IoT and the many technologies associated with it challenge existing thinking and legal structures. Organizations must understand and abide by regulations that push for greater transparency across IoT security and data policies.
The age of ubiquitous tech surveillance has arrived — countries such as China score their citizens’ social behavior through tech monitoring — and IoT devices are part of the equation. A patchwork of old and new legislation for IoT security regulations empower organizations and constrain data collection and its unauthorized use.
The Gartner report “Top Strategic IoT Trends and Technologies Through 2023” noted that there will likely be broad social, legal and ethical effects associated with IoT security regulations. Some of those effects are already landing on the doorstep of IT.
Organizations must prioritize data security
In IoT, organizations struggle with two areas related to regulation: the security of devices and the privacy and ownership of data collected by those devices, said Ed Featherston, technologist at Hewlett Packard Enterprise. IoT devices must balance being consumer-friendly, small, easy to use and cheap, but also secure. Featherston said many device developers make tradeoffs and don’t focus on the security side, which has driven the U.S. and U.K. to take legislative action.
Europe has led IoT security regulations with GDPR. The U.S. lags far behind, with some of the individual states taking up the mantle. For example, California has crafted a regulation similar to GDPR called the California Consumer Privacy Act.
“Frequently, people don’t realize that the value of IoT devices is not the devices; it’s the data the devices collect,” Featherston said.
For example, if someone has a pacemaker, it might connect via Bluetooth to their phone, which connects to the internet. It constantly sends health updates and information about the individual, including physical activity and heart rate to the vendor and doctor. That data leads to better care for individuals, because the doctor is more aware of their symptoms or potential problems. Patient data also has value for vendor analysis and for sale.
“Who owns that data is something governments are struggling with,” Featherston said.
How do existing IoT security regulations affect consumers?
Gartner’s report also points out complexities such as emerging ethical dilemmas. For example, when IoT devices detect an imminent accident, such as a vehicle collision, what is the role of the devices in determining the outcome? Who lives and who dies?
Karen Gullo, analyst at Electronic Frontier Foundation (EFF), said the challenges with data privacy and IoT security regulation in the U.S. begin with a law designed originally to protect the entertainment industry. The Digital Millennium Copyright Act (DMCA) of the 1990s, aligns with regulations of the World Intellectual Property Organization and imposes criminal penalties on pretty much anything that circumvents copyright protection on a variety of electronic media. In practice and through further extension, it has largely shut consumers, other businesses and even security researchers from peeking into almost any hardware or software product. This means only the manufacturer controls the inner workings of these devices.
“We’ve fought for years against copyright and DMCA abuse and people’s right to repair their devices, vehicles and appliances,” Gullo said. “We have a lawsuit pending against the government that challenges the constitutionality of the Digital Millennium Copyright Act’s anticircumvention and antitrafficking provisions on First Amendment grounds,” she added.
Gullo said EFF has also filed petitions with the Library of Congress in the triennial rule-making process seeking exemptions from Section 1201 to protect and expand users’ rights to tinker with and repair their digital, software-controlled and IoT products.
Whether such issues ought to be addressed by more legislation and rule-making is subject to debate. According to Joshua New, senior policy analyst at the Center for Data Innovation, a nonprofit, nonpartisan research institute, there are not any gaps in privacy for IoT that existing laws do not already cover.
New IoT security regulations could improve security
One area where new IoT security regulations could be valuable has to do with cybersecurity, New noted.
“Congress and other national policymaking bodies should require companies to publish security policies like they publish privacy policies,” New said. Most organizations publish privacy policies for their products and services, and even though people typically do not read them, they create valuable transparency around an organization’s privacy practices that give regulators, competitors and consumer advocacy groups the ability to hold organizations accountable and provide useful oversight.
“Requiring companies to do the same for cybersecurity would generate significant consumer benefits for IoT,” New said. For one thing, although consumers may not read these policies, organizations such as Consumer Reports will and do provide easily interpretable evaluations of the security of different IoT devices. This, he believes, will create strong competitive pressures for IoT organizations to adopt good security practices. Second, organizations can manage risk as they see fit, rather than adhere to specific government-imposed security features, and regulators can still take swift enforcement actions if organizations fail to adhere to their security policies.
The idea that we need broader regulations for IoT is counterproductive, he said.
“To the extent that new rules are needed, which could be the case for certain contexts or in certain jurisdictions, they should be designed to narrowly target and prevent a specific identifiable harm,” New said. Therefore, he believes industry should advocate for such narrowly targeted IoT security regulations, as they can make IoT more valuable and lead to increased adoption. At the same time, organizations should push back against overbroad, burdensome regulations.
But Darren Sadana, a 25-year veteran of the cellular communications industry and CEO of Choice Business Connections, which provides IoT, machine-to-machine, data and voice services for IoT, does see a need for stronger legal structures. Currently, there are not any laws regulating IoT connectivity and devices, he said. Many IoT devices have little or no security built in, which can compromise the consumer and data.
“The nascent position in the IoT development lifecycle means there is a patchwork of laws and policies intended for other device or service types that will not be so easily applicable to this new data collection paradigm,” Sadana said.
As a fairly new and rapidly evolving industry, IoT has the potential for world-changing applications, Sadana said. Privacy rights will be the lynchpin of successful IoT adoption.
“The consumer and business information transmitted over IoT devices should be protected by national guidelines and laws,” he said.
What would an IoT security regulation look like? First off, according to Sadana, there should be a clear federal policy that prevents states from “adding additional legal hurdles that will only stifle innovation and competition.” Small IoT organizations cannot afford to navigate different state and municipal laws, he said. Furthermore, any data collection of private citizens must require anonymization for any utilization, “otherwise the negative legal and public ramifications will far outstrip the gains made by IoT,” he added.
Sadana explained that privacy of data has become the biggest issue over the past few years, as big corporations have “mined incredible value out of our personal digital expressions.” The upcoming wave of billions of IoT devices must adhere to the opt-in, opt-out nature of any service delivery, “so your smart home doorbell and thermostat remain private and protected,” he said.