Complying with Privacy Regulations: Not Easy for IoT Solution Providers
Security and privacy in a world with an increasing number of connected things have become more complex and challenging than ever. With new regulations being passed in the EU, US, Asia and every other region in the world, IoT industry participants are being tasked with ensuring that everything from their devices and applications to their transmission networks and clouds complies with the law wherever they or their distribution partners do business.
For example, the Federal Trade Commission in the U.S. continues to send comments to the Department of Commerce, outlining concerns about the security and privacy of connected and embedded devices, saying “these devices also create new opportunities for unauthorized persons to exploit vulnerabilities.”
FTC staff members wrote that there are many benefits offered by IoT devices, including connected cars, smart parking meters, connected health devices and more, but that even with these benefits, privacy and security risks are present and must be mitigated.
One of the key security problems researchers have cited with IoT devices is the impracticality of updating them when vulnerabilities are discovered. Installing new firmware on light bulbs or refrigerators is not something most consumers are used to, and many manufacturers haven’t contemplated those processes either. The FTC said the lack of available updates is a serious problem for consumers and the businesses who serve them.
“Although similar risks exist with traditional computers and computer networks, they may be heightened in the IoT, in part because many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. As a result, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices. Moreover, it may be difficult or impossible to apply updates to certain devices,” the FTC filing said. “IoT devices are capable of collecting, transmitting, and sharing highly sensitive information.”
The commission staff also cites bugs in medical devices or connected vehicles as potential risks to physical safety for users, as many connected devices collect information about their usage, environments, and users, which some providers may use for marketing and other programs.
“In one FTC analysis, staff found the presence of numerous third parties in apps connected to IoT health and fitness wearable devices. A number of those third parties collected data such as persistent device identifiers, workout routines, eating habits, length of walking stride, medical search histories, zip code, gender, and geolocation,” the FTC comments say.
“As this analysis demonstrates, IoT devices are capable of collecting, transmitting, and sharing highly sensitive information about consumers’ bodies and habits. These privacy implications may increase if consumers’ health routines, dietary habits, and medical searches are combined with offline sources and across devices.”
That data collection, some of which is done without users’ real knowledge of its purposes, is one of the main concerns that privacy advocates and security researchers have raised with IoT devices. The FTC staff said the IoT presents vendors and data aggregators with a prime opportunity, but cautioned that they must consider building security into devices and systems from the beginning, including oversight of downstream vendor contracts on data collection and privacy.
DeviceTone and CloudSwitch
When building a global IoT solution, providers must adhere to different laws, regulations and standards, which may be overlapping or sometimes contradictory. There is, however, one general principle that exists in most privacy laws and regulations: requirements about the specific geographic locations where personal data may be stored. Some countries have taken this to the extreme and require that no personal data be stored outside their physical boundaries (for example China and Russia, with indications this may also transpire in India).
Some put limitations and specific requirements on cross border data transfer, seen most prominently in GDPR.
These regulations are creating “data islands”, which are challenging when designing data gathering from our IoT devices, since the data from each source must be stored in a location that is allowed by the relevant law, based on the geographic location of the device.
A major architectural decision we made in developing our CloudSwitch was decoupling our management channel from our IoT data channel. The decoupling process enables us to be more flexible when designing our topology for global customers.
Once those channels were separated, we engineered our data channel to handle two specific requirements:
- allowing our customers or partners to choose which cloud provider to point our IoT data channel to, and
- allowing them to choose the geographic location.
We knew that with a flexible enough topology we could offer our customers and partners a unique and powerful feature: the ability to decide, in real time, for each IoT device where to store its operational data. We will elaborate on this further in a future post.
CloudSwitch is a software agent running on each IoT device that we manage. CloudSwitch supports all the large cloud providers (i.e. AWS, Azure, GCP), and through DeviceTone manager, administrators can decide, for each IoT device or group of devices, in which geographic location of that provider data should be stored.
Behind the scenes, CloudSwitch is made up of unique drivers that interact with the IoT APIs of the large providers, so that our global customers can work with any provider and store data at any geographic location based on their operational and compliance requirements. While the solution might sound obvious, there are enormous engineering challenges in programming one layer to support the variety of providers, IoT devices and APIs out there. This is the strength of CloudSwitch: it takes the load off the IoT provider and puts it on DeviceTone manager.
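The per-device placement decision described above can be guarded by a residency check that denies anything it cannot positively match to a rule. The following is an added sketch, not DeviceTone or CloudSwitch code: the `Device` type, the function names and the policy table are assumptions, and the rules are constructed and simplified for illustration.

```python
from dataclasses import dataclass

# Constructed policy data for illustration only.
# Device country -> countries where its operational data may be stored.
EEA_SUBSET = frozenset({"DE", "NL", "IE", "FR"})  # simplified stand-in for GDPR transfer limits
ALLOWED_STORAGE = {
    "CN": frozenset({"CN"}),  # in-country storage only
    "RU": frozenset({"RU"}),  # in-country storage only
    "DE": EEA_SUBSET,
    "FR": EEA_SUBSET,
    "US": frozenset({"US"}) | EEA_SUBSET,
}

# (provider, region) -> country that hosts the region.
REGION_COUNTRY = {
    ("aws", "eu-central-1"): "DE",
    ("aws", "us-east-1"): "US",
    ("aws", "cn-north-1"): "CN",
    ("azure", "westeurope"): "NL",
    ("gcp", "europe-west3"): "DE",
    ("gcp", "us-central1"): "US",
}

@dataclass(frozen=True)
class Device:
    device_id: str
    country: str  # ISO 3166-1 alpha-2 code of where the device is deployed

def check_target(device, provider, region):
    """Return (allowed, reason). Unknown countries and regions are denied (fail closed)."""
    allowed = ALLOWED_STORAGE.get(device.country)
    if allowed is None:
        return False, f"no residency rule for country {device.country}"
    hosted_in = REGION_COUNTRY.get((provider, region))
    if hosted_in is None:
        return False, f"unknown region {provider}/{region}"
    if hosted_in not in allowed:
        return False, f"{provider}/{region} is in {hosted_in}, not permitted for {device.country}"
    return True, f"{provider}/{region} is in {hosted_in}"

def audit_group(devices, provider, region):
    """Check one data-channel target against a device group; return {device_id: reason} for violations."""
    results = ((d.device_id, check_target(d, provider, region)) for d in devices)
    return {dev_id: reason for dev_id, (ok, reason) in results if not ok}

# Constructed sample fleet: pointing the whole group at one region flags two devices.
FLEET = [Device("meter-01", "DE"), Device("meter-02", "RU"),
         Device("meter-03", "US"), Device("meter-04", "BR")]
```

Running `audit_group(FLEET, "gcp", "europe-west3")` flags `meter-02` (in-country rule) and `meter-04` (no rule defined), which is why group-level assignments need a per-device check before the data channel is repointed.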
Legislation and regulation will shape how IoT adoption proceeds in the next couple of years. IoT providers must plan carefully to make sure they comply with challenging and complex regulations and laws, using platforms that are flexible enough that compliance does not become more complicated.