In an earlier posting I examined the future potential regulatory landscape for the IoT market and introduced Ofcom's (the UK's communications regulator) 2014 consultation on the Internet of Things. This stakeholder consultation was issued in order to examine the emerging debate around this increasing interconnectivity between multiple devices and to guide Ofcom regulatory priorities. Since the consultation was issued, the potential privacy issues associated with IoT continue to attract the most attention but, as yet, no IoT issues have led to any specific laws or legal change.
In two separate developments in January 2015, the UK and US Internet of Things markets were exposed to more advanced thinking and guidance around the legal challenges of the IoT.
UK IoT developments
Ofcom published its Report: "Promoting investment and innovation in the Internet of Things: Summary of responses and next steps" (27 January 2015) which responded to the views gathered during the consultation which closed in the autumn of 2014. In this report Ofcom has identified several priority areas to focus on in order to support the growth of the IoT. These "next step" Ofcom priorities are summarised across four core areas:
Spectrum availability: where Ofcom concludes that "existing initiatives will help to meet much of the short to medium term spectrum demand for IoT services. These initiatives include making spectrum available in the 870/915MHz bands and liberalising licence conditions for existing mobile bands. We also note that some IoT devices could make use of the spectrum at 2.4 and 5GHz, which is used by a range of services and technologies including Wi-Fi." Ofcom goes on to recognise that, as IoT grows and the sector develops, there may be a renewed need to release more spectrum in the longer term.
Network security and resilience: where Ofcom holds the view that "as IoT services become an increasingly important part of our daily lives, there will be growing demands both in terms of the resilience of the networks used to transmit IoT data and the approaches used to securely store and process the data collected by IoT devices". Working with other sector regulators where appropriate, Ofcom plans to continue existing security and resilience investigations and to extend its thoughts to the world of IoT.
Network addressing: where Ofcom, previously fearing numbering scarcity, now recognises that "telephone numbers are unlikely to be required for most IoT services. Instead IoT services will likely either use bespoke addressing systems or the IPv6 standard. Given this we intend to continue to monitor the progress being made by internet service providers (ISPs) in migrating to IPv6 connectivity and the demand for telephone numbers to verify this conclusion"; and
Privacy: In the particularly hot privacy arena there is nothing particularly new within Ofcom's preliminary conclusions. Ofcom concludes that there is a need for "a common framework that allows consumers easily and transparently to authorise the conditions under which data collected by their devices is used and shared by others will be critical to future development of the IoT sector." In a world where the UK's Data Protection Act already applies, it was inevitable that Ofcom (without a direct regulatory remit over privacy) would offer little further insight in this regard.
It's not surprising to read from the Report that commentary within the responses highlighted data protection and privacy to potentially be the "greatest single barrier to the development of the IoT". The findings from its consultation do foresee potential inhibitors to the IoT adoption resulting from these privacy challenges, and Ofcom acknowledges that the activities and guidance of the UK Information Commissioner (ICO) and other regulators will be pertinent to achieving clarity. Ofcom will be co-ordinating further cooperation and discussion with such bodies both nationally and internationally.
A measured approach to an emerging sector
Ofcom appears to be striking the right balance here for the UK. Ofcom suggests that future work with ICO and others could include examining some of the following privacy issues:
- assessing the extent to which existing data protection regulations fully encompass the IoT;
- considering a set of principles for the sharing of data within the IoT looking to principles of minimisation and restricting the overall time any data is stored for;
- forming a better understanding of consumer attitudes to sharing data and considering techniques to provide consumers "with the necessary information to enable them to make an informed decision on whether to share their data"; and
- in the longer term, exploring the merit of a consumer education campaign exposing the potential benefits of the IoT to consumers.
The perceived need for more clarity around privacy and the IoT
International progress around self-regulation, standards and operational best practice will inevitably be slow. On the international stage, Ofcom suggests it will work with existing research groups (such as the ones hosted by BEREC amongst other EU regulators).
