Current and upcoming IoT regulations
By Raffaella Aghemo on The Capital
Internet of Things and “Digital twins”
With the implementation of Artificial Intelligence, machine learning and decentralized and distributed systems, the need to look at the Internet of Things, IoT, a network of objects equipped with identification technologies, connected to each other, able to communicate, building a huge network of things, in which each one is traceable and identifiable, also increases. The phenomenon is not very new, as the answers, which are now sought through connected devices (defined as any device or other physical object capable of connecting to the Internet, directly or indirectly, to which an IP or Bluetooth address is assigned), have so far “simulated” through the so-called “digital twins”, defined as virtual models of things or physical processes. Through 3D models and simulation processes, digital replicas of a real object are adopted to study its actions and reactions. Today, with the adoption of sensors, through machine learning technologies and connected devices, it is possible to test, almost in real-time, the functioning of digital twins, to improve that of real processes.
According to a research developed by Gartner, 24% of organizations, which have IoT solutions in production, use digital twins; another 42% plan to use digital twins by 2022. The IoT market is expected to be worth $520 billion by 2023, implementing the digital twins market, which currently yields $15 billion.
As programmable software, the cufflink will serve as a test environment where modifications can be made, powering a predictive maintenance system, resulting in operational efficiency and improved product design. Certainly, the “dialogue” between this multitude of sensors and digital objects, also increases the complexity of this network, in full evolution, in which all emerging and disruptive technologies can and must integrate with each other! Not to mention the less technical, but purely legal, problems of privacy protection and defense of huge data sets, and security, or the ownership of digital twins and the intellectual property associated with them! It is the time of “product as a service” business models, i.e. the sale of solutions and results to customers, rather than tangible products, providing the real value of that tangible object, which will consist of efficient solutions tailored to the selected target audience.
IoT legislation in place
I had already talked about the entry into force of legislation aimed at ensuring the growth of these phenomena: first California, then Oregon. To the first, we owe SB 327, issued in 2018 but in force on January 1, 2020, the Internet of Things Security Law, which requires manufacturers who sell, or offer to sell, a connected device in California to provide the device with reasonable security features, i.e. adequate to the nature of the device, appropriate to the information collected and transmitted, which must be equipped with adequate protection against attack, manipulation, destruction or unauthorized disclosure (referring to NIST and ENISA recommendations).
After these two States, others have adapted, issuing IoT legislation: Illinois, Maryland, Vermont, Massachusetts, and Washington. They follow, more or less all of them, the trail drawn by Californian law, but with some minor differences.
For example, the state of Vermont rejects the requirement for reasonable security, while paying more attention to specific security features, including encryption for network communication functions, automatic security updates, complex passwords, vulnerability management, and a detailed privacy notice.
Massachusetts, on the other hand, focuses on privacy and cybersecurity.
Next IoT Regulations
On this side of the ocean, the UK, fresh out of “divorce” from the European Union, is preparing to regulate connected devices to align with US manufacturers, announcing that it intends to develop legislation to ensure that all intelligent consumer devices sold in the UK adhere to strict IoT safety requirements.
There will be three key points of focus for the new regulations to be enacted:
- All passwords for consumer IoT devices must be unique and cannot be reset to any universal factory setting;
- all manufacturers must report a public “point of contact” to which any anomalies can be reported and which is able to respond, in a timely manner, to the reminders received;
- all manufacturers shall clearly indicate the minimum time to receive the security updates provided to the devices in the stores.
The government seems to choose a gradual approach, without, for example, labelling, which could be a heavy burden for suppliers, but through the publication of a regulatory impact assessment, the final phase in mid-2020, which we expect will shed further light on the regulatory proposals.
Some forecasts suggest that by 2025 there will be around 75 billion devices connected to the Internet worldwide by 2025, and that, this year, ownership of smart devices could increase from 10 to 15 devices per household in the UK. According to the Government’s own website, more than 90 per cent of the 331 manufacturers supplying the UK market, examined in 2018, did not have a comprehensive vulnerability disclosure programme, says Matt Warman, Minister for Digital and Broadband, Department for Digital, Culture, Media, and Sport. Privacy by design and public consultations is the first step towards a connected but secure nation!
All Rights Reserved
Raffaella Aghemo, Lawyer
