UL creating standard for wearable privacy and security
Founded in 1894 and more commonly known for certifying appliances for electrical safety, UL is developing draft requirements for security and privacy for data associated with Internet of Things devices, including wearables. A pilot program is underway, and UL plans to launch the program early in 2016, UL told Computerworld.
UL first announced its interest in wearable compliance services in January.
"When we think how wearables are used, there are a lot of different implications for security," said Anura Fernando, principal engineer for medical software and system interoperability at UL, in a recent interview. "It might be financially relevant data, but it also could be social engineering: If you use a medical device and happen to be addicted to drugs and are a good programmer, you may be inclined to alter data that provides information to a clinician to get the drugs you want."
Because most wearables will be wireless, UL's concerns include whether the personal data acquired by a smartwatch or other wearable that's associated with a Social Security number or name is secure over Wi-Fi or Bluetooth.
"Fraud could result if data is not properly maintained and authenticated with a proper level of assurance," Fernando added.
UL wants to "begin to raise the bar for how security should be addressed...and establish a minimal baseline for what should be addressed much like we did with electricity 120 years ago," he said. "We want to reach the point [of certifying IoT data security] without having to second-guess it."
Without offering many details, Fernando said that "the jury is still out" on how data privacy and security with wearables will be ultimately protected, or even how strictly it will be regulated by the government. Given the U.S. government's recent apparent willingness to let industry regulate itself in such matters, UL's role becomes more important.
In January, the U.S. Food & Drug Administration issued draft recommendations that say the FDA's Center for Devices does not intend to "examine low-risk general wellness products" like wearable devices and apps that monitor health and exercise under its duties outlined in the 1938 federal Food, Drug and Cosmetic Act.
After that draft appeared, President Obama's cybersecurity coordinator, Michael Daniel, went on the record in April calling for a UL-style industry certification model for security of connected devices. "We are very much interested in voluntary models," he said in an interview with Dark Reading at the time.
Without clear government regulations about wearables' data security and privacy, "a lot of manufacturers are nervous about innovating and [determining] what their liability is," Fernando said. Thus, UL's role becomes important.
"At UL, we recognize two kinds of manufacturers," Fernando said. "One group understands cybersecurity or safety and has a good robust product on the market, but on the other end there are manufacturers who have never heard the world 'cybersecurity' before and don't know what they should be doing before marketing a product. So, we are trying to get a baseline of minimal requirements to level the field."
Fernando said UL's certification will be a "minimal level of acceptable safety or security" of products. "You either have that UL mark or you don't."
Once products are certified, they will all be publicly listed, he said.
One area of concern to UL and many lawyers in the privacy field is how personal data is collected from smartwatches and other devices, and then how it is used or sold.
Privacy advocates are especially worried that personal data from devices and apps won't be kept anonymous or ever erased when it is collected in bulk in databases and then sold to third parties for marketing or other purposes.
"There need to be standards for anonymizing data, and we're the first ones trying to do some of that," Fernando said. Some privacy advocates argue that even if a smartwatch user never gives his or her name, Social Security or credit card number to a smartwatch or app vendor, a hacker can still successfully invade the user's privacy. One way of doing this would be to use several pieces of publicly available data on the Web to compare with a user's smartwatch GPS location or mobile payment history to identify the user and, potentially, commit fraud against the user.
"Most experts continue to be concerned about the security of wearables, including smartwatches," said Irina Raicu, director of Internet ethics at the Markkula Center for Applied Ethics at Santa Clara University, in an email. She cited research at the University of Illinois demonstrating how motion sensors on smartwatches were monitored to show what a person was typing with a keyboard.
"The fact that DefCon had a whole 'Internet of Things Village' to discuss ways to hack into IoT devices speaks volumes, I think," she added.
Fernando said he's familiar with the concerns of cybersecurity experts with wearables. But he's also optimistic the UL can set minimal standards for anonymization of personal data from devices as well as tackle other related security worries.
"We see a lot of innovation and lot can be done with the correct technology," he said. "I'd be hesitant to write off anything as impossible."