What does a lack of Internet privacy mean for IoT?

Last week, Congress eliminated the Federal Communications Commission’s ability to govern what Internet Service Providers can do with their consumer data. This means that ISPs can now track and sell your web browsing data on both your wired and wireless broadband connections. So what will this mean for the internet of things?

To understand, let’s first talk about what ISPs can see. Your broadband provider runs software that can see where you go on the web and the type of applications you are running. This deep packet inspection software was a source of high drama almost a decade ago, as ISPs rolled it out with plans to use it to track web browsing so they could insert ads into sites that people visit.

ISPs also use this software to understand what types of traffic are running across their network. This lets them see trends like a rise in Netflix streaming as opposed to peer-to-peer movie sharing sites. It also lets them see what devices are on your network. When you install a device like a Nest thermostat, for example, the traffic from that thermostat will come back and forth from Nest servers. Based on that traffic pattern ISPs can assume that this particular customer owns a Nest.

Because ISPs know your IP address and can associate it with your physical address, many of the installed devices on your home network are indelibly tied to your name.

So the ISPs knows you have a Nest, a Wink hub, a Chamberlain MyQ garage door opener, and now if they want they can share that information with marketers. What’s more concerning is whether or not an ISP can see the specifics of your home IoT devices. Do they know when your motion sensors are triggered or what temperature it is inside your home?

I asked Brian Knopf, who is senior director of security research & IoT architect at Neustar, about what ISPs can and can’t see. He agrees that ISPs will be able to see the destination of your traffic and make guesses based on that, but said further details would depend on the type of encryption the company making the connected product used.

He wrote in an email, “As for the question about motion being detected or a camera has started recording, it’s purely based on how that device works. If you have a Dropcam/Nestcam, they are recording all the time. The ISP would certainly see that data is going from a camera to Google. As for whether there is motion, it would depend on what kind of analysis they are doing on the traffic. I don’t think they would see this, but couldn’t guarantee it.”

I asked Nest if ISPs would be able to detect motion and if it encrypted its data, but Nest did not return my request for comment. Other companies did. Wink, which makes a smart home hub, confirmed that it encrypts all of the data coming from its device.

Wink CTO Nathan Smith confirmed Knopf’s thinking. Wink emailed me the following statement, “The only data an ISP would be able to report is whether or not a Wink user was communicating with one of our servers. An ISP would not be able to see the underlying state of smart devices (if they’re on or off, for example), which devices are connected to the Wink Hub, or actions taken in the Wink app (a Shortcut firing, etc). That information is encrypted between the Wink Hub/Wink app and our servers – ISPs have no insight there.”

A WeMo spokeswoman also says that communication between WeMo devices and Belkin (it owns WeMo) are encrypted. However, she also said that Belkin was exploring adding VPN protection to its Linksys routers. But until that point, a consumer would have to use their own, and if they go that route it can mess up certain geographic specific functions, such as television services.  Linksys does offer VPN routers for the Small Business.

In the near term, ISPs probably aren’t harvesting device data to try to sell to someone who owns a connected oven cooking magazines or retargeting them with the ubiquitous Blue Apron ads, but they might. And as connected devices become more personal (think medical devices or even connected sex toys) ISPs will have access to even more delicate data.

At that point, regulators might see value in getting involved. Brian Peters, a partner at Washington DC lobbying firm Franklin Square Group, says regulators and Congress are probably not really aware of the data that connected devices can share.

“Much of the ISP privacy debate has very simply focused on email and more traditional basic web activity, and I don’t think it has gone to the depths of understanding IoT traffic,” Peters says. “But we will keep having this conversation and it will become more intense because there are so many devices that are part of the fabric of our daily lives.”

Peters’ firm represents several tech companies that have IoT products, so he’s watching this area closely. But he brought up another point. Historically, ISPs have looked at technology firms and tried to emulate parts of their business. But they haven’t always succeeded.

It’s true. ISPs have tried advertising against user data before. They’ve also tried to build app stores, messaging apps, cloud computing businesses and more. All without success.

So, as it stands, try to find a VPN and look for connected devices that encrypt your data from the device to the cloud.