Internet lawyer Girard Kelly at February’s INET-Internet of Things Conference said that when it comes to devices collecting personal information, it’s imperative to provide notice and consent to what data is being collected but also that services ensure a baseline level of privacy – which can benefit both the user and the service provider.

Kelly said developers should aim for a “privacy by design” model where privacy is the standard and default setting, and any use of personal information is clear to the user. He said that focusing on what data is needed, and discarding unneeded data also helps protects the service provider in case of a security breach by limiting its impact. Not holding data could also limit the service provider’s obligation to hand over data through a subpoena or warrant which can be onerous.

“When thinking about privacy from start to finish and approaching a system’s engineering where we want to think about the potential privacy and security breaches that could happen,” he said. “Looking at consumer expectations upfront – we want to prevent incidents where consumers could be potentially harmed through identity theft or exposure of personal information and building that into the product itself.”

To guard against a user feeling that their data is being unexpectedly collected, a service provider can provide a clear summary of what data will be collected and for what use. For instance, it could come as a surprise to someone that their IoT lightbulb was sharing geolocation data without a clear justification.

He also noted that data aggregation and consumer profiling can lead to new forms of discrimination. “Whether I have a mobile device [or not], what applications I use, what games I play – all that in the aggregate can paint of picture of the user that might be unwanted by the user,” he said. A certain combination of factors might lead someone to be turned down for a loan or a job.

This might not be clear to the users of devices.

“When consumers are buying a lot of these IoT devices and the mobile application as a bundle, they’re not going to be scrolling through a very long privacy to get an understanding of what this device may be collecting,” he said. “When we have dozens if not more IoT devices at home or at work, just the amount of time to analyze these policies and arrive at an informed consent is just not going to happen.”

Although the “reasonable expectation of privacy” is continuing to change to reflect our era, it’s important to ensure a certain level of privacy that doesn’t harm the user – even if they’re unwilling to read the terms and conditions.

2. Security

In an era where major data breaches make headlines weekly, users need to believe their connected devices and their information are reasonably secure from misuse or harm to truly trust the Internet of Things.

Security can’t be entirely guaranteed, but exists on a spectrum ranging from totally unprotected devices with no security features to highly secure systems with multiple layers of security features.

The networked connectivity of IoT devices means that security decisions made at the device level can have global impacts on other devices, and changes as high as the cloud level can also affect the security of the entire system.

Some of the specific IoT security challenges outlined by the Internet Society (ISOC) include:

• The potentially enormous quantity of interconnected links between IoT devices that’s on a much larger scale than existing security tools, methods, and strategies.
• In deployments where IoT devices are identical or nearly identical, the homogeneity magnifies the potential impact of any single security vulnerability.
• IoT devices may be in service years longer than typical high-tech equipment, which can make it difficult to reconfigure or upgrade them, presenting potential security flaws in these older devices.
• Many IoT devices are designed without any ability to be upgraded or the update process is difficult. (Fiat Chrysler issued a recall of 1.4 million vehicles in 2015 due to a vulnerability that would let an attacker wirelessly hack into the vehicle, requiring cars to be taken to a dealer for a manual upgrade.)
• IoT devices could be deployed in places that aren’t physically secure like a public place where attackers have direct physical access to IoT devices, so anti-tamper features might be required.

3. Lifecycle (Interoperability, Standards & Obsolescence)

In the Internet, interoperability meant that connected systems would be able to speak the same common language of standard protocols and encodings. This is extremely important for the rollout and long-term success of IoT.

Some propose that IoT devices should have a built-in end-of-life expiration so that older, non-interoperable devices would be put out of service and replaced with more secure and interoperable devices. But this model is much less efficient than building IoT devices around the current open standards that are emerging and providing the ability to push software updates to smart objects to keep them up-to-date.

In an interview with the WHIR, Olivier Pauzet, Sierra Wireless’ VP of Marketing & Market Strategy, explained that standards are emerging at each layer of IoT.

“Standards based IoT is a must to enable interoperability and to enable as well the evolution of a system over time because systems are going to evolve, new services will emerge,” Pauzet said. “For that, you’re going to have to add applications into your device, and get cloud-interoperable APIs; Standards allow it to work anywhere in the world.”

At the cloud level, OneM2M is a standard that helps provide a common API for IoT applications. At the data acquisition layer, there’s a push to get a specific 3GPP technology standard that uses long-energy LTE devices for IoT. On the device itself, Linux is often used to power an edge device’s edge intelligence and on-board analytics capabilities – along with providing the ability to easily port applications to the device itself. For a device to stay functional for a long time, standard device management protocols for light-weight M2M updates are also becoming standardized.

The Internet Protocol is also a common technology for IoT, and CoAp is a protocol built on top of IP for specialized web transfer protocol for constrained nodes and constrained networks in the Internet of Things.

4. Legal and Regulatory Issues

The application of IoT devices poses a wide range of challenges and questions from a regulatory and legal perspective, and the pace of technology advances are often much faster than the associated policy and regulatory environments. In some cases, IoT devices amplify legal and civil rights issues that already existed, and in others they create new legal and regulatory situations and concerns.

Some particular areas of IoT legal and regulatory importance include:

• Data protection and cross-border data flows – IoT devices may collect data about people in one jurisdiction and transmit it to another jurisdiction for processing that has different data protection laws. Typically, however, cross-border data flows are addressed in patchwork of regional and international privacy frameworks like the OECD Privacy Guidelines, Council of Europe Convention 108, and APEC Privacy Framework) or special arrangements like the APEC Cross Border Privacy Rules system and EU Binding Corporate Rules.
• Co-operation with law enforcement and public safety – IoT devices and the data they generate can be used to fight crime, but the deployment and use of these kinds of IoT technologies can cause concern among some civil rights advocates and others concerned about the potentially adverse impact of surveillance.
• Device liability – One of the fundamental IoT questions that isn’t always clear is: who is responsible if someone is harmed as a result of an IoT device’s action or inaction? It’s best to ensure that applications limit the potential damage they can do to individuals.

Proceed with Caution

As with any bleeding-edge technology, it’s important to be aware of the potential risks and to learn from the progression of other technologies. Despite the risks, IoT has the potential to expand the capabilities of the cloud beyond the traditional data center and traditional devices. As the industry moves forward, it’s best to keep in mind that small IoT devices can have big real-world consequences.

Source: TheWHIR