Cybersecurity of IoT: challenges for freedoms
The eighth Agora du FIC took place on June 27, 2019 at The Maison de la Chimie in Paris. FIC is the Forum International de la Cybersécurité —the International Cybersecurity Forum— an annual cybersecurity conference, while the Agora takes place every trimester. The theme of this Agora was “50 billion connected objects in 2020: the stakes of security and challenges for freedoms” and Gandi was listening carefully.
GDPR and IoT
Gwendal Le Grand, deputy general secretary of the French Data Protection Agency (CNIL), started off by discussing how connected objects process personal data. This raises important questions about the rights of those involved and the intensity of the profiling. For example, the distinction between medical and non-medical data is growing increasingly blurred (e.g. data about sleeping rhythms). Once the data is collected, the question of where it gets sent needs to be addressed: is it sent directly to online servers (« the cloud ») or is it stored locally? How much time will the data be kept?
Most of time, GDPR applies for IoT and imposes obligations regarding information and security. This is a guarantee not only of trust for the user, but also of fostering responsible and sustainable innovation. Just recently, the CNIL gave a warning to IoT manufacturers due to vulnerabilities found in hackable dolls and robot toys. GDPR, therefore, can be an amazing tool for cybersecurity.
The most important change in our society is how much knowledge companies have on individuals. An insurance company might give away a gift card to those who walk more than 2,000 steps per day. This can have positive effects, since it helps individuals measure their health and fitness habits, but there are also, of course, strong legal and ethical questions about what kind of society we want to live in.
Standards, Law, Data, and Trust
Some of these legal and ethical issues are addressed by Internet Society (ISOC), an NGO working to build an open, reliable, and safe Internet. Lucien Castex, the general secretary for the French branch of ISOC, explained how ISOC works within standardization bodies such as W3C, with the goal of creating standards in line with their objectives.
They argue in favor of security by default and trust by design during the development process. They advocate for a central role for data, and the need for an ethical basis that puts humans being at the center of the debate, and propose regulations that foster trust from internet users.
“Taking back control of our digital destiny”
Senator Cadic started out by stating that “any system is hackable.” He related his personal experience of housing servers with sensitive content in locked rooms in his own house in the 1990s and being hacked during the first weekend.
He emphasized the importance of building a digital Europe which protects our democratic values.
“We need to take back control of our digital destiny.”
This statement was then supported by senator Morin-Desailly, who also called for a change in the EU’s competition policy and industrial strategy. Senator Cadic recalled that companies like Nokia or Ericsson, who could build the 5G network, came from Euopre, and that it was worth losing one or two years of progress as compared to Huawei in order to gain in human liberty.
He also pointed out that in spite of having excellent standards, there still remains the question of implementing them, and the complicated issue of fraud.
Cybersecurity, Surveillance, and Europe
The internet and technology provide both a well-meaning world of protection but also one of hyper surveillance. This can be shown, Senator Morin-Desailly said, through the mass surveillance by the NSA as revealed by whistle-blower Edward Snowden. Desailly was among the few public personalities in France to call the French government to give asylum to Snowden in 2014.
Mass surveillance is not only a field for intelligence services, she said, but also the work of surveillance capitalism, as remarkably studied by Shoshana Zuboff in her latest book by the same name. At the same time, the harvesting of data and subsequent targeting of political ads by Cambridge Analytica showed the potential threat posed by the use of technology against democratic processes.
She emphasized the role of the European Union in preventing the balkanisation of the internet and protect individual and collective freedom, especially against the North American model based on the monopoly of internet giants on the one hand, and more authoritarian and isolated systems such as China with its social credit system on the other. Morin-Desailly also called for a review of the Electronic Commerce Directive and more accountability of tech giants like Google and Facebook.
Furthermore, she suggested three solutions to tackle cybersecurity risks that arise when we connect objects to the Internet:
Gandi is committed to defending the right to privacy of citizens against mass surveillance as well as data exploitation by unaccountable companies.
From a legal standpoint, this is why we opposed the 2015 French surveillance law along with AFHADS, IDS, Ikoula, Lomaco, Online & OVH, as well as civil society groups such as La Quadrature du Net.
From a technical standpoint, Gandi supports the CaliOpen project along with Qwant, UMPC and the BPI. CaliOpen is a secure messaging tool built for the confidentiality of private messages, with the objective of freeing users from the dependency to privacy unfriendly services. It was released in May 2019.