
Standards Legal Privacy Security - Broadband India Forum · Prominent telecommunications standards...

Date post: 30-Jun-2020
1 www.theiet.in/IoTPanel Standards Legal Privacy Security, Sep 2017 Standards Legal Privacy Security
1. Executive Summary

Nowadays, the Internet of Things (IoT) has become an advanced technology widely deployed in several fields including industry, transportation, energy, home and environment monitoring, and healthcare and wellbeing applications. IoT provides an added value service allowing users to easily supervise their environments and helping them make suitable decisions. IoT is likely to improve the quality of people's lives, create new markets and new opportunities, increase economic growth, and be a driver for competition.

The IoT is slowly making the world more agile and functional via M2M and other protocols. M2M represents a developing field with its own concepts that include sensors, communications in local-area and wide-area, server on premises, local scanning devices, user-facing services, and storage and analytics. Additionally, the tech has developed into the mobile environment to further improve people and machine communication, including in monitoring systems that collect data and drive decisions. M2M is also having an impact on the telecommunication industry, helping change how we interact with our devices.

As per Deloitte's TMT India Predictions 2017, IoT is going to be the next big thing for operators as India will rapidly grow into a hub for IoT Solutions. The market value of IoT is expected to reach USD 9 billion by 2020. IoT units in India are also expected to see a rapid growth of 31 times to reach 1.9 billion by 2020. M2M/IoT has been around for several decades now: some deployments date back to more than 20 years. However, M2M/IoT markets are struggling to realise the full M2M market potential. Estimates indicate IoT is a Trillion Dollar Opportunity having unlimited possibilities.

IoT comprises M2M as well as Human-to-Machine communication (H2M). The enabling technologies for Internet of Things are sensor networks, RFID, M2M, mobile Internet, wired & wireless communication network, semantic data integration, semantic search etc. In wireless communication, Wi-Fi, ZigBee, 6LoWPAN and Bluetooth technologies may be used for short range connectivity among device(s) to the gateway. Further, GSM 2G/3G/LTE/Wi-Max may be used for connecting the M2M gateway to the desired server.

The IoT ecosystem is heavily dependent on data collection and transmission. Connected sensors collect large amounts of data through the Internet, enabling M2M interaction and processing of the data for particular services. Different types of data are transmitted and processed within the IoT ecosystem. The data primarily includes personal data and sensitive personal information such as financial information, location, health related information, etc.

Standards and policy are critical elements of IoT and M2M as many devices will be connected. Standardisation is needed in order to deliver the scalability and flexibility the market requires to maximise the potential of IoT and M2M. Standardisation enables improved functionality – cost-quality trade-offs to be made – which will deliver faster time-to-market for new devices and applications.


Prominent telecommunications standards bodies such as 3GPP, ETSI, oneM2M, IEEE, ITU and ISO/IEC JTC1 etc. are involved in providing recommendations and standards in the context of M2M/IoT. oneM2M, while addressing the Common Service Layer Standards, released its first set of standards in January 2015, and Release 2, which is made up of 17 Technical Specifications and 9 Technical Reports, was published in August 2016.

At the same time, however, the Internet of Things raises significant challenges that could stand in the way of realising its potential benefits. Attention-grabbing headlines about the hacking of Internet-connected devices, surveillance concerns, and privacy fears have already captured public attention. Technical challenges remain and new policy, legal and development challenges are emerging.

Some key IoT issue areas are examined to explore some of the most pressing challenges and questions related to the technology. These include standards, legal and regulatory; privacy issues and securing of Internet of Things.

• Standards, Legal and Regulatory: A fragmented environment of proprietary IoT technical implementations will inhibit value for users and industry. While full interoperability across products and services is not always feasible or necessary, purchasers may be hesitant to buy IoT products and services if there is integration inflexibility and high ownership complexity. In addition, poorly designed and configured IoT devices may have negative consequences for the networking resources they connect to and the broader Internet. Appropriate standards, reference models, and best practices also will help curb the proliferation of devices that may act in disruptive ways to the Internet. The use of generic, open, and widely available standards as technical building blocks for IoT devices and services (such as the Internet Protocol) will support greater user benefits, innovation, and economic opportunity.

There is a strong market case for producing global specifications. M2M offers unprecedented business opportunities for new devices and services. But if we are to fully exploit these opportunities and grow the market to the scale projected, we need common global standards to reduce complexity, facilitate the roll-out of new devices and services, and provide economies of scale. One such initiative is the oneM2M partnership project, which has developed specifications for the Common Service Layer that are being used by a number of independent open source foundations and projects, in addition to commercial deployments [OCEAN, IOTDM, OM2M, CDOT, HP etc.], as the industry looks to accelerate take up of IoT products and platforms.

The use of IoT devices raises many new regulatory and legal questions as well as amplifies existing legal issues around the Internet. The questions are wide in scope, and the rapid rate of change in IoT technology frequently outpaces the ability of the associated policy, legal, and regulatory structures to adapt. One set of issues surrounds cross border data flows, which occur when IoT devices collect data about people in one jurisdiction and transmit it to another jurisdiction with different data protection laws for processing. Further, data collected by IoT devices is sometimes susceptible to misuse, potentially causing discriminatory outcomes for some users. Other legal issues with IoT devices include the conflict between law enforcement surveillance and civil rights; data retention and destruction policies; and legal liability for unintended uses, security breaches or privacy lapses. While the legal and regulatory challenges are broad and complex in scope, adopting the guiding Internet Society principles of promoting a user’s ability to connect, speak, innovate, share, choose, and trust are core considerations for evolving IoT laws and regulations that enable user rights.

The Whitepaper as Annexure 1 to this report highlights Standards, legal and Regulatory work around M2M/IoT.

• Privacy and other legal Issues: The full potential of the Internet of Things depends on strategies that respect individual privacy choices across a broad spectrum of expectations. The data streams and user specificity afforded by IoT devices can unlock incredible and unique value to IoT users, but concerns about privacy and potential harms might hold back full adoption of the IoT. This means that privacy rights and respect for user privacy expectations are integral to ensuring user trust and confidence in the Internet, connected devices, and related services. Indeed, the IoT is redefining the debate about privacy issues, as many implementations can dramatically change the ways personal data is collected, analysed, used, and protected. For example, IoT amplifies concerns about the potential for increased surveillance and tracking, difficulty in being able to opt out of certain data collection, and the strength of aggregating IoT data streams to paint detailed digital portraits of users. While these are important challenges, they are not insurmountable. In order to realise the opportunities, strategies will need to be developed to respect individual privacy choices across a broad spectrum of expectations, while still fostering innovation in new technology and services.

Black’s Law Dictionary defines “privacy” as the quality, state or condition of being free from public attention, intrusion into, or interference with one’s acts or decisions. Black’s Law Dictionary further defines “informational privacy” as the right to choose to determine whether, what, how and to what extent information about oneself is communicated to others, especially sensitive and confidential information. This definition becomes relevant in the context of the IoT ecosystem as informational privacy and its concepts are being challenged with the evolution of IoT.

The IoT ecosystem is heavily dependent on data collection and transmission. Connected sensors collect large amounts of data through the Internet, enabling M2M interaction and processing of the data for particular services. Different types of data are transmitted and processed within the IoT ecosystem. The data primarily includes personal data and sensitive personal data such as financial information, location, health related information, etc., that is attributed to an individual. In this context, it is pertinent to examine how data is treated legally.

Further, M2M interactions contemplate contracts between machines and sensors with minimal human involvement. In this regard, the validity of such contracts needs to be examined. The traditional concept of product liability (where the manufacturer/supplier is made liable for any injuries or loss arising out of defective products) is challenged in the IoT ecosystem, as a typical IoT transaction chain involves multiple devices with different manufacturers or suppliers. In this regard, it becomes difficult to precisely ascertain the liability of a particular manufacturer or IoT service provider.

