Hackers Eavesdrop and Obtain Sensitive Data of Users Through Home Smart Assistants

Although Amazon and Google respond to reports of vulnerabilities in their popular home smart assistants, Alexa and Google Home, hackers continually work to exploit any remaining weaknesses so that they can listen to users’ every word and obtain sensitive information for use in future attacks.

Last week, ZDNet reported that two security researchers at Security Research Labs (SRLabs) had discovered phishing and eavesdropping vectors that hackers can build with the developer tools that “provide access to functions that developers can use to customize the commands to which a smart assistant responds, and the way the assistant replies.” In other words, the hackers use the same technology that Amazon and Google provide to app developers for the Alexa and Google Home products.

By putting certain commands into the back end of an otherwise normal Alexa/Google Home app, the attacker can silence the assistant for a long period while it remains active. After the silence, the attacker sends a phishing message that the user believes has nothing to do with the app they were interacting with: a fake message that appears to come from Amazon or Google and asks for the user’s Amazon/Google password. Once the hacker has access to the home assistant, the hacker can eavesdrop on the user, keep the listening device active and record the user’s conversations. Obviously, when attackers eavesdrop on every word, even when the device appears to be turned off, they can obtain highly personal information that can be used malevolently in the future.

The manufacturers of home smart assistants remind users that the devices will never ask for their account password. Cyber hygiene for home assistants is no different from cyber hygiene for email.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.


Head Hacking: New Devices Gather Brainspray

For more than a decade I have been warning about the vulnerability of brainspray – the brain signals that can be captured from outside your head. In 2008, this article by Jeffery Goldberg demonstrated that an fMRI machine could easily interpret how a person felt about stimuli provided to them – which could be a boon to totalitarian governments testing for people’s true feelings about the government or its Dear Leader. Of course, in 2008 an fMRI machine cost two million dollars and you had to lie still inside it for a useful reading to emerge.

While fMRI mind reading and lie detection are not yet ready for the courtroom, their interpretations are improving all the time and mobile units are under consideration. And their wearable cousins, like iWatches and computerized head gear, are reading changes from within your body, such as electrocardiogram, heart rate, blood pressure, respiration rate, blood oxygen saturation, blood glucose, skin perspiration, capnography, body temperature, motion evaluation, cardiac implantable devices and ambient parameters. Certain head gear is calibrated just for brain waves.

Some of this is gaming equipment and some helps you meditate. Biofeedback headsets measure your brain waves using EEG. They are small bands that sit easily on your head and measure activity through sensors. Several companies, such as MindWave, NeuroSky, Thync and Versus, make such equipment available to the general public.

Of course, if you really want to frighten yourself about how far this technology has advanced, check in on DARPA and the rest of the US military. DARPA has been testing brainwave-filtering binoculars, human-brainwave-driven targeting for killer robots, and soldier brain-machine interfaces for military vehicles. And these are just the things they are currently willing to discuss in public.

I wrote six years ago about how big companies like Honda were exploring brainspray capture, and have spoken about how Google, Facebook and other Silicon Valley giants have sunk billions of dollars into creating brain-machine interfaces and reading brainspray for practical purposes.

I will write more on this later, but be aware that hacking of this equipment is always possible, which could give the wrong people access to your brain waves and let them pick up whether you are thinking of your bank account PIN or other sensitive matters. Your thoughts of any sort should be protected from view. Thought-crime has always been on the other side of the line.

Now that it is possible to read your brainspray with greater certainty, we should be considering how to regulate this activity. I don’t mind giving the search engine my information in exchange for efficient, immediate searches. But I don’t want to open my head to companies or government.


Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.


Internet of Things: The Global Regulatory Ecosystem and the Most Promising Smart Environments Part II

Regulatory Ecosystem

Hyperconnectivity is a real phenomenon, and it is changing the concerns of society because of the kinds of interactions that IoT devices can bring about: i) people to people; ii) people to things (objects, machines); iii) things/machines to things/machines.

This gives rise to different issues for people. According to a European survey, 72% of EU Internet users worry that too much of their personal data is being shared online and that they have little control over what happens to this information[1]. It also gives rise to inevitable ethical issues concerning people’s relationship with the technological environment.

The discussion on ethics that follows aims to provide a quick tour of the general ethical principles and theories that may apply to IoT[2]. Law and ethics overlap, but ethics goes beyond law. A comparison of law and ethics, pointing out their differences, is made in the great work of Spyros G Tzafestas, Ethics and Law in the Internet of Things World. In this article, he considers that the risks and harms in a digital world are very high and complex, and he explains the relevant technical terms and their impact on our private lives. Thus, it is of primary importance to review IoT and understand the limitations of protective legal, regulatory and ethical frameworks, in order to provide sound recommendations for maximizing good and minimizing harm[3].

Major data security concerns have also been raised with respect to ‘cloud’-supported IoT. Cloud computing (‘the cloud’) essentially consists of the concentration of resources, e.g. hardware and software, into a few physical locations by a cloud service provider (e.g. Amazon Web Services)[4]. We are living in a data-sharing storm, and the economic impact of IoT’s cyber risks is increasing with the integration of digital infrastructure in the digital economy[5]. We are surrounded by devices which contain our data, for instance:

  • Wearable health technologies: wearable devices that continuously monitor the health status of a patient or gather real-world information about the patient such as heart rate, blood pressure, fever;
  • Wearable textile technologies: clothes that can change their color on demand or based on the biological condition of the wearer or according to the wearer’s emotions;
  • Wearable consumer electronics: wristbands, headbands, rings, smart glasses, smart watches, etc[6].

