IOT Regulation

 

The Internet Of Things

Figure 1, Guru99

The Internet of Things

The Internet of Things (IOT) describes the network of devices that have imbedded sensors, software, and electronics that enable them to collect data and transfer it over the internet. The IOT typically refers to “smart” objects such as thermostats, toasters, vacuums, and other devices that don’t usually connect to the internet, but are able to offer more or better services by doing so [1]. The IOT offers the benefit of automation, convenience, and optimization. Users of smart devices can turn off lights or play music with a voice command. They can remotely lock doors, monitor children, or start their car by using an app on their phone. By analyzing the data collected, devices can help users to track health or sleep patterns, or to identify a problem in their home such as an inefficient device. “Smart cities” can utilize devices to monitor traffic patterns or to reallocate resources [1,2]. Medical care can also be improved by the IOT because more robust data can be collected from medical devices that send real-time data, and patients can monitor their own vital signs at home [2,3].

There is a tradeoff with these benefits. The IOT poses a great risk to privacy unless devices are developed with security in mind, and there is regulation on what data is collected and stored. Some states have privacy regulations in place that companies will have to comply with, such as the California Consumer Privacy Act, but there is no comprehensive federal privacy legislation to provide this regulation [4]. In 2015 the Federal Trade Commission (FTC) issued a report where they recommended that “strong, flexible, and technology-neutral federal legislation” be enacted [2]. The question is this: Is federal regulation necessary? Or would it be better to allow industry to self-regulate?

Concerns of Government Regulation

Those who oppose government regulation argue that premature legislation will stifle innovation at a time when there is great potential for the industry to grow [2]. Legislation that is too strict could prevent certain technologies from fully developing. Many IOT devices incorporate AI, so that the device can learn to accomplish a task more efficiently. In order to do this, a neural network needs to be trained with large amounts of data. Many of the devices also need to react quickly to stimuli such as temperature change or motion detection. This means that they need to be collecting data about the environment often. So, if legislation places restrictions on the data that can be collected, capabilities could be limited [5]. It is also difficult to impose regulation on the IOT because it spans so many different industries with devices for all different purposes. Some of the devices will need more data than others to function, and some will deal with far more sensitive data. It is also difficult to enforce legislation requiring consent because most of the devices are always running in the background and can’t gather consent from every person that might be affected [5,6].

Privacy Concerns

The IOT raises many privacy concerns due to the vast amount of data that is being sent through it, often without encryption. Kashmir Hill and Surya Mattu conducted an experiment where they “hacked” Hill’s smart home and found that her smart devices were constantly communicating with their manufacturers, even when no one was home. They also found that information such as the shows she watched on Hulu were sent unencrypted, while data that was encrypted still revealed information about her habits through the metadata [6]. All of the data that is sent over the internet has the potential to be intercepted, and even after that data is stored by a company it can still be vulnerable to data breaches, especially if it is known that a company stores lots of sensitive data. Even if it doesn’t seem like the data being collected is that sensitive, “the collection of personal information, habits, locations, and physical conditions over time may allow an entity that has not directly collected sensitive information to infer it” [2]. It has also been shown that even when data is depersonalized, if it is robust enough, individuals can be reidentified [4]. Smart devices are creating a more detailed picture of people’s private lives than they might realize.

While smart devices often have the same privacy risks as using the internet on a traditional device, there are some unique qualities of the IOT that increase concerns. Because the majority of smart devices are made ready to use out of the box, and because they are passive devices, most people don’t change the default settings. They don’t think about what data is being sent over the internet, and they don’t consider checking the privacy settings [5]. Many smart devices are also made to work together to form a whole network of shared data. Some devices are more secure than others though, and the more devices connected, the greater security risk. If one device is hacked, then the whole network can become compromised [1,2]. Unlike traditional hardware, manufactures of smart devices often maintain a lot of control; they decide when to update, what features are available, and how often data is transferred [5]. If users try to take control, for example refusing an update, they might find that they lose functionality.

The concern has also been raised that if the use of data collected by the IOT isn’t regulated than companies will take advantage of it. Data collected on a user might factor into decisions about their credit, their employment, or their insurance, which opens the door to discrimination [2]. Patients who use smart medical devices could be monitored by their insurance company who might then deny access to insurance if they deem the patient isn’t making enough effort towards recovery or isn’t using the device correctly [3]. Data could also be used for targeted advertisement, or potentially used by law enforcement.

Conclusion

I think that the FTC should adopt regulations about the collection, storage, protection, and use of information by the IOT. Even though each device is different, and they require different levels of data collection and protection, I do think there should be a baseline of what is acceptable. Companies should only collect as much information as is reasonable for the function of their device. They should also limit who has access to the data within the company and should have security protocols in place such as encryption. They should also only store the data for as long as it is in use and only request more data from the devices as often as is required for them to function.

Sources

[1] Williams, L. (2023, January 19). IOT tutorial: Introduction to internet of things (IOT basics). Guru99. Retrieved March 17, 2023, from https://www.guru99.com/iot-tutorial.html

[2] Federal Trade Commission. (2015, January). Internet of things: Privacy & security in a Connected World. Retrieved March 17, 2023, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[3] Asay, M. (2018, November 21). How IOT medical devices save your life and threaten your privacy. TechRepublic. Retrieved March 17, 2023, from https://www.techrepublic.com/article/how-iot-medical-devices-save-your-life-and-threaten-your-privacy/

[4] UNESCO. (2022, February 9).Data Privacy and the internet of things. Retrieved March 17, 2023, from https://en.unesco.org/inclusivepolicylab/analytics/data-privacy-and-internet-things

[5] Office of the Victorian Information Commissioner. (2022, October 6). Internet of things and privacy - issues and challenges. Retrieved March 17, 2023, from https://ovic.vic.gov.au/privacy/resources-for-organisations/internet-of-things-and-privacy-issues-and-challenges/

[6] Hill, K., & Mattu, S. (2018, February 7). The house that spied on me. Gizmodo. Retrieved March 17, 2023, from https://gizmodo.com/the-house-that-spied-on-me-1822429852