The White paper as annexure 2, Part I to this report highlights the evolution of the right to privacy in India and the existence of the right in the present legal infrastructure. These existing principles of the right to privacy are then examined in the context of the IoT environment, in order to assess if they effectively protect the privacy of the user. This Paper has confined itself to the assessment of B2C interaction in the IoT ecosystem and does not address B2B networks. Further, the Paper has restricted its detailed examination of existing legal norms to information technology law and TRAI regulations, since data within the IoT ecosystem is primarily electronic data. The legal framework for privacy in other jurisdictions and the steps taken to adopt them for IoT are also analysed to provide a comparative perspective. Part I then attempts to highlight the gaps that need to be filled and make suggestions in law and policy, for ensuring and safeguarding privacy in the IoT ecosystem.

Part II of annexure 2 to this report initially examines the jurisprudence of data as property and has addressed the concept of ownership of data and treatment of data as property. Further, it goes on to examine the law relating to product liability and validity of machine to machine (M2M) contracts in the IoT ecosystem. In this regard, the legislations surrounding product liability such as the Consumer Protection Act, 1986 and the law of Torts on product liability have been examined. Further, the provisions of the Indian Contract Act, 1872 and the Information Technology Act, 2000 have been analysed to gauge potential legal issues in the validity of M2M contracts.

• Security: While security considerations are not new in the context of information technology, the attributes of many IoT implementations present new and unique security challenges. Addressing these challenges and ensuring security in IoT products and services must be a fundamental priority. Users need to trust that IoT devices and related data services are secure from vulnerabilities, especially as this technology becomes more pervasive and integrated into our daily lives. Poorly secured IoT devices and services can serve as potential entry points for cyber-attacks and expose user data to theft by leaving data streams inadequately protected. The interconnected nature of IoT devices means that every poorly secured device that is connected online potentially affects the security and resilience of the Internet globally. This challenge is amplified by other considerations like the mass-scale deployment of homogenous IoT devices, the ability of some devices to automatically connect to other devices, and the likelihood of fielding these devices in unsecure environments. As a matter of principle, developers and users of IoT devices and systems have a collective obligation to ensure they do not expose users and the Internet itself to potential harm. Accordingly, a collaborative approach to security will be needed to develop effective and appropriate solutions to IoT security challenges that are well suited to the scale and complexity of the issues.


Fortunately, IoT security can be covered with four cornerstones:
o Protecting Communications
o Protecting Devices,
o Managing Devices, and
o Understanding Your System

These cornerstones can be combined to form powerful and easy-to-deploy foundations of security architectures to mitigate the vast majority of security threats to the Internet of Things, including advanced and sophisticated threats.

The Whitepaper as Annexure 3 to this report describes these cornerstones, their necessity, and strategies for easy and effective implementation. No single, concise document can cover all of the important details unique to each vertical. Instead, this paper attempts to provide advice applicable to all verticals, including automotive, energy, manufacturing, healthcare, financial services, government, retail, logistics, aviation, consumer, and beyond, with examples spanning the majority of these verticals.

List of Contributors

A. Primary Authors / Drafting Committee

Name | Designation | Organisation | E-mail address
Mr. Dinesh Chand Sharma | Director in Standards Public Policy | EU Project SESEI | [email protected]
Mr. Sheahan Verghese | Founder & MD | Tree of Life Associates | [email protected]
Mr. Shrikant Shitole | Senior Director and Country Head | FireEye | [email protected]

B. Contributors (Working Group Standards, Legal & Regulatory – IET IoT India Panel)

Name | Designation | Organisation | E-mail address
Mr. Shreyas Jayasimha | Founder | Aarna Law | [email protected]
Mr. Anuj Ashokan | Lead IoT solutions | Tata Teleservices | [email protected]

C. IET Review Committee

Name | Designation | Organisation
Shri T.V. Ramachandran | President | Broadband India Forum
Shri Kuldip Singh | Former Member TDSAT & CMD | MTNL
 | Hon'y Principal Advisor | Broadband India Forum
Shri DP Singh | Managing Partner Arthe Law | TMT
 | Hon'y Principal Advisor | Broadband India Forum
Shri Abhishek Malhotra | Managing Partner, Arthe Law, TMT expert | TMT
 | Hon'y Principal Advisor | Broadband India Forum


Annexure: 1

Whitepaper On Standards, Legal and Regulatory work Around Machine-To-Machine / Internet of Things


1. Introduction

Machine-to-machine (M2M) communications is used for automated data transmission and measurement between mechanical or electronic devices. The key components of an M2M system are field-deployed wireless devices with embedded sensors or RFID, and wireless communication networks with complementary wireline access, which include, but are not limited to, cellular communication, Wi-Fi, ZigBee, WiMAX, wireless LAN (WLAN), generic DSL (xDSL) and fibre to the x (FTTx).

The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.

Most industry analysts acknowledge the Internet of Things and Machine-to-Machine as unprecedented opportunities for creating and commercializing new devices and applications. IoT and M2M will also change the way we live and work through new and innovative services. There is no doubt that within a few years, there will be a vast increase in the number of connected devices. Internet of Things will be at the top of emerging technologies, with a five-to-ten year period anticipated for the market to reach full maturity.

As per Deloitte's TMT India Predictions 2017, Internet of Things (IoT) is going to be the next big thing for operators as India will rapidly grow into a hub for IoT Solutions. The market value of IoT is expected to reach USD 9 billion by 2020. IoT units in India are also expected to see a rapid growth of 31 times to reach 1.9 billion by 2020. M2M/IoT has been around for several decades now: some deployments date back to more than 20 years. However, M2M/IoT markets are struggling to realise the full M2M market potential. Estimates indicate IoT is a Trillion Dollar Opportunity having unlimited possibilities.

Some of the latest forecasts and predictions by analysts are:

• The worldwide Internet of Things (IoT) market is expected to grow 19% in 2015, led by digital signage, according to a new forecast from International Data Corporation (IDC). The second annual forecast focuses on growing IoT use in 11 vertical industries, including consumer, retail, healthcare, government, manufacturing, transportation, and other industries, while also sizing IoT opportunities for 25 vertical-specific use cases. A few of the recent publications are highlighted below:

• Research Nester: The Global Internet of Things (IoT) market reached USD 598.2 Billion in 2015 and the market is expected to reach USD 724.2 Billion by 2023. Further, the market is projected to register a CAGR of 13.2% during the forecast period 2016-2023 globally. The market of Asia-Pacific region acquired 36% of the global revenue share in 2015 and the market is anticipated to grow at a CAGR of 10.2% during the forecast period i.e. 2016-2023.


• Juniper: The number of connected IoT (Internet of Things) devices, sensors and actuators will reach over 46 billion in 2021.

• MarketsandMarkets: IoT technology market is expected to grow from USD 130.33 Billion in 2015 to USD 883.55 Billion by 2022, at a CAGR of 32.4% between 2016 and 2022.

• Machina Research: The total number of IoT connections will grow from 6 billion in 2015 to 27 billion in 2025, a CAGR of 16%.

• Cisco: Over the next five years, global IP networks will support up to 10 billion new devices and connections, increasing from 16.3 billion in 2015 to 26.3 billion by 2020. There are projected to be 3.4 devices and connections per capita by 2020, up from 2.2 per capita in 2015. Globally, M2M connections are calculated to grow nearly three-fold from 4.9 billion in 2015 to 12.2 billion by 2020, representing nearly half (46 percent) of total connected devices.

• Grand View Research: The global Internet of Things (IoT) market size was valued at USD 605.69 billion in 2014. Technological proliferation and increasing investments are expected to drive the global market over the next seven years.

