The spies you'll wear: When big data gets too personal

Vendors at CES are pushing wearables as big data generators -- and possibly hammering the final nail in privacy's coffin

If half of what's coming out of CES 2014 is to be believed, the long-vaunted Internet of things finally appears to be arriving in a form that the average user can get his mind (and hands and wallet) around.

But that might be just the beginning of the next and most difficult phase yet in the struggle to protect user info, given how freely this new spate of wearable, pluggable, Internet-accessible devices flings around the data it harvests.

Consider Intel's Edison, an SD-card-sized computer powered by a dual-core Quark system-on-chip, designed for wearable-technology applications: earbuds, smart watch, a baby's onesie with a built-in baby monitor. Most of Intel's talk during its demo revolved around how great it would be to have such items harvesting our movements and even our body functions -- the more you know, as they say. Even big data -- or would that be big math? -- folks like Wolfram Research are happily jumping on board.

But there wasn't much talk of where that data would be kept or what kind of protection would be used for it. The same goes for most of the other data-gathering devices unveiled at the show, from the sleep-tracking Aura to the EverSense thermostat. "The more you know" could end up as "the more anyone else can know, too" -- and not in a good way.

It's abundantly clear that anyone who retains large amounts of casually harvested data has a responsibility to protect it, since such repositories of data held by third parties are now prime hacker targets. Rarely, if ever, is such data encrypted at rest; rarely, if ever, is it built with the assumption that someone, somewhere will try to steal it.

Even if any one piece of data seems innocuous enough from the outside, it may not be quite so innocent when aggregated and correlated against other data. Consider the recent worries about unencrypted Windows error-reporting data. A single crash report by itself isn't useful, but a whole slew of them could be used to make deductions about where weaknesses lie in given applications or in Windows itself.

Bruce Schneier has spoken out about how the Internet of things could easily transform itself into the Internet of exploits -- and may have already done so. "No one entity has any incentive, expertise, or even ability to patch [embedded] software once it's shipped," he wrote. "Maintaining the older chips and products just isn't a priority. And the software is old, even when the device is new. ... This patching is especially important because security vulnerabilities are found 'more easily' as systems age. ... the Internet of things will only make this problem worse, as the Internet -- as well as our homes and bodies -- becomes flooded with new embedded devices that will be equally poorly maintained and unpatchable."

Some would call this doomsaying, but Schneier is speaking from experience. Just as there's little discussion of how securable the data generated by these devices will be, there's equally little discussion of rigorous long-term maintenance for such devices. Then again, why would there be, when the average lifespan of the current Internet of things poster child, the smartphone, is a scant two years (at least in the minds of its marketers)?

The erosion of privacy doesn't happen intentionally or all at once; it happens by degrees, often as a by-product of the way people lean toward convenience over other factors. Hardware makers need to resist the temptation to head for convenience at every fork in the road, and think long and hard about how the data they're generating with their brave new sensors needs rigorous protection.

This article, "The spies you'll wear: When big data gets too personal," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.