The deployment of internet of things (IoT) systems, and their potential impact on individuals and businesses, raises regulatory issues: some familiar to telecoms regulators, such as licensing, spectrum management and standards; others in areas usually handled by other regulators, such as data protection, privacy and security.
A 2013 European Commission consultation exercise found a diversity of views on whether IoT-specific regulation is necessary.1 Industry respondents argued that state intervention would be unwise in this young sector, and that general rules such as the EU’s forthcoming data protection regulation will suffice. Privacy advocacy groups and academics responded that IoT-specific regulation is needed to build public confidence, as well as to ensure a competitive market.
Meanwhile, a US Federal Trade Commission (FTC) staff report suggested that IoT-specific legislation would be premature. It instead encouraged self-regulatory programmes for IoT industry sectors to improve privacy and security practices, while also reiterating the FTC’s previous call for “strong, flexible, and technology-neutral federal legislation” to strengthen its ability to enforce wider data security standards and require consumer notification following a security breach, and for broad-based privacy legislation.2 I will now review possible actions by regulatory agencies that would enable the development and adoption of IoT systems in a way that maximises their societal benefit.
Licensing and spectrum management are important issues for ensuring availability and capacity for IoT communications. IoT devices communicate using a range of different protocols, based on their connectivity requirements and resource constraints. These include short-range radio protocols such as ZigBee, Bluetooth and WiFi, mobile phone data networks, and in more specialised applications such as traffic infrastructure, longer-range radio protocols such as ultra-narrow band (UNB).
To communicate with remote networks, IoT devices may send data via a gateway with a wired (PSTN, ethernet, power line or DSL) or wireless (2G, 3G, 4G/LTE or UNB) connection to the global internet or telephony network – or directly over one of these mediums. For consumers, the gateway will often be a smartphone or home wireless router. Businesses will frequently make use of their existing corporate data networks.
Devices communicating over kilometres need access to spectrum in the 300 MHz to 3 GHz range, while contactless transactions over centimetres or millimetres may use near field communication at 13.56 MHz or the EHF bands. Some IoT applications may also make use of the AM and FM broadcast bands. Telecoms companies are experimenting with white space spectrum to make more use of often-unused spectrum bands, while a US presidential commission has recommended the development of shared-space technology that enables government, licensed commercial users, and unlicensed users to cooperatively make use of a large amount of spectrum.
The US Federal Communications Commission (FCC)’s expert IoT working group predicts that IoT will add significant load to existing services such as WiFi and 4G mobile networks. Regulators will need to give continuing attention to the availability of spectrum for short-range IoT communications, to the capacity of the backhaul networks that connect IoT gateways to the internet, and to the rollout of small-cell technology in 4G networks. If these conditions are met, the working group does not expect that new spectrum will need to be explicitly allocated to IoT communications.3
The FCC is also reviewing the use of spectrum above 25 GHz for 5G networks, and possibly for IoT. The Korean government plans to secure additional frequency of at least 1 GHz by 2023 and ensure 5G is commercialised by 2020 in response to the exponential growth it expects in IoT traffic.4
Studies for the European Commission have suggested that a licence-exempt model is most effective for IoT development, since it avoids the need for contractual negotiations before devices are manufactured and used, allowing the production of large numbers of cheap devices.5
Firms operating large networks of M2M devices over mobile telephony networks, with a fixed SIM in each device, may find it hard to switch networks at the end of a contract, when a device roams into another network’s coverage area, or for a period during which a different provider would offer better service. Such roaming capability matters for devices that move between countries, and also for fixed-location devices in places (often indoors) that suffer periods of service unavailability.
Some technical standardisation work has been done to enable such services, with some of Apple’s latest iPads including SIMs that make it easier for users to switch between mobile networks, while SIM supplier Gemalto is supplying reprogrammable SIMs for smart watches. The first steps have been taken in the Netherlands, which in 2014 allowed SIMs to be issued by organisations other than mobile network operators, such as utilities and car companies. The GSMA has developed standards for remote M2M device management, which are being supported by mobile operators including China Unicom and Telefónica.
Greater flexibility and competition would be possible if large IoT operators were able to act similarly to mobile virtual network operators – not least because they could then have wholesale access to mobile networks.6 The German regulator, Bundesnetzagentur, consulted on the market for international mobile subscriber identifiers (IMSIs) in late 2014. An OECD analyst estimated that if German carmakers were able to issue their own SIMs and rent spare capacity on mobile networks, they could save $2.5 billion a year through lower prices and more flexible contracts.7 The Belgian communications regulator BIPT is also consulting on the national number plan.
The electronic communications committee of the European Conference of Postal and Telecommunications Administrations (CEPT) has recommended that SIMs whose IMSI can be remotely updated should be implemented as soon as possible, and that CEPT countries consider more flexibility in assigning mobile network codes (MNCs) to IoT service providers. It has also encouraged ITU-T to consider updating recommendation E.212 to allow this flexibility, as well as to plan for the future use of MNCs to support a broader range of services. These changes have been under consideration in ITU-T study group 2.
IoT devices today may have a globally unique, routable communications address (requiring a very large address space, such as that of IPv6); an address assigned by a gateway that allows only limited inter-network connectivity (for example, a private address behind network address translation); or use a local network only, to share data with and receive instructions from a nearby controller such as a personal computer, smartphone or specialised management device, in which case no globally unique address is required.
Enabling peer-to-peer connections between devices can increase the reliability of communications, rather than requiring a large and complex global network, and matches the common ‘use case’ of an individual discovering and interacting with nearby devices. But where devices must be globally reachable – most likely, via the internet – a large address space is required to individually identify each one.
The number of unallocated addresses in the current version of the internet protocol (IPv4) is extremely limited, whereas the new version (IPv6), now being rolled out by ISPs around the world, has enough addresses for almost any conceivable number of devices. The transition from IPv4 to IPv6 has taken longer than expected, and policymakers may need to continue with programmes to encourage it in the medium term. The US government, for example, set up a federal IPv6 task force to move all federal agencies from IPv4 to IPv6, with one aim being to encourage the private sector to do the same. Other countries have also set up IPv6 task forces to encourage national transitions.
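The three addressing situations described above (globally routable, gateway-assigned, local-only) have different security consequences: a device with a global address is reachable from anywhere on the internet and needs its own firewalling, while a link-local device is not reachable beyond its own link at all. The following is an added example, not part of the original briefing, showing how an operator can classify a device inventory by reachability using only Python’s standard library. The device names and addresses are constructed sample data (the two global addresses are real public addresses used only as samples).

```python
"""Classify IoT device addresses by reachability (added example, stdlib only).

Categories, matching the three cases discussed in the text:
  "local-only"     link-local (fe80::/10, 169.254.0.0/16): usable on the attached link only
  "gateway-scoped" private (RFC 1918), unique local (fc00::/7) or otherwise non-global:
                   reachable from other networks only through a gateway / NAT
  "global"         globally routable: reachable from the internet, so it needs a firewall
"""
import ipaddress


def classify(addr: str) -> str:
    """Return the reachability class of a single IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "local-only"
    if ip.is_global:
        return "global"
    return "gateway-scoped"


# Constructed inventory: (device name, address it uses to talk to its controller/cloud)
SAMPLE_INVENTORY = [
    ("thermostat", "fe80::1234:5678:9abc:def0"),   # link-local, talks to a hub on the same link
    ("smart-meter", "10.12.0.7"),                   # RFC 1918, behind a gateway
    ("door-lock", "fd3c:1a2b::42"),                 # IPv6 unique local address
    ("ip-camera", "2001:4860:4860::8888"),          # sample global IPv6 address
    ("gateway-wan", "8.8.8.8"),                     # sample global IPv4 address
]


def exposure_report(inventory):
    """Map each device name to its reachability class."""
    return {name: classify(addr) for name, addr in inventory}


def globally_reachable(inventory):
    """Names of devices that the internet can reach directly: the list to firewall first."""
    return sorted(name for name, addr in inventory if classify(addr) == "global")


if __name__ == "__main__":
    for name, cls in exposure_report(SAMPLE_INVENTORY).items():
        print(f"{name:12s} {cls}")
    print("directly reachable from the internet:", globally_reachable(SAMPLE_INVENTORY))
```

Note that `is_global` treats documentation and other reserved ranges as non-global, so test networks such as 192.0.2.0/24 fall into the gateway-scoped class; in a real inventory that is the right conservative answer.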
For any IoT identification scheme, there will be trade-offs between performance, scalability, interoperability, efficiency, privacy preservation, ease of authentication, reliability, flexibility, extensibility, and mobility support. As well as IPv6 addresses, the other main identification standards being developed are from ISO and GS1, as well as ITU-T recommendation E.212 for the use of IMSIs for machine-to-machine communications. The latter has the advantage of a well-developed authentication, payment and global roaming framework, operated by mobile telephony providers, with hardware security based on SIMs.
The ITU-T E.164 telephone numbering plan remains relevant for IoT. Applications using public networks, particularly mobile networks, will require E.164 numbering in the short to medium term and will provide a bridge to an all-IP solution in the longer term. The European Communications Office (at CEPT) has noted that there is continuing demand for telephone numbering resources for vending machines, smart meters and in-vehicle communications modules.
IoT technologies will likely have a range of impacts on the competitiveness of different markets. In the short term, firms adopting IoT systems will have better information on their business processes, enabling an increase in efficiency and more flexible responses to supply, processing and demand shocks. This could strengthen the market position of larger firms that have greater access to capital (to build their own IoT infrastructure) or brand loyalty (to increase sales volume to cover the price of third party IoT services).
For products with ‘network effects’, greater sales volumes can increase the likelihood of consumers being locked into existing suppliers – especially if the supplier uses non-standard interfaces and sells complementary services. (Network effects are where the purchase of a product increases its value to existing purchasers – eg. a telephone service, where a new customer can call and be called by all existing customers.)
Over time, if IoT technology is adopted in ways that require high capital spending, increase firms’ pricing power, or strengthen network effects, then adopters can drive out competitors. Market structure will also be affected if large companies can build their own IoT systems but smaller companies have to subscribe to them, or connect to networks of larger firms. If a core of large businesses adopts IoT, this could increase competition between them while reducing competition between core and peripheral firms. This could benefit consumers by turning quality based competition into price competition. But if firms feel they have to adopt IoT simply because competitors have, this could lead to overinvestment by incumbent firms and reduced entry into those markets by firms not willing to make this investment.8
The terms on which IoT service providers can access customers across the public internet will have a significant impact on their ability to enter new markets. Baseline access could be protected by network neutrality rules from regulators in the US, EU and elsewhere. IoT users with very high bandwidth or reliability requirements may be affected by neutrality rules that limit the ability of telecoms companies to discriminate between internet data from different sources. Such rules usually still allow telecoms providers to offer such customers ‘specialised services’ with specific speed or reliability guarantees. The terms attached to such services will be a key area of review for telecoms and competition regulators.9
Policy & Regulatory Measures [image]
In the longer term, an important aspect affecting competitiveness of IoT systems is the extent to which end users can gain access to the raw data gathered and stored by components. Systems usually process sensor data so that it is more useful when presented to users. While this makes systems more user-friendly, it reduces the ability of users to transfer data to different providers if a better service is offered. It also makes it more difficult for users to combine systems from different providers – which could become a competition issue if a provider becomes dominant in one area, and tries to extend that dominance into other areas by blocking interoperability with competitor systems.
One example of regulatory activity to promote competition is in Korea, where the government’s telecoms strategy council has been given responsibility to adapt existing laws and regulations to ensure a liberal and competitive industrial environment for IoT. Where the council finds regulations that hinder ICT convergence, it can request that related ministries improve these regulations. For new products and services, attention will be given to prompt processing and interim licensing.
At this relatively early stage of IoT market development, it is not clear whether the market will support more than a relatively small number of very large players, as is the case with existing internet markets such as search and advertising. Competition regulators will need to keep under review whether ex-post investigations of abuse of dominant positions will be sufficient to foster a competitive market and rapid innovation, including the ability of entrepreneurs to create new products and services.
Privacy and security are two significant (and closely related) issues in large-scale IoT deployment. There are already technologies available that address some of the underlying technical issues, particularly for RFID tags and sensors, such as key diversification (giving each device its own key derived from a master key) and reader authentication. But these can have a significant impact on device size, cost, functionality and interoperability.10
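To make the two techniques named above concrete, here is an added example (not code from the briefing or from any particular RFID standard) of key diversification combined with mutual challenge-response authentication between a reader and a tag, written in Python with only the standard library. Each tag stores only its own diversified key, derived one-way from a master key and the tag’s UID, so extracting one tag’s key yields neither the master key nor any other tag’s key; the reader, which holds the master key, rederives the tag key from the presented UID and both sides prove knowledge of it with fresh nonces. The HMAC-SHA256 derivation, the message labels and the sample keys and UIDs are this example’s own assumptions.

```python
"""Key diversification with mutual challenge-response (added example, stdlib only).

The derivation and message layout here are illustrative choices, not a specific
RFID standard. In practice the master key lives in a secure access module or HSM
on the reader side; here it is an in-memory constructed value.
"""
import hashlib
import hmac
import secrets


def diversify_key(master_key: bytes, uid: bytes) -> bytes:
    """Per-device key = HMAC-SHA256(master_key, "div" || uid).
    One-way: a leaked device key does not reveal master_key or other devices' keys."""
    return hmac.new(master_key, b"div" + uid, hashlib.sha256).digest()


def _mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Tagged MAC over the concatenated parts; the label separates the two directions."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class Tag:
    """Genuine tag: knows its UID and its own diversified key only."""

    def __init__(self, uid: bytes, device_key: bytes):
        self.uid = uid
        self._key = device_key

    def respond(self, reader_nonce: bytes):
        tag_nonce = secrets.token_bytes(16)
        return self.uid, tag_nonce, _mac(self._key, b"tag", reader_nonce, tag_nonce)

    def verify_reader(self, reader_nonce: bytes, tag_nonce: bytes, reader_mac: bytes) -> bool:
        expected = _mac(self._key, b"reader", tag_nonce, reader_nonce)
        return hmac.compare_digest(expected, reader_mac)


class ReplayTag(Tag):
    """Attacker replaying a previously captured (uid, tag_nonce, mac) response."""

    def __init__(self, captured):
        self._captured = captured

    def respond(self, reader_nonce: bytes):
        return self._captured

    def verify_reader(self, *_):
        return True  # the attacker accepts anything; the reader must reject first


class Reader:
    """Reader holding the master key; authenticates tags and proves itself to them."""

    def __init__(self, master_key: bytes):
        self._master = master_key

    def authenticate(self, tag) -> bool:
        reader_nonce = secrets.token_bytes(16)
        uid, tag_nonce, tag_mac = tag.respond(reader_nonce)
        key = diversify_key(self._master, uid)          # rederive from the presented UID
        if not hmac.compare_digest(_mac(key, b"tag", reader_nonce, tag_nonce), tag_mac):
            return False                                 # wrong key for this UID, or replay
        reader_mac = _mac(key, b"reader", tag_nonce, reader_nonce)
        return tag.verify_reader(reader_nonce, tag_nonce, reader_mac)


def demo():
    """Run three scenarios and return their outcomes (constructed keys and UIDs)."""
    master = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    reader = Reader(master)
    uid_a = b"\x04\x12\x34\x56\x78\x9a\xbc"
    uid_b = b"\x04\xde\xad\xbe\xef\x00\x01"
    genuine = Tag(uid_a, diversify_key(master, uid_a))
    # Attacker extracted tag A's key and presents it under tag B's UID
    cloned_as_b = Tag(uid_b, diversify_key(master, uid_a))
    # Attacker recorded one of tag A's responses to an earlier challenge
    replay = ReplayTag(genuine.respond(secrets.token_bytes(16)))
    return {
        "genuine": reader.authenticate(genuine),
        "key_reused_under_other_uid": reader.authenticate(cloned_as_b),
        "replayed_response": reader.authenticate(replay),
    }


if __name__ == "__main__":
    print(demo())
```

The cost the text mentions is visible here: the tag needs a keyed hash, a random-number source and non-volatile key storage, all of which add silicon, power draw and price to a device that might otherwise be a bare sensor.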
Without adequate security, intruders can break into IoT systems and networks, accessing potentially sensitive personal information about users, and using vulnerable devices to attack local networks and devices. This is a particular issue when devices are used in private spaces, such as individuals’ homes, for example with baby monitors. The operators of IoT systems, and others with authorised access to the data produced, are also in a position to “collect, analyse, and act upon copious amounts of data from within traditionally private spaces”.11
Electronic attacks could also lead to threats to physical safety, for example if carried out against medical devices such as pacemakers and insulin pumps, or car engines and brakes. Information about building occupancy could be used by burglars to target unoccupied premises, while location tracking data might enable physical attacks against specific individuals.
If compromised IoT devices can connect to systems elsewhere on the internet, this provides a potential route for further attacks. One security company announced in 2014 that it had discovered hundreds of home devices, including smart fridges, sending unsolicited email. A further analysis found this to be inaccurate, but warned of recently discovered malicious software targeting Linux-based IoT devices.12 Another common security and privacy issue is the shipping of devices with default passwords that users are not required to change during setup. One website has claimed to have found 73,000 webcams accessible over the internet using a known default password.13
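Whether or not a given fridge was really sending spam, the practical lesson of the paragraph above is that a compromised device usually shows up first as unexpected outbound traffic. The following added example (not part of the briefing) audits connection-log lines from a home or office gateway against a per-device-class egress policy, flagging any IoT device that connects to mail servers or to anything outside the endpoints its vendor needs. The log format, the device inventory, the policy endpoints and the log lines are all constructed for the example; real policies come from vendor documentation and observed baseline traffic.

```python
"""Egress audit for IoT devices (added example; all data below is constructed).

Two rules:
  1. an IoT device sending to SMTP ports is reported as probable spam egress;
  2. an IoT device sending to any (host, port) outside its class's allow-list is
     reported as off-policy egress (possible command-and-control traffic).
Traffic to the local LAN and traffic from non-IoT hosts are out of scope here.
"""
import ipaddress
import re

# Hypothetical vendor endpoints per device class.
POLICY = {
    "camera": {"dst": ["203.0.113.0/24"], "ports": {443}},
    "fridge": {"dst": ["198.51.100.10/32"], "ports": {443, 8883}},
}
# Which LAN addresses belong to which device class (laptops are not policed here).
INVENTORY = {"192.168.1.20": "camera", "192.168.1.31": "fridge", "192.168.1.5": "laptop"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMTP_PORTS = {25, 465, 587}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def parse(line: str):
    """Extract (src, dst, proto, dport) from a gateway log line, or None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto, int(dport)


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def audit(lines):
    """Return a list of (src, class, reason, dst, dport) alerts for the given log lines."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        cls = INVENTORY.get(src)
        if cls not in POLICY:
            continue                      # not an IoT device we police
        if _in_any(dst, LOCAL_NETS):
            continue                      # LAN traffic is out of scope for egress rules
        allowed = [ipaddress.ip_network(n) for n in POLICY[cls]["dst"]]
        if dport in SMTP_PORTS:
            alerts.append((src, cls, "smtp-egress", dst, dport))
        elif not (_in_any(dst, allowed) and dport in POLICY[cls]["ports"]):
            alerts.append((src, cls, "off-policy-egress", dst, dport))
    return alerts


# Constructed sample log (documentation address ranges stand in for internet hosts).
SAMPLE_LOG = [
    "2015-03-01T10:00:01 fw: src=192.168.1.20 dst=203.0.113.7 proto=tcp dport=443",
    "2015-03-01T10:00:02 fw: src=192.168.1.31 dst=198.51.100.10 proto=tcp dport=8883",
    "2015-03-01T10:00:03 fw: src=192.168.1.31 dst=192.0.2.77 proto=tcp dport=25",
    "2015-03-01T10:00:04 fw: src=192.168.1.20 dst=192.0.2.200 proto=tcp dport=6667",
    "2015-03-01T10:00:05 fw: src=192.168.1.5 dst=192.0.2.9 proto=tcp dport=25",
    "2015-03-01T10:00:06 fw: src=192.168.1.20 dst=192.168.1.1 proto=udp dport=53",
    "2015-03-01T10:00:07 fw: malformed line",
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

On the sample log only the fridge’s SMTP connection and the camera’s connection to an unexpected host on port 6667 are reported; the laptop’s mail traffic and the camera’s DNS query to the local router are ignored by design. The same allow-list, turned into gateway firewall rules, is the cheapest mitigation for devices that cannot be patched.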
IoT devices can be harder to secure than personal computers. Many companies building IoT devices have no previous experience of dealing with internet security issues in their products. IoT devices are often inexpensive and resource-constrained (notably on power and battery life), which leaves little room in the budget for the additional hardware or software needed to deal with threats. Combined with the limited internet connectivity of some devices, this can make it more difficult to develop and apply regular security patches when vulnerabilities are discovered, and for companies to afford ongoing support.
Most IoT devices contain multipurpose computers and can be reprogrammed beyond their intended purpose – with limited mechanisms for users to monitor the device. And they frequently share operating systems, embedded chips and drivers, meaning that a single vulnerability can often be used to attack a wide variety of devices.14
In large IoT systems such as smart cities, IoT insecurity can create significant vulnerabilities, and be extremely complex to address given interdependencies and links to older public and private sector systems. One threat assessment found 200,000 vulnerable traffic control sensors in cities such as Washington DC, New York, Seattle, San Francisco, London, Lyon and Melbourne. The assessment also found such vulnerable technologies being developed and used in critical infrastructure without security testing, and that it can be difficult for third-party security researchers to gain access to devices to carry out their own tests, due to their expense and limits on sales to governments and specific companies.15
Companies developing and operating IoT systems will need to conduct security testing, and consider how security vulnerabilities discovered after devices are sold can be fixed during their likely lifetime. Where security flaws cause consumer harm, consumer protection agencies may be able to take action to require that those harms be remedied, and better security processes be put in place to reduce the risk of them recurring. EU rules require organisations processing personal data from IoT systems to carry out security assessments, and make use of relevant security certifications and standards.16 And companies need to ensure that where they use external service providers to manage IoT devices and data, those providers also take reasonable security precautions.
To meet these security and privacy challenges, regulators have suggested that companies developing IoT devices should follow a security and privacy ‘by design’ approach, building security and privacy functionality into the device from the outset of the development process, when it is much more likely to be effective.17 The 2014 international conference of privacy regulators declared that this “should no longer be regarded as something peculiar. [It] should become a key selling point of innovative technologies.” An example of this type of functionality is the ability of users to deactivate or disconnect devices from networks.
That said, there is so far little evidence of market demand for privacy friendly services – partly because of the difficulties for individuals in assessing and weighing up complex privacy risks. And while regulators have been discussing privacy by design for over a decade, the specifics of implementation have so far only been developed to a limited extent.18 Companies can undertake privacy impact assessments when designing IoT systems to consider how different design options have different privacy effects. This can also reduce the risk of the need for expensive delays and redesigns of systems that are found to be non-compliant with privacy rules – as was debated during the development of the Netherlands’ smart meter programme.19
A significant amount of work has already been done on security and privacy issues by policymakers and regulators in the EU and US. Under the general data protection regulation now given the green light by the European Parliament and Council of Ministers, there will be stronger regulatory incentives for companies developing systems that process personal data to protect security and privacy by design. The FTC also suggests companies follow a ‘defence in depth’ approach, considering security measures at several different points in their systems: for example, using access control measures, and encrypting data at the application layer even when users connect devices over an encrypted home WiFi link (link encryption protects neither the data between the router and the firm’s servers, nor anything if the router is badly configured).
Privacy is a particularly strong regulatory issue in European countries, where it is included in a comprehensive legal framework that includes the Council of Europe’s European Convention on Human Rights and Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and the EU Charter of Fundamental Rights. This framework has been influential in the development of comprehensive privacy laws now in force in over 100 countries around the world.
The EU already has a very detailed legal framework regulating the public and private sectors’ use of personal data, with the Data Protection Directive (95/46/EC) relevant to IoT device manufacturers, social media platforms and app developers that access IoT data; and an e-Privacy Directive (2002/58/EC) also relevant to IoT device manufacturers. The European Commission has sponsored a process to create an RFID privacy code of practice, developed collectively by industry and civil society and approved by the EU’s data protection authorities.
These authorities have issued a detailed opinion on the implications of IoT for privacy protection. They note that IoT produces high-volume flows of personal data that could present challenges to traditional data protection regulation – for example, individuals will not necessarily be aware when data is shared, or be able to review this data before it is sent to other parties, creating a risk of self-exposure and lack of control.20
A further privacy issue is the amount of personal information that can be derived from seemingly innocuous sensor data, especially when it is combined with user profiles and data from other sources. As European privacy regulators note: “Full development of IoT capabilities may put a strain on the current possibilities of anonymous use of services and generally limit the possibility of remaining unnoticed.” Smart meter data, for example, can be surprisingly revealing of individuals’ day-to-day activities – even which programmes are being watched on a television.
Potential Regulatory Measures [image]
Researchers have found that smartphone sensor data can be used to infer information about users’ personality types, demographics, and health factors such as moods, stress levels, smoking habits, exercise levels and physical activity – and even the onset of illnesses such as Parkinson’s disease and bipolar disorder.21
This kind of information has obvious applications, such as in pricing health insurance, but also for other decisions related to employment, credit and housing. This could lead to economic discrimination against individuals classified as poor credit and health risks, and potentially to “new forms of racial, gender, or other discrimination against those in protected classes if IoT data can be used as hidden proxies for such characteristics”.22
To protect individuals’ privacy, the FTC has suggested that notice and consent be required when personal data is collected by IoT applications outside the reasonable expectation of consumers, based on the context of transactions and companies’ relationships with consumers. Similarly, the EU data protection authorities have noted that IoT data collected for one purpose may be analysed and matched with other data, leading to a range of secondary purposes – which should be compatible with the original purpose of collection and known to the user (this is known as purpose limitation).
IoT data collection and analysis could particularly affect privacy when it includes data from private spaces like homes and cars, and even make it difficult for individuals to go about their daily life in the largely anonymous way they took for granted. When IoT applications process personal data that can reveal sensitive data under EU data protection law – racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life – explicit consent is required from the individual concerned. Under EU law, individuals must be able to withdraw their consent to all or specific data processing at any time, without “any technical or organisational constraints or hindrances” using tools which are “accessible, visible and efficient”.
A range of mechanisms could be used to obtain consent, including choices at point of sale or device setup; QR codes or barcodes on a device that could take a user to a website; privacy dashboards, for example in smartphones; and by learning from consumer behaviour, such as through privacy preferences set on other related devices.
Data minimisation remains an important privacy-protective principle for consumer IoT devices, limiting the amount of personal data collected or retained, and hence reducing risks from data breaches and use of the data in ways not expected by consumers. The FTC foresees more flexibility for IoT services in collecting data not initially required to provide a service, while under stricter European rules the EU data protection authorities “cannot share this analysis”.23
IoT mechanisms to protect individual security and privacy will also be useful to protect sensitive corporate information. The information that will flow from IoT-enabled production and logistics processes, for example, could provide strategic value for industrial competitors and at a national trade relation level. Further technical tools and regulations relating to trade secrecy may be required to protect such data.
While it is difficult to make precise forecasts about the global impact of IoT, analysts are almost unanimous that it will be extremely significant – with tens of billions of devices deployed, and trillions of dollars of annual impact within the next decade. IoT technologies could make an important contribution to global challenges such as improving public health and quality of life, moderating carbon emissions, and increasing the efficiency of a range of industries in developed and developing nations.
The pace of IoT deployment will partly depend on the development of cheaper, more reliable, well-connected systems. Common networks, technical standards, system components, and infrastructure, as well as strong public-private partnerships, can reduce the costs of IoT systems. Open data and platforms can make it easier for new systems to be developed, especially by entrepreneurs, startups and SMEs. Innovation centres and incubators can further encourage new businesses to enter IoT markets, increasing competitiveness. Governments can take further steps to encourage national transitions to IPv6, updating all their own systems and providing incentives to private sector providers to do so, hence ensuring addresses are available for all IoT devices that connect directly to the internet.
Large-scale IoT systems like smart cities and international logistics chains need very cheap sensors that can last for long periods of time without needing repairs or new power sources, as well as the bandwidth to share data – whether infrequent bursts, or streams of high-resolution video. M2M systems need continued growth in coverage of 3G and 4G networks, and support for remotely provisioned embedded SIMs for more reliable and competitive communications.
This is the area where telecoms regulators can have the greatest impact, by supporting the continued development and deployment of high-speed cellular networks, and keeping under review the need for IoT-specific spectrum. Decisions on licensing and spectrum management are important to ensure IoT systems can be developed cost-effectively, and have the necessary bandwidth to communicate. By agreeing updated standards (such as the ITU’s recommendation E.212) and providing mobile network codes to M2M service providers, better services could be provided at a significantly lower cost. Shared-space technology has the potential to offer much greater bandwidth for IoT and other communications services.
Common technical standards will be key to a low-cost, interoperable IoT, and can be encouraged by continued cooperation between standards bodies, and government support for standards use and participation. National and local government authorities can stimulate the availability of open IoT datasets, platforms and components. Municipal governments are playing a key role in smart city and open data programmes, and can find it easier to experiment with new technologies and policies than national governments.
Some countries are taking a relatively hands-off approach to IoT regulation, with the focus of promoting economic growth and innovation. For example, Korea has recently planned to reduce IoT (as well as e-commerce and internet finance) regulation to support a dynamic ecosystem for growth, while still protecting users, preventing abuse of market dominance and protecting internet networks, and will decide on which restrictions to maintain through social consensus. Other countries and regions, notably the EU, are taking a more proactive approach to protect social values such as privacy as the IoT develops, while still promoting the economic benefits.
Regulators can play a role in encouraging the development and adoption of the IoT, while promoting efficient markets and the public interest. Competition regulators will need to keep under review whether ex-post investigations of abuse of dominant positions will be sufficient to foster a competitive market and rapid innovation.
Particular attention will be needed from regulators to IoT privacy and security issues, which are key to encouraging public trust in, and adoption of, the technology. While many telecoms regulators already have responsibility for network security, this is an area where they could do more by cooperating with national privacy and consumer protection regulators to encourage development of a trustworthy IoT.
1 European Commission (2013). Conclusions of the internet of things public consultation.
2 FTC Staff Report (2015). Internet of Things: Privacy and security in a connected world.
3 FCC Technological Advisory Council. Internet of Things working group. See slides at: bit.ly/1SpsYTA
4 Master plan for building the internet of things (IoT) that leads the hyper-connected, digital revolution. Republic of Korea Ministry of Science, ICT and Future Planning, 8 May 2014, p4.
5 Schindler HR et al. (2013). Europe’s policy options for a dynamic and trustworthy development of the internet of things. RAND Corporation. bit.ly/1SptvVz
6 OECD (2012). Machine-to-machine communications: Connecting billions of devices. bit.ly/1Ox71RD
7 The endangered SIM card. The Economist, 20 November 2014. econ.st/1LFGQ6x
8 Schindler HR et al. (2013). op. cit.
9 Marsden CT (2010). Net neutrality: Towards a co-regulatory solution. Bloomsbury.
10 European Commission (2013). op. cit.
11 Schindler HR et al. (2013). op. cit.
12 Thomas P. (2014). Despite the news, your refrigerator is not yet sending spam. Symantec official blog. symc.ly/1Q5fgpH
13 Tofel KC. (2014). Got an IP webcam? Here are 73,000 reasons to change from the default password. Gigaom Research. bit.ly/1EleYlm
14 Soltani A (2015). What’s the security shelf-life of IoT? Tech@FTC blog.
15 Cerrudo C (2015). An emerging US (and world) threat: Cities wide open to cyber attacks. IOActive Labs white paper. bit.ly/1MpC1kL
16 Article 29 working party (2014). Opinion 8/2014 on the recent developments on the internet of things. p18. bit.ly/1smejQi
17 Mauritius Declaration on the Internet of Things (2014). bit.ly/1XAJd1i
18 See: Koops BJ and Levene R (2014). Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data protection law. International Review of Law, Computers & Technology 28 (2): 159-171; ENISA (2014). Privacy and data protection by design.
19 Cuijpers C and Koops BJ (2012). Smart metering and privacy in Europe: Lessons from the Dutch case. In: S Gutwirth et al. (eds). European data protection: Coming of age. Springer.
20 Article 29 working party (2014). op. cit.
21 Peppet SR (2014). Regulating the internet of things: First steps towards managing discrimination, privacy, security and consent. Texas Law Review 93: 85, at 115-16.
22 Peppet SR (2014). ibid.
23 Article 29 working party (2014). op. cit.
In part two of this briefing on the internet of things, Ian Brown discusses the regulatory actions that could be necessary in this diverse technology sector.