• Gartner: Gartner, Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day. Gartner estimates that 4 billion connected things will be in use in the consumer sector in 2016, and will reach 13.5 billion in 2020.

• IDC: According to IDC, global IoT spending will experience a compound annual growth rate (CAGR) of 15.6% over the 2015-2020 forecast period, reaching $1.29 trillion in 2020.

While IOT/M2M/IOE is a huge topic ranging from last mile connectivity all the way to data models and semantics, one cannot expect the work to focus in a single place. The following list contains a few examples; many more exist:

• Alljoyn – open source project
• IEEE P2413 — Standard for an Architectural Framework for the Internet of Things, IETF, ISA 100 (Industrial IOT)
• ISO/IEC JTC1/WG7: project named IOTRA covering Sensor Network Reference Architecture
• ITU Y 2066 and Y2067: Recommendation about IOT covering Requirements and Gateway capabilities
• Open-Interconnect, ZigBee, Z-Wave (wireless protocol for home automation) etc.
• ETSI/oneM2M


Key challenges:

• Fragmentation, provisioning/efficiency, integration complexity, scalability
• M2M Communications meets non-ICT Industry [Automotive, Health, Energy]
• How to make intelligent use of information, enabled by connected IT [Cloud]

Market projections for the growth of Machine-to-Machine (M2M) communications and the Internet of Things (IoT) are unrealistic without the emergence of a global standardised platform. In short, this industry will not take off without significant consolidation and the economies of scale that standardisation can bring. Hence standardisation is needed in order to deliver the scalability and flexibility the market requires to maximise the full potential of IoT and M2M.

2. Standardisation and Policy

Standards and policy are critical elements of IoT and M2M as many devices will be connected. Standardisation is needed in order to deliver the scalability and flexibility the market requires to maximise the potential of IoT and M2M. Standardisation enables improved functionality – cost-quality trade-offs to be made, which will deliver faster time-to-market for new devices and applications. A dramatic change within a short period of time is mainly attributed to the development of ICT and the Internet. It is expected that future ICT developments will mainly ride on M2M and IoT. The number of worldwide M2M connections is growing exponentially, with some forecasts as high as 50 billion by 2020. These connections will reside within virtually every major market category – from healthcare to transportation and energy to agriculture. Also, huge investments in terms of billions and trillions for M2M based services have been announced by developing and developed countries. At present 468 mobile operators are offering M2M services across 190 countries.

All kinds of M2M services can be efficiently and economically made available to consumers if they are configured on a common communication network which is open, scalable and standards based. However, different kinds of M2M services have varying network requirements, broadly categorised as under:

➢ Very low Bandwidth < 1Mbps (Monthly usage 10kb to 10Mb) e.g. Remote sensors
➢ Low Bandwidth < 1kbps to 10kbps (Monthly usage 1Mb to 10Mb) e.g. utility, health security monitoring
➢ Medium Bandwidth < 50kbps to a few MB (Monthly usage 10mb to 300mb) e.g. retail, ticketing, inventory control, gaming and digital picture frames.
➢ High Bandwidth, in Mbps (monthly usage > 300Mb to 90Gb) e.g. digital signage, video surveillance.


Keeping all these facts under consideration, the need of having a global partnership in developing standards for Machine-to-Machine (M2M) communications and the Internet-of-Things (IoT) was strongly felt.

2.1. M2M/IoT Globally

2.1.1. M2M/IoT Policy initiatives

Favorable regulations and government support are another important aspect that needs to be taken care of by various governments and associations to harness the full potential of M2M. In various countries, a number of government supported M2M projects are announced; however, regulations around M2M are announced in bits and pieces. Till date, full-fledged regulations on M2M are not seen in any country. Action in this direction has started in some countries and consultation papers have come out.

GSMA (Groupe Speciale Mobile Association) has issued guidelines for the IoT/M2M market that outline how devices and applications should communicate via mobile networks. The guidelines include a number of best practice areas such as data aggregation within devices, non-synchronous network access, application scalability and guidance on how to manage signaling traffic from de-activated or out-of-subscription SIMs. GSMA is also undertaking a project to develop a common set of acceptance tests for IoT/M2M devices and applications to ensure best practices are being followed. The project will establish a single, standard set of connection efficiency tests for IoT/M2M devices and applications, enabling players across the industry to develop and deploy IoT/M2M services with confidence.

Legislation and Policy Document at European level:

o Com(2016)176: ICT Standardisation priority for digital single market:

To support Europe’s role in the global digital economy, the European Commission has adopted a communication on a Digital Single Market strategy, and has made it one of its key priorities. Common standards ensure the interoperability of digital technologies and are the foundation of an effective Digital Single Market. They guarantee that technologies work smoothly and reliably together, provide economies of scale, foster research and innovation and keep markets open. To address the challenges related to ICT standardisation, the Commission announced that it would “launch an integrated standardisation plan to identify and define key priorities for standardisation with a focus on the technologies and domains that are deemed to be critical to the Digital Single Market”.


o Com (2016) 180: Digitising European Industry reaping the full benefits of Digital Single Market.

Digitisation provides a unique opportunity for attracting further investments into innovative and high growth digital and digitised industries in Europe. Industry in the EU can build on its strengths in professional digital technologies and on its strong presence in traditional sectors to seize the wide range of opportunities that IoT, big data and AI-based systems offer and capture a share of the emerging markets of future products and services.

While adapting to the digital industrial change is primarily a matter for business, a targeted public policy can play an important part in creating the best conditions for that to happen in all sectors in a competitive environment bolstered by the competition rules. This is particularly important for the vast number of small and medium-sized enterprises that underpin the European economy. Public policy should aim at a thriving digital sector fueling the digitisation of the whole industrial fabric, from construction, health and agro-food to creative industries.

The purpose of this Communication is therefore to reinforce the EU's competitiveness in digital technologies and to ensure that every industry in Europe, in whichever sector, wherever situated, and no matter of what size can fully benefit from digital innovations.

o SWD(2016)110/2: Advancing the Internet of things in Europe

The Internet of Things (IoT) represents the next major economic and societal innovation wave enabled by the Internet. With the IoT, any physical (e.g. a thermostat or a bike helmet) and virtual (i.e. a representation of real object in a computer system) object can be connected to other objects and to the Internet, creating a fabric between things as well as between humans and things. The IoT can combine the physical and the virtual worlds into a new smart environment, which senses, analyses and adapts, and which can make our lives easier, safer, more efficient and more user-friendly. The Digital Single Market Strategy for Europe (in short DSM Strategy) underlines the need to avoid fragmentation and to foster interoperability for the IoT to reach its potential.

➢ Com(2009)278: “Internet of Things — An action plan for Europe”: Standardisation will play an important role in the uptake of IoT, by lowering entry barriers to newcomers and operating costs for users, by being a prerequisite for interoperability and economies of scale and by allowing industry to better compete at the international level. IoT standardisation should aim at rationalising some existing standards or developing new ones where needed.


➢ BEREC BoR (16) 39, Report on enabling the Internet of Things:

In view of the Digital Single Market (DSM) review, BEREC considers that, in general, no special treatment of IoT services and/or M2M communication is necessary, except for the following areas:
• Roaming;
• Switching;
• Number portability.

With regard to privacy, BEREC sees the need for a careful evolution – but not an entire overhaul – of the existing EU data protection rules. This assessment does not preclude that within the DSM review further areas for amendments of the regulatory framework taking into account the peculiarities of IoT services and/or M2M communication might be identified. No need for a European numbering scheme for M2M communication has been identified.

2.1.2. M2M/IoT Standardisation Activities

There are various standards development sub-activities taking place at the level of individual TSDO listed as under:

➢ European Telecommunications Standards Institute (ETSI) M2M: ETSI Technical Committee is developing standards for M2M communications. The group aims to provide an end-to-end view of M2M standardisation.

