IoT Security & Personal Privacy
IoT security has needs that go far beyond the current scope of cloud and mobile challenges: use cases where dynamically introducing devices to each other is the highest goal, others where strong chip-backed security is essential, and still others that unavoidably mix the two. With recent security breaches and DDoS attacks, everyone can imagine scenarios that have disastrous consequences for industrial IoT infrastructure: traffic light hacks creating days-long gridlock and crashes, compromised dams or flood control systems threatening public health and safety, or deliberate power blackouts. For IoT in healthcare, smart homes and more, however, the consequences are different but no less severe, and a killer requirement comes to the fore: privacy. The most mature part of the IoT security and privacy technology stack comes from its web API heritage, with protocols such as OAuth and OpenID Connect playing a key role. With the FCC tightening privacy rules for broadband providers in the U.S. and the GDPR looming in the EU, adoption of the OAuth-based consent and delegation standard User-Managed Access (UMA) is likely to accelerate.
The New Era of Personal Privacy – the FCC Has Elevated the Privacy Rights of the Individual Over Commercial Interests, and Business Will Need to Change
Requiring broadband providers to secure consent from their customers before sharing their personal data with third parties brings the US into a new era, where the ability of the individual to keep their browsing data and other personal information private is now more broadly protected. This move by the FCC brings the US more into line with Europe, where ISPs and telecommunications carriers have long been subject to regulations that elevate the privacy of the individual over commercial interests. The new FCC rules present ISPs and communications firms with a great opportunity to use strong privacy protections as a competitive differentiator that cements customer loyalty. Strong, scalable customer identity technology will be a critical element in those efforts.
User-Centric and Self-Sovereign Identity Solutions
The history of customer-facing identity standards and collaboration efforts is full of noble, but failed, attempts to change ecosystem behaviors in order to empower individuals. InfoCard and OpenID, to name two, sought to deliver “user-centric identity” solutions but didn’t catch fire. Where did they go wrong? They delivered a vision that offered too few hard benefits. Now, several solutions based on blockchain/distributed ledger technology are seeing digital identity experimentation, with the Sovrin Foundation at the forefront of “self-sovereign identity” work. Are we seeing the same pattern all over again? Yes, we’re in danger of a repeat because of a built-in assumption that users want “identity sovereignty” over service value and convenience, and that service providers will accept such credentials. Users and organizations alike must see more direct benefit, given the new costs being imposed. To this end, solutions must enhance the “three Ps”: protection (security, privacy, and control over sharing, leading to trust and/or compliance), personalization (custom experiences, leading to mutually beneficial engagement), and payment (support for transaction value flow).