regulations in iot - innovation stifle or urgent need

Regulations in IoT.Innovation stifle or an urgent need?

Rajesh Chitharanjan (@raj3sh1)

2© Copyright Publicis.Sapient | Confidential


“Is there a God?”The machine answered, “Yes, now there isa God.”

– “The Answer” by Fredric Brown


We are on the verge of one of the biggest moments in human

history.


But there are many weak links!Privacy, Security, Standardization, Interoperability etc.


Experience is the best teacher.But the tuition is high.


Drag and drop image

“It’s not that we didn’t think about security. We knew that there were untrustworthy people out there, and we thought we could exclude them.”

– David D. Clark, MIT (involved in the early days of internet)


“People don’t break into banks because they’re not secure. They break into banks because that’s where the money is. They thought they were building a classroom, and it turned into a bank.”

– Janet Abbate

Source: https://mitpress.mit.edu/books/inventing-internet


Do we need to regulate applications in IoT?

Will it stifle innovation?

Drag and drop image

01 A Case For Regulations


Will you give upyour first-born for

free WiFi?


Drag and drop image

Does your flashlight need to know where you are?


It’ll take

70+ DAYS year to read the Privacy Policies for an averageweb user

Source: Data Privacy Lab, Harvard


Even bigger problem with IoTBorn Digital &Born Analog Data


Our data is anonymized. Isn’t that enough?


What can you infer from a person’sZipCode, Gender & DoB?

Individually identifying 87% of Americans.

Source: Dr. Latanya Sweeney http://privacy.cs.cmu.edu/dataprivacy/papers/LIDAP-WP4abstract.html


Is the old school PII based protection valid anymore?


“Data can either be useful or perfectly anonymous, but never both.”

– Paul Ohm


Standard(s) chaos?

Thread Group Backed by NEST and Google. an ambitious, wireless-centric standard that covers networking, power conservation, security, and product compatibility concept of a mesh network works well in an interconnected device environment where no device becomes a single point of failure

AllSeen/AllJoyn Designed by Qualcomm, backed by Linux fuondation Open-source framework that directs connectivity and service layer operations for IoT devices in order "to create interoperable products that can discover,

connect, and interact directly with other nearby devices, systems, and services regardless of transport layer, device type, platform, operating system, or brand." Backed by MS, Sony and 160 odd other companies

OIC/IoTIVITY Founded by Intel in response to AllSeen. Launched IoTivity framework that competes with AllJoyn May not make a big wave in this space.

Industrial Internet Consortium

Industrial Applications. Backed by GE, IBM, Cisco, AT&T outlines key characteristics of Industrial Internet systems, various viewpoints that must be considered before deploying an Industrial Internet solution, and an

analysis of key concerns for the Industrial Internet, including security and privacy, interoperability, and connectivity

ITU-T SG20 Created by International Telecommunication Union responsible for international standards to enable the coordinated development of IoT technologies, including machine-to-machine communications and

ubiquitous sensor networks Seems to be the most authoritative of the list despite not a huge industrial backing

IEEE P2413 IEEE’s own umbrella of standards more than 350 IEEE standards that are applicable to IoT, 40 of which are being revised to better support IoT. Furthermore, there are more than 110 new IoT‐

related IEEE standards in various stages of development) build a reference architecture that "covers the definition of basic architectural building blocks and their ability to be integrated into multi-tiered systems."

Others Apple Homekit, ZigBee (Radio protocol)…


Interoperability?Interoperability?


Not just data access!How about hacking garages in 10 seconds?


Hospitals will have to deal with Computer viruses along with ones from the real world


What if a new Stuxnet like worm does more than just sabotaging a nuclear

power plant?


How long before a rogue nation or a terrorist group wages warfare through our ‘Things’?

© Copyright Publicis.Sapient | Confidential32

US Department of Commerce called for a Public RFC on regulations in IoT.

European Commission’s DG Connect, considering a separate IoT legislation.

02 A Case For Self-regulation


Enforced Regulations just won’t work

It will likely end up to be too restrictive

It’ll not be expected to keep up with the pace in which innovations happen in the Market

May cripple smaller startups by enforcing constraints

Will introduce more red tape with respect to auditing, compliance etc.