As a result of the serious impact IoT may have and because it involves a huge number of connected devices, it creates a new social, political, economic, and ethical landscape. Therefore, for a sustainable development of IoT, political and economic decision-making bodies have to develop proper regulations in order to be able to control the fair use of IoT in society.

In this sense, the most developed regions as regards establishing IoT regulations and an ethical framework are the European Union and the United States, both of which have enacted:

  • Legislation/regulations;
  • Ethics principles, rules and codes;
  • Standards/guidelines;
  • Contractual arrangements;
  • Regulations for the connected devices;
  • Regulations for the networks and their security; and
  • Regulations for the data associated with the devices.

In light of this, the next section will deal with Data Protection Regulations, Consumer Protection Acts, IoT and Cyber Risks Laws, the Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment related to the 2020 scenario, which is: 200 billion sensor devices and a market size that, by 2025, will be between $2.7 trillion and $3 trillion a year.

Europe

The Alliance for Internet of Things Innovation (AIOTI) was initiated by the European Commission in order to open a stream of dialogue between European stakeholders within the Internet of Things (IoT) market. The overall goal of this initiative was the creation of a dynamic European IoT ecosystem to unleash the potential of IoT.

In October 2015, the Alliance published 12 reports covering IoT policy and standards issues. It provided detailed recommendations for future collaborations in the Internet of Things Focus Area of the 2016-2017 Horizon 2020 programme[7].

The IoT regulatory framework in Europe is a growing area:

  • EU Directive-2013/40: this Directive deals with “Cybercrime” (i.e., attacks against information systems). It provides definitions of criminal offences and sets proper sanctions for attacks against information systems[8].
  • EU NIS Directive 2016/1148: this Network and Information Security (NIS) Directive concerns “Cybersecurity” issues. Its aim is to provide legal measures to assure a common overall level of cybersecurity (network/information security) in the EU, and an enhanced coordination degree among EU Members[9].
  • EU Directive 2014/53: this Directive “On the harmonization of the laws of the member states relating to the marketing of radio equipment”[10] is concerned with the standardization issue which is important for the joint and harmonized development of technology in the EU.
  • EU GDPR: European General Data Protection Regulation 2016/679: this regulation concerns privacy, ownership, and data protection and replaces EU DPR-2012. It provides a single set of rules directly applicable in the EU member states.
  • EU Connected Communities Initiative: this initiative concerns the IoT development infrastructure, and aims to collect information from the market about existing public and private connectivity projects that seek to provide high-speed broadband (more than 30 Mbps).

United States

A quick overview of the general US legislation that protects civil rights (employment, housing, privacy, information, data, etc.) includes:

  • Fair Housing Act (1968);
  • Fair Credit Reporting Act (1970);
  • Electronic Communications Privacy Act (1986), which applies to service providers that transmit data;
  • Privacy Act (1974), which is based on the Fair Information Practice Principles (FIPP) guidelines;
  • Breach Notification Rule, which requires companies using health data to notify consumers affected by any data breach;
  • IoT Cybersecurity Improvement Act 2019: the Bill seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly; and
  • SB-327 Information privacy: connected devices: California’s new SB 327 law, which will take effect in January 2020, requires all “connected devices” to have a “reasonable security feature.”

The above legislation is general, and in principle can cover IoT activities, although it was not designed with IoT in mind. Legislation devoted particularly to IoT includes the following:

  • White House Initiative 2012: the purpose of this initiative is to specify a framework for protecting the privacy of the consumer in a networked world.

This initiative involves a report on a “Consumer Bill of Rights” which is based on the so-called “Fair Information Practice Principles” (FIPP). Among its principles are:

  1. Respect for Context Principle: consumers have a right to insist that the collection, use, and disclosure of personal data by Companies is done in ways that are compatible with the context in which consumers provide the data;
  2. Individual Control Principle: consumers have a right to exert control over the personal data companies collect from them or how they use it.

China

Where we start to see the most advanced picture is in China. In 2017, the Ministry of Industry and Information Technology (MIIT), China’s telecom regulator and industrial policy maker, issued the Circular on Comprehensively Advancing the Construction and Development of Mobile Internet of Things (NB-IoT) (MIIT Circular [2017] No. 351, the “Circular”), with the following approach in the opening provisions:

Building a wide-coverage, large-connect, low-power mobile Internet of Things (NB-IoT) infrastructure and developing applications based on NB-IoT technology will help promote the construction of network powers and manufacturing powers, and promote “mass entrepreneurship, innovation” and “Internet +” development. In order to further strengthen the IoT application infrastructure, promote the deployment of NB-IoT networks and expand industry applications, and accelerate the innovation and development of NB-IoT[11]

Nowadays China already has a large body of regulation on technological matters:

  • 2015 State Council – China Computer Information System Security Protection Regulation (first in 1994);
  • 2007 MPS – Management Method for Information Security Protection for Classified Levels;
  • 2001 NPC Standing Committee – Resolution about Protection of Internet Security;
  • 2012 NPC Standing Committee – Resolution about Enhance Network Information Protection;
  • July 2015: National Security Law – ‘secure and controllable’ systems and data security in critical infrastructure and key areas;
  • 2014 MIIT – Guidance on Enhance Telecom and Internet Security;
  • 2013 MIIT – Regulation about Telecom and Internet Personal Information Protection;
  • 2014 China Banking Regulatory Commission – Guidance for Applying Secure and Controllable Information Technology to Enhance Banking Industry Cybersecurity and Informatization Development.

