On September 28, 2018, California approved a bill regulating the issues of privacy and security in one of the leading sectors of the technical industry – the Internet of Things (IoT). While progressive home appliance manufacturers talk about the magical benefits of a smart fridge, California law will regulate their “dark” side — the use and protection of data collected by IoT devices.
With rapid growth (according to forecasts, the total Internet of Things market will double by 2021 and reach 520 billion dollars worldwide), new challenges arise in this industry. The question remains whether to adopt separate legislation to regulate smart devices, as in California, for example, or to apply existing provisions of legislation on cybersecurity and personal data protection. One way or another, the production and provision of smart devices must take into account the specific features of information security.
What are smart devices and why does this industry need regulation?
In simple terms, a smart device is anything that is connected to the Internet and that collects data about its surroundings through its sensors. Accordingly, the Internet of Things is a network of smart devices that jointly collect and correlate data.
It is generally believed that the first IoT device was created in 1989 by American production engineer John Romkey. It was a toaster that could be turned on and off via the Internet. Nowadays, thanks to cheap microchips, smart devices are becoming commonplace in our daily lives. From now on, everything around us can be connected to the World Wide Web: our refrigerators, doorbells, speakers, vacuum cleaners and even sockets.
On the one hand, connecting devices to the Internet gives people all the benefits of the Internet in anything they use. It allows a significant part of the daily routine to be transferred to such devices, thanks to remote control and the data they collect. If necessary, your refrigerator may automatically order milk. The doorbell records any activity around your front door and sends it directly to the owner’s phone, using facial recognition to improve security. A smart speaker, or housework helper as it is called, such as Alexa, is connected to all the appliances and helps its owner manage the routine automatically and centrally, doing all the monotonous work for you. The only thing you have to do is adjust the IoT operation according to your daily schedule.
People used to think that the online world existed only inside computers and smartphones. Nowadays the situation is changing and the border between online and offline is blurred. Smart devices are becoming widespread inside our homes. Most of the time, connected home devices are turned on, sometimes without any way to disconnect them from the Internet. They collect data about people’s behavior and habits, process and analyze it, and send it to servers. When combined with other technologies, such as speech or face recognition, smart devices add value to data, which brings significant benefits.
Besides enabling customization for the user, devices provide their manufacturers with information that can be used to improve IoT performance. Data can also be shared with advertisers, allowing them to learn about users’ consumer preferences.
On the other hand, this convenience creates risks for end users that they may not even know about. Smart devices depend entirely on their Internet connection, the quality of their sensors, and the data they collect. In addition, IoT devices are designed in such a way that it is difficult to manually control or regulate their operation, unlike a classic PC or smartphone. This leads to two major problems with connected devices: cybersecurity, that is, protection against unauthorized access, and user privacy, that is, protection of the data collected about the user.
Cybersecurity, cyber threats, cyber attacks: all these categories exist in the invisible realm of people’s daily lives. That does not make cybersecurity any less important. Because everything is now connected to the Internet, the very nature of crime is changing. Fraudsters no longer need physical access to assets; they can simply steal them by gaining unauthorized access through an online connection. As cybersecurity experts say, no system is safe. This is easy to confirm by reviewing the latest cybersecurity news: there are many data breaches every day, from the infamous leaks at Facebook to the Pentagon data breach.
Since smart devices are connected to the Internet, they are no exception when it comes to hacks. Moreover, the situation is made worse because users regard a smart device as an ordinary home appliance and forget about simple computer security measures. The same applies to IoT device manufacturers: because of the devices’ limited functionality, they usually decide not to comply with the relevant security standards.
As a result, the security threshold for accessing such devices is low, allowing anyone with a basic knowledge of network security to interfere with their operation. According to surveys, most professionals working in the IoT industry (more than three-quarters of respondents) believe that their devices will be hacked in the next two years. The number may be even higher if we count those who do not know the risks or do not want to admit to data leaks.
The consequences of unauthorized access can be divided into two categories. The first category is related to the possibility of remote control of connected devices. Because passwords are simple (e.g. “pass1234” or “12345678”) or absent, or because the level of cybersecurity is low, it is relatively easy to gain control of an IoT device. Further actions are completely at the discretion of the hackers. For example, in 2016, cybercriminals shut down the entire temperature and pressure control system in a residential building in Finland. As a result, residents were left without water for an entire week, simply due to the lack of basic firewall protection.
An example of the risks of weak default passwords was the BrickerBot attack in 2017. The BrickerBot malware could connect to any IoT device with a default name and password, which are easy to find on the Internet, and simply “destroy” the device. The malware caused so much damage to the devices that complete hardware replacement was required.
The second category of risk is related to large-scale data collection by smart devices. This data can be extremely valuable to cybercriminals: security arrangements, geolocation data or a user’s daily habits often provide key information for planning a sophisticated fraud. There is no need to collect it legally, as one can just connect to an IoT device and take whatever is needed. For example, last spring, hackers stole a database of casino bets by connecting to a thermometer in the casino lobby. The more vulnerabilities an IoT system has, the more available its data are.
