As we forge forward into the unknown territory of the Internet of Things, few things are certain. The IoT is a complex system of integrated objects and networks where data travels through multiple models of communication; device-to-device, device-to-cloud, device-to-gateway, and back end data sharing. IoT itself doesn’t quite fit into any classification of technology so far in history. Rather, it is its own framework of all-encompassing connectedness and control.
We also know that these qualities of the IoT make it extremely difficult to regulate. With so many moving parts throughout the whole system, how do we monitor, control, and protect this technology? Who is responsible for regulation, and where do controls need to be placed? These questions are not easily answered, and there are a lot of areas of concern. Some known challenges to wrangling the IoT regulatory system are in cross-border data flow, data retention and destruction, legal liability for unintended use of devices, security infrastructure and breaches and civil rights privacy- each of which carry with them their own questions and challenges.
Cross-border data flow
The flow of digital information as it moves from point A to B to C often spans international borders, encountering different rules, regulations, and risks as it travels. Currently, these data flows are managed by frameworks and special arrangements, like the EU Binding Corporate Rules and the APEC Privacy Framework. These are only regional solutions, however. They are built around what we know of the internet data flows, not the complex interconnectedness of the IoT. International agreement to protect the open flows of information will be difficult to form, and even more so to sustain due to differences in policy and priority. Some countries may be open to unrestricted data flow, while others may have strict privacy laws in place. The challenge of international cooperation in regards to data flow seems daunting, but is a necessary consideration to mitigate unshared control and information blockages.
Data Retention and Destruction
When it comes to data, the good news is we’ve learned from our past technologies and can apply some of our existing regulatory frameworks. There are data retention directives in place- from multiple governments- that lay out how long certain types of data can be stored, who has access to sensitive data, and for what reason the data can be accessed. The down side is these are working regulations; not without faults. They also mostly apply to how corporations and governments interact with the data (like investigations). A growing concern is that the issues with current data retention and destruction legislation are only compounded as the IoT grows with more points of access, more opportunities to collect data, and much more data to retain and destroy. Current laws on data minimization, ie collecting the minimum amount of data needed for a purpose, are vague. Loopholes can be found in the purpose for data inquiry, leading to abuse of the information. Ownership is currently viewed as those who can access the data, own it. With these gaps and loopholes already present, new legislation may be necessary before the problems are further complicated and compounded by the growth of the IoT. Enforcement of the destruction (or permanent archival) of outdated data will pose a great challenge. With immeasurable data to collect, store, and use; how do we manage the finality of data sets in a secure way?
Unintended uses and liability
From the manufacturing standpoint, an IoT device can be treated as all others in the construction process concerning quality control, but what about end-use testing? IoT devices can vary in how they are used, and this causes issues in quality and assurance of the device for the consumer. Manufacturers will not be able to anticipate and test all possible uses of their devices, which poses a great risk. Policies of liability will need to be in place to protect the consumer, vendor, and manufacturer of devices in the situation that unintended usage has negative implications.
Current technology standards include protocols for networks and communications, but there are no set guidelines of best practice for any stage of the product life-cycle for IoT devices. From construction, to connection, to monitoring operations of vendors- the current model of industry standard can best be described as a free-for-all. When manufacturers don’t have a minimum set of guidelines to follow, important considerations for the physical sensors and devices can be left out of the design and building process, as we see with security measures. The connection of individual devices to different networks is a new challenge not considered in current technology protocols. The subsequent monitoring of the data flow is another area left up for interpretation at the moment. Monitoring protocols will need to be guided with best practice-if not legal liability- in the future as more nodes are added to networks. According to Qualys, Inc (a Cisco partner), companies do not yet assess how many IoT devices are touching their networks- and this putting their systems at risk by making it easier for hackers to take advantage of unmonitored areas. Standardization of the physical sensors, how they connect to networks, and the monitoring of networks are all challenges in themselves, but they add up to one bigger hurdle- a standardized approach for who can gain access to the data.
It’s a fairly obvious statement in today’s tech environment to say that devices should be secure, but currently there is no consensus on what security looks like in IoT. The lack of standardization opens many pathways for devices and systems to be hacked. As the IoT technology rapidly expands, many products are being pushed to market as quickly as they can be developed and as a result, security measures are not being properly addressed in the design. Many of the products available have weak points in their connection infrastructure. So, as they continue to be used, providers will need to retroactively patch weak points and provide firmware updates to their devices to avoid breach opportunities.The concern is that data sets from IoT devices will not be covered by a state’s statute of breach notification. These statutes encompass who must comply, what is considered PII, what constitutes a breach of information, and what steps of notification are required when a breach occurs. There are also exceptions to these laws, such as encrypted information, according to the NCSL. Current regulations dictate that individuals whose data may have been compromised must be notified only once a breach occurs, not if they are at risk. This applies even if weak points are known but a breach hasn’t happened yet. This oversight in regulation allows the current products on the market to be sold to consumers who may not be aware of the risks of use.
Civil rights privacy
All of the previous considerations for regulating the IoT tie into one major concern as more and higher quality data is collected and shared about us- privacy. Similar to data flow, any rules and regulations currently in place have been formed with our interaction of the internet and not IoT. One of these is choosing which data you wish to share and which you don’t. It’s easier to manage permissions for smartphone apps and computers, but what about for a toaster oven or toothbrush? Many consumers are still having a hard time picturing how the Internet of Things will affect their daily lives, let alone understand what data will be collected, how it will be used, and if there are risks for hacking and misuse of their information.
The General Data Protection Regulation (GDPR) seeks to give more control back to individuals in regards to their personal data and standardizes rules for data export for citizens of the EU. The GDPR is a good step towards international regulation because the scope of compliance is far-reaching geographically; even non-EU based companies are affected by the directive.
Re-identification poses a serious threat with every new connected device collecting rich data about an individual. Personally identifiable information (PII) is currently defined under the EPA’s Office of Management and Budget Memorandum M-07-1616, but is assessed on a case-by-case basis of individual risk since the data about an individual can be from any source or medium. While there are regulations that dictate sensitive data must be anonymous or encrypted- the more data that is collected, the greater the likelihood of that data becoming PII. How PII is defined, and what protection laws are in place will need to adapt to the increased level of risk for individuals as new forms of information are collected about them. Biometric technologies, like voice and visual recognition, will become more prevalent with advancement of IoT devices, but governing laws on how to ensure anonymity of this new form of personal data barely exists yet. Public places and smart cities will also need to be considered on a grand scale- will the local jurisdiction have authority of the data collected and hold liability for risks? This would pose the same issues of inconsistent governance across city limits.
We’ve seen glimpses of what IoT can do, and it brings about visions of a future that is more streamlined, more efficient, and more connected than ever. But in order to ride off into that sunset, we need to think carefully about how to wrangle all aspects of an emerging technology into submission, without stifling its wild-at-heart nature. An alternative opinion is that too many regulations will halt the technology or limit its capabilities. It’s clear to see why we need laws and best practices- to protect individuals and economies alike, but there is a possibility of government regulations promoting their own self interests and agendas. How can we cooperate without conflict, and advance the technology without anarchy?
There’s still so much more to learn about the IoT, but one thing we do know is that it’s growth and adoption is outpacing our rules and regulations. Our world is changing, and the IoT is growing in all directions to expand our connectedness. But in order to avoid chaos, a multifaceted approach is needed due to the IoT’s wild nature and unprecedented growth. The few regulations currently in place will need to adapt, and new boundaries will need to be as nimble and flexible as the technology itself if we are to see the benefits of its rapid advancement, while still mitigating the negative social, industry, and legal implications.