Issue #90 Cover Story: A Brave New World – How Might Wearable Technology Impact On Security

techW4_180589430By Bruce Baer Arnold.

The very low-key commercial launch last month of GoogleGlass is a reminder that we are entering the ‘Age of Wearables’. New personal technologies such as GoogleGlass and FitBit offer both threats and opportunities for security specialists. Most of those challenges will not be fixed by law or technology: they need a human solution.

This article offers a perspective on the emerging world of wearables. It places developments in context (some innovation looks distinctly traditional, some of the most effective responses to dangers are quite old). It also questions some of the hype and asks what is the best way to manage a disruptive security technology.

What is a wearable?

The term ‘wearable’ or ‘wearable technology’ is just starting to creep into the mass media. It is already in use in the information technology and academic communities, sometimes as part of enthusiasm about the ‘internet of things’ that has been highlighted in past issues of Security Solutions.

As the name suggests, a ‘wearable’ is a sensing technology that is worn by an individual, typically on a day-by-day basis. It is sensing because it collects information about that individual and potentially about the individual’s environment – e.g. the people the individual meets or facility that the individual observes. Typically that information is shared with and accessed through a personal computer or other device. Many of those devices are connected to the internet and the storage of information may be in the Cloud (e.g. in servers located in North America or India) rather than on the individual’s carefully firewalled private hard drive.

Media attention has centred on technologies such as GoogleGlass, partly because they are funky and partly because they raise questions about privacy, confidentiality and security (the security might be protection of the wearer – some of whom report being assaulted in bars or toilets by people who did not want to be recorded – rather than a matter of industrial espionage). Much wearable technology is, however, less dramatic and less visible. The key example is personal trainer or personal health wearables: the wrist, arm or ankle bands that allow you to track heart rate, the number of pushups, speed when you go for a cycle and so forth.

Some of those wearables are quite dumb: they are essentially just counters. Others are becoming increasingly sophisticated, with, for example, scope for GPS positioning. Much research funding is going into wearable innovations that excite venture capitalists but are unlikely to present fundamental security challenges. For example, if you trawl the literature, you will encounter research on smart socks and shoes: what you wear on your feet monitors your health and tracks where you have been. (At this stage you have to throw the socks away after a couple of wears and we might suspect that 20-somethings will prefer wristbands – funkier than tatts but without the nasty pain – to a pair of joggers that talks to their PC.) The literature also features proposals for smart jackets, shirts and even y-fronts, with your sentient shirt, for example, vibrating to let you know that a friend is in the neighbourhood or that a retailer is offering an unbeatable deal. Ordinary people will almost certainly skip the smart shirt and sock experience and rely on their mobile or pad, given the functionality of those devices and worries about putting the shirt through the wash. There will inevitably be alarms about offenders hacking data collected via the wearables and about misuse by private health or other services.

GoogleGlass goes a step beyond that monitoring. Along with several competing products, it allows users to record still and video images through internet-enabled spectacles that also provide the consumer with a display. So there is no need to fumble for your mobile or iPad to search for information about someone you have just met. Several apps are being promoted as giving consumers the ability to take a still image, via the glasses, of someone that they have just seen and verify the person’s identity through a high-speed search of images on the web. Potentially useful if you are an investigator or assassin … and if the technology works the way that it is supposed to. Some enthusiasts envisage recording everything that they see, with the data being stored by Google in the US. Others envisage much more restricted use, for example by surgeons only in operating theatres or by military personnel in the field rather than off duty. At the moment, ‘glass’ technology has not really hit the mainstream market, partly because of price (upwards of $1,300), partly because of bugs, and partly because of uncertain consumer demand. That may change in the coming three years and we can expect deals to provide prescription smart specs rather than the current one-size-fits-all offering.

Before we get too excited about wearables, it is useful to remember that some security questions are traditional and often readily solvable.

Have we been here before?

Critics of wearable hype point to three security precedents.

