Projects:2018s1-169 A Better Security Framework for Wearable Devices
Group 169 produced two research topics that are interconnected through wearable technology.
Research Topic 1: Improving the Technical Framework for Children's Smartwatches Extended Abstract
Research Topic 2: Biometric Profiling of Wearable Devices for Medical Monitoring and Authentication
Authors
Luke Jennings
Inderbir Singh
Supervisors
Matthew Sorell
Tobias Eggendorfer
Introduction
Today, parents have turned to smartwatches to communicate with their children. Parents prefer these over smartphones because of their smaller size, limited functionality and sturdiness. However, these smartwatches have features that not only allow the parents to control who the child can communicate with, but can also activate GPS tracking to determine the child’s location at any time. The laws around surveillance and consent are critical, and some of these smartwatches favour functionality over legal constraints. As such, the technical framework of these devices must be reformulated to address potential security flaws in different environmental scenarios, notably Australia and India. These two environments present significantly different social constructs and so present challenges for a flexible solution.
Background
In Australia, one smartwatch acts as a 3G phone and has GPS tracking and SMS messaging. Its security features consist of SOS Alerts, where a button can be pressed to call a sequence of guardians or local authorities, and Safe Places, which alert the parent or guardian if the smartwatch leaves or arrives at a predetermined location. These functions are controlled by an accompanying app, where parents can control the communications the smartwatch has with other phones. The app can be used by multiple family members under a single login, which is one of its largest security issues. Currently, there is nothing to stop or control the access of other family members who have gained access to the account. Should family relations become strained, the child’s smartwatch effectively acts as a surveillance device, potentially operated with ill intent. This particular device will be used as a starting point to propose technical solutions. Conversely, in India there isn't a leading brand of children's smartwatch, and they don’t suffer as much from these situations. Instead, crimes such as abduction and abuse of children are more common and call for a security device that parents can use to ensure the safety of their children. The task at hand is to formulate a flexible technical solution that incorporates the different sets of technical requirements for both environments.
Preliminary Research
A recent investigation by IT security company mnemonic found that some smartwatch devices have critical security flaws, which has led to several investigations and brought the legality of such devices into question. The smartwatch being investigated for Australia abides by national safety and privacy standards; however, there are no functionalities in place to prevent it from being used as an illegal surveillance device.
In Australia, the use of tracking devices becomes illegal once they are used without the express or implied consent of the person being tracked. A report by the Australian Law Reform Commission (ALRC) summarises the current consent policies and makes recommendations for the future. The ALRC concludes that a person is regarded as a minor if they are under the age of 18, and if they’re under the age of 15 the parents are responsible for providing consent. It recommends that the Privacy Act be amended so that, if it is reasonable and practicable, a child under the age of 18 may undertake a capacity assessment to give consent; that agencies and organisations that regularly handle the information of minors ensure their staff are trained about issues concerning capacity; and that they address in their privacy policy how such information is managed.
Conversely, in India, the issue of informed consent for minors is more complex, due to child marriages. The Guardians and Wards Act (GWA), 1890, clearly states that any person who is not over the age of 18 is a minor. Therefore, the court or appointed authority has the power to choose a guardian for the child by nominating one or removing another. Since then, there haven't been many revisions, with the latest major revision being the Juvenile and Justice (Care and Protection of Children) Act (JJC) in 2000. In 2016, this act was revised to deal with minors aged between 16 and 18 in the court of law by treating them as adults. The laws and policies around consent in India are outdated, with no evidence of future reform to bring them in line with current technology. Since Australia and India are two different markets, considering the different security needs of the children or family in each, while understanding the laws in each environment, is crucial in formulating a flexible solution.
Solutions
The level of control the app has over the watch needs to be changed. Once a phone has logged into the app and connected with the smartwatch, there is no way to remove that phone's access, and it remains connected indefinitely because of the single-account login design. There is no limit to the number of phones that can log into the parents' account, and any of them can track the smartwatch at any time. Furthermore, there is no indication on the smartwatch or in the app when GPS tracking has been activated, nor any log of when the device was being tracked, by whom, and for how long. There is no override function for the parents to stop other phones from accessing the app. There is no notification in the app that tells the parents the watch isn’t being worn, so that tracking cannot be activated. Conversely, in India, a notification or override that allows GPS to be activated if the watch is forcibly removed is something that should be added.
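One way to model the controls this section says are missing (per-phone access that the parent can revoke, a limit on enrolled phones, a visible tracking indicator, and a log of who tracked and for how long), as an added example that is not the project's or the vendor's code. The class, its method names and the default limit of three phones are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class WatchAccess:
    """Per-phone access to one watch (hypothetical model, not a vendor API)."""
    owner_id: str                      # guardian allowed to enrol and revoke
    max_phones: int = 3                # assumed cap; the page gives no number
    phones: dict = field(default_factory=dict)         # token -> phone label
    open_sessions: dict = field(default_factory=dict)  # token -> start time
    audit_log: list = field(default_factory=list)      # (phone, start, secs)

    def enrol(self, actor_id, phone_label):
        """Owner issues one token per phone instead of sharing a login."""
        if actor_id != self.owner_id:
            raise PermissionError("only the owner can enrol phones")
        if len(self.phones) >= self.max_phones:
            raise RuntimeError("phone limit reached")
        token = secrets.token_urlsafe(16)
        self.phones[token] = phone_label
        return token

    def revoke(self, actor_id, phone_label, now=None):
        """Owner override: remove a phone and close tracking it had open."""
        if actor_id != self.owner_id:
            raise PermissionError("only the owner can revoke phones")
        for token in [t for t, p in self.phones.items() if p == phone_label]:
            if token in self.open_sessions:
                self.stop_tracking(token, now)
            del self.phones[token]

    def start_tracking(self, token, now=None):
        """Refuse unknown or revoked tokens; record when tracking began."""
        if token not in self.phones:
            raise PermissionError("phone is not enrolled or was revoked")
        self.open_sessions[token] = time.time() if now is None else now
        return f"TRACKING ACTIVE: {self.phones[token]}"  # for watch and app

    def stop_tracking(self, token, now=None):
        """Close the session and log who tracked, from when, for how long."""
        start = self.open_sessions.pop(token)
        end = time.time() if now is None else now
        entry = (self.phones[token], start, round(end - start))
        self.audit_log.append(entry)
        return entry
```

Revoking a phone that is tracking at that moment ends its session first, so the log still records the access that prompted the revocation.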
Conclusion
Several solutions have been proposed that deal with possible scenarios that may occur; however, the problem now faced is implementing a flexible solution that incorporates the many different security needs. More possible scenarios will be researched to provide a broader understanding of the requirements these devices will need to meet. Additionally, other similar devices will be researched to see how well they already cope with the scenarios proposed. The result of all this research will be a flexible framework for smartwatches that provides security and safety in multiple social environments.