Further, as if this were not enough, the Chinese government is being proactive and has several important laws and regulations in the pipeline, as can be seen from the list below:

  • CAC: Administrative Measures on Internet Information Services;
  • CAC Rules on Security Protection for Critical Information Infrastructure;
  • Cybersecurity Law;
  • Cyber Sovereignty;
  • Security of Product and Service;
  • Security of Network Operation (Classified Levels Protection, Critical Infrastructure);
  • Data Security (Category, Personal Information);
  • Information Security.

Finally, in 2016 China established the National Information Security Standardization Technical Committee (TC260, IT Security), whose current work includes developing standards on technical requirements for industrial network protocols and a general reference model and requirements for Machine-to-Machine (M2M) security.

Latin America

The Latin American countries are at different levels of development, and this creates a huge asymmetry between their domestic legal frameworks. The following is a quick overview of regulation in Latin American countries:

  • Brazil has the “National IoT Plan” (Decree N. 9.854/2019), which aims to ensure the development of public policies for this technology sector, and members of the Brazilian parliament presented bill No. 7.656/17 with the purpose of eliminating tax charges on IoT products;
  • Colombia has a Draft of Law No. 152/2018 on the Modernization of the Information and Communication sector, providing investment incentives to IT technologies (article 3);
  • Chile has a new Draft Law Boletín N° 12.192-25/2018 on cyber crimes and the regulation of internet devices and hacker attacks;
  • In 2017, Argentina launched a Public Consultation on IoT regarding regulations that must be updated and how to get more security and improve the technological level of the country[12].

Most Promising Smart Environments

Smart environments are regarded as the spaces within which IoT devices interact, connected through a continuous network. Smart environments aim to improve the experience of individuals in every environment by replacing hazardous work, physical labor and repetitive tasks with automated agents. Generally speaking, sensors are the basis of these kinds of smart devices, with many different applications, e.g. Smart Parking, Waste Management, Smart Roads and Traffic Congestion, Air Pollution, River Floods, M2M Applications, Vehicle auto-diagnosis, Smart Farming, Energy and Water Use, Medical and Health Smart applications, etc.[13]

Another way of looking at smart environments and assessing their relative capacity to produce business opportunities is to identify and examine the most important IoT use cases that are either already being exploited or will be fully exploited by 2020.

For the purposes of this article, the approach was restricted to the sectors comprising the most promising smart environments to be developed up to 2020 in the European market, as displayed in the chart below:

Chart: Vertical IoT Market Size in Europe

The conclusions of the latest European Commission report are impressive and help to explain the continuous development of the IoT market; every market segment will have to comply with the law and will face a regulatory avalanche, as mentioned in item 2 on the Regulatory Ecosystem.

Final Considerations: IoT as Consumer Product Health and Safety

IoT safety is becoming more important every day. On the one hand, as mentioned above, most concerns for IoT safety are primarily in the areas of cyber-attacks, hacking, data privacy and similar topics, which are better referred to as security than safety. On the other hand, safety can be approached through the physical hazards that may result from the operation of consumer products in an IoT environment or system. IoT provides a new way to approach business and is not restricted to one market or topic. It is a metatopic or metamarket with many different possibilities and applications, and it will spread in the near future.

In general, IoT products are electrical or electronic devices with a power source and a battery connected to a charging device. So long as power sources, batteries and charging devices are present, we have the usual electrical hazards (fire, burns, electric shock, etc.). Nonetheless, IoT makes matters more complicated, as smart devices can send commands to and control devices in the real world.

IoT applications can switch the mains power of secondary products or operate complex motor systems, and so on. They therefore have to be accurate and should meet minimum requirements for protecting consumer health and safety. Risk assessment and hazard mitigation will have to adapt to IoT applications, developing new methods to assure regular standards of IoT usability. Traditional health and safety regulations need to be brought up to date with this new technological reality to be effective at reducing safety hazards for consumer products.

To conclude, this article was intended to summarize two main issues: I) IoT as an increasing and cross topic market which will become a present reality closer to our daily lives; II) IoT will be regulated and become an important concern in consumer product health and safety.

See the first installment of the IoT: Seizing the Benefits and Addressing the Challenges and the Vision of IoT in 2020.


[1] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27. P. 2.

[2] Spyros G Tzafestas. Ethics and Law in the Internet of Things World. Smart Cities 2018, 1(1), 98-120. P. 102.

[3] Spyros G Tzafestas. Ethics and Law in the Internet of Things World. Smart Cities 2018, 1(1), 98-120. P. 99.

