Industry Urges EC Not to Set New Rules for Internet of Things

The EC questionnaire on how to unleash the benefits of the IoT asks about real and potential concerns, but seeks simple answers that don’t elicit input about the technology’s societal advantages, the EABC said. It’s concerned that the EC desire to make easily processed forms could lead to skewed findings and policy guidance, it said.

The suggestion that the IoT needs unique rules to safeguard privacy and security is “counterproductive” not only to promoting growth and innovation, but also to possible mutual recognition of basic principles among EU and U.S. privacy frameworks, the EABC said. Privacy and security should and will be considered at the beginning of the design phase when IoT systems are being built, it said. Industry-led controls can cut the risk of unauthorized modifications to data in transit, and the idea of “privacy by design” should by explored to encourage industry to find appropriate security requirements for specific applications, it said. To address IoT privacy concerns, existing EU principles of “proportionality” and “transparency” should be applied, it said. People should be given reasonable and appropriate notice of the type of data being collected and how it will be used and shared, it said.

The EU draft data protection regulation, which will replace the existing directive, sufficiently addresses IoT privacy concerns, DigitalEurope and TechAmerica Europe said in a joint response. Imposing IoT-specific rules will not only be overburdensome and confusing, but will run the risk of not keeping pace and becoming quickly outdated, they said. Privacy by design should be mandated, and data privacy impact assessments could also play a role if they're not too prescriptive, they said. But a detailed, one-size-fits-all approach to administrative requirements won’t work, they said. Security should be considered upfront when IoT architectures are designed, they said. Strong network controls within hardware, coupled with source authentication, can lower the risk of unauthorized changes to data in transit, they said.

IoT applications can’t operate under an explicit consent privacy regime, the European Telecommunications Network Operators’ Association (ETNO) said. It urged the EC to find another way to handle privacy concerns, such as contextual consent based on the nature of an application, or informed consent with an opt-out system. User empowerment should be the overall objective, it said.

Policymakers and industry should promote interoperability based on open, industry-scrutinized standards among IoT devices and technology, while also balancing security worries, DigitalEurope and TechAmerica Europe said. But “we do not advocate new regulation in the realm of critical infrastructure protection,” although there should be compliance incentives, they said. Interoperability must be a dedicated policy goal, with global, voluntary, industry-driven standards, they said.

IoT governance should be as generic as possible, while ensuring that it can respond effectively to regional or local needs, ETNO said. But it’s more important at this early stage to have global coordination and an exchange of ideas that leads to adoption of best practices to spur innovation and rapid progress, it said. Governments and industry should define the guidelines and expectations for IoT operators, said the EABC. The ITU is not the place for IoT governance, it said. That should be handled via the multistakeholder process taking place in the Internet Governance Forum, it said.

On the issue of net neutrality, ETNO said, future services associated with IoT applications will be based on traffic prioritization techniques and will probably need different quality-of-service levels adapted to customer demands. Any regulation that hampers the implementation of those techniques will hurt IoT development, it said.

The EABC urged the EC to look at the broader picture of the IoT. Its premise is based on assumptions that aren’t the most likely deployment scenario, it said. While most, if not all, items may in the future be “tagged” in some way and readable, “we find it less likely that they will be directly linked to the Internet,” it said. For example, a soda vending machine may contain cans with some form of tagging or way of being machine-read, but they don’t need to be connected to the Internet, it said. The vending machine, however, may have an IP address and connectivity to be able to provide information on service requirements, inventory and the like, it said. Internet connectivity will be via machines and appliances, but individual tagged items are more likely to be read in local area networks which may be connected by machine or device to the Internet, it said.

Similarly, the broader context of the IoT and cloud must be considered, the EABC said. They're complementary elements on a continuum, interrelated technologies, it said. Policy, regulatory and self-regulatory approaches must reflect that relationship and ensure that differential treatment of related technologies doesn’t create administrative headaches, it said. The IoT must be considered as a continuum of Internet connectivity to which things, people and even animals may all be tied, it said. Narrow, technology-specific EU regulations or mandates on the type of acceptable IoT technology will stifle innovation and competitiveness, and the EC should focus more on making privacy regimes interoperable than on regulating IoT technology, it said.

