Is the Movie Eagle Eye a Precursor for IoT?

Executive Summary

• A Movie Before its Time
• IoT Today and in the Future
• Controls and Regulation for IoT
• A Well Tread Pathway
• What We Learned from the Equifax Breach

Introduction

I was recently watching the movie Eagle Eye. Eagle Eye is a movie that is about a conspiracy. The plot surrounds an artificial intelligence system (AI) created by the government that ends up running out of control.

Watch the trailer to get a taste.

The movie has more time to get into the relationship between data collection and the government system embodied by the woman’s voice on the phone who is directing civilians to its ends based upon information it has collected and its control over distributed devices. 

One of the movie’s interesting features is that it shows a centralized computer having control over distributed computing devices. It’s challenging to watch this movie, and it did not think about the new IoT trend.

A Movie Before its Time

This movie predates IoT by some years, and when watching the movie, one of the things that came across to me is that a centralized computer like this would have no way of controlling the devices controlled in the movie.

• Remote Locking and Unlocking of Airport Doors: In one scene where two protagonists are trying to get through a locked airport security door, the centralized computer ends unlocking the door to let them through and then locking it again, their pursuers try to get through the door.
• Redirecting Conveyor Belts: Several scenes where this centralized computer is redirecting parcels and even people who end up on electronic conveyor belts. In one scene, it does so by reading the faces of people on the belt.
• Controlling a Military Drone: In one of the most inventive scenes, the centralized computer ends up taking control of a military attack drone. When the drone pilots recognize that they can no longer control the drone, they direct it currently flying F-16 to destroy the drone. When the Drone sees the F-16, it can initiate the pilot’s ejection before the F-16 can shoot it down. In this extreme, it implies that the F-16 has no security and then furthermore that it is on a network system and therefore can be remotely controlled in this way. I have no idea how F-16 systems work, but it seems a bit far-fetched. Because of this, while the time of first viewing eagle-eye is quite exciting, it seemed unrealistic.

Because of this, while the time of first viewing Eagle Eye is quite exciting, many of the scenarios it laid out were not possible — at the time.

IoT Today and in the Future

Everything that has developed in the 9 years since the movie was released has made Eagle Eye more possible. With the background of IoT and all that, it can do, and all the information you can gather, and the bi-directional nature of these connected systems, and Eagle Eye seems like a precursor, although still a bit far-fetched of what is to come.

And here, I focus not so much on the AI aspects of Eagle Eye. There is still no real evidence that AI will drive to the result conveniently displayed in the movie creating this artificial antagonist. While appealing for Hollywood scriptwriters, it is largely fiction based on the misconception that AI will develop along human lines. All the evidence up to this point is that AI artificial intelligence does not work that way.

Skynet will not become self-aware, but plenty of companies run by ordinary humans with intentions not focused on protecting privacy but dedicated to using a widening net of data collection are here already, and telling us they need no “interference” in terms of how to use this data. 

No, it turns out the problem is not software becoming AI self-aware. It is increasingly powerful data collection and analysis being misused by ordinary humans. Humans already have enough bad intentions. We don’t need to have self-aware AI to step in as a villain.

However, the distributed device part of the movie seems increasingly possible as IoT is receiving such a large amount of investment to create capabilities that allow devices to communicate with centralized systems for them to share information and be remotely controlled by centralized systems.

Controls and Regulation for IoT

IoT needs controls and regulations because IoT captures large amounts of information, and in many cases, it captures information that relates to people and does so without their agreement. People have an implied right to privacy that companies are not covered when they begin collecting this information. But this right must be protected by governments, and private companies have no incentive to protect it.

One of the problems is that countries’ founding documents were developed before any of these capabilities existed.

• In the US, freedom of speech was designed to protect citizens against the government, not against private companies.
• The 4th Amendment to the constitution was primarily written to protect the right to privacy against the government, also not against private companies.

And all of this was written before modern data collection and analysis technologies. In fact, private companies’ current ability to collect information looks little like it did even 15 years ago.

Yet here is the statement from the FTC on this exact topic of regulation of IoT data.

The US Federal Trade Commission is holding off regulating the Internet of Things industry until there is an event which “harms consumers right now”, according to its acting head.

Maureen Ohlhausen, the American regulator’s acting head, told a gathering of cyber security professionals that she was not inclined to impose mandatory regulations on IoT devices. – The Register

This is one of the most careless statements that one could imagine. One does not have to wait for abuses when the history of how data is collected without oversight has been treated historically by private companies.

And the next quote brings up the question of the knowledge of IoT among regulators.

