Category Archives: Consumer

Privacy Breaches Lead to Significant Brand Damage

A 2015 report from the National CyberSecurity Alliance (NCSA) shows that data breaches that result in privacy lapses lead to significant brand damage.


The report covers the experiences of IT professionals who work at a company that experienced a data breach. 41% of those employees ranked “loss of customer loyalty” (i.e., brand damage) as the second most negative consequence of the breach.

This finding reflects previous research conducted by the Ponemon Institute and should help device manufacturers prioritize their efforts to promote good security and protect consumer privacy.

Click the following link for the full data privacy consumer behavior report from the National CyberSecurity Alliance.

[Badge: Data Privacy Day, “Privacy Is Good For Business”]

IoT Security Lab is a Data Privacy Day Champion.

Half of All Consumers Think Security Equals Privacy

According to the National CyberSecurity Alliance (NCSA), half of all U.S. consumers think that “security” is the same as “privacy.”


In its recent survey, the NCSA found that:

  • 48% of the American public believes that privacy and security are the same
  • 52% of the American public believes that privacy and security are different

The survey results suggest that consumers shopping for smart devices could be just as turned off by poor security as by an unclear privacy policy. They also suggest that detailed information about security and privacy issues (such as the security alerts IT professionals are used to consuming) could be ignored by consumers who cannot even distinguish security from privacy.

Click the following link for the full data privacy consumer behavior report from the National CyberSecurity Alliance.


IoT Security Lab is a Data Privacy Day Champion.

High Net Worth or In Their Fifties Equals Privacy Sensitive

The National CyberSecurity Alliance (NCSA) has released a new report that links demographics and privacy in technology.


According to the report, the most “privacy sensitive” groups are:

  • 46-65 year olds
  • those with the “highest” net worth

This finding reflects previous research conducted by the Lares Institute and should help device manufacturers understand why certain groups may fail to adopt their smart devices unless information about their privacy is transparent.

Click the following link for the full data privacy consumer behavior report from the National CyberSecurity Alliance.


IoT Security Lab is a Data Privacy Day Champion.

Consumers Make Buying Decisions Based on Privacy

A new report linking data privacy and consumer buying behavior was released in advance of Data Privacy Day.


According to the report:

  • 39% of people said they’d made a buying decision based on privacy concerns.
  • 27% of millennials abandoned a purchase online because of security and privacy concerns in the past month.
  • 32% of US adults always consider a company’s privacy policies when choosing which websites to visit or online services to use.

These figures reflect previous research conducted by the Lares Institute, Raytheon (in partnership with NCSA) and Ipsos.

Click the following link for the full data privacy consumer behavior report from the National CyberSecurity Alliance.


IoT Security Lab is a Data Privacy Day Champion.

IoT Privacy Policy: Grading Lowe’s IRIS

As larger companies embrace the Internet of Things (IoT), they are starting to publish formal privacy policies that describe what data they collect and what they do with that data. Unfortunately, these policies are filled with legalese and are usually as indecipherable as the End User License Agreements (EULAs) that come with packaged software.

That’s where IoT Security Labs comes in: deciphering the policy. Today we’ll be looking at the privacy policy of the Iris home automation system published by Lowe’s Home Centers.


Overview

Lowe’s IRIS is a system of interconnected sensors, controls, and cameras that allow people to check on and sometimes modify conditions in their homes.

IRIS allows people to monitor temperature, door and window openings, limited video streams and other conditions remotely, and it can send alerts when certain environmental events occur. IRIS also allows people to set thermostat, lighting and similar controls remotely.

Lowe’s IRIS Privacy Summary

The Good:

  • Lowe’s Publishes a Privacy Policy
  • IRIS System Alerts are “Separate from Other Marketing Services”
  • Potentially Insecure Communication Channels are Listed
  • Reminder to Keep Passwords, PINs and FOBs Secure

The Bad:

  • Wide Range of “Collected Information”
  • Unclear Restrictions on Partners’ Use of Information
  • Credit Card Is Always Required (And Stored)
  • Automatic Consent to Full Credit Check
  • No Time Limit on Retention of Personal Information
  • Opt-Out of Marketing Messages
  • “Do Not Track” is Ignored

The Ugly:

  • Marketing Says IRIS Could Be a Home Security System, But Legal Disagrees
  • IRIS Can Update Its Own Equipment, but Consumer Is Still Responsible for Security
  • Privacy Policy Confuses Device Communications and Web Surfing

The Good

Lowe’s Publishes a Privacy Policy

Lowe’s deserves credit for getting their privacy policy out in front of their consumers. In fact, I found the policy just by following the standard “terms of service” link on an air filter notification.

[Image: Iris smart home notification showing the privacy policy link]

IRIS System Alerts are “Separate from Other Marketing Services”

Section 13.3 of Lowe’s terms of service provides a perfect example of the message consumers should look for in their IoT systems (emphasis mine): “Your Iris service includes important email and text messages relating to alerts, system status and important account updates. These are a core part of the Iris service and separate from the other marketing services Lowe’s offer.”

Potentially Insecure Communication Channels are Listed

The IRIS policy does a good job telling consumers that the convenient communication channels they will probably use for their alerts are also potentially insecure. These include “phone call, text message, and emails.” For example, in section 13.1, Lowe’s states, “please be aware that emails in particular are not secure.”

Reminder to Keep Passwords, PINs and FOBs Secure

Lowe’s policy contains a reminder we would hope to see from any IoT vendor: “you are responsible for keeping any passwords and PIN numbers…confidential, and for keeping keyfobs…secure. You should log out… You are responsible for notifying us immediately if you believe that the security of your account may have been compromised…” (Section 13.5)

[Image: IRIS key fob]

The Bad

Wide Range of “Collected Information”

Lowe’s policy allows the company to collect a wide variety of personal information, including physical address, email address, phone numbers, photographs and “details about your various devices in your home.” (Section 20)

Unclear Restrictions on Partners’ Use of Information

The information Lowe’s collects may be used to “communicate with you,” “manage our customer information database” and “customize your experience.” Lowe’s may use this information itself or “may share personal information we collect on the Site with our service providers who perform services on our behalf.” Lowe’s may also “share your information among our affiliates and joint marketing partners, who may send you marketing information.” (Section 20)

While it may be unlikely that Lowe’s intends to ship your personal video streams off to Mechanical Turk to mine them for hints, similarly invasive uses do not seem to be prohibited by its privacy policy.

Credit Card Is Always Required (And Stored)

Even the Basic/Free tier requires consumers to enter valid credit card information. (Section 2.2) This information is then stored so the service can automatically bill you if you accidentally exceed the Basic Tier limits (Sections 4.3 and 8.2), or if you decide to upgrade to a higher service tier.

Automatic Consent to Full Credit Check

“You authorize Lowe’s to obtain a non-investigative consumer report, commonly referred to as a credit check or credit report, about you from a consumer reporting agency at any time that you are signed up to receive the Iris service.” (Section 6.4)

A credit report can reveal extensive information about you, including your date of birth, your social security number, most of your employment information, all your credit cards, bank accounts and loans, and legal actions such as bankruptcies, liens and wage garnishment.

No Time Limit on Retention of Personal Information

There is a brief and vague section about how Lowe’s will protect personal information, but there is no mention of how long the data will be retained.

Opt-Out of Marketing Messages

Lowe’s terms of service make it clear that you will need to “opt out” of its email and similar promotions. “By accepting this agreement, you agree to receive Lowe’s marketing communications both Iris specific and non-Iris specific.” (Section 20)

“Do Not Track” is Ignored

Lowe’s is similarly clear about ignoring “Do Not Track” flags. “We do not process or respond to ‘Do Not Track’ signals from your browser or other mechanisms that enable consumer choice regarding the collection of personal information about one’s online activities over time and across third-party Websites or online services.” (Section 20)

The Ugly

Marketing Says IRIS Could Be a Home Security System, But Legal Disagrees

The video description of the IRIS system says that it could be used to detect prowlers, and there is an IRIS page dedicated to positioning the product against “Competitors: Cable/Telcos/Alarm Co’s.”

[Image: IRIS marketing material positioning it as a security system]

However, Lowe’s Terms of Service make it clear that IRIS should not be used as a traditional home security system. Specifically:

  • It cannot be used for emergency service. (Section 12.1)
  • It cannot be connected directly to police or other public services. (Section 15.2)
  • It provides no insurance protection; in fact, you agree to hold Lowe’s harmless if anything does happen. (Section 18.1)
  • It was not designed to meet building or fire codes. (Section 12.1)
  • The system can send you home security alerts, but these may be “lost” and Lowe’s is not responsible for delivering these alerts. (Section 13.1)

The contradiction is a problem for people (like us) evaluating the privacy of the system because we cannot be sure if we should look at it as a security system or not. (Ultimately, we decided it was not.)

RECOMMENDATIONS:

  • For Consumers: Don’t buy IRIS to use as a home security system.
  • For Vendors: Square your marketing with your terms of service.

IRIS Can Update Its Own Equipment, but Consumer Is Still Responsible for Security

Lowe’s Terms of Service state that “Once your system is registered and working, we may need to access your hub or devices to upgrade the firmware.” (Section 2.3) That’s fine until you get to the part which states, “you alone are responsible for protecting…Iris products…from unauthorized access, viruses, spyware and all other types of malicious code.” (Section 13.4)

As a consumer, I’m now confused: is Lowe’s going to fix everything EXCEPT security problems with my devices?

RECOMMENDATIONS:

  • For Consumers: To prevent malware at home, consider deploying ALL your in-house automation on a separate network from your home computers, tablets and other systems. (An easy way to do this with a home router is to put all your wireless automation on your “GUEST” network. Commercial routers can also be used to “segment your network.”)
  • For Vendors: If you claim responsibility for updating and maintaining your deployed components, you also need to claim responsibility for keeping them secure and virus-free.
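One way to check that the segmentation advice above is actually holding is to audit the router's DHCP leases and flag any home-automation device that has landed on the trusted LAN instead of the guest/automation network. The script below is an added example written for this page, not code from IoT Security Lab or Lowe's; it assumes dnsmasq-style lease lines (the sample lines are constructed), a trusted LAN of 192.168.1.0/24, an automation network of 192.168.2.0/24, and a hostname-keyword heuristic for spotting automation devices (a real inventory would use known MAC addresses instead).

```python
import ipaddress
import re

# Network layout assumed for this example: computers, tablets and phones live on
# the trusted LAN; all home automation is supposed to live on the guest network.
# Adjust both prefixes to your own router's addressing.
TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")
AUTOMATION_NET = ipaddress.ip_network("192.168.2.0/24")

# Heuristic (assumption): hostname fragments that suggest an automation device.
AUTOMATION_HINTS = ("hub", "thermostat", "camera", "plug", "sensor", "bulb", "lock")

# Constructed dnsmasq-style lease lines: expiry, MAC, IP, hostname, client-id.
# Made up for this example; not captured from a real router.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.10 johns-laptop 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 192.168.1.11 iris-hub 01:aa:bb:cc:00:00:02
1700000000 aa:bb:cc:00:00:03 192.168.2.20 front-door-camera 01:aa:bb:cc:00:00:03
1700000000 aa:bb:cc:00:00:04 192.168.1.12 hallway-thermostat *
1700000000 aa:bb:cc:00:00:05 192.168.2.21 smart-plug-kitchen *
"""

LEASE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_leases(text):
    """Parse lease lines into dicts; lines that do not match the format are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        _expiry, mac, ip, hostname, _client_id = m.groups()
        leases.append({"mac": mac, "ip": ipaddress.ip_address(ip), "hostname": hostname})
    return leases


def looks_like_automation(hostname):
    """Apply the hostname heuristic; case-insensitive substring match."""
    name = hostname.lower()
    return any(hint in name for hint in AUTOMATION_HINTS)


def find_misplaced_devices(leases):
    """Return automation devices whose address falls inside the trusted LAN."""
    return [lease for lease in leases
            if looks_like_automation(lease["hostname"]) and lease["ip"] in TRUSTED_LAN]


def audit(text):
    """Return (misplaced automation hostnames, correctly placed automation hostnames)."""
    leases = parse_leases(text)
    misplaced = {lease["hostname"] for lease in find_misplaced_devices(leases)}
    placed = {lease["hostname"] for lease in leases
              if looks_like_automation(lease["hostname"]) and lease["ip"] in AUTOMATION_NET}
    return sorted(misplaced), sorted(placed)


if __name__ == "__main__":
    bad, good = audit(SAMPLE_LEASES)
    for name in bad:
        print(f"WARNING: {name} is on the trusted LAN; move it to the automation network")
    for name in good:
        print(f"ok: {name} is on the automation network")
```

On a real router you would feed the script the contents of the lease file (for dnsmasq, typically `/var/lib/misc/dnsmasq.leases`) instead of the constructed sample. A device that appears in the warning list still has a direct path to your computers and tablets, which is exactly the exposure the recommendation is meant to remove.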

Privacy Policy Confuses Device Communications and Web Surfing

Lowe’s privacy policy starts strong, with explicit commitments to avoid co-mingling IRIS alerts and regular Lowe’s marketing. However, the “Privacy Notice” section (Section 20) appears to blur the lines.

The problem could be that the IRIS privacy notice appears to be a modification of a standard retailer’s web site privacy policy, which essentially says that the retailer can use any means necessary to figure out who you are, track you, and present you with targeted offers based on your likely purchasing patterns.

Some of that baggage remains in phrases like “web beacons” that don’t apply to device communications. At the same time, Lowe’s also tries to carve out special protection for device communications in “Service Delivery” clauses and the like. Unfortunately, the result is a mishmash of web and device privacy rules that seem to leave IRIS data open to many uses – several of which could surprise privacy-seeking consumers.

RECOMMENDATIONS:

  • For Consumers: Seek out vendors that treat device information with special care, as outlined in their privacy policies.
  • For Vendors: Be careful not to let overzealous web site privacy policies (which aim to identify “anonymous” visitors and address particular demographics accessing your site with specific offers) bleed into your device privacy policies (where the identity of your consumers is already known).

Lowe’s IRIS Privacy Policy

Current Policy | Evaluated Policy (PDF, Nov 18, 2014)

Next Steps

Take the IoT Privacy Survey

Suggest Another Privacy Policy to Review


IoT Security Lab Becomes Data Privacy Day Champion

[Badge: Data Privacy Day, “Privacy Is Good For Business”]

IoT Security Lab is proud to be a Data Privacy Day Champion as we look forward to Data Privacy Day on January 28. The date commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.

On Jan. 27, 2014, the 113th United States Congress adopted S. Res. 337, a nonbinding resolution expressing support for the designation of Jan. 28 as “National Data Privacy Day” in America.

For our part, IoT Security Lab pledges to make the privacy of IoT devices and the systems that support them more transparent to consumers, so everyone can make informed privacy decisions when they purchase smart devices.

Internet of Things “Smart Device” Privacy Survey

Are you terrified of your TV or other smart device? Please take our five-minute, six-question Internet of Things (IOT) privacy survey. Results from all takers will be displayed when you complete it.

[Image: “Evil Smart Device”]

What types of smart devices might reveal too much information about you? (Check ALL that apply.)

What smart device features make you nervous? (Check ALL that apply.)

What information do you currently fear losing through a smart device? (Check ALL that apply.)