Innovation first, then security

The internet of things: it can help us manage our energy use even when we’re away from home; it can help you let people into your house remotely or make receiving packages easier. It can help you monitor your own family, home security issues or grocery use... and it can help others monitor you.

A recent Gizmodo investigation, for example, revealed that Amazon’s smart doorbell/home security system Ring had major security vulnerabilities despite a company pledge to protect user privacy. Gizmodo was able to uncover the locations of thousands of Ring devices within a random Washington DC area. While only the Ring users who chose to use the Neighbors app were revealed, this still represents a major vulnerability which is ripe for exploitation.

Reflecting the density of Ring cameras that have been used to share footage on Neighbors over the past 500 days. Screenshot: Gizmodo

I think vulnerabilities like this arise because the preferred agile prototype model used in software – that is, release quickly, bugs and all, and patch later – is not optimized for security. The ethic of “move fast and break things” might be OK if the things being broken are loops of code, but doesn’t hold up when the thing being broken is your home security system. When we’re thinking about devices that infiltrate people’s homes and record some of the most intimate details about their lives, we must choose to adopt a slower route to innovation. Like government processes, we must adopt development processes which consider unintended consequences and move at a conservative pace.

I get worried when I hear of governments who want to adopt an innovation model from the technology and software communities. Moving fast, shipping and then debugging has a place when the consequences are small. But if the consequences are large and can impact personal or national security, or the power grid, or health care, it is prudent to adopt a more cautious approach.

Right now we live in a technology world where innovation is placed before security. I’m not sure this represents the best conditions for community or individual thriving. Instead, new processes, methods and norms are needed that strike the right balance between smart innovation and security, lest we literally throw the baby out with the buggy code.