ETSI is addressing the issues raised by connecting potentially billions of smart objects into a communications network, by developing standards for:
• Data Security
• Data Management
• Data Transport
• Data Processing

This will ensure interoperable and cost-effective solutions, open up opportunities in new areas such as e-Health and smart metering, and allow the market to reach its full potential. Machine-to-Machine (M2M) communications will form the foundation for:
• Smart Devices
• Smart Appliances
• Smart Home
• Smart Building
• Smart Cities

http://www.etsi.org/technologies-clusters/clusters/connecting-things


➢ 3rd Generation Partnership Project (3GPP): Apart from ETSI, 3GPP is also active in M2M technology related activities. In 3GPP M2M is also called machine-type communications (MTC) where work has been carried out on the optimisation of access and core network infrastructure, allowing efficient delivery of M2M services.

➢ IEEE: IEEE has a number of existing standards, projects in development, activities, and events that are directly related to creating the environment needed for a vibrant IoT, recognising the value of the IoT to industry and the benefits this technology innovation brings to the public. http://standards.ieee.org/develop/msp/iot.pdf

• IEEE P2413, Draft Standard for an Architectural Framework for the Internet of Things

This draft standard defines an architectural framework for the Internet of Things (IoT), including descriptions of various IoT domains, definitions of IoT domain abstractions, and identification of commonalities between different IoT domains. To participate in the development of this standard, visit the IEEE P2413 Working Group page.

• IEEE P2418 Standard for the framework of Blockchain use of Internet of Things

The purpose of this project is to develop definitions and a protocol for blockchain implementations within an IoT architectural framework. This standard provides a common framework for blockchain usage, implementation, and interaction in Internet of Things (IoT) applications. The framework addresses scalability, security and privacy challenges with regard to blockchain in IoT. Blockchain tokens, smart contracts, transaction, asset, credentialed network, permissioned IoT blockchain, and permission-less IoT blockchain are included in the framework.

• IEEE P1451-99 - Standard for harmonisation of Internet of things Devices and Systems

The purpose of this standard is to define a metadata bridge to facilitate IoT protocol transport for sensors, actuators, and devices. The standard addresses issues of security, scalability, and interoperability. This standard can provide significant cost savings and reduce complexity, and offer a data sharing approach leveraging current instrumentation and devices used in industry. This standard defines a method for data sharing, interoperability, and security of messages over a network, where sensors, actuators and other devices can interoperate, regardless of underlying communication technology.


• IEEE P1931.1 Standard for an Architectural Framework for Real Time Onsite Operations Facilitation (ROOF) for Internet of Things

This standard defines ROOF computing and networking for technical and functional interoperability for IoT systems that operate and co-operate in a secure and independent manner within the context of a local environment such as home, factory, office or airport, etc. This standard defines an architectural framework, protocols and Application Programming Interfaces (APIs) for providing Real-time Onsite Operations Facilitation (ROOF). ROOF computing and networking for the data and the devices include next-hop connectivity for the devices, real-time context building and decision triggers, efficient backhaul connectivity to the cloud, and security & privacy.

➢ The Internet Engineering Task Force (IETF) ROLL: IETF has created a set of activities related to sensor technologies and smart objects such as 6LoWPAN and ROLL (routing over low-power and lossy networks). These efforts are aiming at bringing the Internet Protocol to sensors and M2M devices needed for building a monitoring infrastructure for Smart Grid. Working Group ROLL is focusing on RPL (routing protocol for LLNs) for low-power and lossy networks (LLNs) where the nodes in the networks are many embedded devices with limited power, memory, and processing resources. The emphasis of the work is on providing an end-to-end IP-based solution in order to avoid the non-interoperable networks problem.

➢ International Telecommunication Union (ITU): International Telecommunication Union has established various Focus Groups with the objective of developing recommendations from telecom/ICT perspective. There are various focus groups in ITU developing recommendations relevant to M2M, e.g. Focus Group on Smart Sustainable Cities (FG SSC); Focus Group on Smart Water Management (FG SWM); Focus Group on Disaster Relief Systems, Network Resilience and Recovery (FG-DR&NRR); Focus Group on Smart Cable Television (FG SmartCable); Focus Group on M2M Service Layer (FG M2M); Focus Group “From/In/To Cars Communication” (FG CarCom); Focus Group on Smart Grid (FG Smart); Focus Group on Cloud Computing (FG Cloud) etc.

➢ Advancing open standards for the information society (OASIS): OASIS runs a TC on message queuing telemetry transport (MQTT) https://www.oasis-open.org/committees/mqtt.
It is producing a standard for the MQTT protocol compatible with MQTT V3.1, together with requirements for enhancements, documented usage examples, best practices, and guidance for use of MQTT topics with commonly available registry and discovery mechanisms. As an M2M/IoT connectivity protocol, MQTT is designed to support messaging transport from remote locations/devices involving small code footprints (e.g. 8-bit, 256 KB RAM controllers), low power, low bandwidth, high-cost connections, high latency, variable availability, and negotiated delivery guarantees.

MQTT also has been approved as ISO/IEC 20922:2016 https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=mqtt


OASIS also runs a TC on the advanced message queuing protocol (AMQP): a ubiquitous, secure, reliable internet protocol for high-speed transactional messaging. AMQP also has been approved as ISO/IEC 19464:2014 https://www.oasis-open.org/committees/amqp.

➢ OIC: OIC works on defining the connectivity requirements for devices including the definition of the specification, certification and branding to deliver reliable interoperability; IP protection; and providing an open source implementation of the standard.

➢ World Wide Web Consortium (W3C): W3C’s Web of Things (https://www.w3.org/WoT/) is to support overcoming the fragmentation of the IoT by introducing a web based abstraction layer capable of interconnecting existing IoT platforms and complementing available standards.

➢ Open Geospatial Consortium (OGC): OGC defines and maintains standards for location-based, spatio-temporal data and services. Some of the work is related to IoT, e.g. a modular suite of standards for web services allowing ingestion, extraction, fusion, and (with the web coverage processing service (WCPS) component standard) analytics of massive spatio-temporal data like satellite and climate archives. http://www.opengeospatial.org

➢ ISO/IEC JTC 1: ISO/IEC JTC 1 WG 10 (Internet of Things): developing ISO/IEC 30141, IoT reference architecture. WG 10 work is ongoing on the following work areas:

• Terms and definitions for JTC 1 IoT Vocabulary (ISO/IEC 20924).
• IoT reference architecture which is flexible and easily extended to various types of applications (ISO/IEC 30141).
• Support for interoperability of IoT systems in terms of framework, networking, syntactic and semantic interoperability (ISO/IEC 21823-1).

Diverse use-cases covered by IoT:

• Monitoring the ongoing regulatory, market, business and technology IoT requirements
• IoT standards that build on the foundational standards in relevant JTC 1 subgroups

Documents from JTC 1/WG 10 can be found here: https://jtc1historyblog.wordpress.com/isoiec-jtc-1-working-groups/wg-10-internet-of-things/

➢ oneM2M published its Release 2 in August 2016. The first oneM2M release includes specifications covering requirements, architecture, protocols, security, and management, abstraction and semantics, and Release 2 added new functionality, particularly by expanding management, abstraction and semantics. Release 2 was published in August and is freely available at www.oneM2M.org. It is made up of 17 Technical Specifications and 9 Technical Reports. In ETSI SmartM2M, cooperation with AIOTI is foreseen to support 2017-2020 H2020 IoT LSP on (semantic) interoperability, cross sector shared IoT reference architecture (high level architecture), security and privacy.

oneM2M is the alliance of the following major ICT SDOs:
o Association of Radio Industries and Businesses (ARIB) of Japan
o Telecommunication Technology Committee (TTC) of Japan
o Alliance for Telecommunications Industry Solutions (ATIS) of USA
o Telecommunications Industry Association (TIA) of the USA
o China Communications Standards Association (CCSA) of China
o Telecom Standards Development Society, India (TSDSI)
o European Telecommunications Standards Institute (ETSI) of Europe
o Telecommunications Technology Association (TTA) of Korea

Other forums/organisations:
o BBF (Broadband Forum)
o Continua
o GlobalPlatform
o HGI (Home Gateway Initiative)
o The New Generation M2M Consortium – Japan
o OMA (Open Mobile Alliance)
and over 200 member organisations.

