binding) assertion on the part of websites that commit to not violating the privacy of users who choose to send the DNT header. A new generation of blockers including the EFF’s Privacy Badger, and now AdNauseam, have support for this mechanism built-in, which means that they don’t (by default) block ads and other resources from DNT sites, and, in the case of AdNauseam, don’t simulate clicks on these ads.

So why is this so threatening to Google? Perhaps because it could represent a real means for users, advertisers, and content-providers to move away from surveillance-based advertising. If enough sites commit to Do Not Track, there will be significant financial incentive for advertisers to place ads on those sites, and these too will be bound by DNT, as the mechanism also applies to a site’s third-party partners. And this could possibly set off a chain reaction of adoption that would leave Google, which has committed to surveillance as its core business model, out in the cold.

But wait, you may be thinking, why did the EFF develop this new DNT mechanism when there is AdBlock Plus’ “Acceptable Ads” program, which Google and other major ad networks already participate in?

That’s because there are crucial differences between the two. For one, “Acceptable Ads” is pay-to-play; large ad networks pay Eyeo, the company behind Adblock Plus, to whitelist their sites. But the more important reason is that the program is all about aesthetics—so-called “annoying” or “intrusive” ads—which the ad industry would like us to believe is the only problem with the current system. An entity like Google is fine with “Acceptable Ads” because they have more than enough resources to pay for whitelisting[3]. Further, they are quite willing to make their ads more aesthetically acceptable to users (after all, an annoyed user is unlikely to click)[4]. What they refuse to change (though we hope we’re wrong about this) is their commitment to surreptitious tracking on a scale never before seen. And this, of course, is what we, the EFF, and a growing number of users find truly “unacceptable” about the current advertising landscape.


[1]  In the one subsequent email we received, a Google representative stated that a single extension should not perform both blocking and hiding. This is difficult to accept at face value as nearly all ad blockers (including uBlock, Adblock Plus, Adblock, Adguard, etc., all of which are allowed in the store) also perform blocking and hiding of ads, trackers, and malware. Update (Feb 17, 2017): it has been a month since we have received any message from Google despite repeated requests for clarification, and despite the fact that they claim, in a recent Consumerist article, to be “in touch with the developer to help them resubmit their extension to get included back in the store.”

[2] This is indeed speculation. However, as mentioned in [1], the stated reason for Google’s ban of AdNauseam does not hold up to scrutiny.

[3] In September of this year, Eyeo announced that it would partner with a UK-based ad tech startup called ComboTag to launch the “Acceptable Ads Platform”, with which they would also act as an ad exchange, selling placements for “Acceptable Ad” slots. Google, as might be expected, reacted negatively, stating that it would no longer do business with ComboTag. Some assumed that this might also signal an end to their participation in “Acceptable Ads” as well. However, this does not appear to be the case. Google still comprises a significant portion of the exception list on which “Acceptable Ads” is based and, as one ad industry observer put it, “Google is likely Adblock Plus’ largest, most lucrative customer.”

[4]  Google is also a member of the “Coalition for Better Ads”, an industry-wide effort which, like “Acceptable Ads”, focuses exclusively on issues of aesthetics and user experience, as opposed to surveillance and data profiling.


GIS Analysis as a Research Communication Tool

The power of geospatial analysis lies in the new ways it provides to look at datasets and the relations among them. It allows you to explore more nuanced questions and discover correlations previously hidden. Used properly, geographic information system (GIS) tools can increase the salience of a policy issue by expressing your argument visually, and often much more effectively. Below is my recent experience in using GIS tools to broaden the audience for my research.

Property Assessment Disparities

Municipalities across the country are under fiscal duress due to cuts in state/federal aid, property tax levy limits, and rising employee fringe benefit costs. Often limited in their ability to generate new revenue streams, municipalities have become overly dependent on property taxes to “keep the lights on”.

Taxes are always a contentious issue and nobody wants to pay more than their fair share. To get a sense of how equitable the property tax burden was in Milwaukee, a city wrestling with all of the challenges noted above, I analyzed 33,000 property sales transactions over a 10-year period and compared them with their corresponding assessment values. By regressing the assessment value/sales price ratio on a host of predictors including building condition, lot size, geographic location, etc., I was able to get a sense of how equitable the city’s property taxation system is. While the findings presented an interesting disparity in who was paying their fair share, the results were neither accessible to the average citizen nor actionable for the policy maker. They required an understanding of my model specification and an ability to interpret coefficients expressed in terms of log odds. [Read more…]