As a result, we currently observe a gap in the regulation of IoT production. Existing cybersecurity laws address only certain aspects of smart device use, such as personal data protection or the provision of key public services (such as the energy or telecommunications sector). So far, there are no separate regulations on IoT such as the one California law provides. However, as numerous cyber attacks on smart devices have proven, a minimum level of security needs to be established, including requirements for passwords, firewalls, and other security methods.
Personal data protection
Speaking of data, the use of smart devices in people’s daily lives significantly expands the collection of our personal data. Fitness trackers, smart toys, automatic vehicles and all the other things in our personal use collect large amounts of information about us. In fact, connected devices may collect data about us 24/7, often without our knowledge and consent. Moreover, in most cases such extensive data collection is not required to provide a device’s functionality.
In accordance with modern data protection regulations, such as the European General Data Protection Regulation (GDPR), the collection and further use of personal data are subject to strict requirements. To obtain data legally, the IoT provider must provide an appropriate level of user privacy. This includes the obligation to inform users about the collection of their personal information, to obtain consent in certain cases, the obligation to minimize data, the cybersecurity measures mentioned above, and much more. User privacy should literally be implemented “in design”, with data protection considered at the earliest stages of development. Unfortunately, the design of smart devices rarely takes personal data protection into account.
Most IoT devices are designed so that they can only receive information without providing it. Because of this, IoT providers, intentionally or not, do not inform users about their data collection. Consequently, users do not know who processes the data, how it is used, which third parties have access to it and how they can exercise their information rights. In addition, IoT providers do not care about obtaining consent to the use of data relating to our health or, for example, to our beliefs. In such cases, however, consent is the primary, and commonly the only, legal basis for processing.
Accordingly, our personal data are collected without our knowledge, by default, and without guarantees of their safety. This situation allows data controllers to use the collected information in any way. Cases of data abuse are frequent enough: from creating social profiles of the electorate and selling them to political parties, to selling financial data to data brokers. Although these cases do not involve data collected through IoT, the same scheme applies to them.
Another important issue to consider is the lack of minimization of the data collected by IoT devices. The principle of “data minimization” means that a company can only collect the data necessary to ensure a device’s functionality. Any data collection that is not related to the provision of the device’s functions is prohibited.
As a recent example, the principle of “minimization” was publicly applied by the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). On November 20, 2017, CNIL sent an official warning to a company using speech recognition technology in toys. The smart toys were equipped with a microphone and a speaker and were connected to a mobile application. To recognize a child’s speech, the toy sent recordings of conversations to servers in China, where they were processed by a special program, without any security guarantees. Collecting such large amounts of data through a child’s toy did not comply with the principle of “minimization”, especially given the absence of security measures. There was no need to send data to China to provide the toy’s functionality.
Moreover, anyone with Bluetooth on their device could connect to the toy and listen to and record conversations between the child and the toy, or any conversation that happened nearby. This feature of the toy contradicts the above-mentioned practices of devices’ cyber protection.
After receiving the official warning, the company implemented appropriate measures. Toys imported to France are no longer equipped with speech recognition technology, and data are not sent to the server. Consequently, the company no longer “processes data” within the meaning of personal data protection legislation.
As a result, the CNIL completed its investigation on July 20, 2018. Despite this, the company has not solved the problem of unprotected access to the toy via Bluetooth. The issue was referred for further consideration to the French regulatory body for consumer protection.
Oddly enough, one of the first penalties for violating the European GDPR was also imposed in connection with the principle of data minimization. An Austrian businessman installed a video surveillance camera in front of his office. The camera also recorded most of the sidewalk. Unfortunately for the entrepreneur, the Austrian Supervisory Authority considered that even a recording of the street in front of the office is large-scale monitoring of public places. In combination with the absence of public notice of street video recording via CCTV, such use of cameras does not comply with the Austrian personal data protection law. Therefore, the Austrian authority imposed a fine in the amount of 4800€. In order to comply with data protection requirements, the company may only collect the minimum information necessary for its purposes in a clear and transparent manner.
What measures should be taken to meet legislation requirements?
As mentioned above, we are not used to considering home appliances as targets of cybersecurity threats. Consequently, IoT providers typically do not include adequate technical and organizational safeguards against cyber threats and especially privacy breaches. Moreover, intentionally or not, they also violate user privacy.
However, with the advent of specific regulation of IoT production and strict rules of personal data protection, the situation is unlikely to stay the same. To ensure the security of smart devices, the main steps should be as follows:
- Transparency — notification of data collection and its further processing should be provided to each end user before (or at the time) the device starts collecting data;
- Consent — if necessary, for example, when processing sensitive data or using data for advertising purposes, the IoT provider must first obtain specific consent from the user;
- Minimization – although it is sometimes difficult to maintain, the owner of the device/provider is allowed to collect and process only the data necessary for the device’s functionality;
- Security and restricted access — last but not least — IoT devices must be protected by technical measures against unauthorized access, such as secure connections, firewalls, and passwords. Access to collected data should be limited only to those employees who support the device operation.
Vladislav Nekrutenko, a lawyer of Technology, Media and Telecom Practice at Juscutum Law Firm.