2.2. M2M/IoT in India

2.2.1. M2M/IoT Policy Initiatives

DoT released M2M roadmap. The roadmap covers global scenario on M2M Standards, Regulation and policies, Initiatives, Make in India: Supported through M2M Adoption and Approach & Way Forward including set of recommendation:

o To facilitate M2M communication standards including encryption, quality, security and privacy standards from Indian Perspective and to recognise such standards for India.
o To release national M2M Numbering Plan (within year 2015).
o Address M2M Quality of Service aspects.
o To address M2M specific Roaming requirements.
o To formulate M2M Service Provider (MSP) registration process.
o To issue guidelines for M2M specific KYC, SIM Transfer, International roaming etc.
o Formation of APEX body involving all concerned stakeholders.
o To address M2M specific spectrum requirements.
o To define frequency bands for PLC communication for various Industry verticals.
o Finalisation of M2M Product Certification process and responsibility centers.
o Facilitating M2M Pilot projects.
o Measures for M2M Capacity building.
o To establish Center of Innovation for M2M.
o To assist M2M entrepreneurs to develop and commercialise Indian products by making available requisite funding (pre-venture and venture capital), management and mentoring support etc.
o Inclusion of M2M devices in PMA Policy.
o To take up matters with relevant ministries to boost M2M products and services.
o Define procedures for energy rating of M2M devices and implementation of same.
o To evolve suitable guidelines of EMF radiation of M2M devices based on research and studies by relevant bodies.

DoT Draft M2M Service Providers Registration Guidelines Covering:
o Terms & Conditions for M2M SP Registration
o Technical Conditions for M2M SP Registration
o Security Conditions and a provision such as:

The M2M SP shall induct only those devices/equipment in the network which meet TEC/TSDSI/BIS standards, wherever specified as mandatory by the Authority from time to time and in the absence of mandatory TEC/TSDSI/BIS standard, the M2M SP may deploy those devices/equipment that is certified in compliance to meet the relevant standards set by National and International standardisation bodies, such as 3GPP, BIS, TSDSI, ITU, OneM2M, IEEE, ISO, ETSI, IEC etc.

• DEITY/MEITY DRAFT IoT POLICY:

Vision: “To develop connected and smart IoT based system for our country’s Economy, Society, Environment and global needs.”

Objectives:
o To create an IoT industry in India of USD 15 billion by 2020. It has been assumed that India would have a share of 5-6% of global IoT industry.
o To undertake capacity development (Human & Technology) for IoT specific skill-sets for domestic and international markets.
o To undertake Research & development for all the assisting technologies.
o To develop IoT products specific to Indian needs in all possible domains.
o The Policy framework of the IoT Policy has been proposed to be implemented via a multi-pillar approach. The approach comprises of five vertical pillars (Demonstration Centres, Capacity Building & Incubation, R&D and Innovation, Incentives and Engagements, Human Resource Development) and 2 horizontal supports (Standards & Governance structure).

• TRAI CP on M2M:

o Addressing questions around a) Regulatory Licensing framework, b) what should be the quantum of spectrum required to meet the M2M communications, c) roaming, d) SIM/eUICC, e) Security etc.
o TRAI has recommended the V-band (57-64 GHz), which can also be used for M2M. Other sub-GHz bands which are license exempt for indoor use are 433-434 MHz and 865-867 MHz.
o The QoS and bands are still to be clearly identified for M2M communications in India, along with whether these will be licensed or unlicensed bands, and with that the issue of national/international roaming.
o M2M is also being used inter-changeably with other terms like IoT, IoE, smart systems.
o Launch of various government programmes such as “Digital India”, “Make in India” and “Startup India” will also help immensely in driving the growth of the M2M/IoT industry in the country.
o According to BEREC’s report, current M2M services share the following characteristics:
   o Fully automatic communication of data from remote devices.
   o Simple devices that can be static or mobile.
   o Low volume traffic often with sporadic/irregular pattern though some use-cases have emerged about transmission of data in greater volumes.
   o M2M services require connectivity but it accounts for low proportion of overall M2M value chain revenue opportunity.
   o Some M2M services/devices are being produced for world market/global usage.
   o Some M2M devices are designed for lifetime of many years.
   o In most cases, the business model is B2B even if devices are aimed for consumers (B2B2C).
   o There are different ways M2M services could be implemented - different connectivity technologies, different protocols used to deliver data and M2M device is addressed via an identifier (necessarily not a global identifier as many devices are not connected to public networks).

• The Institution of Engineering and Technology (IET) India IoT Panel

It’s a volunteer led visionary, neutral, think tank in the “Internet of Things” space to focus on the areas of IoT, viz. Retail, Energy, Healthcare, Agriculture, Connected Homes, IoT Labs, Regulatory & Legal, Education and Social Impact.


2.2.2. M2M Standardisation Activities

• BIS Panel on ICT New & Emerging Technology covers topics of Smart cities (ICT technology area - ISO/IEC/JTC 1/SG 1 [WG 11]), Big Data (ISO/IEC/JTC 1/SG 2), Internet of Things (ISO/IEC/JTC 1/SWG 5 & WG 10), Sensor networks (ISO/IEC/JTC 1/WG 9), Systems Evaluation Group - Smart Cities (IEC/SEG 1), Systems Evaluation Group - Ambient Assisted Living (IEC/SEG 3), Active Assisted Living (IEC/SyC AAL), Smart Energy (IEC/Smart Energy) and Smart Manufacturing (IEC/SG 8). The BIS Council has divided the work into two groups thereby setting-up two panels as follows:

Panel 1: Title – Internet of Things (IoT), Scope – To explore the work being pursued at the international level, the need for standardisation in the national context and guide the Council for further action in the following technology areas: a) The standards directly under development by JTC 1, b) Internet of Things, c) Big Data, d) Sensor network, and e) Wearable devices. Convener: Dr. Gargi Keeni

Panel 2: Title – Smart Infrastructure, Scope – To explore the work being pursued at the international level, the need for standardisation in the national context and guide the Council for further action in the following technology area: a) Smart Cities (ICT Technology), b) Active Assisted Living, c) Smart manufacturing and d) Smart Energy. Convener: Shri Narang Kishore

• TEC: M2M working groups:

- NT cell of DoT is working on framing policy on M2M communication. TEC had been assigned the task to undertake studies through stakeholders and finalise Indian specific standards/specifications and also to make contributions in International Standardisation effort.
- To begin with, five multi stakeholders Working Groups as detailed below were formed in TEC in March 2014. Working Groups are having members from TEC, DoT, Telecom Service Providers (TSPs), OEMs, R&D organisations, Vertical Industries, MNCs, IT/ITes, Semiconductor industries and standardisation bodies (ETSI, TSDSI, BIS etc).

a) Gateway and Architecture
b) Power
c) Automotive
d) Health
e) Safety and Surveillance

➢ Joint Working Group (JWG): It comprises members of all the working groups.

➢ Following new working groups have been created in June-2015:
a) Security (End to End security of M2M domain)
b) Smart city
c) Smart Homes
d) Smart villages and Agriculture
e) Smart Environment (Environment monitoring and Pollution Control)
f) Smart Governance

➢ Frame of Reference for the working Groups was prepared and approved in the JWG meeting.