[4] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27. P. 19.

[5] Petar Radanliev, David Charles De Roure and others. Definition of Internet of Things (IoT) Cyber Risk – Discussion on a Transformation Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment. Oxford University. MPRA Paper No. 92569, March 2019, P. 1.

[6] Spyros G Tzafestas. Ethics and Law in the Internet of Things World. Smart Cities 2018, 1(1), 98-120. P. 101. https://doi.org/10.3390/smartcities1010006

[7] More information available here.

[8] EUR-Lex Document 32013L0040. Directive 2013/40/EU of the European Parliament and the Council of 12 August 2013. Available here.

[9] NIS Directive. The Directive on Security of Network and Information Systems.

[10] EUR-Lex Document 32014L0053. Directive 2014/53/EU of the European Parliament and the Council of 16 April 2014.

[11] Notice of the General Office of the Ministry of Industry and Information Technology on Promoting the Development of Mobile Internet of Things. Department of Industry communication letter [2017] No. 351.

[12] Available here.

[13] More examples


Copyright © 2019 Compliance and Risks Ltd.
This article was written by João Pedro Paro from Compliance & Risks.

Internet of Things: Regulatory Ecosystem and Consumer Product Health and Safety – Part I

IoT: International Framework

Technological Revolutions are quiet and astonishing. Step by step new technological applications are pushing existing paradigms and changing the way business is transacted by consumers, companies and in society. In the past, electricity and printing had a revolutionary role in social development, shifting all sectors of life. These days, the Internet of Things (IoT) is pivotal in creating quick, profound and quiet transformations.

According to the Committee on Digital Economy Policy of the OECD Directorate for Science, Technology and Innovation:

The Internet of Things (IoT) could soon be as commonplace as electricity in the everyday lives of people in OECD countries. As such, it will play a fundamental role in economic and social development in ways that would have been challenging to predict as recently as two or three decades ago[1].

In 2008-2009, according to Cisco IBSG (Internet Business Solutions Group), there were more connected objects, such as smartphones, tablets and computers, than people in the world. Therefore, this period is considered the time that IoT was born[2]. In 2008, Rob van Kranenburg published “The Internet of Things”, which addresses a new paradigm in which objects produce information.

Supporting Cisco’s statement, the Google Trends chart below shows the period during which the popularity of the term in Google searches increased. In the last 5 years, IoT has rocketed to become a very attractive subject for internet users generally[3]:

Chart 1. Interest Over Time (2004-2019) As Search Item

Digging deeper, we can see that IoT popularity is not only relevant to internet users or to some futuristic curiosity on Google; it is a real and concrete “combination of network connectivity, widespread sensor placement, and sophisticated data analysis techniques” which enables “applications to aggregate and act on large amounts of data generated by IoT devices in homes, public spaces, industry and the natural world”[4].

The potential benefits of this kind of connectivity are immense: real-time monitoring and more accurate metrics, the ability to remotely control various actions, interconnectivity and automation, plus the ease of handling a variety of devices that can be centralized on just one smartphone. Nonetheless, this technological avalanche also brings risks and vulnerabilities to users, such as increased vigilance over our habits, exposure of our personal data, hacking vulnerabilities, global or cascading failures, among others.

In the last two years, a set of supporting policy actions has been adopted by the European Commission to accelerate the take-up of IoT and to unleash its potential in Europe for the benefit of European citizens and businesses[5]. These policy actions and statements are not a guess or a shallow forecast; they are the serious result of data and market analysis from several studies, which found impressive numbers such as 11 billion connected ‘things’ in 2018[6]. This could be as many as 20 billion connections by 2020[7], about 6 billion of which will be in Europe[8]. Of these, 60-65% are consumer devices.

According to the Centre for the Promotion of Imports (CBI), more than 65% of businesses are expected to use IoT products by 2020, compared to 30% in 2017. Europe will account for more than a third of global Industrial IoT investment by 2020. The market is expected to grow at an impressive average annual rate of 22%, reaching a value of €287 billion in 2020; Industrial IoT is Europe’s largest IoT market[9].

Seizing the Benefits and Addressing the Challenges

The Centre for the Promotion of Imports (CBI), an agency of the Netherlands’ Ministry of Foreign Affairs and part of the Netherlands’ development cooperation effort, conducted research on IoT in Europe in January 2019. It concluded:

The European market for Internet of Things (IoT) solutions is growing. Western and Northern Europe are especially promising. Both consumer and business IoT offer opportunities, but specialisation may give you a competitive advantage. The home, health and finance sectors are front runners. National and European initiatives are working to stimulate the roll-out of Industrial IoT solutions and lower barriers. The shortage of skilled specialists continues to drive outsourcing[10].

Apart from being an advantageous and “smart” business opportunity, IoT can facilitate innovation in the private sector, supporting a wide range of innovative businesses, not only raising productivity but also increasing the accountability and responsiveness of companies and their employees and improving client confidence.

