IoT Security Blog

Articles and Posts on IoT Security, Embedded Systems, and the Internet of Things

Privacy versus Security

If you have been affiliated with Automated Identification Technology (AIT), Machine to Machine (M2M) communications or the Internet of Things (IoT) in any way, you are probably very familiar with the worldwide concerns that have been raised around privacy and security. In fact, we often think of privacy and security as a single issue and we even talk about solutions that will address privacy and security. However, privacy is different than security although very often connected.

Privacy has many meanings in different contexts. In the physical world, privacy may mean something as simple as closing a window-blind or door so you cannot see in from the other side. In the technology world, privacy often refers to our concern over the ability to identify, collect, control, and distribute data related to a person or object (we could write pages and pages on a full definition of privacy but this will serve our needs for now). Of course, it gets even more complicated when you can tie two or more data sources together to create information on a person or object where the separate sources did not reveal as much. Finally, privacy is typically a matter of definitions expressed in the form of policies and laws based on the customs and social norms of the local society. This leads to situations where what is considered a privacy violation in one country (e.g. cameras widely recording the public in the United States) is not a privacy issue in another country (e.g. cameras widely recording the public in the United Kingdom). Now think of the privacy challenges facing a technology or device that can physically move from country to country.

The word security also has many meanings in different contexts but, for this blog, we will think about it as it relates to small computing devices, including wireless sensors, M2M, NFC and RFID. When I tell people we develop security for these platforms, they often reply, Oh, you do data encryption. Yes, but security is so much more than this. Security is encryption, but it is also the ability to authenticate, repudiate, provide permissions, and even detect and prevent intrusions. The security industry has developed a wide range of methods and tools, some going back thousands of years, but the continuously changing definition of privacy seems to have put security in a race that has no finish line.

Even if you put aside the issue that a device may need to meet the privacy needs of two or more societies as it travels around the world, AIT tags present a physical challenge for most of the security functions we take for granted today. This challenge comes from the limited computing resources we typically find, whether the power be passive (i.e. from radio waves), active (i.e. from a battery), or something in between. A tag’s limited computing platform or gate-count, limited power (even on an active tag), and the available computational time have all proven to be significant hurdles to strongly securing an AIT tag. Similar limitations apply to other types of wireless sensors, M2M applications and embedded devices. SecureRF has developed public-key cryptographic security protocols to address these issues and secure these resource-constrained environments.

As the Internet of Things expands these security and privacy concerns will need to be addressed during the product design and development phases, not as an afterthought.

Note: The original version of this post was written by Louis Parks in 2010 and appeared in an industry association blog which is no longer online.