Across the Atlantic, British regulators are seemingly barely aware of the existence of the IoT, let alone thinking about regulating it. – The Register

A Well Tread Pathway

We have already been down this path of the abuse of information collected, and the evidence is in.

Data that is collected is frequently abused by those who collect it. Here are examples:

Here are some examples:

• Facebook: Facebook sells customer information, and we have no evidence they anonymize it. If Facebook seems to stalk you to get you to connect to more people and divulge more and more information about yourself, the reason is simple – the more you divulge, the more money they make.
• Google: Google, as with Facebook, possesses a scary amount of information about us. It is web searches, but also email. Before email, mailed letters in the US were protected by law against the opening. The fact that sealed envelopes and a large volume of paper, and limited access by outside parties provided great privacy. Today, while far more efficient, Google maintains decades of email and uses a bot to search through it for advertising purposes. Google and Facebook have a similar position on this — they demand no oversight as to how that data is used.
• NSA: The National Security Agency massively surveils US citizens, even though its surveillance is supposed to be directed outwards (although don’t foreign citizens have a right to privacy from the NSA?). Every time the NSA testifies to Congress about the limitations of what they do, later information surfaces that indicate that the statements on the limitations of their activities are a lie.
• Credit Agencies: Credit agencies create profiles that are now used for things that they were never intended. a) Prospective employers run credit checks on prospects. b) Credit checks are run by credit card companies on large groups of people in the credit system without the individuals in question ever filling out a credit application. The entire credit scoring system has less to do with how good of a credit risk someone is and instead is a measure of the person’s history of paying a large amount of interest.  Credit agencies have many inaccuracies in their credit reports which they put little effort into fixing. The recent Equifax breach shows how little concern they have for protecting the information in their credit histories.

What We Learned from the Equifax Breach

Here is what the Washington Post has written about the Equifax breach, and it explains the asymmetrical power between entities that collect information and those who have information collected about them:

….when you sign up for financial services, you give away your rights to negotiate how your money is used or how your information is protected. The people whose Social Security numbers Equifax lost had no say in how the company acquired, uses or guards their financial information.

Instead of capitalism based on democratic principles of trade, it’s more of a feudal system: The land is owned by the banking class and anyone using it has to pay the owners. The “land,” in this case, is the entire U.S. financial system of banking and credit, as banks and financial firms like Equifax have made themselves successful intermediaries in nearly all transactions, from simple salary payments (hello, direct deposit) to renting an apartment (try doing that without having a credit score on file.) While consumers remain accountable to financial firms — that late rent payment is on your credit report — financial firms are not at all accountable the other way around.

Under current law, consumers have essentially no rights regarding this stored personal data. Consumers are not customers of the credit reporting agencies; their data is the product being sold by those agencies to parties that have some reason to want to know individuals’ histories of managing money and their financial trajectories from birth until death. And these parties — banks, credit card companies and so on — pay the credit reporting agencies dearly for those histories. – Washington Post

Google, Facebook, Equifax, and those that possess IoT data all agree on one thing.

There should be no regulation of how they use data.

Before the breach, Equifax had been lobbying Congress to reduce the regulations it faced in protecting data.

For IoT, there seems to be little focus on even discussing the privacy implications of IoT. For the IoT industry, the best policy seems to be out of sight out of mind.

Conclusion

• Private companies have a bad history of protecting information.
• OVERALL, the US Government has a far better record, but the NSA specifically has a bad history of following US law in how information is to be used.
• Both private companies and governments’ abilities to collect and analyze information are increasing rapidly due to technological advancements. This means that abuses that were not possible in the past are now possible and will become more possible as each year passes.

Both rely upon public indifference and on people accepting the benefits of extra surveillance passively. The evidence of history is clear that institutions must be held accountable regarding collecting data, and the best way to do this is through transparency. IoT is simply another link to the chain of institutions collecting data.

References

https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/

https://www.theregister.co.uk/2017/03/14/us_ftc_wont_start_internet_of_things_regulation/

https://www.csoonline.com/article/3216110/internet-of-things/who-can-regulate-the-iot.html

https://www.washingtonpost.com/news/posteverything/wp/2017/09/21/why-didnt-equifax-protect-your-data-because-corporations-have-all-the-power/?utm_term=.6f67bae311c5

https://www.washingtonpost.com/opinions/the-equifax-disaster-points-to-a-much-bigger-problem/2017/09/21/4bd683da-9ee3-11e7-9083-fbfddf6804c2_story.html?utm_term=.a4bb77cc4f12