Thus, IoT can work to facilitate Private Sector Innovation by the so-called industrial Internet, Next Production Revolution (NPR)[11], autonomous machines and big data[12] and the automotive industry[13]. On the other hand, innovative Public Sector Delivery with IoT applications could provide smart cities[14], smart governments, smart street lighting[15] and traffic flow optimization[16], and innovation in healthcare practice and delivery[17]. IoT technologies are, therefore, expected to play a major role in improving the management of transport, energy use, water services, education, employment, health and crime prevention, by making society more efficient, innovative, safe, sustainable and inclusive[18].

Regardless of all the benefits, there are many challenges and risks associated with IoT digital security, such as cyber attacks, digital incidents and privacy challenges. Furthermore, bad outcomes with physical consequences can occur when autonomous vehicles, health care tools or industrial machines malfunction.

The Vision of IoT in 2020

First of all, the 2020 scenario might be approached by a combination of the Cloud and Big Data. Nowadays the hyperconnectivity[19] of society drives IoT to be “The Next Big Thing” in business. According to OECD this next big thing will be related to “a sophisticated industry ecosystem consisting of vendors (providing components), suppliers (creating solutions), service providers, and enterprise users in all sectors of the economy” that will be “measured in billions of Euro in Europe alone, and that will extend across the world too”[20].

Could expectations be too high? Maybe not, because of the following points: I) the centrality of IoT in the upcoming years is corroborated by the sheer number of connections that are expected to be in place by 2020; II) the IoT ecosystem will have grown to encompass not only the traditional supply-side actors, but also a rising number of businesses and organizations serving and using IoT; III) the hyper-connected society will be an established reality by 2020, as most of the “things” that can be connected will be connected by then.

In 2018, the World Economic Forum (WEF) published a study considering initiatives on the future of production. Essentially, it gives an insight into: i) Solution-driven: technology can tackle and solve challenges that have previously been insurmountable; ii) Human-centric: technology can unlock human potential by unleashing creativity, innovation and productivity in new ways; iii) Sustainable: technology can promote sound production processes that minimize negative environmental impact, conserve energy and resources and enable carbon neutrality; iv) Inclusive: employees, companies and countries at different stages of development benefit from Fourth Industrial Revolution technologies and the transformation of production systems[21].

One of its conclusions is that, in the coming years, the IoT market is expected to grow across Europe. Most of the front runners are Western European countries, which have traditionally invested more in IT. Together, six countries make up more than 75% of the European IoT market, which makes them especially promising target markets for 2020.

Chart 2. IoT Market Size in Europe

Further, apart from the geographic location of the opportunities arising, to have a real and concrete overview it is important to be aware of the market size and the 2020 forecast by sector. By 2020, industrial IoT is predicted to consist of:

  • 60% cross-industry devices – used in multiple industries, mainly to save costs;
  • 40% vertical-specific devices – used in a specific industry to improve efficiency/accuracy.

Industrial IoT also offers good opportunities, as the average spending per device is much higher in this sector. This makes total spending on consumer and industrial IoT about equal by 2020[22].

Chart 3: IoT Market Size Per Sector

Based on the US dollar to euro exchange rate in October 2018, the global average spending on IoT devices is expected to be:

  • €102 per consumer device;
  • €114 per cross-industry business device;
  • €239 per vertical-specific business device.

Finally, electronic sensors are now everywhere – in smartphones, cars, home electronic systems, healthcare devices, fitness monitors and in the workplace. It has been estimated that, by 2020, over 200 billion sensor devices will be inter-connected, creating a market size that, by 2025, will be between $2.7 trillion and $3 trillion a year[23].

At the same time, the market opportunity will bring regulatory challenges. The next section of this report will analyze, through specific studies, the impact of regulatory requirements on IoT devices and their deployment.

Read more: Internet of Things: The Global Regulatory Ecosystem and the Most Promising Smart Environments Part II


[1] OECD. Committee on Digital Economy Policy of Directorate for Science, Technology and Innovation. The Internet of Things: Seizing the Benefits and Addressing the Challenges. Background Report for Ministerial Panel 2.2. English Version. 24 May 2016. P. 5. Available here.

[2] MANCINI, Monica. Internet das Coisas: História, Conceitos, Aplicações e Desafios. Available here.

[3] Interest over time. Numbers represent search interest relative to the highest point on the chart for the given region and time. A value of 100 is the peak popularity for the term. A value of 50 means that the term is half as popular. A score of 0 means there was not enough data for this term. The information is available here.

[4] Idem, p. 5.

[5] European Commission. Digital Single Market. Policies: Internet of Things. Available here.

[6] Gartner, Inc. Press Release. Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent From 2016. February 2017. Available here.

[7] Idem, Leading the IoT. Gartner Insights on How to Lead in a Connected World. 2017. P. 2.

[8] European Commission. Definition of a Research and Innovation Policy Leveraging Cloud Computing and IoT Combination. FINAL REPORT. A study prepared for the European Commission. DG Communications Networks, Content & Technology. Digital Agenda for Europe. Available here.

[9] Netherlands Ministry of Foreign Affairs. Centre for the Promotion of Imports (CBI). January 2019. Available here.

[10] Netherlands Ministry of Foreign Affairs. Centre for the Promotion of Imports (CBI). January 2019. Available here.