➢ Technical Reports (Release 1 and Release 2) of M2M working groups given below:

M2M/IoT Technical Reports (Release 1.0, May 2015):

o M2M Gateway & Architecture
o M2M Enablement in Power Sector
o M2M Enablement in Automotive (Intelligent Transport System) Sector
o M2M Enablement in Remote Health Management
o M2M Enablement in Safety & Surveillance Systems
o ICT deployment and strategies for India’s Smart Cities: A Curtain Raiser

M2M/IoT Technical Reports (Release 2.0, November 2015):

o M2M Number resource requirement & options
o V2V/V2I Radio communication and Embedded SIM
o Spectrum requirements for PLC and Low power RF communications

Work continues to have a release 2.0 for ICT deployment and strategies for India’s Smart Cities, Communication Technologies in M2M/IoT, Smart Home etc.

• Telecommunication Standards Development Society, India (TSDSI):
TSDSI is the government recognised body working on ICT including M2M standards. It is a not for profit industry led legal entity with participation from all stake holders including Government, service providers, equipment vendors, equipment manufacturers, academic institutes and research labs etc. It aims at developing and promoting research based India-specific requirements, standardising solutions for meeting these requirements, contributing to global standardisation in the field of telecommunications, maintaining the technical standards and other deliverables of the organisation and safe-guarding the related IPR. TSDSI WG published reports on M2M/IoT given below:

TSDSI WG on M2M/IoT published report covering Indian Use cases:

o M2M Use Cases for Utilities - V0.2.0-20151003 advance for NWG
o M2M Use Cases for Environment Pollution Monitoring & Control
o M2M use cases for Smart Cities - V0.2.0-20151003 advance release for NWG20
o M2M Use Cases for Smart Governance - V0.2.0-20151003 advance for NWG
o M2M Use Cases for Remote Asset Management - V0.2.0-20151003 advance for NWG
o M2M Use Cases on Smart Villages V0.2.0-20151003 advance release for NWG
o M2M Use Cases for Transportation V0.2.0 20151003 advance for NWG
o M2M Use Cases on Industrial Automation V0.2.0-20151003
o M2M Use Cases on Smart Homes V0.2.0-20151003 advance release for NWG
o M2M Use Cases on Health V0.2.0-20151003 advance for NWG

3. Various Communication Technologies for M2M/IoT

Cellular technologies have played an instrumental role in connecting the people to one another via voice, and also extended connectivity to the mobile Internet by delivering fast and mobile broadband services.
In the area of M2M/IoT, data from the devices will vary from few kilobits (water/electricity meters, environmental sensors) to several megabytes (Security camera) depending upon the use case. Data may be in the form of bursts and may also be non critical/critical in nature.
In M2M/IoT domain, there are various types of communication technologies depending upon the coverage, power, QoS etc. Communication technologies may be categorised to work in TAN/PAN/NAN/LAN/WAN depending upon coverage distance. These have been shown in figure below:

Wide area network may also have wired technologies such as Fixed line broadband, Fibre to the home (FTTH) and Power line communication (PLC).

3.1. Comparison Table for wired and wireless Technologies

A technological description in brief has been given in the following table. However a detailed description has been taken up in the following chapters:

Table: Comparison of Communication Technologies

Technology/Protocol: Bluetooth Low Energy
Frequency band(s): 2.4 GHz
Advantages:
• Mature technology
• Easy to implement
• Low Power
• Powered by coin cell
• Longer battery life
Limitations:
• Small data packets
Suitable for:
• Healthcare devices
• Fitness devices
• Smart Metering

Technology/Protocol: NFC
Frequency band(s): 13.56 MHz
Advantages:
• Consumes less power
• Almost instantaneous connectivity between devices
• No power is required in-case of passive Tags
Limitations:
• Extremely short range
• Expensive
• Low information security
• Low market penetration
Suitable for:
• Healthcare devices
• Fitness devices
• Smart Metering

Technology/Protocol: Wi-Fi
Frequency band(s): 2.4 GHz
Advantages:
• Mature technology
• High home/office penetration
• High data rates achievable
• Easy to implement
Limitations:
• Limited range
• Poor building penetration
• High interference from other sources
• Power consumption higher than those technologies that operate in the sub-GHz band
Suitable for:
• Base station in Health Clinics
• Smart Metering
• Home Automation

Technology/Protocol: ZigBee
Frequency band(s): 2.4 GHz, 920 MHz, 915 MHz, 868 MHz, 780 MHz
Advantages:
• Full support of IEEE 11073 device specialization profile
• Longer battery life from low cost coin cells for wearable Devices (source: ZigBee alliance)
• Wireless range up to 70 meters indoor and 400 meters outdoor (source: ZigBee alliance)
Limitations:
• Not widely adopted
• BLE is the direct competition for ZigBee providing different modes/profiles of operation. BLE is getting adopted faster than ZigBee within short span of time
Suitable for:
• Health Monitoring and Safety
• Client Activity Monitoring
• Health and Wellness monitoring

Technology/Protocol: Z-Wave
Frequency band(s): Sub 1 GHz for India (865-867 MHz)
Advantages:
• Standardised by CSR564(E)
• Very successful due to its ease of use and interoperability
• Majority share of the Home Automation market
Limitations:
• Proprietary radio systems available
• Limited Range drives up costs
Suitable for:
• Security systems
• Home automation
• Lighting controls

Technology/Protocol: Wi-SUN
Frequency band(s): Sub 1 GHz for India (865-867 MHz)
Advantages:
• Open standards based
• Interoperable
• High data rate
• Long Range
• Widely adopted in Japan, Singapore and USA. Currently being adopted in Asia, Australia, South America and parts of Europe and other regions
• Low power consumption
• Operates as RF mesh network delivering higher reliability
Limitations:
• Not widely adopted in India
• Based on latest IEEE standard which is not yet adopted widely
Suitable for:
• Smart metering
• Distribution Automation
• Smart Home
• Smart City
• Industrial automation

Technology/Protocol: ANT
Frequency band(s): 2.4 GHz
Advantages:
• Low power mode supporting longer battery life
• Adopted by major mobile manufacturer
• Supports mesh capability which is an edge over BTLE
Limitations:
• BLE is giving direct competition to ANT as it is already supported by all the mobile manufacturer
• Not all mobile Manufacturer is supporting ANT hardware
• Low penetration in market is less due to present eco-system of other Wireless Technologies
Suitable for:
• Fitness device
• Healthcare device

Technology/Protocol: Cellular (2G, 3G, LTE, NB-IoT and 5G)
Frequency band(s): For India, 900 MHz, 1800 MHz, 2100 MHz and 2300 MHz is allocated.
Advantages:
• Mature technology
• Rapid deployment
• Communication modules are low cost and standardised
• Roaming
Limitations:
• Coverage not 100%
• Reliability not the best
• Short technology life-cycle (2G, EDGE, 3G, LTE etc.)
Suitable for:
• Tele-Health
• Remote Health Monitoring
• Smart Metering

Technology/Protocol: LoRa
Frequency band(s): Sub GHz
Advantages:
• Network can be defined by the individuals/owners
• Support long range and high battery life
• High security using AES128 encryption
• Own deployment with no subscription fees
Limitations:
• Works in unlicensed band
Suitable for:
• Smart Metering
• Smart street Lighting solutions
• Asset monitoring

Technology/Protocol: SIGFOX
Frequency band(s): Sub GHz
Advantages:
• Infrastructure being deployed. Several countries SIGFX ready
Limitations:
• Deployment by Network Operator
• Subscription fee
Suitable for:
• Smart Metering, Lighting

