Should the Internet of Things be regulated?
Does new deployment of technology mean new regulatory needs?
19 June 2019
The Internet of Things (IoT) is becoming a reality, enabling connected devices to interact with other devices and to collect and share data on an unprecedented scale. If this is a new reality, does it require new regulation?
It is not a new idea that machines should communicate directly with other machines over the internet. Nor is it a new idea that communications should be automated. Yet, together, the new technologies involved in the collection, communication and autonomous processing of mass data (with minimal human intervention), deployed in the home, in the office or on the factory floor, represent a break with the past. If existing data regulation saw data as something that is, at base, generated and directed by human agents, is that framework still relevant to the dawning age of autonomous machine-to-machine communication?
What is IoT?
From home thermostats remotely operated using an app on your mobile phone to fridges that top up your groceries (and remind you of family birthdays), IoT is focused on making devices "smarter" by integrating embedded computer processors and internet connectivity. For home appliances, which have grabbed much of the recent media attention, IoT innovation centres broadly on improving user experience and extending device functionality, but also on collecting and processing device input data. The same fridge that wishes you a happy birthday may order a new carton of milk when the current one is nearly empty and also collect detailed data on your grocery consumption habits, which can then be aggregated with the data from thousands of other users.
IoT does not stop at making white goods more communicative: its applications span the whole spectrum of machine-enabled activities, from retail (automated stock monitoring, point-of-sale analytics), manufacturing (self-monitoring and automated industrial control systems, predictive maintenance and remote diagnostics), transportation (smart roads and traffic management interacting with connected cars) and health (wearable devices monitored remotely by AI-enabled diagnostics systems), to name but a few.
Two common denominators of IoT technologies, key to their regulatory impact, are, first that they involve the collection and transfer of data, which may in many applications (both consumer and industrial) include personal data and, second, that they automate much of the communication and processing of that data between disparate devices, limiting direct human agency in dealing with that data.
Privacy and ownership of data
For any technology that involves collecting, storing, transmitting or using data, questions arise regarding how privacy and security of the data will be safeguarded. They also raise issues as to who owns and controls the data: there may be complex layers of ownership in an open, multi-device network. Given the current state of the law, there can be uncertainty as to who exactly (if anyone) actually owns a particular data set.
IoT consumer applications tend to leverage increased granularity and volume of data, collecting multiple streams of inputs that record the activities and preferences of individuals as they go about their daily lives. Those individuals should be entitled to have certainty as to who owns and has access to that information, how it might be used, and, ultimately, who will be liable for misusing that data. Looking back to the smart fridge example, who gets to collect and use the data on my grocery consumption patterns? The fridge manufacturer, the grocery seller that tops up its contents, or the ISP that provides the connectivity, or all three? These issues are not necessarily fundamentally different from non-IoT data collection practices (especially since the advent of Big Data over the past few years), but the embeddedness in consumers' personal space and always-on functionality of many IoT products implies personalised data being processed on a whole new level, all the while subject only to limited individual control. This has triggered concerns about the rise of practices termed "algorithmic discrimination", whereby highly personal data collected by IoT devices can impact on an individual's credit rating, access to health insurance or the enjoyment of other rights and freedoms.
Security: multiplying points of failure
Clearly, the channels for sharing such detailed personal data need to be secure. Yet hackers have already shown that the increased connectedness and complexity of IoT technologies multiplies the points of failure hackers can exploit for criminal purposes, taking the cyber-security threat to new levels. Witness recent headline-grabbing distributed denial of service (DDoS) attacks on a hitherto unseen scale, using compromised webcams and hijacked baby monitors. More insidious than recruiting poorly secured devices to mount DDoS attacks are the potential malicious uses of highly granular data which provide a detailed picture of the daily lives of individuals. The days of leaving the hallway light on as you head off on your holidays to fool burglars will be a distant memory when savvy criminals can obtain minutely detailed information on your habits, the activity of your household devices and perhaps even your up-to-the-minute location. Access to detailed personal data also greatly facilitates fraudulent impersonation, which can lead not only to unauthorised access to banking and other sensitive services, but can itself be used as a means of gaining access to protected networks by passing off as an insider (so-called social engineering).
A key issue will be to allocate responsibility for security breaches, when the very nature of IoT means a fragmented and diffuse network of devices inter-operating and communicating autonomously. Are existing contractual models of responsibility and liability sufficient?
