What would a regulated-IoT world look like?

The wildfire growth of IoT is arguably the most important trend happening in technology today, but the ease with which bad actors can exploit its manifold security vulnerabilities has been demonstrated many times in just the past couple of years.

Despite the generally laissez-faire stance the U.S. takes toward regulating technology companies, the severity of the threat – IoT security issues affect healthcare, infrastructure, transportation and many other crucial parts of society – has some calling for regulation of the IoT.

The hands-off approach

Given the speed at which technology, particularly around IoT, develops these days, from drawing board to prototype to production, plenty of people would argue that it’s impossible for a regulatory regime to keep pace.

According to James Waldo, a professor at Harvard’s Paulson School of Engineering and Applied Sciences and that department’s CTO, there’s little hope for a set of regulations that evolves along with the technology.

“The timescale by which regulation and legislation works is immensely different than the timescale that technology development works on,” he said. “The regulators tend to be reactive, and reactive to things that happened four or five years ago.”

That being the case, the simplest way to address many of the most grievous harms that insecure IoT systems can inflict is at a basic engineering level – it’s not unreasonable to expect devices produced today not to have unchangeable default passwords, nor to require them to be changed from the default by consumers once activated.

Nevertheless, current culture in the technology sector – including many of the brand-new entrants that are part of the IoT market, which is projected to reach 45.4 billion Internet-connectable devices by 2021, according to IHS Markit – is to get products out the door and into customers’ hands as quickly as possible.

This, of course, requires corners to be cut, and security is inevitably one of the first of those corners. Norman Sadeh, a professor of computer science at Carnegie Mellon University, said that the problem could well be exacerbated by the influx of new companies in the connected device market.

“IoT devices … aren’t just going to come from sophisticated vendors, but might also be developed by two guys in a garage,” he said. A couple of sensors, an Arduino or Raspberry Pi, and an IoT gadget is born.

Where we are now

The U.S. has historically been hesitant to impose regulatory rules on businesses, particularly in the technology sector – witness the recent decisions rolling back the application of common carrier rules to ISPs – which means it’s likely that any attempt to regulate IoT technology will be done with a soft touch.

Congress has introduced several privacy protection bills, including H.R. 1324, the Securing IoT Act of 2017 earlier this month, but none have passed the preliminary stages of the legislative process. The most active part of the government on this issue has been the Federal Trade Commission, which has issued guidelines and best practices about IoT security.

But the FTC’s ambit has always been limited, and Waldo noted that its mechanism for regulation is centered around fair-trade practices.

“They can ensure that a company follows its own privacy policy, but that privacy policy may be weak,” he said.

Big changes to U.S. consumer protection laws tend to be scandal-dependent, according to Waldo – things only change when something really awful happens, frequently to lawmakers or other powerful people.

“I think that this is one of the reasons that Silicon Valley doesn’t take regulation all that seriously – they’d rather get the stuff out, and once they do, the facts on the ground sort of overwhelm the regulators,” he said.

What the future might look like

Perhaps the most useful contrast to the U.S.’s lack of regulatory attention to IoT security issues is Europe, where the General Data Protection Regulation has provoked howls of outrage from the tech industry, but won praise from privacy rights advocates. (It’s set to take full effect May 25, and Computer World has a handy primer here.)

GDPR, in essence, places the burden on companies to state clearly and up-front what types of user data will be gathered, and precisely what it will be used for. It also gives users the right to see data that has been collected about them, and to correct inaccuracies.

It’s not wildly dissimilar to the most stringent data protection law currently on the books in the U.S. – the Health Insurance Portability and Accountability Act, better known as HIPAA. According to Sadeh, a more broad-based privacy protection law in the U.S., designed to address the threats posed by IoT and other technologies that have badly outstripped existing regulations, could easily resemble HIPAA with greater scope.

That said, he’s not expecting movement on that point anytime soon.

“I think there would be a ton of resistance – I like many aspects of GDPR, personally I think that what they’ve done is great, it’s also very ambitious and ambiguous,” Sadeh said. “It’s good that they’re doing what they’re doing, and it’s good that we’re doing what we’re doing here in the U.S.”

Despite the manifold headaches and dangers caused by a lack of uniform regulation around privacy world-wide, Sadeh suggested that the variable climates enable innovation. The difference allows for reflection on what different regulatory regimes will look like, and can help balance the interests of innovation with consumer protection.

Nailing down that balance will be central to any successful regulation of IoT, he said.

“This is a great space – don’t get me wrong, I’m all for it, I teach it, I think there are tremendous opportunities here to make our cities smarter, make our health better,” said Sadeh. “But I think that there’s a need for people to take more responsibility in making sure that we’re not digging our own graves as we go through these technologies.”