The first is the smartphone, that unremarkable device that is ‘worn’ by most Australian adults, that can record sound and images, and has an internet capability. Research and defence facilities often request people to leave their smartphone at the front desk. We can expect a range of government agencies, businesses and institutions to require visitors to hand over GoogleGlasses as a condition of entry or to prohibit their use in particular venues. (In teaching Privacy and Secrecy Law this month I have, for example, told the students to leave the surveillance kit at home.)

More broadly, there is a long history of security specialists managing concealed or miniaturised image and audio recording devices, including precision film cameras that were concealed in the palm of the hand or in lapels. The past 20 years have seen a proliferation of devices disguised as bow ties, lapel badges, fountain pens, brief cases or purses, and so forth. Managing that technology – either to prevent espionage by a competitor or to gain information that is not otherwise available – is a matter of vigilance, daring, an awareness of suppliers and an understanding of the law. (Recall, for example, the history of confidentiality law where courts have granted injunctions preventing use/dissemination of illicitly-obtained celebrity images, technical specifications and other information.)

Thirdly, the precedent that wearables enthusiasts do not like to talk about, we can see use of electronic bracelets and badges in the justice system and in business. Offenders can be electronically tethered to a particular location: move beyond a particular location (e.g. in home detention) or remove the ankle tag and the police get a call to deal with you. Most readers of Security Solutions are familiar with the invisible wearable known as the proximity card. It is invisible because most of us have the card, either worn on a lanyard or as a lapel badge that allows access to particular facilities and may even allow real-time tracking of who is in what room and what floor. ‘Wearability’, as such, is not necessarily new or frightening.

What could we do with wearables?

Much of the talk about wearables involves people shouting at each other, rather than having an informed and practical dialogue.

In meetings, for example, I have heard claims that wearables, just like RFIDs and barcodes, are The Mark of the Beast. Some critics denounce them because technologies such as GoogleGlass will make us into cyborgs, a claim that has attracted a small but devoted following in the US and North America, and is fostered by the zanier ‘posthuman’ researchers who are implanting sensing technologies in their bodies. In contrast, enthusiasts have promoted ‘wearables for everyone’ (from toddlers to grannies) as a solution for all the important problems. For example, if you need to recognise the local child molestor, you will supposedly be able to image match and view that person’s profile using GoogleGlass. The same technology will give you the ability to find bargains at the mall, or assist ‘informed eating’ (no cheesecake for me unless I run another 2,000 steps today) or give you the circuit layout at 4:00 am when you are at the perimeter fence fixing the wiring.

Concerns about hacking aside, the exercise or health bands do not present major security problems. Technologies such as GoogleGlass, just like the proliferation of low-cost and user-friendly drones, are qualitatively different. They need to be managed and need an updated legal framework for greater certainty but management is doable. We can envisage security personnel in the public and private sectors using those technologies to identify people of concern: verify that someone is indeed allowed to go through the gateway, discern that someone else has a profile that involves risk of violence. That will be accompanied by criticisms that security personnel are improperly collecting information about protestors and other people. (Those criticisms will be exacerbated by the May 2014 gutting of the national privacy watchdog.) There will be criticisms that wearables result in health problems (some glass users are reporting headaches; wristband users have reported dermatitis). Proponents will call for mandatory use of wearables to minimise disputes – e.g. provide evidence that a security operative was at a particular location at a specific time or to provide video of how a particular incident was handled.

With wearables, we are looking at an uncertain future where cost and comfort and functionality are going to be much more important than technological funkiness or the dreams of marketers and venture capitalists. The most informed answer may be that not all wearables are the same and that we should watch the space to see what goes right, and what goes wrong in the next five years. If you can manage someone’s mobile phone you can manage the socks, jocks and glasses.

 

Bruce Baer Arnold is an Assistant Professor in the Law School, University of Canberra, with a specialisation in privacy, confidentiality and data protection. He has published widely on new technology regulation and innovation. Asst Professor Arnold is an organiser of the forthcoming national symposium at the University of Canberra on wearable technology, security and privacy.