By Jonas Schwartz, Head of Infrastructure, Monstarlab Berlin.
IoT is showing up more and more these days, and it is taking over many mundane tasks in people’s homes. This makes it more important than ever to build ethics into modern IoT solutions.
Mozilla has made a “Privacy Not Included” list, which ranks various smart devices based on the data they store and send. You can see the list here: https://foundation.mozilla.org/en/privacynotincluded/ and get an idea of existing devices and how privacy-focused they are.
As you read through this piece, there are two key abbreviations you should be familiar with: IoT and MQTT.
IoT stands for Internet of Things. It is often used to describe common items that are connected to the Internet and/or Bluetooth Technology. This can be things like Philips Hue lights, Amazon Alexa, washing machines, refrigerators and much more.
MQTT is a message queuing system. Devices send messages to MQTT, and the backend system listens for and receives those messages.
Let’s get started
Before we begin let me be completely honest; I am not a big fan of IoT and don’t have any IoT devices in my home. Yet, I am often tempted by various devices. My rule of thumb is: I won’t own any device where I can’t be in control of the data stored. This is the driving force behind this piece, to value the privacy of IoT projects.
This article will go through some of the potential considerations you’ll face when doing IoT. We’ll touch on privacy, security, and ethics among others.
It is more important than ever to think about the privacy aspect, as IoT is taking over a lot of the functionality in our homes. The most important thing, when it comes to protecting people’s privacy, is limiting the data collected and stored by your device.
These days data is money and power, so we need to consider this very carefully as an industry. Just consider the bad publicity that has come out recently about Twitter, Facebook, and many others regarding how they collect data and handle users’ information.
When it comes to privacy, there are some key points that are important to focus on in order to make good and safe products for everyone.
Don’t collect more data than needed
I know it can be tempting to store a lot of data, for example in case it’s needed at a later point. But this can cause serious problems down the road. IoT devices can be very invasive to people’s lives, so it’s important to make sure that you only store the most important data.
There are some important considerations to take into account when making IoT devices:
- Store as much data as possible on the device itself. Only send absolutely necessary data to cloud storage.
- Make it a habit to go through all data stored and sent frequently. Do reviews, and if data isn’t needed, stop collecting it.
- If data is needed for verification only, hash it so it can be verified but not reversed.
Store your collected data safely
When building IoT, you will often build a system where your device sends data to MQTT, which is a publicly available system on the Internet. To secure the data storage, it can be a good idea to move the data to a different system that isn’t as accessible.
Below are some key points to help you store your data safely:
- Store persistent data from MQTT in MySQL, Postgres, Redis, MongoDB or similar, which don’t have direct Internet access.
- Data you only need for verification should be hashed, so it can’t be reversed.
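The points above on limiting, hashing and storing data can be combined in the step that moves messages from MQTT into the database. The following is an added example, not code from the article or from Monstarlab: the field names, the sample message and the key are constructed, an in-memory SQLite database stands in for the internal database, and it uses a keyed hash (HMAC-SHA256) rather than a plain hash, because short values such as codes can be guessed by brute force when no key is involved.

```python
import hashlib
import hmac
import json
import sqlite3

# Hypothetical field names; the key below is a constructed demo value and would
# come from a secret store in a real deployment.
ALLOWED_FIELDS = ("temperature_c", "battery_pct")  # telemetry worth persisting
VERIFY_ONLY_FIELDS = ("pairing_code",)             # only ever compared, never read
HASH_KEY = b"constructed-demo-key"

def keyed_digest(value):
    """HMAC-SHA256: short values cannot be brute-forced without the key."""
    return hmac.new(HASH_KEY, str(value).encode(), hashlib.sha256).hexdigest()

def minimise(payload):
    """Keep allowlisted fields, digest verify-only fields, drop everything else."""
    msg = json.loads(payload)
    if not isinstance(msg, dict):
        raise ValueError("payload must be a JSON object")
    row = {k: msg[k] for k in ALLOWED_FIELDS if k in msg}
    for k in VERIFY_ONLY_FIELDS:
        if k in msg:
            row[k + "_hmac"] = keyed_digest(msg[k])
    return row

def open_store():
    """In-memory SQLite stands in for the database with no Internet access."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE readings (device_id TEXT, data TEXT)")
    return db

def store(db, device_id, payload):
    row = minimise(payload)
    db.execute("INSERT INTO readings VALUES (?, ?)", (device_id, json.dumps(row)))
    return row

def verify(db, device_id, field, candidate):
    """Constant-time check of a candidate value against the stored digest."""
    rec = db.execute(
        "SELECT data FROM readings WHERE device_id = ? ORDER BY rowid DESC LIMIT 1",
        (device_id,),
    ).fetchone()
    stored = json.loads(rec[0]).get(field + "_hmac", "") if rec else ""
    return hmac.compare_digest(stored, keyed_digest(candidate))

# Constructed sample message as a device might publish it.
SAMPLE = b'{"temperature_c": 21.5, "battery_pct": 88, "wifi_ssid": "HomeNet", "pairing_code": "4821"}'
```

Storing `SAMPLE` keeps the two telemetry fields, drops `wifi_ssid` entirely, and replaces `pairing_code` with a digest that `verify` can check but nobody can read back.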
Handling sensitive data from people’s homes requires a special level of security. Make sure that your data is communicated over secure connections.
Security should always be the primary focus of any online system and it’s the same when looking at IoT devices. IoT devices often have very limited resources and very little local storage capability. This means that optimizing security on your devices becomes more difficult.
As with all systems that store data, there is some general security advice that is good to adhere to:
- Use certificate authentication for connection between device and MQTT
- Set up per-device authentication to separate them
- Make sure to follow general security best practices.
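One way to express the per-device separation from the list above is a topic check keyed on the identity in the client certificate. This is an added example, not code from the article or from Monstarlab's library: it assumes the broker has already validated the client certificate and exposes its Common Name, and the `devices/<id>/...` topic layout and function names are hypothetical.

```python
import re

# Assumptions: the broker has already validated the client certificate and hands
# us its subject Common Name; the "devices/<id>/..." layout is hypothetical.
DEVICE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
ACL = [
    ("write", "devices/{device}/telemetry/#"),  # a device publishes its own data
    ("read", "devices/{device}/commands/+"),    # and receives its own commands
]

def filter_matches(topic_filter, topic):
    """MQTT filter match: '+' spans one level, '#' the rest (and the parent)."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or level not in ("+", t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def is_allowed(cert_cn, access, topic):
    """Authorise a concrete topic name for the device named in the certificate."""
    # A CN containing '/', '+' or '#' could escape its own namespace: reject it.
    if not DEVICE_ID.fullmatch(cert_cn or ""):
        return False
    if "+" in topic or "#" in topic:  # wildcards are not valid in topic names
        return False
    return any(
        access == rule_access
        and filter_matches(pattern.replace("{device}", cert_cn), topic)
        for rule_access, pattern in ACL
    )
```

With this rule set, a device whose certificate names it `sensor-01` can publish under `devices/sensor-01/telemetry/` but not under another device's prefix, and an identity that contains topic separators or wildcards is refused outright.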
There are several examples of situations where security in IoT went wrong. In one case from 2019, security researchers found that a cheap, popular smartwatch for children was exposing children’s locations.
Or, in the category of sex toys, there is the more recent case of the Qiui Cellmate, a “smart” chastity device that can be locked and unlocked via Bluetooth, which was found to have a security flaw that could cause permanent lock-in.
These are just two examples, but there are many more. They underline how important security is in these types of devices, and that getting it wrong can cause very serious problems.
For smaller solutions, using IoT solutions from cloud providers can be a good way to get started. If you have larger plans for your project, it might be a good idea to roll out your own solution. This gives you complete control over the entire system and allows you to customize the solution and keep ownership of your data.
At the heart of most IoT setups is MQTT. There are a lot of open source solutions, which allow you to roll out complex IoT projects.
We recently started to look into cloud providers’ IoT systems versus building the features we needed. We specifically looked at AWS IoT, which definitely is a good offering. However, for our specific use case, we found it to be more expensive and to introduce some unnecessary vendor lock-in.
We instead built a small internal library that provides the specific features for MQTT we needed. This way we control every part of the network setup which allows us to protect our customers’ data. We also get a high degree of flexibility, allowing us to tailor the system to the specific use cases.
Impact on people
Another factor to weigh when talking about IoT is a problem that also comes up when talking about AI. IoT devices take over from “dumb” devices. This requires a high degree of transparency in what these devices do when it comes to data and impact.
As an industry, we should be very careful about not closing in on ourselves. Instead, you should work towards becoming more open and honest about your impact on people’s lives. Your device may make their life easier, but at what cost?
It’s therefore very important to consider the ethical consequences as we start having more and more devices in people’s homes, such as when we add cameras and microphones through televisions, baby monitors, etc. The same applies when we start having devices that analyse and impact people’s decisions, for example fitness trackers and health devices in general.
For health devices, pacemakers especially spring to mind. This is an area where it’s very important to consider the impact and optimize security. Imagine a situation where an internet-connected pacemaker gets hacked, and false information gets sent to the device. This could have deadly or very severe consequences. This is of course an extreme example but outlines how important the ethical and security discussion is every time we connect a device to the Internet.
IoT can help make people’s lives easier, but we need to make sure it doesn’t come at a high cost to people’s privacy. Going through all data collected by devices might be a large task, but will definitely be worth it in the end. It can be tempting to store various data points for later analysis. But we need to keep in mind what this could mean for the people. Ask yourself, what would you like a device in your home collecting?
To sum it all up: let’s make sure that future IoT devices are secure, safe and care about people’s privacy. This will help our entire industry have a reputation for helping people.
ZDNet, “Cheap kids smartwatch exposes the location of 5,000+ children”, 2019
TechCrunch, “Security flaw left ‘smart’ chastity sex toy users at risk of permanent lock-in”, 2020