IoT: The Coming Storm
The last several years have brought a veritable blizzard of technical acronyms and buzzwords that almost immediately lose any precise meaning, for example: “Big Data”, “Cloud”, “BYOD” (or its companion acronym “MDM”, and no, that doesn’t mean “master data management” anymore!), etc. etc. And just when you think that your buzzword cup is full, a new one emerges.
One of the hot new ones is “IoT”, or “Internet of Things”, but the term isn’t really all that new. Cisco CEO John Chambers has been talking about it for several years as the “2nd generation of the Internet” (although lately, Cisco Systems has upped the ante by re-buzzwording the concept to “IoE”, or “Internet of Everything”). I explained the very real concept behind IoT in RSR’s January 29th “NRF De-Brief” webinar this way (quoting Whatis.com as my source): “The Internet of Things (IoT) is a scenario in which objects, animals or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”
Cisco’s buzzword update isn’t far off from the state of affairs. All kinds of “things” are being attached to the Internet beyond auto-ID technologies like RFID chips (it was during the RFID “mandate” period around 2005 that I heard the term “IoT”). IoT now has enveloped other technologies and devices, such as automobiles, appliances, cameras, home automation systems, the locks on your doors, and most notably the smart mobile phones that you probably have in your possession every waking moment of the day. And therein lies the rub. While it’s understandable for retailers to want to connect with consumers directly even while they are shopping in the stores, in the process of doing so companies can collect a lot of information about consumers that goes well beyond their payment information, for example, where they are at any given time and how long they stay there. The RSR team saw an example of this on the NRF 2015 Expo floor; mobile network operators can track very detailed information about the phones (and who possesses them) that are connected to their networks. They in turn can (and do!) make that information available to companies that then use the information to analyze markets. To put it bluntly, it was a real eye-opener.
The problem is that even if a company is ultra-ultra careful about its use of all that consumer data, every device attached to a network creates a new opportunity for that network to be breached – and that’s when things could get really, really ugly. And the issue has been percolating to the top for a while. Last March, my RSR Partner wrote a Retail Paradox Weekly column entitled In-store Tracking and Data Security: The FTC Is Getting Involved (March 11, 2014) that argued for the Retail Industry to proactively address the issue before the U.S. government did.
Well, the FTC (U.S. Federal Trade Commission) hasn’t been idle. In January, it produced its report entitled Internet Of Things – Privacy And Security In a Connected World. The report was a recap of a workshop conducted in 2013, and summarized “the potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety.” But the FTC is not quite ready to commit to a legislative response to those threats. Instead the report concluded by saying that “The Commission staff recognizes that this industry is in its relatively early stages. Staff does not believe that the privacy and security risks, though real, need to be addressed through IoT-specific legislation at this time… However, while IoT-specific legislation is not needed, the workshop provided further evidence that Congress should enact general data security legislation.”
If you’re cynical about the U.S. Congress’ ability to enact any legislation, you may think that there’s still time for the retail industry to step up and agree to some standard practices, just as Paula suggested nearly one year ago.
Stirring the Pot
There may not be too much more time, however, notwithstanding Congress’ inability to agree on the color of the blue sky. There are several dynamics that are pushing businesses and consumers towards a security and privacy cliff.
First of all, technology is advancing at a dizzying rate. Virtually anything can be connected to the Internet. But what if the Internet was never designed for it? CBS’ 60 Minutes correspondent Lesley Stahl asked the U.S. Department of Defense’s Dan Kaufman (the head of the agency’s software innovation division) that question in an interview aired February 8th:
Stahl: “Can the Internet be fixed? Or do we just have to throw this one out and build a whole new Internet – from scratch – with security built in?”
Kaufman: “I don’t think the Internet is broken. I think the things we put on the Internet are broken. What we’re doing is we’re putting a lot of devices on it that are un-secure… pretty much everything… today, all the devices on the Internet – the Internet of Things, are fundamentally insecure, there’s no real security going on.”
Stahl (voice over): “So, a connected home could be hacked and taken over.”
60 Minutes then proceeded to show how a home or a car could be hacked.
But, point #2: in spite of all of this, consumers are pushing the Retail Industry for more relevant solutions to their lifestyle needs, whenever and wherever they need them. With their mobile devices in hand, consumers are more and more demanding and less and less loyal. Our studies have shown this to be a top concern for retailers since the early days of the Great Recession that coincided with mass consumer adoption of smart mobile devices. And so retailers and the technology companies that service them are responding, and continuing to push the envelope of “connectedness” – and thus security and privacy – whether or not the connection and the data that comes from the resulting “dialogue” are secure-able. And they very clearly are not.
This brings up point #3: as the 60 Minutes interview demonstrated, the media has gotten hold of this issue. This could become the biggest privacy panic since Edward Snowden revealed the NSA’s (U.S. National Security Administration) shenanigans.
Again, With Gusto
In spite of those dynamics, where we are as an industry right now is pretty much where we were when Paula wrote her piece nearly one year ago. So I’ll end by quoting my partner: “I feel like we’ve been getting into the warning business lately and I don’t want to sound like Chicken Little. But we’re at a dangerous inflection point. Even as we’re trying to learn how to act on what’s now called “Big Data” there is real potential that the industry will find itself awash in new regulations. That’s not going to be fun. So let’s start self-policing now.”