Internet of Things – New security and privacy challenges

From Wiki IoT
Jump to: navigation, search

WEBER R.H., Internet of Things – New security and privacy challenges, Computer Law & Security Review, i. 26, January 2010, 23

Type Article
Abstract The Internet of Things, an emerging global Internet-based technical architecture facilitating the exchange of goods and services in global supply chain networks has an impact on the security and privacy of the involved stakeholders. Measures ensuring the architecture’s resilience to attacks, data authentication, access control and client privacy need to be established. An adequate legal framework must take the underlying technology into account and would best be established by an international legislator, which is supplemented by the private sector according to specific needs and thereby becomes easily adjustable. The contents of the respective legislation must encompass the right to information, provisions prohibiting or restricting the use of mechanisms of the Internet of Things, rules on IT-security-legislation, provisions supporting the use of mechanisms of the Internet of Things and the establishment of a task force doing research on the legal challenges of the IoT.
Topics Data Protection, Security, Information Security, Technology


The IoT has an impact on security and privacy of the involved stakeholders.

IoT = an emerging global Internet-based information architecture facilitating the exchange of goods and services in global supply chain networks.

The IoT architecture is based on data communication tools:

  • RFID-tagged items (Radio-Frequency Identification): physical objects carrying RFID tags (RFID is a technology used to identify, track and locate assets; the universal, unique identification of individual items through the EPC is encoded in an inexpensive RFID tag)
  • EPC (Electronic Product Code): there is a unique EPC for each smart object
  • EPCIS (EPC Information Services)
  • ONS (Object Naming Service, based on the Domain Name System, DNS): it helps to make available over the Internet information about RFID-tagged products

Thanks to this architecture that makes smart objects uniquely identified, ubiquitous computing is possible: indeed, smart environments can recognize and identify objects, and receive information from the Internet about them.

Privacy includes the concealment of personal information an d the ability to control what happens with this information (transparency).

RFID tags cause problems with privacy because their presence is often unknown by users, and, moreover, there is no acoustic or visual signal to draw user attention.

WEBER lists some Privacy enhancing technologies (PET) (–-> like the IBM Report, he speaks about peer-to-peer).

It is important for privacy to allow users to disable the RFID tags if they want.

Even if non-personally identifiable information can be collected without any restriction, transparency is nevertheless needed.

EC 2009 Recommendation about privacy and RFID: the EC invites Member States to realize a framework for the assessment of the RFID technologies impact on privacy and information security.

EU Data protection Directives: DIRECTIVE 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 99/5, DIRECTIVE 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.

Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions — Internet of Things: An action plan for Europe: it deals also with privacy and information security. It talks also about the “right to silence of the chips”, which is the right of individuals to disconnect from their networked environment at any time.

Is there a need for IoT architecture and RFID regulation? If it is, should it be a new regulation, or existing ones are sufficient? If new regulation is required, which kind of laws should be implemented?

The most important challenges to consider in answering these questions are:

  • Globality: products and services in an IoT context will be globally marketed and distributed
  • Verticality: RFID-tagged products should last long enough to use them in the supply chain until the final customer and further (e.g. for the waste management)
  • Ubiquity: the RFID-tagged environment encompasses people, animals, objects and plants
  • Technicity: complexity of the tag and of background devices

If various objects are put together to form a new thing, is it better to attribute this new object a new tag, or a multiplicity of tags is acceptable?

No regulation at all is not a real solution. National regulation doesn’t meet the globalization needs. Today, IoT regulation is for the most a self-regulation (less costly and more flexible than traditional regulation). Actually, it is a sort of co-regulation: the legislator provides for a general framework, and private parties substantiate it, creating a sort of soft law; the legislator may remain involved, monitoring and supervising the initiatives taken by the private parties. Unfortunately, these model doesn’t provide an enforcement strategy if compliance is not done voluntarily. So, we need an international regulation to set some pillars: customary rules are not ideal, because they require time to be set (and IoT moves too fast for them); the main legal source should be seen in the general principles of law (good will, equal treatment, fairness in business activities, legal validity of agreements, etc.). however, the specific problems with privacy and security, is that they are not seen in the same way in every legal system: this is why we need a framework established by an international legislator PLUS the details of the legal rules developed by the private sector.

If IoT is a new system, the realization of a new legislating can be logical, with the creation of a new body in order to take into account all the characteristics of the IoT. Alternatively, we should commit the IoT regulation task to an existing international organization.

These considerations about IoT governance in the field of privacy can be extended to IoT governance in general.

Future legislation concerning privacy and information security in the domain of IoT could have five different goals:

  • Right-to-know legislation: users should vibe informed of the existence of RFID tags, of the information collected by them and of the possibility to deactivate them.
  • Prohibition legislation: legislation which forbids or restricts the use of RFID in certain scenarios.
  • IT-security legislation: establishment of standards which should protect RFID technologies from data breach.
  • Utilization legislation: to support the use of RFID in certain scenarios.
  • Task-force legislation: to support the technical community to invest into the research.

Moreover, this legislation should consider products, animals, persons and aggregation of data. N.B. “Persons” should be also legal persons, not only individuals, notwithstanding the scope of the Data protection Directives.