May end up weakening control as compared to what would have happened through market forces

Can be used by Companies to restrict competitors

Complete enforcement will unlikely happen because of the effort involved.

Overall, could slow down investors and scare developers away

© Copyright Publicis.Sapient | Confidential35

Survival & Financial incentives will be the biggest motivator for Companies


Birth of PCI-DSS

Visa and MasterCard reported $750

Million lost in credit card fraud

1998and

1999

In2000 2001 In

2004

Total revenue lost touched $1.5 Billion

Visa reported that online credit card fraud rates were4 times greater

than the average transaction…

PCI DSS 1.0was announced


Source: http://www.valuewalk.com/wp-content/uploads/2015/02/Hacks-And-Data-Breaches-Infographic.jpg

http://www.valuewalk.com/wp-content/uploads/2015/02/Hacks-And-Data-Breaches-Infographic.jpg

http://www.valuewalk.com/wp-content/uploads/2015/02/Hacks-And-Data-Breaches-Infographic.jpg


Many successful self-regulation models

Financial rating services, such as Dun & Bradstreet and Moody’s. Better Business Bureau Certifications for kosher and halal food. Fair Trade food Responsible Care by the Chemical industry


Are Privacy concerns hyped up?


People are not as concerned about Privacy if trading information makes

life convenient

Source: http://trak.in/tags/business/2014/06/21/indians-online-privacy-concern/

http://trak.in/tags/business/2014/06/21/indians-online-privacy-concern/

http://trak.in/tags/business/2014/06/21/indians-online-privacy-concern/

03 So, Do We Need To Regulate Or Not?


Need to look at this in 3 parts

2. Policies related to specific domains

such as healthcare, automotive etc.1. Policies that are

Common across domains – such as

interoperability, security standards

etc.

3. Policies/Guidelines related

to responsibilities of the Developers

& Vendors


Data Security - Promising Options

De-Centralized data management

Secure Multiparty Computation

Homomorphic encryption

Oblivious Messaging

Zero-Knowledge Systems


Drag and drop image

Secure Multiparty Computation

Method by which a bunch of parties come together to jointly perform a function to arrive at an outcome without exposing the private data that they have.


The Enigma Project


Privacy by Design

“All in or nothing” kind of an approach to Privacy Policy should change.

Granular controls to privacy, ability to change controls, flexible policy.

Clear indication of Services the User gets upon giving the permission.

Support Users to change preferences any time in the future with hard delete.

Display Information collected under each section and allow to edit or modify it.

Source: CUPS – Cylab Usable Privacy and Security Laboratory

(Carnegie Mellon University)


Drag and drop image


Governments Need To Be A Regulator, A Facilitator And An Active Influencer.

Drag and drop image


“The fundamental problem is that security is always difficult, and people always say, ‘Oh, we can tackle it later,’ or, ‘We can add it on later.’ But you can’t add it on later. You can’t add security to something that wasn’t designed to be secure.”

– Peter G. Neumann


Vulnerability still in your router.After it was detected more than 14

years ago.


Not just some trivial applications!

Industrial Development Could boost GDP of the world’s economies by Trillions of Dollars in a decade

Environment Could support reducing Carbon by 7 Billion Tons by 2020

Health Care Expect significant contributions in preventing and managing diseases, drug management etc.

Food and Agriculture Applications like Connected Kitchen, Inventory Management could contribute up to 15% savings

in food waste.

Human Enablement Evolution of TransHumanism and H+.


How do you measure the success of your radio ads?


How many large scale, life changing ideas have we seen here?

Not Many!

Why Not?


What’s stopping BIG ADOPTION?

RoI Concerns Constraints in large cale implementation

Concernsfrom Users

Implementations& Rollout

Lack of Success Stories

Concerns over justificationof Business Case

No Clearunderstanding of TCO

Most solutions are standalone task specific, usecase specific.

Standards, Protocols abound.

Confusing messages from vendors, products and

services providers

No clear authority

Technology Immaturity

Backlash on privacy intrusions

Concerns on Data Security

Won’t participate unless there’s clear value

Not integrated enough with existing Digital Offerings

Scaling of solutionsis a problem

Tend to offer incremental benefits – rather than fundamental changes

Constraints with thePhysical Environment

Very expensive