
To Protect Privacy, IoT Regulations Must Have Consequences

With millions of people working from home during the COVID-19 pandemic, digital device privacy and security have become front of mind. Homes are doubling up as workplaces, and businesses are now exposed to the same privacy and security threats as consumers. Many of these threats concern Internet-connected devices, or the Internet of Things (IoT).

I have been advising people using collaboration and teleconferencing tools like Slack and Zoom, for example, to be very aware of their surroundings, including smart devices in the home. Because connected devices and virtual assistants such as Alexa and Siri could be listening, it is best practice to use a headset during video and audio conference calls to prevent others from hearing your conversations.

That is just the tip of the iceberg. IoT devices give us visibility and control over our home or office automation systems – the heating and cooling, the lighting, the energy costs, or the security of the buildings. Other devices monitor our health or work environments, generating vast amounts of sensor information.

How fast we walk, our heart rates, who we are interacting with: all of it traverses the Internet to third-party service providers with whom we knowingly or unknowingly share data. All these functions increase privacy and security risks. A smart light bulb is no longer something that you just turn on or off when you need it. That bulb is now generating information and can also be used as a stepping stone to more critical data.

Security and privacy by design

Some risks exist by design; others arise because the devices were never designed to be connected to the Internet, or are used in ways their designers did not foresee. They may be used in smart cities, critical infrastructure, and smart grids. And the more lightweight, high-speed connectivity we have (think about 5G for a moment), the more of these devices will be connected to the public domain.

It would be a lot easier for consumers and businesses to manage these risks if we could be confident that device manufacturers designed them from the ground up to meet stringent privacy and security standards. That’s not the case, however, because governments and the regulations governing devices are still catching up with the technology.

The Australian government’s recently released Draft Code of Practice for Securing the Internet of Things for Consumers, for example, illustrates the challenges that governments around the world face in regulating the technology industry to make connected devices more resilient to cyberattacks and to protect the privacy of personal information.

Whether such a code is effective depends on whether it is clearly enforced. Any code of practice or other regulatory regime without real penalties for non-compliance will allow manufacturers and service providers to continue to focus on ease of use at the expense of security and privacy best practices.

Serious consequences for failure

When device manufacturers focus on ease of use, privacy and security suffer. We end up making things too difficult for people. In the worst cases the use of devices must be limited in certain ways because security is not done by design; it is just bolted on at the end. Telling people to use a headset during conference calls is a great way to protect their privacy. But not everyone is going to do it; most people just want to do their jobs or get on with their lives.

The good news is that the Australian draft code of practice for IoT proposes a guide for what is expected from manufacturers and service providers. However, for it to be effective and make a difference, everyone must be held accountable and responsible. Ultimately, there must be serious consequences for failure to meet these principles.

The Australian initiatives are similar to those put forward in other jurisdictions such as the UK, the European Union, and the US. Other countries may be a little further ahead but not by much. Several are considering including a label on IoT or connected devices to make consumers aware of the risks. But honestly, I do not believe that leaving it up to people to make security and privacy decisions will be very effective, because whenever security or privacy gets in the way people just look for ways to get around it.

A foundation for the future

We have to focus on things that have a positive impact on people’s jobs and their lives and that help to reduce cyber fatigue. That means making IoT devices secure by design and not adding privacy or security as an afterthought which introduces complexity and makes them difficult to use. So, we need to find ways to change the perspective of manufacturers and service providers.

For IoT devices to be secure and private by design, all devices must be held to a minimum standard, just as cars are with seatbelts. For example, you should not be able to get cyber insurance if you install and use an IoT device that does not meet the minimum principles set out in the code of practice.

Any code of practice should clearly state that it is the foundation for future legal requirements for IoT devices and that manufacturers should start implementing these security and privacy principles today. Doing so should be a condition of continuing to sell into the market, with the alternative being future penalties or restrictions. That will make companies and manufacturers take it seriously and put in place the processes and checks needed to meet the code of practice.

While a voluntary code is absolutely not sufficient, it is a great starting point. The Australian government should be congratulated for taking a proactive approach to this critical challenge, continuing to make the country more resilient to cyber threats and increasing the digital safety and privacy of its citizens. Not only are the new initiatives very much welcomed by industry, they also put Australia at the forefront of global cybersecurity standards and set a good example for other countries in its region.