Original Title: Capturing Complexity: emergent properties and security analysis

The original paper title built upon research I had done concerning intelligence analysis. As I delved into this subject it became clear to me that as a society we were increasingly and unwittingly contributing intelligence feeds into corporate and government data-warehouses. Deciphering and decoding the complexity of these feeds and of this intelligence struck me as an underexplored area. The re-titled paper follows and is a very first draft. In the coming months it will be refined and updated in the light of new material and in particular market data and technical detail. The argumentation will also be updated, I am sure.

"Freedom, Covert Security Surveillance, and Big Data: the Internet of Things and Security Challenges"
RM DOVER (Loughborough University)
First Draft – Prepared for UK Political Studies Association Conference, 30 March – 1 April 2015, Sheffield. Please do not cite without permission. Amended draft will be posted on Loughborough University’s Institutional Repository.

Abstract: The Internet of Things, or objects that have the capacity to report data derived from sensors or usage back to a central data-hub, is becoming ubiquitous. From wearable technology, ostensibly for healthcare improvement, through dash-cams to protect a driver from erroneous insurance claims, to internet enabled lights, heating and entertainment centres, the quantity of information being produced by and about individuals has increased beyond the confines of our social understanding of it, and of the regulation of it.

This paper holds the emergent phenomenon of the IoT up to a bifurcated analysis: 1) the potential covert security applications of the IoT and of data aggregation and analysis, what this does to the social contract between citizen and government, and what it does to social relations between social actors (individuals), consumers and companies; and 2) how the social scientific researcher can access and make sense of the technology and the data produced (an interdisciplinary question), and the security implications of this technology and its usage. There is a substantial gap in scholarly understandings of how covert security surveillance – within the broad wrapper of network enabled devices – contributes to the use of forms of coercive violence or restrictive behaviours. Given that the commercial and marketing applications of these technologies are well known, there seems no better time to tackle this subject.
___________________________________________________________________
Google’s CEO Eric Schmidt (2010): “We know where you are. We know where you’ve been.
We can more or less know what you’re thinking about.”
The internet has changed everything: or so the popular meme goes. Along with such
thoughts follows the claim that data has become ‘democratised’, or ‘free’, and that the ordinary
citizen has become ‘empowered’. A newer variant on the internet is coming to the fore,
which extends the notion of its ubiquity and the security challenges lying behind it.
The internet of things – as it has become known – is a broad range of objects, or artefacts,
which are network enabled. That is, objects which are capable of generating data from
sensors or usage, and which communicate this information across a network, typically
directly via an internet connection or at one step removed via Bluetooth to a so-called smart
phone, which in turn transmits the data to a data-hub via a mobile data or internet
connection. We see evidence of this underpinning architecture of the IoT in all sorts of
commonplace technology platforms. These include our motor vehicles, where most new
models come with data-gathering and transmission technology, including for diagnosis and
repair. The onset of the smartwatch – and Apple’s grand launch of the Apple Watch in
March 2015 – may well herald a wider adoption of internet enabled devices, in addition to
the ubiquity of so-called smart-phones.
The internet of things is regarded as a disruptive set of technologies (Kellmereit &
Obodovski, 2013), that is, a set of developments capable of generating paradigmatic shifts in
the way business is conducted, in the way individuals communicate or deal with
commerce and government, or in their social relations. The term ‘Internet of Things’ was a
marketing device coined by the founder of Belkin, Kevin Ashton, in a presentation to traders
in 1998. The term has stuck, presumably due to the invocation of the word internet (which
carries a particular cachet), whilst those working in this area prefer the umbrella term M2M
(machine to machine). This paper focuses on the security aspects of the IoT: not the deeply
technical forms of security that can be found in firmware and software architecture, but
the security studies themes that apply most directly to these technologies. This paper is very
much a work in progress; indeed, it is a first draft of a piece that I will seek to refine and
hone. As such the conclusions are preliminary and I would like to deepen much of the
analysis, so what is presented here is a set of indicative areas of concern.
The Management of Urban Space
Section Summary:
The Smart Cities initiatives offer officials and their suppliers the opportunity to plan more effectively
for capital spend. They do this in two ways: 1) the use of sensor data and prediction to assess the rate
of obsolescence in publicly owned objects, e.g. street lights and drainage; and 2) the use of movement data
to better understand how people use cities, at what times various public goods are required, and when
resources can be better deployed.
The Smart Cities and open data initiatives offer a regenerative opportunity in an urban space: that is,
to allow start-up companies to form, making use of and applying lessons from captured data. This has
occurred mostly within what have become known as ‘hackathons’, which are competitions in which the
largest contribution to the community is attempted, and which are a closely related cousin of the
ecosystem that supports the Internet of Things.
Smart Cities create opportunities to improve governance (through data-driven analysis), energy
usage, building usage, mobility and healthcare (which is a definite IoT area), and to improve the
knowledge base of the ordinary citizen.
As will be expanded on later in this piece, the ethical and regulatory dimensions required to roll these
initiatives out fully are yet to reach maturity. The citizen is – as yet – passive in the collection of their
data and in their understanding of what the analysis of this data means. The small number of pilot
projects has also been due to the commercial necessity of providers or suppliers reaching
deals with local authorities. Many of these deals have not been a commercial success in their own
right, merely a proof of concept exercise for future deals.
There is the potential for these technologies to be used to enhance the security of urban spaces – as
the monitoring of movement has been shown to provide insights into trigger points for violence and
disorder.
Surveillance, Social Relations, Ubiquity and Data-collection
Section Summary:
There are competing interpretations of what sensor technology and IoT means for individuals, their
relationships with each other, and their relationship to sources of authority. The two competing views
essentially coalesce around the question of whether these technologies compound a power
imbalance between authority (be it public or private) and the individual or whether they allow the
individual to hold authority in check or to enable genuinely local power and influence to occur.
The clear emphasis within the extant literature is that this range of technologies allows minor
improvements in efficiency and function for individuals whilst providing a strong advantage to
corporations in understanding the behaviour of consumers, and minable data-sets that have their own
intrinsic value.
There is a misunderstanding that the primary collectors of M2M data are states; this is not the case.
There would be many potential utilities for states in collecting movement data (for example), which
would provide greater levels of prediction around violence in urban spaces, alternatives to mobile
phone led surveillance data, movement data in the home, and, as an unrelated task, help in resource
planning and resilience in understanding the prevailing health of a community. But the reality is that the
majority of this data is collected, stored and mined by the manufacturers’ back-end functions and by
third parties contracted in to perform these roles. The utility for these actors is to be able to analyse
the usage of their devices, to make improvements and modifications as a result of this, and also to
find activities that follow as a logical consequence of this analysis.
From a political science perspective, the pace of technological change coupled with the pervasive
spread of this technology into our everyday lives has outstripped our sociological understanding of
what such leaps have done to the relationship between state and citizen, and the relationship
between consumer and supplier. Similarly, the regulatory and ethical dimensions of the use of this
technology have been outpaced by the speed at which the technology has come to market and
‘penetrated’ the market. In this respect there is much that is analogous to the analysis of the
leaks by Edward Snowden: those involved in the development of technologies have continued to
pursue the logical end-points of their technological advances without paying much heed to the
braking influence of formal regulation and ethical control. As such we may well find ourselves
collectively in the position of enduring a Snowden MkII moment, once these technologies have
become genuinely ubiquitous.
In the adult lifetime of this author, western society has become immersed in a sea of
collectable and analysable electronic data. Before I went to university in 1996,
electronic mail was the clunky preserve of a few, and the majority of those I studied law
with were introduced to email by the necessity of the university, rather than because it was
ubiquitous. Students who could afford the £1500 for a basic laptop might have one, but it
had yet to hear of this thing called ‘Wi-Fi’. Mobile phones were not smart, nor were they 3G,
4G or 5G, and relatively few people owned one. Supermarkets had just begun to get serious
about their loyalty card schemes, but carrying one was more the exception than the norm. And
internet shopping and banking was only done by early adopters, if at all.[1] So, within a
remarkably short period of time on the human developmental scale, we have moved from
an analogue society to a digital one. Our everyday purchases (both online and offline)
generate collectible data feeds that can be recorded, analysed, repackaged, exploited and
sold, as can our online activity, our telephone communication (both voice and messages),
and our everyday movements (be they motorised or on foot). And whilst it can be seen
that these changes have occurred very rapidly, it is the case that the public and political
debate around what this growth of data production and analysis means is vastly
underspecified.
These observations are equally valid for the ‘ordinary’ internet and telecommunications as
they are for the IoT. This paper focuses on the IoT for reasons of immediacy – enabled
technologies are a rapidly emerging tranche of technologies – and because the IoT advances
and embeds the essential networked qualities of the internet closely onto, and sometimes
effectively into, the bodies of ordinary citizens. IoT hardware is attracting a lot of media and
investment attention due to the large so-called ‘unicorn’ acquisitions of GoPro, Nest, and
FitBit amongst others, and the public accessibility of information around crowdsourcing
rounds. The IoT is, at the moment, relatively simple to research due to the closely
defined nature of its ecosystem. The IoT creative space is very clearly geographically
delineated, with key hubs in San Francisco, New York, Austin, Shenzhen, London, Hamburg,
Paris, Barcelona and Bangalore. The ecosystem is essentially underpinned and supported by
a sub-strata of Hackerspaces, FabLabs, incubators, MakerSpaces, MakerFaires, and meetup
spaces: the London IoT meetup community runs to 4712 members according to
meetup.com (accessed 12 March 2015). The IoT centres are also heavily present in cities
where there is ready availability of capital. Whilst crowdfunding platforms should allow the
making community to disperse geographically, the reality has been that ambitious makers
have continued to locate themselves near to venture and angel investors, whether they
have an immediate need for these forms of capital or not. Similarly, as makers have clustered
near to money, they have created learning and innovation communities, so there have been
intellectual reasons to cluster in the way that we can observe. That growth has had an
exponential rather than linear quality to it, however, with the industry commentator Renee
DiResta (2014) asserting that in 2008 there were 50 hacker/maker spaces created per year,
rising to 200 new spaces created in 2009, 300 in 2011 and 250 per year since. The
development of manufacturing platforms such as Hackster[2] has allowed micro- or small
scale innovators the opportunity to rapidly prototype their ideas and has lowered the
barriers to market entry. Whilst this market entry is quicker and cheaper – and therefore a
positive for business – it has also allowed more experimental ideas and innovations to find
airplay, if not a market. This is because the prototyping is quicker, easier and cheaper thanks
[1] I should declare that I have been an early-adopter for most electronic devices in my adult life-time. I have what the comedian Eddie Izzard describes as techno-joy, as opposed to techno-fear.
[2] https://www.hackster.io/platforms, accessed 20 March 2015
to standardised platforms like Arduino, Raspberry Pi, and Spark, and the development of
additive manufacturing. For this rapidly developing area the unit price of these ‘3D
printers’ is continually dropping: the top end Makerbot now retails at $2899, and as
functionality decreases there is the Buccaneer at $1099, the Overlord at $699, the Micro at $349, and
at the budget end the iBox Nano at $299. The time to market has been compressed by the
hastening of prototyping, finance, manufacturing and retail offer (be they online or offline
retail options). An indication of scale in this regard comes from AngelList (an online platform
for investors to place money in Angel syndicates), which estimates that there were 3022
hardware start-ups in March 2015, around 1000 in 2014, around 800 in 2013, around 700 in
2012 and around 200 in 2011, with very few present before that date. These innovation
communities and the organic growth they have experienced, the local and national
government policies that have helped to spur inorganic growth, and how the innovation
policy has spilled out into consumer electronics are all worthy of further exploration. For
this paper, however, the central question is around the impact of these technologies in the
security space.
The development, improvement and cost efficiencies found in on-board processing, in a
variety of sensor types, and in battery size, weight and longevity have helped to create a wave of
devices (that have come to market in 2014/15) that are effectively ‘intelligent’ and which can
operate autonomously. Prior to this, small connected devices (watches, trackers etc.) were
reliant upon piggy-backing on other forms of computing power, such as smart-phones
and/or cloud platforms. Autonomous networking capabilities are now coming to the fore,
and there is some evidence for this in the investments made into M2M networking
platforms such as Helium, which secured $21m, and SigFox, a telecommunications
network for IoT devices, which secured $148m of investment capital. Whilst it is only a
proxy measurement for influence and likelihood of success, there is a strong assumed
correlation in this sector between investment capital secured and the direction of travel for
these technologies.[3]
[3] Valuations as an indicator of success:
1) Xiaomi (a wide range of wearable tech) 2) GoPro (wearable cameras) 3) Square 4) Jawbone (wearable health-tech) 5) Nest (home – thermostat, carbon monoxide) 6) Beats (home entertainment) 7) Magic Leap 8) Oculus (virtual reality) 9) Razer (virtual reality) 10) Kiva Systems 11) Makerbot (3D printing) 12) Dropcam 13) Boston Dynamics 14) PrimeSense 15) Fitbit (wearable health tech) 16) Parrot 17) SmartThings (home automation)
The current direction of travel appears to be towards varieties of health-related, home-related,
energy-related and mobility-related technologies. The technology causing headlines in the
early part of 2015 was all around the notion of human augmentation and technology, the
replacement of human workers with machines (but this debate seems centuries old), and
the potential for machines to displace humans more generally, as per the pessimistic
conclusion of such towering figures as Stephen Hawking. However, the ongoing human
security threats in West Africa from the Ebola virus, and from a variety of pandemic
respiratory diseases, have spurred such initiatives as ‘Fever Smart’[4], which was funded via the
crowd-funding platform Indiegogo, but at $125 is unlikely to break into developing world
markets. Clarity – an air quality monitor – seeks to provide information to users about the
quality of air in their vicinity.[5] For those in jobs where concerted attention is vital there is a
device called Vigo which will provide alerts if it detects fatigue, but it seems a very niche
technology.[6] Even more extraordinary is the Scout by Scanadu, which measures a body’s vital
signs from a USB stick sized device.[7] It is capable of measuring heart rate, ECG readings,
breathing flows, and body temperature. It is – essentially – like being wired up in hospital,
but without the whole hospital ‘experience’. There are emerging devices that sit in the inner
ear, or in the inner soles of shoes, all of which bring technology closer to human
augmentation. The utility of these apps to the individual is clear (for the most part), but the
data collected, particularly by those apps which draw upon sensitive data (which would
be of acute interest to the insurance markets), are both eminently marketable and
yet pose some issues and potential concerns for those who are generating the data.
Similar sorts of concerns might be found in technology that relates to the home: not only in
the occupancy patterns of home life, but in how real people (as opposed to modelled
assumptions) move around and use their homes. This sort of data is more valuable than the
modelled assumptions for obvious reasons, and would open up all sorts of
commercialisation and economic data for energy companies, as well as advertisers. Google
is currently making a strong bid to dominate the home data space, and whilst there is an
obvious counter-play expected from Apple, for example, the rivals to Google are likely to
become acquisition targets for well capitalised large companies. NEST is the best known of
these companies and has become a tech-unicorn (essentially a billion dollar acquisition),
which focuses on domestic heating and separately on fire and carbon monoxide detection.
The thermostat platform is surprisingly open and most industry commentators assume that
[3, continued] 18) iHealth 19) Aldebaran Robotics 20) Basis
[4] http://feversmart.com/ accessed 25 March 2015.
[5] http://clairity.io/index.html accessed 25 March 2015.
[6] http://www.wearvigo.com/ accessed 25 March 2015.
[7] https://www.scanadu.com/scout/ accessed 25 March 2015.
Google will begin to expand the range of functions that NEST can perform. The acquisition
of Revolv by NEST (and thus by Google), which is a home automation hub, merely reinforces
the notion of Google making headway in this space. A similar sized venture – certainly in
scale and ambition – is Samsung’s SmartThings suite[8] (currently only available in the US and
Canada), which is a home automation platform that traverses entertainment, security,
heating, lighting and motion. It aims to provide a complete home automation solution and it
is not clear whether it suffers from the same security glitches as the Samsung voice
operated televisions, which Samsung themselves warned against speaking too candidly in
front of for privacy reasons.[9] So, any work-place device that is voice controlled and Wi-Fi
enabled is capable of being manipulated to provide intercepted human intelligence. Control
by voice means that voice is recorded, understood and analysed (normally via cloud
services), and being Wi-Fi enabled means that the device goes via the local corporate
network into wider internet networks. So, if there are any vulnerabilities in the firmware or
in the corporate network then that device might provide sensitive human intelligence to a
third party. Security in this field is reliant upon the firmware designers (and, as mentioned
elsewhere in this paper, the component manufacturer) having security at the forefront of
their design parameters. The accusations in the Snowden leaks were that the NSA – in
particular – had noted and collected security vulnerabilities but not sought to address them,
aiding their own collection efforts but leaving ordinary users still vulnerable (Schneier,
2015, p. 38).
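One way a network defender can act on the point just made is to check whether voice-controlled consumer devices are sitting on the corporate segment and pushing data out to cloud services, since that is the path by which a compromised device would carry human intelligence to a third party. The Python below is an added example, not code from the paper or from any vendor named in it; the segment ranges, the asset inventory, the flow records and the cloud host names are all constructed for illustration.

```python
"""
Spot voice-controlled consumer devices (smart TVs, assistants, hubs) that sit on a
corporate network segment and push data out to cloud services.

Added example, not from the paper. Every value below (segments, inventory,
flow records, host names) is constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: staff workstations live on 10.20.0.0/16 and consumer IoT gear is
# meant to live on a separate 10.99.0.0/24 segment with its own egress rules.
CORPORATE_SEGMENT = ip_network("10.20.0.0/16")
IOT_SEGMENT = ip_network("10.99.0.0/24")

# Device classes whose normal operation involves streaming audio or telemetry to
# a vendor cloud, and which IT does not manage.
CONSUMER_CLASSES = {"smart-tv", "voice-assistant", "home-hub"}

# Constructed asset inventory: ip -> (device class, managed by IT?)
INVENTORY = {
    "10.20.1.15": ("workstation", True),
    "10.20.1.40": ("smart-tv", False),        # voice-controlled TV plugged into the office VLAN
    "10.20.1.41": ("voice-assistant", False),
    "10.99.0.7": ("voice-assistant", False),  # same class, but on the IoT segment
}

# Constructed flow summaries: (src_ip, dst_host, dst_port, bytes_out)
FLOWS = [
    ("10.20.1.15", "mail.example-corp.internal", 443, 120_000),
    ("10.20.1.15", "updates.example-vendor.com", 443, 4_000_000),
    ("10.20.1.40", "voice-ingest.example-tv-cloud.net", 443, 2_600_000),
    ("10.20.1.40", "voice-ingest.example-tv-cloud.net", 443, 2_900_000),
    ("10.20.1.41", "speech.example-assistant-cloud.com", 443, 1_200_000),
    ("10.99.0.7", "speech.example-assistant-cloud.com", 443, 1_100_000),
]

INTERNAL_SUFFIX = ".internal"  # assumption: internal services use this DNS suffix


def is_external(host):
    """True when the destination is outside the organisation's own DNS zone."""
    return not host.endswith(INTERNAL_SUFFIX)


def summarise_egress(flows):
    """Aggregate outbound bytes and destination hosts per source, external hosts only."""
    totals = defaultdict(lambda: {"hosts": set(), "bytes_out": 0})
    for src, host, _port, nbytes in flows:
        if is_external(host):
            totals[src]["hosts"].add(host)
            totals[src]["bytes_out"] += nbytes
    return totals


def find_misplaced_uplinks(flows, inventory, corp_segment=CORPORATE_SEGMENT, min_bytes=1_000_000):
    """
    Return {src_ip: {...}} for devices that are (a) on the corporate segment,
    (b) not IT-managed, (c) of a consumer class or unknown to the inventory, and
    (d) have pushed at least min_bytes to external hosts. Devices correctly placed
    on the IoT segment are not reported: segmentation is the mitigation, not the device.
    """
    findings = {}
    for src, agg in summarise_egress(flows).items():
        dev_class, managed = inventory.get(src, ("unknown", False))
        if managed or ip_address(src) not in corp_segment:
            continue
        if dev_class != "unknown" and dev_class not in CONSUMER_CLASSES:
            continue
        if agg["bytes_out"] < min_bytes:
            continue
        findings[src] = {
            "class": dev_class,
            "hosts": sorted(agg["hosts"]),
            "bytes_out": agg["bytes_out"],
            "action": f"move to {IOT_SEGMENT} and restrict egress to the vendor endpoints",
        }
    return findings


if __name__ == "__main__":
    for ip, f in find_misplaced_uplinks(FLOWS, INVENTORY).items():
        print(f"{ip} ({f['class']}): {f['bytes_out']} bytes to {', '.join(f['hosts'])} -> {f['action']}")
```

On the constructed data the two devices on the office VLAN are reported and the assistant on the IoT segment is not, which is the intended distinction: the finding is the placement and the unrestricted egress path, and the corrective action is segmentation and an egress allow-list for the vendor endpoints rather than removal of the device class as such.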
As part of the Snowden revelations we collectively discovered that all network enabled
devices are capable of being compromised by SIGINT and ELINT agencies to provide
intelligence. The most lurid examples located themselves around the switching on of
microphones and cameras on laptops and so on to provide details of conversations and also to
record who was using the device at the time of a particular search. The range of data that
can be captured by these devices has become part of an investigation by a committee of the
UK Parliament. In this inquiry the committee has said: “there are legitimate concerns that
certain categories of Communications Data – what we have called ‘Communications Data
Plus’ – have the potential to reveal details about a person’s private life (i.e. their habits,
preferences and lifestyle) that are more intrusive. This category of information requires
greater safeguards than the basic ‘who, when and where’ of a communication.” The report
also says that legislation should cover different levels of metadata: Communications Data,
which is restricted to basic information about a communication, rather than data which
would reveal a person’s habits, preferences or lifestyle choices. This should be limited to
[8] http://www.smartthings.com/ accessed 25 March 2015
[9] (eg NEST, Ecobee, Revolv (Google), SmartThings (Samsung), Dropcam (Google), Welcome by Netatmo, Protect (smoke) by Nest, Point – house sitter, Ring (smart doorbell), smart body analyser (by Withings), Nomiku (cooking), Luna (smart bed cover))
basic information such as identifiers (email address, telephone number, username, IP
address), dates, times, approximate location, and subscriber information. Communications
Data Plus would include a more detailed class of information, which could reveal private
information about a person’s habits, preferences or lifestyle choices, and websites visited.
This is far more sensitive data, and therefore should be regulated far more toughly. Such
debates were had over Passenger Name Record data that the US Department of Homeland
Security had requested from the European Parliament, which also included ‘lifestyle data’
and which caused a great deal of unrest amongst privacy campaigners and MEPs (Dover,
2010). In the event, the EU permitted the transmission of such data under the threat of
further visa restrictions being placed upon European citizens seeking to travel to the US.
The analysis of voice has been used successfully by Google to refine their ‘Translate’ product
to the point where it gives a very fair account of spoken phrases into different languages.
The voice search and Apple’s initially much-mocked Siri service also make much use of these
techniques and analysis, and provide further insights into machine-learning of the spoken
word, things that are highly prized by SIGINT and ELINT agencies.
Beyond the reasonable scope of this paper[10] are cognate areas that make up the IoT
ecosystem, all of which contain security implications. Wearable cameras – disconnected
from smartphone cameras – have been one of the most visible manifestations of the IoT in
general, and of privacy issues more generally. The discontinuation of Google Glass in early
2015 was in part a recognition of the prohibitive pricing of the glasses (circa $1500), of the
issues around the augmentation of the internet through the glasses, and of the unresolved
issues around privacy – the recording of third parties without consent, and of conversations,
etc. (Hof, 2015). But Google Glass is actually one of the more limited pieces of wearable
augmented reality available. The key political science point about augmented reality is the
discrimination of the information presented to screen and, in the case of augmented
reality[11] and virtual reality devices for gaming, the immersive quality of the experience when
matched to particular world views or delineated choices.[12]
On the periphery of the IoT are productivity tools for agriculture, which cover formerly
labour intensive activities of harvesting and pruning, spraying and indeed laying seeds, and
which according to market data form a sector currently worth $800m, estimated to
be worth $16bn by 2020 (Wintergreen Research, January 2014). Related technologies that
[10] Although I will extend it in the published version of this paper.
[11] For example, Magic Leap, HoloLens by Microsoft, SmartEyeGlass (Sony), and Skully, which is an augmented reality bike helmet.
[12] Examples of virtual reality platforms include Oculus (acquired by Facebook), Project Morpheus (Sony), VIVE VR (co-owned by the smart-phone manufacturer HTC and the gaming platform Valve), OSVR (by Razer, another gaming platform), Samsung Gear VR (Oculus), iPhone VR headset (patented by Apple but not yet in production), and Google Cardboard, which is a budget device. In order to add usability to this technology a virtual reality keyboard has also been developed to match the VR headset, allowing the user to type, virtually. This is called Leap Motion.
incorporate network enabled robotics for a domestic range of tasks – such as mowing the
lawn and vacuuming the house – extend the IoT further into the home, providing labour
saving capacity. These devices are smart – in as much as they can be controlled over the
internet – but are not particularly intelligent in the data they collect and transmit. A new
breed of so-called social robots[13] have a much higher level of ‘smart’ development, as they
are – with varying degrees of success – able to respond to facial expressions and speech,
and clearly the data that these devices are able to glean falls into the category of
Communications Data Plus, as does that from devices aimed at children, such as the interactive Barbie doll
(BBC Technology, 2015), and the long-standing concerns about the Furby toys’ ability to
collect sensitive data led to it allegedly being banned from the US NSA in 1999
(Marshall, 1999).
Lastly, the increasingly prominent (and overhyped) area of self-driving cars poses an
analytical problem around whether this segment is transport, or large scale IoT devices.
Audi, BMW, Google and Tesla (of the large players), and the MEV-c by ZMP, which is a car not
blessed by aesthetic beauty, have made strong leaps to develop genuinely autonomous
vehicles, and whilst Audi have managed to get their vehicle (based on the large A6 saloon) to
drive more quickly than a human racing driver (Knapton, 2015), there are legal, ethical and
practical issues to be resolved. In the UK there are driverless car pilots in Greenwich
(focussing on safety), Milton Keynes and Coventry (focussing on road usability), and Bristol
(focussing on legal and insurance dimensions as well as how the vehicles are received by
local communities). The technology itself is very complicated, requiring a mix of radar (to
judge distance from other vehicles), video cameras (to read roadside signs and lights, and
the positioning of static and moving objects), LIDAR (light) and ultrasonic detectors that locate
kerbs and lines, whilst a central computer system and control planes bring this together to
actually drive the car. The benefits of these systems are said to appear in emissions control,
congestion, and safety, as well as legal compliance and planned maintenance. The
networked quality of these vehicles would again provide the sort of meta-data that would
constitute Communications Data Plus, and therefore those UK pilots, particularly the Bristol
one, will need to carefully hone the ethical dimensions of this emergent technology.
All of these devices providing all of this data, which is not only capable of being harvested by
manufacturers, data warehouse firms, and governments but is harvested and analysed,
raises stark questions of usage, further transfer and end-use. The security technologist
Bruce Schneier describes all such activity as ‘surveillance’ (Schneier, 2015). Schneier
likewise does not discriminate between government and corporate collection, it being on
the same continuum of surveillance. His argument, in summary, is that all surveillance
curtails natural behaviour, but that the ordinary consumer has both been slow to
understand the extent to which their privacy has been compromised and similarly slow to
[13] Double – Telepresence Robot by Double Robotics, and Nao and Pepper – social robots.
seek out the sorts of techniques and technologies that would help them address these
vulnerabilities. Ultimately – and Schneier’s book serves as a soft manifesto – he seeks a
(perhaps small) private realm free from surveillance, as he describes it. That is where the IoT
is a significant challenge to this notion of having any private space free from data collection.
Because we all anecdotally know that we are likely to speak about a subject differently in
front of a source of authority than in the privacy of speaking to friends or when speaking
without care (even if just in tenor and tone), there is good reason to believe that we will
self-correct in front of pervasive levels of collecting technology. But even if we do not, then
the collection of authentic thoughts carries value in a multitude of ways, and the Office of
the Director of National Intelligence published a redacted report in 2015, originally
written in 2009, on intelligence from smart phones, in which it posited that all the data could
form ‘crowdsourced intelligence’ (ODNI, 2009, p. 41). A powerful corrective to this notion
comes from Robert David Steele, who noted in private correspondence that useful
open source intelligence is not merely the aggregation of the sheer weight of sources, but that
quality filters are required to discern the useful from the useless. The challenges in this space
are then as much for governments as they are for individuals. Ultimately, however,
individual consumers and citizens are parting with ever larger data trails – some of which
they are plain unaware of, some of which they have little understanding of, and some of
which they are just happy/content/acquiescent in providing, for an assumed positive trade
off of improved services and convenience.
The importance and (threat?) of China to the IoT ecosystem
Section Summary:
The importance of China to this broad sector is found in the harvesting of the core materials base
underpinning the manufacturing of these technologies. The Chinese government’s previous
willingness to restrict access to these base materials represents a threat and challenge not only to the
consumer electronics market, but to the defence electronics sector.
The importance of China to the manufacturing supply of consumer electronics makes it a vital
component in the supply chain, but also gives it privileged access to global intellectual property in
this and related sectors. Dovetailed with the culture and pattern of business ownership in China, this
gives the Chinese government very strong oversight of technology-based developments.
Data mining from M2M technologies opens up the possibility for the Chinese security state to analyse
meta- and individual level data across a wide-spread of technologies (eg health tech, home tech, and
movement data). Such capabilities do not solely exist for China, of course.
A number of potentially disruptive businesses are based in China. Xiaomi and Huawei are the most
prominent of these in terms of hardware. Xiaomi has nearly 100 hardware lines making the most of
network connectivity and sensor technology, all of which substantially undercut western rivals. Whilst
this is not necessarily a ‘security’ threat, there is little understanding of how such disruption will
impact on R&D intensive sectors in the west.
The oft-cited cyber security threats presented by Chinese electronics manufacturers (particularly in
telecoms and networking) seem partially misrepresented; the more tangible threat posed by these
firms lies in the soft intelligence they can potentially gather from participating in infrastructure
projects.
China holds a special place in the heart of those involved in the IoT ecosystem. Much of
China’s influence and power comes from its privileged position as the pre-eminent producer
of the world’s consumer electronics. As such, the overwhelming majority of wearable
technologies are manufactured in China, and more particularly the city of Shenzhen, which is
known as the ‘Silicon Valley of Hardware’. Those involved in technology based start-up
businesses have a fondness for China that is unmatched in other industries and sectors. Much
of this connection is due to the speed, quality and price that can be achieved manufacturing
in China. Whilst Chinese manufacturers used to be selected purely for the prices they could
achieve, since the turn of the century Chinese manufacturing concerns have used their cash
surpluses to offer world-leading manufacturing capability as well as competitive (for which
read, cheap) labour costs. For those start-ups seeking to prototype and then rapidly scale, a
trip to Shenzhen can get their product into the market quickly. A reality of this process is,
however, that an essential part of manufacturing is time spent in Shenzhen, adapting and
designing with Shenzhen’s electronics ecosystem in mind. Components that are designed,
manufactured and sold in the SEG Electronics Market lower the barriers to entry and shorten
turnaround times, up to and including the holy grail of electronics manufacturing: a
twenty-four hour turnaround on printed circuit boards (PCBs).
To describe China as a threat in this space needs some elucidation. Some aspects of the ‘threat’
come from a dominant market position, and could equally be subsumed under economic
headings such as the west’s comparative lack of competitiveness in this manufacturing field. In
this context, drawing a threat rests on the notion that seeing vital or important fields of
economic activity disappear from, in this case, the UK has a security aspect to it. But it is in
the connectivity of the devices in the IoT ecosystem that ‘threats’ may be drawn (often
tangentially), and indeed in the raw materials used in the manufacturing processes themselves.
The tangential concerns of security professionals about the presence of Chinese computing
components in ‘interesting’ or valuable technologies really stem from a set of concerns,
expressed largely by Anglophone security services, about the manufacturer Huawei and its
closeness to the Chinese state. It is important to note that the various official reports written
about Huawei’s technology have merely identified vulnerabilities within it, rather than
demonstrating malfeasance. Part of the concern expressed has been that Huawei’s ownership
model is seen as part-vested in the Chinese state and that the firm rigidly adheres to Chinese
modes of intellectual property and business ethics. But there is an important corrective to the
shrill narrative around Huawei which equates its positioning with threat, which is that there
are very few telecommunications or computing products in the world (be they commercial or
government) that have not been touched by Chinese-manufactured components, and indeed
our largest computing firms have their final assembly operations in China (e.g. Dell, Apple,
Cisco and Hewlett Packard). So, whilst the realisation that global computing power is already
at least partly Chinese does not dull a threat analysis in absolute terms, in relative terms it
does place it in context.
The most often mentioned security threats said to be presented by Chinese computing
components are:
1) Variants of malware: these include the suggestion that components can be built with a
‘kill-packet’, meaning that an organisation holding ‘the’ code to activate the trigger could do
so, rendering all affected networks instantly hobbled. Such talk rather ignores the levels of
firewalling and segmentation between elements of a network, which limit which components
a trigger could reach from outside; the caveat is that the attacker does not need control of the
whole network, only a permitted path to the device, and a device that itself forwards traffic
inspects every packet that passes through it. Similarly, the notion that Chinese-made
components contain ‘backdoor’ points of entry seems unlikely given that the manufacturers
supply their own government and consumer markets: intentional security weaknesses would
be open to probing by our own somewhat active signals-intelligence agencies.
2) Deliberate software issues: the placing of deliberately weak or vulnerable software to
enable routes into the data being generated by users is also often cited. Again, this is entirely
possible, both intentionally and unintentionally, but these vulnerabilities would be as available
to other actors as they would be to Chinese state officials.
3) Prevailing Chinese business culture: An important, non-technical issue when considering
suppliers from China is the differing cultural frameworks for both competition and intellectual
property. The Chinese government and political infrastructure requires that any successful
company be intertwined with the governing Communist Party, which itself is integrated into
the government and military infrastructure of the country. This level of formal
interconnectedness is entirely normal in China, but means that Chinese manufacturers have
a higher level of alignment to the government than would be the norm (or even the outlier)
in the UK. As such, the level of trust demonstrated between those purchasing equipment and
Chinese suppliers should be qualified (as it should in all commercial relationships), but the
fact that it needs restating points to a lapse on the part of purchasers to exercise restraint
and due caution.
And finally: 4) Intelligence reporting: former US NSA chief Michael Hayden gave a controversial
interview to the Australian Financial Review (July 2013) in which he asserted that the firm
represented a substantial threat to Australian and American security.14 Hayden was unable to
provide precise detail on why this was his judgement: it was partly based on his instinct as a
long-serving intelligence officer, but mostly on the kind of intimate knowledge an outside
contractor gains of the systems, processes and procedures of government through building or
servicing telecommunications and computer networks. Hayden also told his interviewer that
there was ‘hard evidence’ of Huawei spying for the Chinese government. As such he said:
"At a minimum, Huawei would have shared with the Chinese state intimate and extensive
knowledge of the foreign telecommunications systems it is involved with…As an intelligence
professional, I stand back in awe at the breadth, depth, sophistication and persistence of the
Chinese espionage campaign against the West." These comments followed an October 2012
report by the US House Intelligence Committee which stated that in its view Huawei and ZTE
posed a national security risk and that their telecommunications equipment should not be
used in critical infrastructure projects, something that both firms fiercely rejected. Contained
within these lines of contestation are several concepts that require unpacking: 1) what
constitutes ‘spying’, to echo the language used here, and 2) an allusion to competing purposes.
The Snowden revelations arguably demonstrated that the NSA has been conducting large-scale
surveillance of Chinese mobile communications data, and so there is an element of
equivalence in the stance of the two countries. Similarly, both nations are said to intercept
wholesale communications data via communication cables (often under water) and to apply
decryption to it. Based on these activities, it is difficult to see why Chinese components would
add any particular additional layer of vulnerability to the IoT: the mass interception of data in
transit is seemingly blind to the component make-up of the technology generating the
interceptable data. The caveat is that a compromised device sits at an endpoint, where it can
see data before transport encryption is applied and can act on it, which bulk interception of
cables cannot; the two capabilities overlap but are not identical.
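The ‘kill-packet’ and ‘deliberate weakness’ arguments in points 1) and 2) above turn on two questions: what an attacker actually needs in order to reach a dormant trigger in a device, and whether a trigger known to its planter is also available to, and detectable by, everyone else. The following toy model is an added illustration written for this draft; it is not code from any vendor, report or agency, and the device, trigger bytes, network segments and sample packets are all constructed for the example.

```python
"""Added illustration (not from the paper or any vendor): a toy model of a dormant
'kill-packet' trigger in a network device, a firewall-segmentation check showing
what an attacker needs (a permitted path to the device, not 'control of the whole
network'), and the same trigger bytes reused as a detection signature. All names,
bytes and topologies below are constructed for this example."""
from collections import deque

# Hypothetical trigger bytes, chosen arbitrarily for this illustration.
TRIGGER = b"\xde\xad\xbe\xef"


class ForwardingDevice:
    """A router-like device whose packet handler hides a dormant 'kill' behaviour.

    Ordinary traffic is forwarded; a packet containing TRIGGER anywhere in its
    payload switches the device into a hobbled state that drops everything after.
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self.hobbled = False

    def handle(self, payload: bytes) -> str:
        if self.hobbled:
            return "dropped"
        if TRIGGER in payload:
            self.hobbled = True
            return "hobbled"
        return "forwarded"


def reachable(policy: dict, src: str, dst: str) -> bool:
    """Breadth-first search over a firewall allow-list.

    policy maps a segment to the set of segments its traffic may enter. A trigger
    packet needs only one permitted path from src to dst; no host on the
    intermediate segments has to be compromised for the packet to arrive.
    """
    seen, queue = {src}, deque([src])
    while queue:
        here = queue.popleft()
        if here == dst:
            return True
        for nxt in policy.get(here, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def deliver(policy: dict, src: str, device_segment: str,
            device: ForwardingDevice, payload: bytes) -> str:
    """Send payload from src. Returns 'blocked' if segmentation stops it,
    otherwise whatever the device's handler does with it."""
    if not reachable(policy, src, device_segment):
        return "blocked"
    return device.handle(payload)


def find_trigger_packets(packets: list, signature: bytes = TRIGGER) -> list:
    """Defensive check: once the trigger is known (to its planter, to an
    intelligence agency, or to anyone who reverse-engineers the firmware) it is
    both usable by third parties and detectable as a plain byte signature."""
    return [i for i, pkt in enumerate(packets) if signature in pkt]


# Constructed topologies: a chain that lets internet traffic reach the core
# segment, and a tighter policy where only the management segment can.
SEGMENTED = {"internet": {"dmz"}, "dmz": {"app"}, "app": {"core"}}
TIGHT = {"internet": {"dmz"}, "dmz": set(), "mgmt": {"core"}}

# Constructed sample traffic: two ordinary HTTP packets and one carrying the trigger.
SAMPLE_PACKETS = [
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    b"\x00\x01" + TRIGGER + b"\x00",
    b"POST /api HTTP/1.1\r\nContent-Length: 2\r\n\r\nok",
]


def demo() -> dict:
    """Run the three checks and return their results for inspection."""
    router_a = ForwardingDevice("core-a")
    router_b = ForwardingDevice("core-b")
    return {
        # internet -> dmz -> app -> core is permitted, so the trigger lands.
        "segmented_hobbled": deliver(SEGMENTED, "internet", "core", router_a, SAMPLE_PACKETS[1]),
        "segmented_after": router_a.handle(SAMPLE_PACKETS[0]),
        # No path from internet to core: the trigger is blocked, device untouched.
        "tight_blocked": deliver(TIGHT, "internet", "core", router_b, SAMPLE_PACKETS[1]),
        "tight_after": router_b.handle(SAMPLE_PACKETS[0]),
        # Index of the one packet that carries the known trigger bytes.
        "flagged": find_trigger_packets(SAMPLE_PACKETS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one a practitioner would want stated: segmentation decides whether the trigger ever arrives, not whether the attacker 'controls' the network, and a trigger that is a fixed byte pattern is as usable by a third party who learns it as by its planter, and is also trivially signature-detectable once known.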
Hayden does seem mostly to be alluding to a pattern of competitive behaviour that partly fits
within the definition of ‘hybrid warfare’ advanced by NATO in relation to Russia in early 2015,
and that I have proposed as ‘hyper-competition’ in several online forums.
Within this, state acquisition of competitive advantage (which ultimately points towards
military or security advantage) can be seen in bringing very high-end intellectual property to
Chinese shores, albeit in what might traditionally have been seen as a supplicant
manufacturing role. The co-production of manufacturer and designer, and a sophisticated
understanding of electronics, have placed China in a pre-eminent position in on-board
computing and the use of sensors. Prominent western universities have also sought to build
large-scale collaborations in China, and Shenzhen in particular, with Berkeley and MIT (Boston)
being the most notable examples. Whilst these sorts of collaborations clearly align with
university priorities, they are rarely refracted through the prism of national security, and
particularly not that of hyper-competition.
China also holds a very strong position as the majority producer of the rare earth elements
contained within consumer and defence electronics, in particular dysprosium (99 percent)
and neodymium (95 percent), used in components such as batteries, mobile telephony and GPS
systems. Figures for China’s share of global production vary from 70-95%. The Chinese
government has shown itself to be very aware of the influence such a position gives it, and has
been keen to flex this influence by restricting the supply of these materials, as it did between
2009-10 by some 9%, whilst signalling that it would like to restrict supply by up to a further
30% in the medium term. This has prompted forward planning by western militaries
(particularly the US, Japan, South Korea and Sweden) which also rely on these elements for
their defence electronics. The US Congress investigated the issue in 2012 and concluded that
the US should explore exploiting its own reserves of these elements as well as striking
partnerships with allies such as Australia, whilst President Obama pursued a diplomatic track
in the WTO to force China to drop the restrictions. The main barrier to increasing US
production is cost, with the unit cost of production in China being dramatically lower than in
the US. The South Korean and Japanese responses were to begin stockpiling elements of
interest to them and to forge partnerships with other rare earth producers (e.g. Vietnam and
India). Sweden effectively nationalised a rare earth mine, and the German government
created a lucrative partnership with mines in Mongolia.
14 It should be noted that the Australian parliament barred the government from contracting with the firm in May 2014.
The softly colonial mind-set of assuming China to be a reliable, enduring and essentially
supplicant partner should be revised. Whilst some of the excessively shrill discourse around
China’s supposed bid for world domination is almost certainly overstated, there are reasons
to revise sensibly the western disposition towards China in the interlinked fields of electronics,
from the very material building blocks of electronics, to the appropriation of key IP, to the
back-end data-warehousing that takes place on Chinese soil. Misunderstanding the
competitive advantage this provides China has the potential to put western powers (and
their citizens) in a position of vulnerability in the short to medium term. However, divesting
from or appropriately ring-fencing China imposes business costs on western firms. For the
vibrant SME community that essentially makes up the heartbeat of the IoT, this will not be an
ask they heed unless legally forced to.
Conclusion
The era of the IoT is nearly upon us, and from a security perspective the real issues
surrounding this group of technologies come from a set of unresolved debates around
ethics and privacy. As consumers and citizens we know precious little about (and are perhaps
not capable of understanding) the capabilities possessed by these technologies. Given that the
research organisation Gartner suggested that 50% of users lose interest in their devices
reasonably quickly, this might, to some degree, turn out to be a self-limiting problem.
Similarly, CNN reports that Chinese counterfeiters (a large industry in their own right) have
begun to shun the area, implying that it is not yet profitable enough for their endeavours
(Nylander, 2014). The IoT offers public officials and consumers some real advantages: for
cities, better resource planning and purchasing is possible via the various Smart Cities
initiatives. Similarly, regeneration and the clustering of technology firms should spin off the
installation of data-producing sensors. For individuals, I struggle to see the arguments for
enhanced productivity, which rarely results from technological advances, but in the
health-tech and med-tech spaces the gamification of well-being and body-monitoring do offer
advantages. But with the advantages currently come the attendant disadvantages of the
monetisation of the data that comes off the sensors. Without appropriate controls (and the
education that must precede the debates even occurring is yet to be had), the unprecedented
collection of intimate data will present a serious erosion of what we understand privacy to
be. The analysis that competitive or competitor nations can do of this data opens our
societies to vulnerabilities of greater understanding: the competitor nation simply knows and
understands us better than we know ourselves.