Complying with Privacy Regulations: Not Easy for IoT Solution Providers
Security and privacy in a world of an increasing number of connected things has become more complex and challenging than ever. With new regulations being passed in the EU, US, Asia and every other region in the world, IoT industry participants are being tasked with ensuring everything from their devices and applications to their transmission networks and clouds comply with laws wherever they or their distribution partners do business.
For example, the Federal Trade Commission earlier this year sent comments to the Department of Commerce, outlining a list of concerns about the security and privacy of connected and embedded devices, saying “these devices also create new opportunities for unauthorized persons to exploit vulnerabilities.”
FTC staff members wrote that there are many benefits offered by IoT devices, including connected cars, smart parking meters, connected health devices and more, but that even with these benefits, privacy and security risks are present and must be mitigated.
One of the key security problems researchers have cited with IoT devices is the impracticality of updating them when vulnerabilities are discovered. Installing new firmware on light bulbs or refrigerators is not something most consumers are used to, and many manufacturers haven’t contemplated those processes either. The FTC said the lack of available updates is a serious problem for consumers and the businesses who serve them.
“Although similar risks exist with traditional computers and computer networks, they may be heightened in the IoT, in part because many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. As a result, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices. Moreover, it may be difficult or impossible to apply updates to certain devices,” the FTC filing said. “IoT devices are capable of collecting, transmitting, and sharing highly sensitive information.”
The commission staff also cites bugs in medical devices or connected vehicles as potential risks to physical safety for users, as many connected devices collect information about their usage, environments, and users, which some providers may use for marketing and other programs.
“In one FTC analysis, staff found the presence of numerous third parties in apps connected to IoT health and fitness wearable devices. A number of those third parties collected data such as persistent device identifiers, workout routines, eating habits, length of walking stride, medical search histories, zip code, gender, and geolocation,” the FTC comments say.
“As this analysis demonstrates, IoT devices are capable of collecting, transmitting, and sharing highly sensitive information about consumers’ bodies and habits. These privacy implications may increase if consumers’ health routines, dietary habits, and medical searches are combined with offline sources and across devices.”
That data collection–some of which is done without users’ real knowledge of its purposes–is one of the main concerns that privacy advocates and security researchers have raised with IoT devices. The FTC staff said the IoT presents vendors and data aggregators with a prime opportunity, but cautioned that they must consider building security into devices and systems from the beginning, including oversight of downstream vendor contracts on data collection and privacy.
DeviceTone and CloudSwitch™
When building a global IoT solution, providers must adhere to different laws, regulation and standards which may be overlapping or sometimes contradicting. There is, however, one general principle that exists in most privacy laws and regulations: requirements for specific geographic locations to store personal data. Some countries have taken this to the extreme and require that no personal data will be stored outside their physical boundaries (for example China and Russia, with indications this may also transpire in India).
Some put limitations and specific requirements on cross border data transfer, seen most prominently in GDPR.
These regulations are creating “data Islands” which are challenging when designing the data gathering from our IOT devices since each data source must be stored in the location that is allowed by the relevant law, based on the geographic location of the device.
A major architectural decision we made as part of developing CloudSwitch™ was decoupling our management/control channel from the IoT data channel. The decoupling process enables us to be more flexible when designing our topology for global customers.
Once those channels were separated, we engineered the data channel to handle two specific requirements:
- Allowing our customers or partners to choose which cloud provider to stream IoT data to, and
- allowing them to choose the geographic location of the data cloud
We knew that with flexible enough topology we could offer our customers and partners a unique and powerful feature: the ability to decide, in real time, for each IoT device where to store its operational data,.
We will elaborate on this further in a future post.
CloudSwitch™ is a module inside DeviceTone. It runs on IoT devices that we manage. CloudSwitch™ supports the leading IoT Cloud providers (i.e. AWS IoT, Azure IoT, GCP) and through DeviceTone cloud-based manager, administrators can decide, for each IoT device or group of devices, to which geographic location of that provider data should be streamed.
Behind the scenes, CloudSwitch is made from unique drivers that interact with the corresponding IoT Cloud APIs and enables us to make sure that our global customers can work with any provider and store data at any geographic location based on their operational and compliance requirements. While the solution might sound obvious, there are enormous engineering challenges when trying to program one layer to support the variety of providers, IoT devices and APIs out there.
Legislation and regulation will shape how IoT adoption will proceed in the next couple of years. IoT technology providers must carefully plan ahead to make sure that challenging and complex regulations and laws are mitigated with platforms that are flexible enough to make sure compliance will not become more complicated.