3/8/2016 11:45 AM
John C. Havens
Commentary

A Warning for Wearables: Think Before You Emote

An examination of how wearable devices could become the modern equivalent of blogs broadcasting proprietary workplace information directly to the Internet of Things -- and beyond.

In 2013, I wrote an article for The Guardian about a woman who owned a wearable device that measured her stress at work. After realizing her anxiety was spiking every day at the same time her oppressive manager checked in at her cubicle, she began tallying her aggregate physiological data for a month. After commiserating with two other colleagues suffering similar tensions with the same manager, all three employees took their data to their boss. Presenting quantified proof to the CEO (time-stamped data correlating to an increase of stress), the employees demanded the negative manager get fired before their health insurance premiums increased.

Put simply, and literally, they also noted: “He’s killing us.”

It’s easy to ignore the intimate nature of personal data. We’ve been trained to give it away by signing terms and conditions agreements to utilize services where we aren’t fully aware of how our data will be utilized or shared. We’ve also been trained to share our data with friends via social media, a practice that is typically reinforced by most wearable manufacturers. Whether you’re letting the world see progress about your fitness or how you slept last night, it’s dead simple to set permissions that will broadcast aspects of your inner life you’ve never been able to reveal before.

This same logic also applies to employees, as demonstrated in the following scenario.

Death by Data
Recently appointed EVP of Social Media for his top-ten PR firm – let’s call him Tom Delancey – assumed he'd been called to see his CEO for a holiday bonus. Having secured a choice article in Fast Company describing the company's forward-thinking approach to wearable devices and innovation, Tom assumed CEO Cheryl would be praising him for positioning the firm as a market leader to their clients. But upon closing the door to her swanky 30th floor corner office, Tom was in for quite a shock:

“You’re fired, Tom. In your Fast Company article you mentioned your innovation meetings with our biggest client happen every week on Thursdays during lunch. One of our competitors went on LinkedIn, identified everyone on your marketing team and their Twitter handles, and followed every tweet generated by their wearable devices. Using a pretty simple algorithm, they were able to correlate what the increase of people's heart rates and other data meant in terms of their mood. Apparently during last week's session something pretty bad happened near the end of the meeting, because everyone's data registered a spike in negative emotion.”

Tom's jaw dropped as his stress-sensing watch registered a massive increase in tension. He gasped as Cheryl turned her laptop on her desk so he could read an Ad Age article headline written in large type: “Delancey Debunked: Our New Client Finds the Off Switch for Quantified Employees.”

“Our new client?” asked Tom. “You mean...”

“Correct,"” Cheryl interrupted. “Our biggest client just fired our agency because you unintentionally broadcast the emotional and quantified data of your team. They didn’t have to say a word. Their data essentially said our client's new product sucks.”

Data by Design
While this vignette may seem futuristic, devices exist today that are designed to read your brainwaves to control objects with your thoughts. So, for example, an employee forgetting to switch his mental settings from public to private could conceivably tweet a negative thought about a client. Companion robots using affective computing technology that analyze and influence human emotions could also start broadcasting our moods at work.

Just think how easy it might be for your office photocopier to post on Medium after you aggressively punched the “print” button multiple times before a big meeting. More likely, after your fingerprint is matched to your actions, the copy machine may determine that your anger issues are negatively affecting the office and you’ll be let go.

Though the example I’ve cited may seem far-fetched, it represents an emerging and important privacy issue centered around how employees share data publicly with their IoT devices in and out of the workplace. In the same way companies learned to set social media policies to guide employees (e.g. saying, “tweets are my own” on Twitter), organizations need to set similar regulations regarding wearables.

In some ways, this boils down to the human dimension of risk-based security, an area that will be addressed at the upcoming Rock Stars of Risk-Based Security technology event in Washington DC next month. Since security is fundamentally a human-to-human conflict, understanding users, attackers, and defenders is core to containing and minimizing the threats our Internet-based society faces.

It’s also important to start slow when building employee wellness or other programs utilizing quantified self tools, as Ken Favaro and Ramesh Nair point out in their excellent article, The Quantified Self Goes Corporate. Rather than focus on quick hits or flashy results like my fictional Tom Delancey, the authors provide a great description of what they call the “quantified core; it is the enterprise equivalent of the ‘quantified self’ movement, the tracking of individuals’ health and daily life patterns for the sake of improving both.” This process demands buy-in from the C-suite with a broad understanding of what it means to improve employee well-being, including physical, emotional, and cultural sensitivities at any program’s core.

Wearable data devices are the modern equivalent of blogs broadcasting directly to the Internet of Things. This is a good analogy to frame your policies regarding how employees utilize their quantified tools in the workplace. While they may not realize their data could be interpreted as inappropriate or breaking corporate confidences, unless they’ve updated their settings accordingly, that choice is not theirs to make.


John C. Havens is a speaker at the IEEE Computer Society Rock Stars technology events and the founder of The H(app)athon Project, whose workshop utilizing techniques of positive psychology to increase wellbeing has taken place in over a half dozen countries and multiple ...