Regulating IoT devices

Posted on May 12, 2014

The Internet of Things (IoT) can bring many benefits to consumers: the opportunity to reduce overall electricity consumption by optimising home usage, safer homes and neighbourhoods through connected CCTV cameras, and improved health from using exercise and other healthcare apps, to name but a few.

The benefits to consumers are obvious. The risks lie in how the data collected from these connected devices and gadgets is stored, who can access it, and how it may be used. It is also important to note that the data gained from the IoT is very personal and, through data fusion techniques, can be personally identifiable.


Connected home appliances
Using data from different connected devices, it is very easy to establish where an individual’s home and work addresses are, when they are on holiday, have guests staying over, are ill or have a party, and how regularly they drive; the possibilities seem endless. This leads to the question: who is ultimately responsible for ensuring this personal data is not being misused?


Two steps behind
Regulators already find it hard to keep track of an increasing amount of online consumer data. Now add data collected from billions of internet-connected gadgets and devices, and it is not hard to see that this is a very difficult area to control.

It is important that regulators around the world agree to a set of basic principles on how IoT devices should be regulated. Only then can the identification and tracking of data misuse be considered, along with the associated penalties and enforcement mechanisms.

A good example of how regulators are starting to ensure IoT security and privacy is a case in the USA, where the Federal Trade Commission (FTC) reached a settlement with TRENDnet in September 2013. TRENDnet’s home security cameras can be monitored remotely over the internet. According to the FTC complaint, TRENDnet did not implement reasonable security measures. This caused live feeds from nearly 700 cameras to be publicly available online.


Security measures
It is of great concern that companies can create gadgets, apps and services to capture, store, analyse and distribute data, without reasonable security measures in place and in the absence of an international standard on how to regulate this.

Apart from an obvious need for international IoT standards, organisations should be proactive and take the first steps in ensuring the security and privacy of consumer data. Before new software is launched, organisations should clearly set out the steps they have taken in the development and testing of the software. Furthermore, organisations should state clearly how secure their data transfer methods are.