Technology/Protocol: DSL
Frequency band(s): 0-2.208 MHz
Advantages:
• Inexpensive (installation and use)
• High SLA
• Less installation time
• Bonded DSL provides inherent redundancy
Limitations:
• Low data security
• Lower throughput
• Higher latency
Suitable for:
• Gateway for Remote Health Monitoring
• Concentrator for Tele-Health
• Home Automation

Technology/Protocol: Ethernet
Frequency band(s): 16, 100, 250, 500, 600 MHz, 1 GHz, 1.6-2.0 GHz
Advantages:
• Inexpensive (installation and use)
• Excellent throughput
• Low installation time
• Easily scalable
Limitations:
• Lowest data security
• Lowest SLA
• Highest latency
• Bursts of additional bandwidth not possible
Suitable for:
• Gateway for Remote Health Monitoring
• Concentrator for Tele-Health
• Smart Metering
• Home Automation

Technology/Protocol: PLC
Frequency band(s): No defined frequency band in India
Advantages:
• Ready infrastructure
• Communication possible in challenging environments such as underground installations, metal-shielded cases etc.
• Long technology life-cycle
• Many standards and protocols available
Limitations:
• Point-to-point communication
• Can cause disturbances on the lines
• Not suitable where power cables are not in a good condition; initial and ongoing line conditioning and maintenance can add significant O&M costs
• Highly trained manpower required for O&M
• Communication not possible in case of an outage
• Absence of regulations on use of frequency bands
Suitable for:
• Smart metering
• Home automation

Source: Technical report (TEC)

4. Role of M2M/IoT in Smart City Mission in India

These are top five technologies which play an important role in building smart cities in India.

o Machine to Machine technologies
o Data Security
o New Storage Technologies
o Technologies for Renewable Energy
o Disaster Management technology

• M2M technology plays an important role in building smart cities because without M2M technology, it would be impossible for Smart Cities to exist.
• The Smart City transformation would be fueled by advance technology and the deployment of intelligence & information management systems.
• Dream of Smart cities can be achieved at accelerated pace with higher reliance on ICT (information and communications technology).
• IoT is the backbone of Smart Cities. However, without a robust security and privacy infrastructure, there can be no practical and safe application of IoT within a Smart City. Access and control standards for ICT networks within the Smart City are imperative for both data and human security, the lack of which can cause serious threats and vulnerabilities to all who live and operate in such cities.
• As Smart Cities grow, the amount of information gathered and stored for analysis and record will grow tremendously. New storage technologies, such as flash, high-capacity drives, software-defined storage and Cloud infrastructures, etc., will only grow to serve IoT deployments needed in Smart Cities.
• Solar, wind, electric mobility, biogas and other alternatives will greatly shape the success of India’s Smart City infrastructure. Smart cities require large amounts of energy supply that can only be achieved through recycling, effective management and new sources of energy.
• It is rightly considered as a horizontal layer in the smart city framework rather than one of the pillars, which means sustainable Smart City will have forms of Smart communication/ICT infrastructure, Smart mobility, Smart Living, Smart Economy, Smart Environment, Smart Governance and Smart Citizens and all of this will ride on M2M & IoT.
• Hence ICT/M2M/IoT will play a significant role in Smart City Mission of India.

5. Conclusion

The internet isn't just for communicating with people; it is now also used to intelligently connect devices which must be able to communicate and interact with speeds, scales, and capabilities far beyond what people originally needed or used. The Internet of Things (IoT) is slowly making the world more agile and functional via M2M and other protocols. M2M represents a developing field with its own concepts that include sensors, communications in local-area and wide-area, server on premises, local scanning devices, user-facing services, and storage and analytics. Additionally, the tech has developed into the mobile environment to further improve people and machine communication, including in monitoring systems that collect data and drive decisions. M2M is also having an impact on the telecommunication industry, helping change how we interact with our devices.

There is a strong market case for producing global specifications. M2M offers unprecedented business opportunities for new devices and services. But if we are to fully exploit these opportunities and grow the market to the scale projected, we need common global standards to reduce complexity, facilitate the roll-out of new devices and services, and provide economies of scale. One such initiative is the oneM2M partnership project, which has developed specifications for a Common Service Layer that are being used by a number of independent open source foundations and projects, in addition to commercial deployments [OCEAN, IOTDM, OM2M, CDOT, HP etc.], as the industry looks to accelerate take up of IoT products and platforms.


6. Glossary

Sl. no.  Acronym  Expansion
1   M2M      Machine to Machine
2   3GPP     3rd Generation Partnership Project
3   BBF      Broadband Forum
4   BEREC    Body of European Regulatory for Electronics Communications
5   BIS      Bureau of Indian Standards
6   CAGR     Compound Annual Growth Rate
7   DEITY    Department of Electronics & Information Technology
8   DoT      Department of Telecommunication
9   DSM      Digital Single Market
10  ETSI     European Telecommunications Standards Institute
11  GSMA     Groupe Speciale Mobile Association
12  HGI      Home Gateway Initiative
13  IDC      Internet Data Corporation
14  IEC      International Electro-technical Commission
15  IEEE-SA  Institute of Electrical and Electronics Engineers Standards Association
16  IETF     Internet Engineering Task Force
17  IoT      Internet of Things
18  ITU      International Telecommunication Union
19  JTC      Joint Technical Committee
20  JWG      Joint Working Group
21  MEITY    Ministry of Electronics & Information Technology
22  MQTT     Message Queuing Telemetry Transport
23  OASIS    Advancing Open Standards for the information society
24  OGC      Open Geospatial Consortium
25  OMA      Open Mobile Alliance
26  SDOs     Standards Development organisations
27  SWD      Staff Working Document
28  TEC      Telecommunication Engineering Center
29  TSDSI    Telecommunication Standards Development Society, India
30  W3C      World Wide Web Consortium
31  WG       Working Group

7. Sources

- Department of telecommunications (DOT)
- National Telecom M2M Roadmap
- Telecom Standards Development Society, India (TSDSI)
- Telecommunication Engineering Center (TEC)
- DEITY/MEITY
- BIS
- European Telecommunications Standards Institute (ETSI)
- IEEE Standards Association
- Advancing open standards for the information society (OASIS)
- International Telecommunication Union (ITU)
- World Wide Web Consortium (W3C)
- elets-smart-city


Annexure: 2

White paper On

Privacy and other Legal Issues in the Internet of Things Ecosystem

This white paper is intended to provide only a macro perspective of key legal issues identified by the Working Group that have an impact on the IoT ecosystem. The intention of the Working Group is to publish further white papers setting out granular perspectives on some or all of the legal issues identified in this white paper.


PART-I PRIVACY ISSUES IN THE IoT ECOSYSTEM

1. Introduction

Technology has significantly reduced human intervention in many day-to-day tasks. The Internet of Things (IoT) has emerged as the single biggest factor in enabling this in recent times. IoT is essentially the inter-connection or interaction of devices, through the Internet, facilitating machine to machine interaction (M2M Interaction), and minimising human intervention. Minimum human intervention is a desired trait for many industries and sectors as this can increase efficiency and productivity. As this need arises across varied sectors such as communication, healthcare, energy, infrastructure, automobiles, etc., IoT has become relevant in these spheres.

The IoT ecosystem is heavily dependent on data collection and transmission. Connected sensors collect large amount of data through the Internet, enabling M2M interaction and processing of the data for particular services. Different types of data are transmitted and processed within the IoT ecosystem. The data primarily includes personal data and sensitive personal information such as financial information, location, health related information, etc. Accordingly, the importance of privacy and data security becomes pertinent with the development of IoT. Its emergence has led to large scale device interaction and exchange of data (including sensitive personal data) between them, which in turn has resulted in challenging the existing legal norms in privacy.