We of course already have insight from Working Party 29 in its September 2014 Opinion on the Internet of Things. The Fieldfisher privacy team expounded the Working Party's regulatory mind-set in another of our Blogs. The Working Party has warned that the IoT can reveal 'intimate details'; ‘sensor data is high in quantity, quality and sensitivity’ and the inferences that can be drawn from this data are ‘much bigger and sensitive’, especially when the IoT is seen alongside other technological trends such as cloud computing and big data analytics.
As with previous WP29 Opinions (think cloud, for example), the regulators in that Opinion have taken a very broad brush approach and have set the bar so high, that there is a risk that their guidance will be impossible to meet in practice and, therefore, may be largely ignored. This is in contrast to the more pragmatic FTC musings further explained below, though following a similar approach to protect privacy, the EU approach is far more alarmist and potentially restrictive.
Hopefully, as practical and innovative assessments are made in relation to technologies within the IoT, we may find new pragmatic solutions emerging to some of these privacy challenges. Perhaps the development of standard "labels" for transparency notifications to consumers, industry protocols for data sharing coupled with associated controls and possibly more recognition from the regulators that swamping consumers with more choices and information can sometimes amount to no choice at all (as citizens start to ignore a myriad of options and simply proceed with their connected lives ignoring the interference of another pop-up or check-box). Certainly with increasing device volumes and data uses in the IoT, consumers will continue to value their privacy. But, if this myriad of devices is without effective security, they will soon learn that both privacy and security issues count.
And in other news….US developments
Just as the UK's regulators are turning their attention to the IoT, the Federal Trade Commission (FTC) also published a new Report on the IoT in January 2015: As Ofcom's foray into the world of the IoT, the FTC's steps in "Privacy & Security in a Connected World" are also exploratory. To a degree, there is now more pragmatic and realistic guidance around best practices in making IoT services available in the US than we have today in Europe.
In this report the FTC recommends "a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security, as Americans start to reap the benefits from a growing world of Internet-connected devices." As with Ofcom, it recognises that best practice steps need to emerge to ensure the potential of the IoT can be recognised. This reads as an active invitation to those playing in the IoT to self-regulate and act as good data citizens. With the surge in active enforcement by the FTC in during 2014, this is something worthy of attention for those engaged in the consumer facing world of the IoT.
As the Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them the FTC's approach focusses more on the risks that will arise from a lack of transparency and excessive data collection than the practical challenges the US IoT industry may encounter as the IoT and its devices create an increasing demand on infrastructure and spectrum.
The report focuses in on three core topics of (1) Security, (2) Data Minimisation and (3) Notice and Choice. Of particular note the FTC report makes a number of recommendations for anyone building solutions or deploying devices in the IoT space:
- "build security into devices at the outset, rather than as an afterthought in the design process;
- train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
- when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
- monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks."
With echoes of privacy by design and data minimisation as well as recommendations to limit the collection and retention of information, suggestions to impose security on outside contractors and then recommendations to consider and notice and choice, it could transpire that the IoT space will be one where we'll be seeing fewer differences in the application of US/EU best practice?!
In addition to its report, the FTC also released a new publication designed to provide practical advice about how to build security into products connected to the Internet of Things. This report "Careful Connections: Building Security in the Internet of Things" encourages both "a risk-based approach" and suggests businesses active in the IoT "take advantage of best practices developed by security experts, such as using strong encryption and proper authentication".
Both reports indicate a consolidation in regulatory thinking around the much hyped world of IoT. Neither report proposes concrete laws for the IoT and, if they are to come, such laws are some time off. The FTC even goes as far as saying "IoT-specific legislation at this stage would be premature". However, it does actively "urge further self-regulatory efforts on IoT, along with enactment of data security and broad-based privacy legislation". Obama's new data privacy proposals are obviously seen as a complementary step toward US consumer protection? What is clear is there are now emerging good practices and a deeper understanding at the regulators of the IoT, its potential and risks.
On both sides of the Atlantic the US and UK regulators are operating a "wait and see" policy. In the absence of legislation, with other potentially privacy sensitive emerging technologies we've seen self-regulatory programs within particular sectors or practices emerging to help guide and standardise practice around norms. This can protect at the same time as introducing an element of certainty around which business is able to innovate.
Mark Webber – Partner, Palo Alto California firstname.lastname@example.org