
The Collision of Privacy, Regulation, and Physical Computing

Christopher Clearfield (System Logic)
Society
Location: Fleet Room

Physical Computing challenges designers, consumers, and regulators to rethink privacy and security, and the government’s ability to regulate both.

First, as consumers engage with physical computers, they are becoming connected in ways that they may not understand or agree to.

  • Retailers and others can track consumers with smartphones and collect data about visiting habits and locations in a store or throughout a community.
  • Consumers who buy internet-enabled devices may be unwittingly buying an insecure device. Consumers have a basic expectation for security that some physical computing devices do not meet.
  • As traditional stand-alone devices are connected (e.g., cars), consumers may be implicitly opting in to an insecure environment.

Even recognizing the challenges consumers might have, product designers face challenges.

  • Engineers who work on physical computers often add security as an afterthought, which leaves security flaws open. The resulting vulnerable firmware may be costly to replace or difficult for a consumer to update.
  • Instead, hardware designers need to think modularly and incorporate hardware- or software-based techniques to separate mission critical areas of a system from connected areas vulnerable to attack.
  • In addition, product designers should create an environment that encourages testing and input from diverse groups within the design process. This may include designating internal specialists or external experts as devil’s advocates and making it their job to independently review, test, and try to break systems.

Finally, all of these developments are happening in an environment that lacks clear regulation.

  • There is a high expectation of consumer protection, both from the public and from politicians.
  • On the other hand, in the US context, there is not a clear regulator with the power to regulate. While the Federal Trade Commission seeks to bring enforcement actions against manufacturers of insecure physical devices, its power to bring an enforcement action hinges on misleading statements about privacy rather than insecurity as such.
  • Finally, the security of physical devices is a fundamentally complex system, and regulators don’t necessarily have the technical expertise to regulate complex systems.

I think this is a fascinating time in the evolution of privacy, security, and regulation in the rapidly expanding world of physical computing. I would be honored to present at Solid.


Christopher Clearfield

System Logic

I am a principal at System Logic, a consulting firm that helps organizations manage the risk of complex systems. Before starting System Logic, I worked as a derivatives trader at a prestigious proprietary trading firm distinguished by its ability to understand and hedge risk. After years as a trader in New York, Tokyo and Hong Kong, my role matured from trading to analyzing the financial and regulatory risks inherent in the business of technologically complex high-speed trading and devising policies to mitigate those risks. I hold an A.B. from Harvard College, where I studied physics and biology, and am a licensed pilot.