Last month the largest Distributed Denial of Service (DDoS) attack in recent history crippled much of the Internet in the United States. As a result, a variety of large websites, such as Netflix, Reddit and Twitter, were brought down. What made the attack so different was that instead of relying on a network of personal computers, it relied on the “Internet of Things”: devices around your house that are connected to the internet. This could include anything from a television to a fridge or an energy meter. Unlike a laptop or PC, these devices often lack the protection that even basic anti-virus software offers, whilst still handling incredibly personal data. And therein lies the risk.
Nowhere is such a risk more obvious than in the energy sector. Under current plans, the UK government hopes to have smart energy meters installed in all households and small businesses by 2020, whilst many energy companies such as British Gas are already offering them to customers. Such an initiative is huge, with over 53 million gas and electricity meters being replaced, which will involve visits to 30 million homes and small businesses. The difference between a smart meter and a normal meter is that it has the ability to record information regarding energy usage and send this off to energy suppliers. These smart meters can also receive signals, and be turned off remotely by suppliers. All of this data transfer is accomplished over a wireless connection at regular intervals that can be as short as an hour.
The benefits of these smart meters are numerous, such as the prospect of cheaper energy bills, no longer having to physically read meters, and allowing users to monitor energy usage throughout the day. However, they also pose a number of security and privacy risks.
One problem arises when data is captured at shorter intervals. If this happens and a person were to examine a graph detailing energy consumption, then everything from what time you wake up and what time you leave the house to when you turn off the lights and go to sleep can be easily deduced by a trained eye tracking electrical usage and linking it to appliances. Misuse of such data has already been reported around the world. In Australia, data from smart meters has been used by debt collectors to ascertain when people were likely to be home. In the United States, the police secretly collected customer data in order to bust drugs farms.
The risk is compounded by the limited computational power of these meters, alongside their need for a long operating lifespan. And because smart meters can receive signals, hacking them can lead to wholesale power loss. Whilst a severe and unlikely outcome, one such potential risk is the hijacking of smart meters by terrorists.
Even if the data is not maliciously hacked, consumers and companies need to consider how it is being used. Such data may be used by companies for sales and marketing purposes and shared with other parties, with consent being a key issue. From experience, tracking customers’ consent can be difficult in an industry where records can be held for upwards of thirty years and the potential for duplicate records is high.
As the role of the Internet of Things grows, data protection needs to be a key consideration for businesses. In a world where driverless cars may soon become the norm, many more industries will also be forced to become more knowledgeable about the Internet of Things and data protection law, especially as the potential for security breaches, fines and a loss in customer confidence will soon be too large to ignore.
If you have any questions regarding how devices connected to the “Internet of Things” could affect your business, or if you would like to discuss this in more detail or seek advice, please don’t hesitate to get in touch with us at Data Protection People.