The threat of interoperability
Moving beyond the consumer space, the implementation of industrial control systems that exploit IoT technologies is one area where thinking through the cyber-security risks begins to conjure doomsday scenarios involving cyber-warfare attacks on critical infrastructure. It has already been more than five years since the industrial sabotage Stuxnet worm hit the headlines. Stuxnet was a sophisticated piece of malware widely believed to have been coded by US and Israeli intelligence for the specific purpose of disabling Iranian uranium processing centrifuges. While the malware spread widely on PCs across the globe, its harmful payload was specific to certain types of equipment and designed to affect them in precisely pre-determined ways. One of the key thrusts of IoT technologies is increased interoperability of disparate systems and shared protocols to enable devices to interact with greater autonomy, without the need for specific implementations in each case. This level of interoperability in turn brings with it a greater threat of contagion and vulnerability to malicious control: the Stuxnets of tomorrow may be able to do more than disable specific machinery and could take control of vast arrays of devices that operate in the real world, from energy and communications infrastructure to industrial plant.
IoT technologies have the potential to exacerbate vulnerabilities of many systems which had hitherto been relatively insulated by not being connected to the outside world. In addition to this increase in the surface of attack, the sheer increase in the types and volumes of data being collected amplifies the potential consequences of breaches both in their impact on the privacy of individuals and in disrupting the systems that support real-world businesses. What should regulators do about it?
Too early to regulate?
Regulators have been considering whether to regulate IoT technologies for several years already. Both the EU's Article 29 Working Party and the US Federal Trade Commission published reports in late 2014 and early 2015, respectively, assessing the regulatory challenges the emerging technologies present. They have so far shied away from proposing concrete new regulatory approaches to the IoT, opting instead for recommendations of principle, in particular stressing the need for privacy by design – i.e. the need for developers to make privacy and security a key part of new products from the get go.
The lack of proposals for concrete regulation may in part be due to a sense that the technologies that form the broad IoT family have not yet matured to such an extent that it is apparent that they pose new threats that existing data and cyber-security regulation does not address. Ill-advised regulation could stunt the growth of promising new technologies. Furthermore, as we have seen, the sheer multiplicity of risks created by IoT technologies presents regulators with a dilemma: do they focus on high-level principles that will apply across the board, but perhaps with little specificity; or is a more targeted approach that addresses risks in particular fields of activity a more effective approach? For example, there is an arguable case that operators of critical infrastructure should have specific responsibilities to ensure that technology deployment does not unwisely trade off security for other operational advantages. In the EU, the adoption of the Network and Information Security Directive, which imposes obligations on both public and private “operators of essential services” to implement appropriate cyber-security measures, while not specific to IoT, is a clear step in that direction.
Technological solutions to technological problems
For now, regulators seem inclined to rely on more general principles already governing cyber-security and data issues. One factor that may be influencing them, in addition to the relative immaturity of the technology, is that there is clearly an awareness among IoT innovators of the security risks involved in the technologies. Technologies that are not secure are also unlikely to be adopted by prudent organisations and may therefore have limited success in the market. This results in a focus on ensuring that innovations in IoT functionality are matched with innovations in security to ensure the integrity and long term viability of the new technologies – embracing the mantra of security by design promoted by the regulators. The standards being devised for M2M communication and interoperability of connected devices are, crucially, also security standards. Regulators can (and do) have a role to play in monitoring and participating in the work of IoT standard setting to ensure that privacy and security remain front and centre.
The need for accountability
Alas, not all manufacturers and developers quite live up to the ideal of applying the highest standards of security to protect the integrity of their products and services. The vulnerability which was exploited in the record-breaking DDoS attack mentioned above was enabled by humble webcams. The attackers exploited the fact that the webcams of a certain manufacturer were for the most part still set to their factory default password – an issue which should have been easy to fix, with little need for groundbreaking security innovation.
Regulators are therefore key to ensuring that businesses that deploy or adopt IoT technologies are held accountable for lax data security practices. Data protection rules should ensure that businesses in consumer-facing IoT are accountable for mishandling of individuals' data, such as sharing it without consent or allowing unauthorised access to it; cyber-security rules such as those adopted by the Network and Information Security Directive should promote enhanced security practices in IoT (and other) technologies used in critical infrastructure; and general liability risk in connection with the use of insecure technologies may help ensure other adopters are mindful of the security implications of embracing IoT. As the range and power of IoT grows, regulators should maintain a watchful eye. Where IoT operators are seen to be exploiting any lack of clarity in the allocation of responsibility to the detriment of the privacy of consumers or in a way that compromises the overall security of communications networks, regulators should consider whether there is a case for intervention. In the struggle between innovators and those who would exploit innovation for malicious purposes, the IoT will undoubtedly be a fiercely contested battlefield.