She also noted that if users share their fitness data with their health provider, and then the health provider gets breached, “that could be another entry point to their information.”
What to do about both risks has prompted intense discussion and is also the subject of a number of private sector initiatives.
The OTA formed the IoT Trustworthy Working Group about a year ago, and since then has published an “IoT Trust Framework” – 30 principles for building security and privacy into connected devices. Spiezle also moderated a panel at the recent RSA conference in San Francisco titled “Diffusing the IoT time bomb – Security and privacy trust code of conduct,” which discussed those principles.
The IEEE Center for Secure Design recently released a paper titled “WearFit: Security Design Analysis of a Wearable Fitness Tracker,” which “created” a fictitious wearable aimed at showing how developers of fitness trackers can design a device that “addresses each of the top 10 software security design flaws.”
Jacob West, cofounder of the center and lead author of the report, said he doesn’t think fitness trackers have more security vulnerabilities than other consumer devices, “but the challenge for any product company is to determine the right balance between security, functionality, and usability.”
To address that, he said, “we need to expand the focus in security away from simply finding and fixing bugs to include avoiding design flaws as well.”
West also said he thought market pressure could be effective. He said better-informed consumers who “understand security and privacy and make buying decisions based on that knowledge” could lead to improvements in both security and privacy.
Velasquez is a bit skeptical of market wisdom. “The market has failed (to cause product improvements) in the past,” she said. “But it does respond to losing customers.
“The way it needs to be framed is: ‘Today you’re not concerned, but at the pace we’re moving, in five years you will be.’”
Susan Grant, director of consumer protection at the Consumer Federation of America, shares the skepticism. “Bad publicity (about breaches) is helpful but it's not enough because not everything that companies are up to gets exposed,” she said.
Grant called for a stronger “general” privacy law at the federal level, “or at the least, a specific law covering health devices and services that are not already subject to law.”
But Payton said the reality is that if consumers truly want to protect their privacy when using connected devices, “don’t wait for government or industry to do it for you. The standards are still emerging, and by the time they are adopted, they will be out of date.”