[11] (NPR) entails a confluence of technologies ranging from a variety of digital technologies (e.g. 3D printing, the Internet of Things [IoT] and advanced robotics) to new materials (e.g. bio- or nano-based) to new processes (e.g. data-driven production, artificial intelligence [AI] and synthetic biology). The Next Production Revolution. A Report to G20. OECD, 2017. Available here.

[12] Autonomous machines and the use of big data are increasingly present in agriculture. Robots can now sort plants based on optical recognition, harvest lettuce and recognise rotten apples. Idem, Ibidem.

[13] The automotive industry is one of the sectors most affected by interconnectivity and enhanced efficiency in both production and operation of vehicles. Idem, Ibidem.

[14] “Smart city plans explore the ability to process huge masses of data coming from devices such as video cameras, parking sensors and air-quality monitors to help local governments achieve goals in terms of increased public safety, improved environment and better quality of life.” In: OCDE. Committee on Digital Economy Policy of Directorate for Science, Technology and Innovation. The Internet of Things: Seizing the Benefits and Addressing the Challenges. Background Report for Ministerial Panel 2.2. English Version. 24 May 2016. P. 16.

[15] “Dublin (Ireland), Oslo (Norway) and Chattanooga, Tennessee in the United States have started to use smart street lighting systems. Often triggered by replacing municipal lighting with LED solutions to save on energy costs, smart street lighting can offer combined savings of up to USD 100 per streetlight per year”. Idem, Ibidem.

[16] “The SCOOT system developed by Transport for London uses data on road usage with real-time control of traffic lights in the city to deliver on average a 12% improvement in traffic flow. Other large cities, like Beijing, São Paulo, Toronto or Preston have introduced SCOOT”. Idem, Ibidem.

[17] “Smaller sensors, smartphone assisted readouts, big data analysis and continuous remote monitoring can enable new ways of managing care. Such a digital health feedback system includes wearable and that work together to gather information about medication-taking, activity and rest patterns.” Idem, p. 15.

[18] UN General Assembly, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/HRC/32/38 (2016), P.12.

[19] A term invented by Canadian social scientists Anabel Quan-Haase and Barry Wellman, it refers to the use of multiple means of communication, such as email, instant messaging, telephone, face-to-face contact and Web 2.0 information services.

[20] OCDE. Committee on Digital Economy Policy of Directorate for Science, Technology and Innovation. The Internet of Things: Seizing the Benefits and Addressing the Challenges. Background Report for Ministerial Panel 2.2. English Version. 24 May 2016. P. 24.

[21] World Economic Forum. Insight Report. Readiness for the Future of Production. Report 2018. Available here.

[22] Netherlands Ministry of Foreign Affairs. Centre for the Promotion of Imports (CBI). January 2019. Available here.

[23] Russo et al. Exploring regulations and scope of the Internet of Things in contemporary companies: a first literature analysis. Journal of Innovation and Entrepreneurship, 2015, P. 5.


Copyright © 2019 Compliance and Risks Ltd.
This article was written by João Pedro Paro of Compliance & Risks.
For more on the Internet of Things, please see the National Law Review Communications, Media & Internet law page.

Hush — They’re Listening to Us

Apple and Google have suspended their practice of reviewing recordings from users interacting with their voice assistant programs. Did you know this was happening to begin with?

These companies engaged in “grading,” a process in which they review supposedly anonymized recordings of conversations people had with voice assistant programs like Siri. A recent Guardian article revealed that these recordings were being passed on to service providers around the world to evaluate whether the voice assistant program was prompted intentionally, and the appropriateness of its responses to the questions users asked.

These recordings can include a user’s most private interactions and are vulnerable to being exposed. Google acknowledged “misconduct” regarding a leak of Dutch-language conversations by one of the language experts it contracted to refine its Google Assistant program.

Reports indicate that around 1,000 conversations captured by Google Assistant (available in Google Home smart speakers, Android devices and Chromebooks) were leaked to the Belgian news outlet VRT NWS. Google audio snippets are not associated with particular user accounts as part of the review process, but some of those messages revealed sensitive information such as medical conditions and customer addresses.

Google will suspend using humans to review these recordings for at least three months, according to the Associated Press. This is yet another friendly reminder to Google Assistant users that they can turn off the storing of audio data in their Google account completely, or choose to auto-delete the data after three months or 18 months. Apple is also suspending grading and will review its process to improve its privacy practices.

Despite Google and Apple’s recent announcements, enforcement authorities are still looking to take action. The German regulator, the Hamburg Commissioner for Data Protection and Freedom of Information, notified Google of its plan to use Article 66 powers under the General Data Protection Regulation (GDPR) to begin an “urgency procedure.” Since the GDPR’s implementation, we haven’t seen this enforcement action utilized, but its impact is significant because it allows enforcement authorities to halt data processing when there is “an urgent need to act in order to protect the rights and freedoms of data subjects.”

While Google allows users to opt out of some uses of their recordings, Apple has not provided users that ability other than by disabling Siri entirely. Neither privacy policy explicitly warned users of these recordings, but both reserve the right to use the information collected to improve their services. Apple, however, disclosed that it will soon provide a software update to allow Siri users to opt out of participation in grading.

