The Internet of Things (IoT), Privacy, Security and Regulation

Wednesday 16 January 2019

The IoT is expected to be an enabler of a digital transformation with positive impacts on businesses and consumers, but it will also bring privacy and security challenges. Addressing these challenges will need increased action by the market, and likely also by policy-makers and regulators.

Welcome Home by Google
Hennessy.png Michael Hennessy

IoT, The Enabler to Digital Transformation

The IoT is often promoted as a digital transformation enabler leading to increased productivity for business and better quality of life for consumers. Policy makers around the world seem to agree that the ability to benefit from the IoT is tied to the quality of broadband deployments and the capacity of societies to develop and execute on national ICT strategies.

The transition to IoT is well underway, and this marriage of automation, the Internet and big data promises a coming wave of smart everything; from smart homes and digital assistants (e.g., Amazon's Alexa), to smart factories, hospitals and utilities, and from smart wearables to smart cars and smart cities.

The scale of the anticipated transformation is unprecedented. Estimates vary significantly but there is a widely held view that by 2020, the IoT could result in some 20 to 40 billion Internet Protocol (IP) connected devices and sensors. Further, according to Forbes, IDC has estimated that by 2025, the number of connected devices and sensors could reach 80 billion.

The Challenges of Privacy and Security

However, this transition is accompanied by challenges around privacy and security. Addressing these challenges will need not only increased action by the market, but will also likely require action and intervention by policy-makers and regulators.

Policy support is strong for advanced broadband deployment, increased adoption of ICT, and related transformations like the IoT, and these developments are seen more as opportunities than as threats. Thus measures to advance related agendas by encouraging investment, promoting competition and/or deploying more spectrum continue to be priorities for policy-makers and regulators.

However unleashing the full benefits of the IoT and other transformative technologies (e.g., artificial intelligence) will ultimately depend on user trust in the system, particularly with respect to privacy and security.
To build user trust, privacy and security must become leading priorities as well.
With respect to privacy, it seems clear that there are substantial risks associated with the immense capture and manipulation of data collected by 10s of billions of devices and sensors. Without adequate protection, there could be significant negative impacts on the privacy of personal information and the protection of consumers from fraud.

Related stories: How OTT Competition is Challenging Traditional Regulatory Models

GDPR, The EU Model of Privacy and Security

If there is a will to do so, countries can make privacy protection a priority. One need only look at the EU and the General Data Protection Regulation (GDPR), perhaps the most ambitious attempt yet devised to give personal data protection the full force of law. The GDPR, all 87 pages and 99 Articles, became enforceable as of May 2018 and applies to businesses not only in the EU but also to global corporations doing business with consumers living in the EU. Penalties for non-compliance can be severe, reaching up to 4% of global revenues for firms that breach the new regime. Whether these rules are too draconian and may actually impede efforts to innovate, and whether the GDPR can be effectively enforced, particularly with respect to extra-territoriality, remains to be seen. However, these efforts prove that nation states can address issues like privacy if they have the will to do so.

Privacy is a major challenge, but even more troublesome is the very real possibility that inadequate security around the IoT can result in serious threats from hacking and denial of service attacks. These attacks can crash the Internet, undermine financial markets and even accelerate cyberwarfare between nations.

Whether the number of IoT devices turns out to be 80, 40, or even only 20 billion, it seems clear that, based on denial of service and other attacks to date, billions of these IP-connected devices will not be secure. The security challenges are immense given the vulnerabilities that will be created by billions of points of interconnection that may have inadequate password protection or no capacity to be updated by the latest security patches. And even the most securely designed system can fail if users do not ensure security is enabled and updated on a regular basis.

From the perspective of security, we are talking about an exponential increase in security risk. Security vulnerabilities in the home or consumer market is of particular concern because the consumer market demands the lowest priced options to achieve scale and the consequent low margins for profit can result in products that do not prioritize security to keep costs low. Vulnerabilities in the consumer space can be used to launch attacks that can affect all segments of the economy. And in the corporate space, the hacks on Yahoo, Sony and Equifax prove that even the systems of the largest corporations are vulnerable.

Role of Regulators and Regulations

Given the risks and costs to nations of insecure networks, particularly for critical infrastructure, a compelling argument can be made that privacy and security solutions cannot be left wholly to the markerplace. One of the bigger issues to be determined is whether any device or sensor that connects to the internet should meet certain minimum technical standards and related security protocols. Setting these types of standards will not be easy and some interested parties may balk at increased regulatory intervention in the IoT if such regulation is perceived to be a threat to innovation and commercial success.

Many jurisdictions already have some privacy policies in place or can look to other jurisdictions such as the EU for guidance on best practices. But increasingly, privacy cannot be enforced without improved security. And even if suppliers, users and regulators can effectively collaborate on security protocols and standards, these may prove ineffective without clear measures to ensure compliance, including penalties for failure to comply. Privacy and security are becoming an increased focus in various regions. For example, in the Middle East, a 2017 article on the impact of the implementation of the GDPR suggested that it “…could serve as a catalyst for nations in the region to enforce stronger privacy protections and breach disclosure requirements…” The article also noted a related compliance problem due to the fact that “Middle Eastern countries's privacy and breach notifications, in general, are less strict and detailed than GDPR.”

It should be noted that this issue is not specific just to one region or country, but would apply equally to many countries in the world, and underscores a growing need for harmonization to assist digital trade. However adopting a more holistic approach to privacy and security will also prove difficult from a legal and procedural perspective. Many telecom regulators have only limited jurisdiction to address security issues. Even if national responsibilities are worked out, solutions will require clear procedures for collaboration, not just at the national level but increasingly at the regional or international level.

Who Should do What?

Therefore, a first challenge for regulators and policy-makers is to determine not just what to do, but also who should do it: determining which agencies are responsible for what parts of the problem and then determining which fora (e.g., the ITU) in which to participate to give effect to international solutions.

Security and privacy regulation, including compliance and enforcement, will require increased resources for regulators. Regulatory budgets are constrained and shifting more resources to privacy and security will put pressures on many regulators to reduce intervention and resources elsewhere. Regulators will need to look at regulatory tradeoffs given the scope and scale of digital transformation.
<< Back