The EC received 604 responses to its inquiry, Digital Agenda Commissioner Neelie Kroes’ spokesman told us. In addition to ETNO, EABC, DigitalEurope and TechAmerica Europe, Deutsche Telekom, Vodafone, Telecom Italia and Radio Frequency Identification in Europe, among others, submitted comments, he said. There were twice as many international respondents as European and national, including from the U.S., Australia, China, Canada, Brazil and Japan, he said.

IPv6 Best for IoT?

When networking capabilities are embedded in “things,” architectural decisions must be made to guarantee that the IoT is scalable, secure, futureproof and viable for businesses and end users, the IPv6 Forum’s Ladid said in a paper on the IoT based on IPv6. There are several possible models -- closed or proprietary architectures or some entirely new way to handle the IoT -- but the best way is the IP way, he wrote.

The TCP/IP model isn’t perfect but it can be deployed on a very large scale -- the Internet -- and can be centralized or distributed, he said. It’s versatile enough to handle all types of traffic, including critical services such a voice and video, and is extensively interoperable over most available standard network links such as Wi-Fi, 3G and Ethernet, he said.

IP standards are developed by an open process through the Internet Engineering Task Force and other standards bodies, Ladid said. The technology is being futureproofed via the adoption of IPv6, he said. Established application-level data models and services are well understood by software developers and widely known to the public through Web applications, he said. There are also established network services for higher-level services such as naming, addressing and routing, he said.

If IP is the right architectural model, IPv6 is the right IP version, Ladid said. Among other things, it offers an address space huge enough to accommodate millions of deployed “things” and is the future IP addressing standard, he said. If TCP/IP architecture is adopted for the IoT, all the lessons learned from years spent securing private and public IP infrastructures will apply to the new environment, he said.

Some think the “Internet” concept lacks security and privacy, but they are a many-faceted challenge, Ladid said. As with any device attached to a network, owners and network managers must address issues such as securing physical access to a thing, authenticating a data link, network and application access, and encrypting data on data and network links when necessary, he said. Moreover, connecting things to an IP environment means that all the network designs and policies already defined for intranet or Internet access will apply to the additional subnets hosting the things, he said. On day one, authentication, access control, firewall and intrusion detection mechanisms should be fully operational for the IoT, he said.

The IoT is no more than an additional layer of devices connecting to the Internet, but they don’t have to be fully reachable over the Internet, Ladid said. It’s up to a device owner or network manager to decide if a thing will fully participate in the Internet or stay isolated on an intranet, he said. When things are fully reachable on the Internet, it’s still important to decide who can communicate with them, he said. Once again, similar mechanisms and policies already in place for intranet and Internet access apply, he said. But additional standards may be needed for new business models and usages benefiting from the IoT, he said.

IoT success will largely depend on the availability of apps and services, Ladid wrote. Akin to the Internet, traffic flows are likely to range from “things” to backend servers; “things” to end-user browsers; and “things to things,” he said. There must be a standardized naming service for the IoT, he said. But considering the range of traffic flow, naming mechanisms must accept name/address resolution for all kinds of communications, he said. “It cannot be envisaged that an ‘Internet of Things’ naming service would be established disconnected from the existing” domain name system, he said.

But the “multi-million dollar question” is what naming system is best for the IoT, Ladid told us. The DNS itself isn’t good from a business point of view because it’s far too expensive for “zillions” of IoT objects, Ladid said. Nor would a naming system such as the electronic product code used for radio frequency identification work because it’s also too pricey, he said. However, the Handle System (http://xrl.us/bng6u6), used by many libraries around the world, would work from a business perspective, he said. Handle is an infrastructure on which applications serving many different purposes have been built, its website says. Items identified by “handles” include journal articles, books, government documents, metadata and digital watermarking applications, it says.