Since we’re talking about Google Assistant and Siri, we have to mention the third member of the voice assistant triumvirate, Amazon’s Alexa. Amazon employs temporary workers to transcribe the voice commands given to Alexa. Users can opt out of “Help[ing] Improve Amazon Services and Develop New Features” and thereby of allowing their voice recordings to be evaluated.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

Product Liability in the Internet of Things

When California enacted SB 327 last year, it became the first state to regulate Internet of Things (IoT) devices, which refer to physical devices that are connected to the internet. Beginning next January, the new law will require manufacturers of IoT devices sold in California to implement reasonable security features that protect the software, data, and information contained within them. While the law regulates only the minimum security standards for IoT devices, its definition of a “connected device” (i.e., an IoT device) may impact product liability claims because “connected devices” are physical objects and not technology. SB 327’s definition suggests that manufacturers of the software in IoT devices may not be held strictly liable for software defects, because the law aligns with and reinforces the view of most courts that software is not a product, but a service.

A broad concept, the IoT comprises billions of devices worldwide. It includes everything from cell phones and tablets to smart speakers that respond to voice commands, smart refrigerators that help keep track of the food inside them, and even smart collars that track a dog’s fitness levels. There are wearable health monitors that send a patient’s real-time medical information directly to a health care professional, and smart pills that help keep track of the time when a patient last took one. If a product can be connected to the internet, it can become an IoT device.

Among other things, SB 327 requires manufacturers of “connected devices” to equip them with “reasonable security features.” The law defines a “connected device” to include only “physical objects,” which is significant because IoT devices combine a physical object with technology that changes the nature of the device. For example, a regular lamp is not part of the IoT. But when a manufacturer installs technology that connects the lamp to the internet and allows it to be turned on or off or dimmed by a tablet or smart phone, then the lamp becomes an IoT device. As written, SB 327 may exclude manufacturers of the intangible technology – such as software – from its requirements.

Combining a physical object and an intangible technology also creates a novel issue when it comes to strict product liability principles, which typically hold that a product manufacturer may be strictly liable for a product’s defect. The first task in a strict product liability case is to identify the product. In the context of a device that has no internet connectivity, the answer is straightforward. If a ladder is defective and causes an injury, the ladder’s manufacturer may be held strictly liable because a ladder is the product. But when it comes to IoT devices, the line may be blurred. Almost always, the software part of the IoT device is “manufactured” by a separate entity from the entity that manufactures the physical object. If the IoT device proves to be defective, the question becomes which entity may be held strictly liable.

A real-world example illustrates the issue. Medical professionals today are beginning to use implantable cardiac devices that transmit data directly from the device to the health care provider, allowing the medical professional to directly monitor the patient and the device (for more information on these medical devices and other issues that surround them, see our previous blog post here). The benefits of this technology are obvious. It allows for real-time observation by medical professionals, which makes patients safer and reduces the need for long visits to the doctor’s office. But internet-based monitoring also may come with some risks that the statute attempts to address. For example, because the device is connected to the internet, it may be vulnerable to unauthorized access. Additionally, a software defect could potentially misread data, corrupt information, or even cause the device to malfunction.

If the defect is in the physical object of the device, then the entity that manufactured the device may risk being held strictly liable. But if the defect is in the software, the answer is less apparent because courts have not clearly indicated whether software is a product for purposes of strict product liability. Most observers expect courts to treat software in IoT devices as a service rather than a product, because for UCC purposes courts typically treat custom-made software (like that in IoT devices) as a service rather than a good. SB 327 aligns with this view and provides additional fuel for the argument that software is not a product.

The California Legislature may have placed the burden on an IoT device’s physical manufacturer to ensure safety when it comes to data stored inside the device. But physical device manufacturers may yet argue that the software was a component product when it comes to strict liability issues. Time will tell how courts will address that argument.


© 2019 Schiff Hardin LLP
This post was written by Gregory Dickinson and Jeffrey Skinner of Schiff Hardin LLP.

IoT (Internet of Things) Legislation Makes an Appearance in the U.S. Senate

For those who are not familiar with the acronym, IoT or ‘Internet of things’ refers to the interconnection of network devices and everyday objects for increased control and ease of use.

The US Government has been steadily increasing the number of IoT devices used in day-to-day business. In response to mounting concerns surrounding this, a bipartisan group in the Senate revealed a piece of legislation that would govern the use of IoT devices in the government context.

As we have blogged previously, the implementation of IoT brings with it an array of potential security issues and vulnerabilities. If hackers are able to access one device, there’s the possibility for them to manipulate others connected on the same network. This could result in national security risks, citizen information breaches or high-scale ransom attacks.

Under the bill, the National Institute of Standards and Technology (NIST) will give recommendations to the federal government, including minimum security requirements and how the government should approach potential cybersecurity issues. These policies and recommendations would be revisited every five years to keep them fresh and responsive to ever-changing cyber threats.

The potential for such standards to provide more industry-wide guidance is to be encouraged, as several years into the growth of IoT there remains huge variability in security. The Internet of Things generally receives less security attention than most people’s computers, but the impact of a compromise, and its ability to propagate, is arguably greater.

Ella Richards and Cameron Abbott of K&L Gates contributed to this post.

Copyright 2019 K&L Gates.

