Because Internet of Things (IoT) systems employ a large number of devices, there are many points of entry for possible security and privacy threats. IoT brings to light a wide range of privacy and security concerns that developers must address for customers to feel comfortable using the systems.
Strict data privacy is best practice in the IoT industry because it is a fundamental right. There are several ways to try to protect the privacy of IoT users. Domain Name System Security Extensions (DNSSEC) are key to protecting the privacy of users (Weber Vol. 12). “(DNSSEC) are a set of Internet Engineering Task Force (IETF) standards created to address vulnerabilities in the Domain Name System (DNS) and protect it from online threats” (Miorandi). The location of domain names and the mapping of those domains to IP addresses are controlled by the DNS protocol (Weber Vol. 12). When it was originally designed, DNS did not determine the authenticity of domain data and had no authorization methodology (Weber “New security…”). This was a major security issue in early Internet systems. Hence, DNSSEC was developed by the IETF to try to mitigate these security threats (Weber 2013). DNSSEC offers integrity of data, authentication of origin, and authenticated denial of existence.
The second popular privacy method is Private Information Retrieval, or PIR. PIR allows a user to discreetly access information in a database (Weber Vol. 12). If a user needs to access information on the server, the owner of the database will be notified but will not know what data the user selected to access (Weber Vol. 12). In any healthcare data system, PIR is used to maintain the medical privacy of the patients (Weber Vol. 12). PIR is client oriented (it is important to note that “client” does not refer to the client/server dualism that has been established in previous papers) and hence does not protect the privacy of the owner (Weber Vol. 12). This was a major weakness in the PIR protocol, and it led to the development of SPIR, or Strong Private Information Retrieval, a couple of years later (Weber Vol. 12). SPIR requires the client themselves to know something about the data they are trying to acquire from the database (Weber Vol. 12). This would protect against hackers and other security threats that are trying to access the database anonymously under the pretense of a common user.
Finally, Peer-to-Peer (P2P) systems are a common way to maintain privacy integrity in IoT systems (Miorandi). P2P is a way for devices to interface without being connected to an outside server. It’s essentially a closed LAN, or Local Area Network (Miorandi). P2P systems are entirely local and on-site, and typically devices are connected via USB (Universal Serial Bus) or via copper wires. This way, the system is completely protected from outside threats. Hospitals often employ P2P in their on-site computers because those computers often do not need to access the outside Internet, but rather just need access to the hospital database (Miorandi).
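An added illustration of the PIR property described above, where the database side sees a request but not which record was wanted. It is not taken from the cited sources; it uses the classic two-server XOR construction and assumes two replicas of the database that do not collude. The `Server` class, `RECORDS` and the function names are hypothetical.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    """One replica of the database; it only ever sees a bit-mask query."""
    def __init__(self, records):
        self.records = records
        self.seen = []  # queries observed, kept to show what a server learns

    def answer(self, mask):
        # The server is "notified" of a request, but the mask alone is a
        # uniformly random bit string and reveals nothing about the index.
        self.seen.append(mask)
        out = bytes(len(self.records[0]))
        for bit, rec in zip(mask, self.records):
            if bit:
                out = xor_bytes(out, rec)
        return out

def make_queries(n, index):
    """Random mask for server A; the same mask with bit `index` flipped for B."""
    mask_a = [secrets.randbelow(2) for _ in range(n)]
    mask_b = list(mask_a)
    mask_b[index] ^= 1
    return mask_a, mask_b

def retrieve(server_a, server_b, index):
    """Client side: every record except `index` cancels out in the XOR."""
    mask_a, mask_b = make_queries(len(server_a.records), index)
    return xor_bytes(server_a.answer(mask_a), server_b.answer(mask_b))

# Constructed sample database of fixed-width records (assumption: equal length).
RECORDS = [b"rec-0:aaaa", b"rec-1:bbbb", b"rec-2:cccc", b"rec-3:dddd"]

if __name__ == "__main__":
    a, b = Server(RECORDS), Server(RECORDS)
    print(retrieve(a, b, 2))   # the client recovers record 2
    print(a.seen[0])           # all that server A observed
```

The privacy guarantee holds only while the two servers do not compare the masks they received; the two masks differ in exactly the requested position.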
Regulators need to make IoT one of their main focuses when thinking about technology regulation (Weber Vol. 12). While the IEEE defines standards to make designing these systems easier, there are currently no special laws, acts, or commissions that deal specifically with the Internet of Things. IoT has been named consistently as one of the main driving forces of the technology sector in the coming decades (Weber Vol. 12). Due to the expected prevalence of this technology, regulators need to take this far more seriously. The European Commission took the first step in 2009 when it released a communiqué detailing the challenges it thought the government would face in trying to regulate IoT. The six areas of main concern were: “object naming, the authority responsible for assigning the identifier, ways to find information about the object, how information security is ensured, the ethical and legal framework of IoT, and control mechanisms” (European Commission). Unfortunately, not many steps have been taken since this report to regulate IoT systems. Lawmakers who are aware of IoT often suggest Virtual Private Networks (VPN) as a great way to ensure private networks (Weber Vol. 12). A VPN is created by using dedicated connections, particular tunneling protocols, and encryption services to create a point-to-point connection between the client and the server (Weber Vol. 12). This allows users to send and receive data across public networks (Weber Vol. 12). The advantage of a VPN is that it allows scalability while protecting privacy (Weber Vol. 12). Without a VPN, devices that are geographically far from their host network would have to connect through public networks (Weber Vol. 12). VPN is useful for working remotely. If a company wants to keep a closed network of devices, but an employee has to commute, they will still be able to access the closed network securely. This could potentially cause a data leak.
The free flow of ideas is crucial in the software and electronics development world (Weber 2013). Weber argues that mercantilism and special trade agreements among powerful countries limit the contribution of software developers in less-developed countries (LDCs) as well as the proliferation of sophisticated technology in those countries (Weber 2013).
Technically, the engagement of LDCs in the global IoT marketplace is not limited by law, but it is limited by practicality (Weber 2013). IoT-capable technology is expensive, and hence only available to the rich few in LDCs. Improvements in technology depend on open-source, accessible technologies that thousands of people can build on. This is just not possible with current expenses. Technology companies investing or setting up branches in these countries would help the situation. Turnover in technology is increasing at an exponential rate. Products often become obsolete in a matter of months. Because of this, one could argue that regulations by law vastly inhibit the speed at which technology can be developed and produced. If restrictions were removed, perhaps IoT systems would be more common in our everyday lives and accessible to more people. While Weber does agree that this is true, he argues that this is an idealistic view of the real world. While companies employing IoT systems have generally not been caught in unfair or unethical practices, it is still unlikely that self-regulation would lead to more responsible practices. Perhaps these companies have been caught due to IoT’s young age as a concept and implementable business plan. Perhaps, when technology becomes advanced enough, businesses can employ automated self-regulatory practices implemented by the government but run autonomously in the IoT system itself. At this point, however, technology just isn’t there yet.
Weber calls for a new international body specifically for IoT to dictate regulations and law for cross-country networks and domestic networks. There are many advantages to having a global regulator. It could set international standards to allow systems from different countries to successfully interface with each other (similar to how the IEEE sets wireless standards for different communication protocols like WiFi, Bluetooth, and FM radio), it could create new research initiatives employing people around the globe, and finally it could implement a high standard of privacy and security to ensure that consumers are comfortable employing IoT systems in their businesses or in their everyday lives. As I explained before, the IEEE does set standards, which is a pseudo-regulation. Companies have no choice but to abide by IEEE standards; otherwise protocols would run on different frequencies, there would be different media ports on devices, and nothing would work with anything (Miorandi et al.). If the IEEE sets a standard, companies will follow it. However, in terms of safety, privacy, and security, it is just not possible for companies to be regulated by anything but the law.
Developers focusing on the Internet of Things must focus on privacy and security. The tools to make this happen already exist; they just have to be implemented. An international regulator would help make this happen.
Works Cited
- European Commission. (2009, September 22). Internet of Things. Retrieved November 1, 2016, from http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=URISERV:si0009
- Miorandi, D., Sicari, S., De Pellegrini, F., & Chlamtac, I. (2012). Internet of things: Vision, applications and research challenges. Ad Hoc Networks, 10(7), 1497-1516.
- Weber, R. H. (2010). Internet of Things–New security and privacy challenges. Computer Law & Security Review, 26(1), 23-30.
- Weber, R. H., & Weber, R. (2010). Internet of Things (Vol. 12). New York, NY, USA: Springer.
- Weber, R. H. (2013). Internet of things–governance quo vadis?. Computer Law & Security Review, 29(4), 341-347.