Data Security in the Smart Home

This article was written by Jordan Stone, the Chief Software Architect at Notion.

Your refrigerator can tell you when you’re running low on milk and automatically order more to be delivered the next day. It can count the calories you’ve consumed by tracking what goes in and out, and send that information to your fitness tracker. All of it syncs to your smartphone, is available on your laptop, and posts to Facebook when you reach your exercise goal.

Your friend is supposed to meet you at your place before you go out for drinks, but she gets there before you get home from work. You send her a temporary key to your front door that expires in the next 30 minutes. After you get home and you both leave for your night out, your doors all lock, the porch lights turn on, and your alarm system arms itself. When you get back home late that night, the alarm system disarms, your entryway light turns on, and your thermostat sets itself to your favorite night time temperature.

This is the future of the connected home. This is the Internet of Things.

Your fitness tracker, provided by your health insurance company, is sending them data when you exercise. And when you don’t. And what if your refrigerator gets compromised by a hacker? Now your fridge, once responsible for ordering groceries, is buying all kinds of things all over the internet on your dime. Your door lock, which is connected to your thermostat, which is connected to your fridge, unlocks itself, giving the hacker easy access to your home and all that it contains.

This is also the future of the connected home. This is also the Internet of Things.

So, how do you ensure the former scenario without inviting the latter? How do you gain both security and privacy in a world where everything is connected to and talking to everything else? To understand how you can achieve these things in a connected world, it’s important to first understand these things and what they mean for you.


Security and the Internet of Things

What’s the quickest way to some free press if you’re a burgeoning new company on the forefront of a new and exciting industry? Just get hacked! And while it may seem a bit counterintuitive to think about getting hacked as a means for some PR, security breaches make the news. Fast. According to a 2014 study sponsored by IBM, a security breach cost a company $3.5 million on average, a figure that rose by 15% from the year before[1]. Target, The Home Depot, and Sony are just a few of the high-profile data breaches that have made headlines in the last 2 years or so. But as more devices gain access both to the internet and to your personal information, how do you make sure that these corporate data breaches don’t become personal ones? With the Internet of Things projected to be a multibillion-dollar business, it’s no wonder there are so many startups popping up trying to get a piece of the pie. After all, Gartner predicts 2.9 billion consumer-focused devices will connect to the internet in 2015 alone[2]. In the rush to get to market before anyone else, security is often an afterthought for too many companies.

Part of the problem is the infancy of the industry. In a space as new as the Internet of Things, there hasn’t been enough time for standards and industry best practices to emerge. We’re doing our best to pull from what worked well in the telecommunications and SaaS industries, but those industries are not IoT. Arguably no other industry has seen the rapid growth and proliferation of internet-enabled devices since, well, the Internet. And nothing speaks the same language. Rapid growth and a lack of standards make it difficult for companies to do the right thing. And the potential to get to market quickly has promoted a complacency in security that can only harm the growth of the industry as a whole.

As a consumer, it’s often difficult to know which product is the right one to choose. There’s a multitude of options when it comes to smart thermostats, door locks, light bulbs, and even sensors. How do you know which to pick? Well, you wouldn’t buy a car without researching its crash test safety rating. You wouldn’t buy a house without having it inspected. The same goes for your connected products. Do some research into not only the products that interest you, but the companies that build them. Do they list clearly on their website or their packaging what kind of security they use? Do they explain not just how your data is transferred securely, but how it is stored securely, as well? How long do they keep your data around for, and who, if anyone, do they share it with? Sometimes it’s not the company itself that leaks your data, but the company that company works with. Edward Snowden was a third-party contractor, after all.

Most of all, just ask. You don’t have to be an engineer or have a degree in data security and encryption to understand when a company has or has not given thought and effort to how they plan on protecting your most sensitive information.

Privacy in a Connected World

Security is only part of the battle when it comes to connected devices. Your data may be secure, but who has access to it? Who is it being shared with? What is that data being used for? Unfortunately, we live in a world where the answers to these questions live buried in long, overly complex End User License Agreements (EULAs), Terms of Service, and Privacy Policies. How many times have you read through the entirety of these documents before just clicking “Accept”? Companies like Terms of Service; Didn’t Read aim to simplify these complicated waters and rate companies based on the simplicity and clearness of their Terms of Service. There seems to be a trend happening in the startup world where companies are viewing their Terms of Service and Privacy Policy documents as yet another touchpoint with their customers. This means that these documents are becoming, in many cases, more conversational and less obscure and lawyer-esque. But, it’s ultimately up to the consumer to understand how their data is being used by the companies they bestow it upon, and to make sure that they are comfortable with those ways. Sure, Google Photos is an incredible new service from the team in Mountain View, but are you comfortable with them using data from your photos (like what you’re wearing) to better target ads you may find relevant? Yes, Nest can determine if you’re home or not. But do you want Google showing you an ad for some new blue jeans because they know you like to wear jeans? Do you want Nest to be tracking if you’re home or not, and making that information available through their API?


Privacy and convenience are all-too-often at odds in the technology industry. We want technology to enhance our lives; to make us eat better and exercise more. To set our home to a comfortable temperature when we arrive home, and to reduce energy consumption and increase security when we leave. And yet, we’re apprehensive to open up the flood gates of information that all of these devices actually need to gain the valuable insights that result in those comforts we seek. As companies salivate over the potential value of all of this data, there’s a social responsibility that these companies must shoulder in order to ensure that their customers feel safe sharing with them all of this personal information. As a consumer, look for companies that are open and honest about what data they have access to and what data they don’t. Does your WiFi-enabled security camera upload video clips without encryption? Do employees have access to these video clips? Make sure you are comfortable with not just the ways the company who makes the product you are buying uses your data, but that you are comfortable with who else they give that data to, and how they are going to be using it. By demanding this kind of transparency, and making it known that this is included in your buying decision, more companies will be forced to think about how much they truly need access to, and about making sure they are collecting data in a responsible way.

As an industry, the Internet of Things must include security and privacy in its top priorities. Security cannot be an afterthought or a bolted-on feature. Privacy cannot mean collecting more information than you need and being unclear about how you plan to use or distribute that data. But these are not hard problems to solve. All it takes is some forethought and a commitment to building a product and company that value security and privacy. Only time will tell how we come to live in a connected world; what things we are willing to give up and what things we refuse to budge about. But I, for one, am hopeful.


About the Author: Jordan Stone is the Chief Software Architect at Notion. Previously, he was building software at Deloitte Digital’s mobile development studio, Übermind.