FTC’s Settlement in Vizio May Provide Hint at Direction of Internet of Things Regulation

The Federal Trade Commission’s (FTC’s) settlement in FTC v. Vizio, Inc. may signal the direction the agency is heading on Internet of Things (IoT) enforcement. With veteran FTC enforcer Jessica Rich leaving and new appointee Maureen Ohlhausen taking over, Ohlhausen’s separate concurring statement in that matter is insightful.

The settlement took a broad view on the types of data that require protection. While the “Covered Information” included information like personal identifiers, IP address, and geolocation, it also included “Viewing Data,” which is essentially data about the content viewed on a television. Ohlhausen criticized this expansion and the FTC’s foray into this public policy basis for alleging an unfair practice. She notes, “But here, for the first time, the FTC has alleged in a complaint that individualized television viewing activity falls within the definition of sensitive information.” Hinting that this broad view of personal data may not continue, Ohlhausen writes, “There may be good policy reasons to consider such information sensitive…. But, under our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.” She then promises that “[i]n the coming weeks I will launch an effort to examine this important issue further.”

© MICHAEL BEST & FRIEDRICH LLP

House Energy and Commerce Committee Holds Hearing on Security of Internet of Things

What the experts are saying.

The hearing was motivated by the revelation that cybersecurity is no longer just about protecting laptops or securing digital data. IoT insecurity puts human safety at risk, as everything from home appliances to automobiles and medical technology is becoming connected to the Internet. Representatives from both subcommittees pressed expert witnesses Mr. Dale Drew of Level 3 Communications, Dr. Kevin Fu of Virta Labs and the University of Michigan, and Mr. Bruce Schneier of the Harvard Kennedy School of Government for examples of legislation that could target the cybersecurity concerns related to the Internet of Things.

These experts shared conflicting opinions about whether it is in fact possible for the government to establish one set of security standards that covers all Internet-connected devices, as these devices do many different things and are powered by many different types of technology. Mr. Schneier reminded the subcommittees that “[your smartphone] is not a phone; it’s a computer that makes phone calls.” The same applies to a long list of devices including WiFi-connected baby monitors, thermostats, refrigerators, DVR players, GPS systems, children’s toys, and of course, electronic voting booths. In his testimony, Mr. Drew explained that “bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices to remove threats.” Nevertheless, they agreed that a collaborative and, above all, proactive approach by both the government and manufacturers of these devices will be essential.

Fortunately, we already have a potential starting point. The National Institute of Standards and Technology recently issued a comprehensive set of guidelines and best practices for securing IoT devices and systems throughout their entire life cycle. But simply establishing these best practices on paper will not be enough. Dr. Fu reiterated the most important takeaway from the hearing: that proper security measures for IoT devices must be “built in, not bolted on.” Protective measures like encryption must be incorporated into the fundamental design of a device, not tacked on as an afterthought. They also must secure a device from its creation, through its life with a consumer, and after “retirement” since old but active devices are still vulnerable to hijacking by botnets like the one used in last month’s massive distributed denial of service (“DDoS”) attack on global Internet routing company Dyn.

Looking ahead to the future.

Currently, there are few market incentives to spend time and money producing more secure, encrypted devices. There are likewise no significant legal or economic penalties for selling insecure devices to consumers. In short, consumers are focused on buying sleek and affordable new products rather than on the networks that connect them. However, if massive DDoS attacks continue the way data breaches have in recent years, the priorities of consumers and manufacturers alike are bound to evolve.

Will a greater focus on security slow down the rate of technological innovation? Despite some concerns, Dr. Fu and Mr. Schneier reassured the subcommittees that efforts to improve cybersecurity will spur innovation in the tech industry, not hold it back. As consumers and manufacturers become more aware of the implications of poorly secured devices, incorporating features like end-to-end encryption will be understood not as unwelcome obstacles, but as valuable solutions to very real and costly problems.

ARTICLE BY Cynthia J. Larose, Michael B. Katz & Joanne Dynak of Mintz Levin
©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Insurance Coverage Issues for Cyber-Physical Risks

The recent National Institute of Standards and Technology (NIST) publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage – via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even children’s toys. In addition to enhanced system security engineering and preventive education efforts, insurance is an increasingly essential component of any enterprise risk management approach to cyber vulnerabilities. But purchasers of cyber insurance are finding that nearly all of the available cyber insurance products expressly exclude coverage for physical bodily injury and property damage.

These exclusions are no doubt assumed to “dovetail” with (i.e., to avoid duplicating) the bodily injury and property damage coverage traditionally afforded by general liability and first-party property insurance policies. But it is not always clear whether those more conventional policies cover bodily injury or property damage arising from a cyber-related peril (so-called “cyber-physical” risks). Unless an insurance program specifically addresses these risks, the determination of coverage for physical harm from a cyber-attack may depend on a close reading of policy language and a fact-intensive analysis of how the harm arose.

Policyholders would be well advised to understand the potential cyber-physical risks they face; to analyze all their current lines of coverage to determine whether and how each would respond to those risks; to seek clarifications in their current insurance wordings; to explore new “difference in conditions” insurance products designed to plug any gaps in coverage for such risks; and, ultimately, to expect disputes with their insurers if these novel cyber-physical harms should materialize.

© 2016 Covington & Burling LLP