Looking forward to living in a house that reduces your workload by mowing your lawn? What about having your front door beam you photographs of everyone your adolescent children let into your home while you are at work? Or, even better, a door that will only open for certain people at specific times during the week? As the Internet of Things (IoT) continues to expand into every nook of daily life, these “advances” are not only the way of the future – they are the way of the present.
In response to this proliferation of the IoT and IoT devices, the United States Government Accountability Office recently released a technology assessment of the IoT (the “Report”) respecting the status and implications of an increasingly connected world. The Report highlighted the benefits of the IoT’s rapid emergence. However, it also made sure to stress the challenges presented by a future where our refrigerators can provide a summary of our late-night snacking habits to our insurance companies, or worse, our personal trainers.
The Benefits of Living in a Connected World
There is no shortage of benefits that can be derived from IoT devices. Some of these benefits are obvious; imagine a surgeon operating on you through smart glasses that overlay digital aids onto the physical world. Some benefits are less obvious, such as cow monitoring devices used by ranchers to determine when cows are in their optimal breeding cycle.
Clearly, there can be little debate that the benefits of IoT devices are seemingly endless. Consumers are seen to benefit from the use of wearables, networked electronic homes and collision detection systems in vehicles.[i] Industry benefits through an optimization in operations and the public sector benefits through the management of service delivery.[ii]
The Downside to the IoT
However, despite the significant benefits of IoT devices, there are also real dangers associated with this increased connectivity and, more importantly, there seems to be little consensus on how to regulate the IoT moving forward.
Information Security Challenges
As the Report identifies, the rapid adoption of IoT devices into everyday situations has the potential of bringing the effects of a device’s poor security into homes, industries and communities.[iii] The risk is that unauthorized individuals and organizations can gain access to IoT devices for malicious purposes.[iv] Furthermore, this risk is exacerbated as many IoT devices were built without anticipating the threats associated with internet connectivity.[v] As an example, researchers found that they could remotely gain control over a vehicle’s steering and brakes through wireless communication.
Although numerous agencies have issued extensive guidelines in respect of protecting IoT devices, there is no standard for the implementation of these guidelines and there is no consensus on how to deal with the associated risks.[vi]
For example, the Federal Trade Commission recommends that companies prioritize and build security into their devices. However, the risk is that by implementing access controls and security measures, the functionality and flexibility of IoT devices could be affected.[vii]
As an additional security feature, the National Institute of Standards and Technology and AT&T recommend that consumers take steps to ensure that their IoT devices are updated with the most current software upgrades.[viii] Although this suggestion is practical, it is based on the assumption that an IoT device can easily be updated, that the update will increase the security of the device and that the consumer will ultimately install the update. This suggestion also raises an interesting question as to who would be responsible for any damage caused by a rogue vehicle if the owner had failed to install a software upgrade that may have prevented the vehicle from being wirelessly hijacked.
Other major hurdles for the developers of IoT devices are to ensure: i) that the devices do not inappropriately collect or misuse personal information; ii) that suitable methods for notifying customers about how data will be used are developed; and iii) that a consumer’s consent is obtained for the collection and use of personal data.[ix] As an example, in many cases IoT devices collect information through sensors that are embedded in everyday items and that record data while an individual is unaware that data is being recorded.[x] Despite this constant monitoring, many of these IoT devices do not seek consent or do not have the means to seek consent. In addition, even if an IoT device requested consent, would consumers take the time to properly review and understand the consent that they were providing?
There are also the concerns that information harvested from IoT devices can be used for a variety of purposes unrelated to the consumer’s use of the device and that this information could ultimately be linked with other harvested information to provide a detailed profile of an individual’s habits.[xi] Accordingly, experts suggest that data harvested from IoT devices should be de-identified. However, not only is there no standard process by which data can be de-identified, but the de-identification of data must be done in such a manner that the information cannot be re-identified.[xii]
Although the Report does not provide a solution on how to manage the proliferation of IoT devices, it does highlight the fact that in the United States there is no single “federal agency that has overall regulatory responsibility for the IoT”.[xiii] Canada has a more centralized privacy regime and in that respect has an advantage (and may provide more certainty to businesses), but IoT involves more than just privacy.
As IoT devices continue to become cheaper and move into all facets of life, governments in Canada will need to determine if and how to get involved.
Based on the Report, it would seem that one of the first areas government may look at is the adoption of guidelines to ensure that IoT devices are built to minimum security standards. The threshold question of whether this is approached as a regulatory initiative, a framework document, or in partnership with a third-party standards body and/or industry would need to be answered.
Furthermore, concerns regarding consent, data harvesting and the de-identification of personal information – concerns central to IoT devices – were front and centre in the recent hearings on the review of Canadian privacy legislation (PIPEDA). While IoT devices and manufacturers may not be regulated specifically, it is likely that coming amendments to privacy laws will impact those in the IoT ecosystem.
[i] The Report at pgs 16-19.
[ii] The Report at Appendix II.
[iii] The Report at p 26.
[iv] The Report at p 26.
[v] The Report at p 28.
[vi] The Report at p 27.
[vii] The Report at p 28.
[viii] The Report at pgs 29-30.
[ix] The Report at p 31.
[x] The Report at p 33.
[xi] The Report at p 35.
[xii] The Report at p 35.
[xiii] The Report at p 55.