At Ecovent, privacy has been a priority since day one. We originally set a few top level requirements for our system. It had to:
Keep customer data safe.
Make people comfortable.
Be easy to use.
The reason we put privacy first is twofold. First, we’ve all had issues with companies not keeping our data safe, like the ones that “lose” our credit card number or personal information. We’ve all had companies sell our data without clear permission (oh, you didn’t read the terms of service?), and a clear benefit for the customer. Neither of these scenarios are acceptable at Ecovent.
Second, we strive to build relationships with our customers based on trust. We didn’t take money for our pre-orders until they were ready to ship. We replace malfunctioning parts, no questions asked. We have open and honest discussions on forums and in person at trade shows like CES and AHR. We really want to know our customers and build their trust in us.
For a customer to trust us, we have to keep their data safe, even if they don’t realize it.
A recent Pew Research study says that 91% of adults agree that consumers have lost control of how personal information is collected and used by companies. We don’t want to add to this statistic. With these security concerns in mind, we used the following three mantras to guide us in developing our security.
1. Build in security from the beginning. Security is like good design. It has to be incorporated from the start, or it just looks tacked on. With this in mind we built a team that understands and knows how to implement security measures. Our CIO, Shawn Rose–alias Bucky–worked at Lockheed Martin for 9.5 years on the Aegis Combat System software. The software he helped design, develop, test, and maintain is responsible for protecting the US Battle Fleets including the aircraft carriers of the US Navy. That’s quite a serious task, and Bucky took his job seriously. Through this work he learned how to apply security methods like code obfuscation, encryption architectures, and attack monitoring and detection.
Scott Sawyer was our next big engineering hire. He also worked at Lockheed Martin for 4 years, and then Lincoln Labs for almost 4 more. At Lockheed he was involved in anti-tamper initiatives (including a patent on anti-tamper for DRAM) and at Lincoln Labs he worked on secure cloud architectures. Three other founders worked at Lockheed Martin for approximately 10 years each, and even more had positions where security was a top priority. With this team, we implemented end-to-end security from the start. Some of the key early design decisions that helped embed security in our system included choosing radios with hardware encryption support, selecting a secure processor, and selecting a file system that supports encryption. These features ensure that no one can control the system without approval, and that no one can access system data without permission.
2. Security through obscurity is no security at all. If there is an open hole in your security, someone will find it. A great example is the wireless light bulb that could reveal your wifi password. Being obscure didn’t prevent data from being revealed. Our early architectural decisions ensured user data stays isolated to secured areas of the system. The vents and sensors in our system never receive user data like a wifi password or anything similar. They cannot request sensitive data from the Control Hub. Our Hub connects directly to the homeowner’s router, which means the Wi-Fi password is never even stored on our hub. All data collected and sent by the system is encrypted in memory and during transmission. As we designed our system we kept a constant eye on user data to be sure it was never stored or transmitted in an unencrypted manner. By reducing the number of places sensitive information is available, we reduce the ways attackers can try to access it. No sensitive data is stored where it isn’t needed, and if it is stored it’s encrypted. We don’t rely on people not knowing our system to keep data safe.
3. The company and its employees are a part of the security system. A lot of times information is compromised through a human link in the chain, not an electronic attack. The whole company can be the weak link in the chain when it openly sells customer data to the highest bidder. Sometimes data is shared with governments outside of legal requirements (we stand with Apple). We built Ecovent to prevent both of these scenarios. Company laptops are encrypted so that in the case of loss a bad actor can’t gain access to company data. Company mobile devices are configured to be wiped in the event that they are lost. Employees use LastPass or a similar program to generate and securely store strong passwords. Sensitive data is shared only on a need to know basis to minimize the opportunity for data loss. Finally, Ecovent as a company strives to give customers a choice in how their data is used. We make any data sharing an opt in choice and make sure the value provided to the customer is clear.
No one can guarantee absolute data security, but we’ve taken concrete steps to minimize the risk of customer data being compromised. We’re a family at Ecovent, and that family includes our customers. With that in mind, we’re committed to protecting our customers as much as we protect ourselves.