This White Paper initially explores the evolution of the right to privacy in India and the existence of the right in the present legal infrastructure. These existing principles of the right to privacy are then examined in the context of the IoT environment, in order to assess if they effectively protect the privacy of the user. This Paper has confined itself to the assessment of B2C interaction in the IoT ecosystem and does not address B2B networks. Further, the Paper has restricted its detailed examination of existing legal norms to information technology law and TRAI regulations, since data within the IoT ecosystem is primarily electronic data. The legal framework for privacy in other jurisdictions and the steps taken to adopt them for IoT is also discussed to provide a comparative perspective. The White Paper then attempts to highlight the gaps that need to be filled and make suggestions in law and policy, for ensuring and safeguarding privacy in the IoT ecosystem.

2. Stakeholders in a personal information transaction

Before examining the impact of privacy laws that regulate the transmission of personal data and information in the IoT ecosystem, it is crucial to understand the flow of such information among the various stakeholders within an information transaction. Further, most privacy laws across the world have affixed roles and obligations on these stakeholders.


The primary interaction in a personal information transaction is between the provider of the data or the person who is the subject of the personal information (Data Subject) and the person collecting and processing such data, for a specific purpose determined by that person or under whose control, the data is processed (Data Controller). Besides the primary stakeholders mentioned above, others in a personal information transaction include entities/persons who process the data of Data Subjects on behalf of the Data Controller at multiple levels and types of data (Data Processors). Data Processors are also cast with similar obligations as that of Data Controllers under most privacy laws. Most privacy legislations regulate the flow of personal information between these stakeholders, by specifying certain rights that the Data Subject may have in relation to his/her information and certain duties cast upon the Data Controller/Data Processor in handling the personal information. Considering that most personal information relates to a natural person and bears attributes that identify such person, it can be concluded that most Data Subjects are individuals.

A flow chart depicting a personal information transaction in the context of Indian data protection law under the Information Technology Act, 2000, can be found in the Exhibit 1 to this white paper.

3. Laws on privacy and data protection in India

Black’s Law Dictionary defines “privacy” as the quality, state or condition of being free from public attention, intrusion into, or interference with one’s acts or decisions. Black’s Law Dictionary further defines “informational privacy” as the right to choose to determine whether, what, how and to what extent information about oneself is communicated to others, especially sensitive and confidential information. This definition becomes relevant in the context of the IoT ecosystem as informational privacy and its concepts are being challenged with the evolution of IoT.

3.1. Evolution and Constitutional basis for privacy in India

The Supreme Court has recently in Justice K S Puttaswamy and Anr. v. Union of India finally settled the debate as to whether the right to privacy in India, is a fundamental right, guaranteed under the Constitution. The court unanimously held that the right to privacy is a fundamental right, with the majority holding that such right primarily resides in Article 21 (Right to Life and Personal Liberty) as well as other fundamental rights guaranteed under the Constitution.

Note: This section only provides a brief insight into the various laws that govern data protection and privacy in India, with specific context to electronic data. This section does not provide a critical analysis of the legislations discussed and is only meant to give an understanding of the current legal position on data protection in India.


Prior to this, the discussion on the right to privacy has transformed over the course of various judicial decisions. In M.P Sharma v. Satish Chandra, District Magistrate Delhi[1], the Supreme Court while considering the ambit of Article 20(3) (right against self-incrimination), held that since the right to privacy has not been expressly set out in the Constitution, there was no basis to impute it under other Fundamental Rights. Kharak Singh v. State of Uttar Pradesh[2], a subsequent case, involved addressing the constitutionality of certain police regulations that allowed the police to conduct domiciliary visits and surveillance of persons with a criminal record. These regulations were challenged on the grounds that they were a violation of the right to privacy under ‘personal liberty’ in Article 21. While the Supreme Court invalidated the police regulations on domiciliary visits, it refused to recognise that the right to privacy existed under the Constitution. It upheld the existence of the common law right of ordered liberty, based on which, part of the police regulations on domiciliary visits were held to be violative of the right to personal liberty under Article 21. However, this decision of the Supreme Court has been held to be inherently inconsistent by the Puttaswamy decision, and thereby overruled.[3]

The question of the right to privacy as a fundamental right under the Constitution once again came before the Supreme Court in Gobind v. State of Madhya Pradesh[4], which involved a similar question of constitutionality of regulations relating to police surveillance including domiciliary visits. In this case, the court did not explicitly recognise the right to privacy under the Constitution but did allude to the possibility of its existence in the penumbral regions of other Fundamental Rights under the Constitution. However, the court further stated that even if one is to assume the existence of the right to privacy, it would not be an absolute right and could be curtailed for reasons of compelling state interests. While the Court in Gobind did not expressly hold the existence of right to privacy, subsequent cases in the Supreme Court have construed this decision as confirming the right to privacy under the Constitution.

In the case of Rajagopal v. State of Tamil Nadu[5], the Supreme Court for the first time directly linked the right to privacy with the Constitution. Subsequently, the Supreme Court went on to evolve various principles on the right to privacy through case law. This included the right to privacy in the context of free speech, sexual identities, freedom from unauthorised search and seizure, etc. It is pertinent to note that the fundamental right to privacy is available only against state action and not against private parties. However, since most of these decisions by the Supreme Court were by smaller benches than that of M P Sharma and Kharak Singh, the unequivocal existence of the right to privacy as a fundamental right under the Constitution was not addressed until the recent decision of K S Puttaswamy.

1 (1954) SCR 1077

2 (1964) SCR (1) 332

3 The Supreme Court in the Puttaswamy case opined that the inconsistency in Kharak Singh arose from (i) the Court first holding that an unauthorised intrusion into a person’s home would violate that person’s common law right of ordered liberty, which in turn was derived from a U.S Supreme Court judgement in Wolf v. Colorado which based the entire premise of such right on a right to privacy and thereby striking down the regulation on domiciliary visits as violative of Article 21 and; (ii) thereafter concluding that the right to privacy was not part of the Constitution.

4 1975 SCR (3) 946

5 1994 SCC (6) 632


The decision in K S Puttaswamy came about, when the Supreme Court was deciding on the validity of Aadhar. In the course of the Aadhar case, the question on the existence of the fundamental right to privacy was required to be addressed, after which a nine judge bench of the Supreme Court was constituted for the same. The Court went on to hold that the right to privacy is a fundamental right under the Constitution and is subject to similar restrictions[6] applicable to the other fundamental rights, from which it flows. The Court elaborated that privacy has both a positive and negative content. The negative content restrains the state from committing an intrusion upon the life and personal liberty of a citizen, while the positive content imposes an obligation on the state to take all necessary measures to protect the privacy of the individual.

The Court also discussed informational privacy under the ambit of right to privacy. Informational privacy recognises the individual’s right to have control over the dissemination of his/her data. This has been referred in the judgement in the context of electronic data and data over the Internet. Further, informational privacy is available against both state and non-state actors. Violation of informational privacy by state actors is mostly through surveillance, profiling, etc. Non-state actors could violate privacy through unauthorised access and processing of data and information. The Court has gone on to recognise the need for a comprehensive data protection legislation for violations of privacy through non-state actors. The committee for such a legislation has been set up under Justice B.N Srikrishna. It is pertinent to note that any developments on this front will be relevant to the IoT industry.

3.2. Existing legislations[7] relating to the right to privacy, data protection in India

Presently, India does not have any exclusive omnibus legislation governing privacy and data protection. Generally, the contractual terms between the parties govern the issue of data protection & privacy by way of confidentiality provisions and parties are free to determine their relationship by defining information that requires protection and its usage and seek enforceability under the Indian Contract Act, 1872. However, the legal principles on privacy and data protection are embodied in various legislations such as the Information Technology Act, 2000, Encryption Laws, The Telecom Regulatory Authority of India (TRAI) Regulations, etc. The legislations discussed below are restricted to privacy in relation to electronic and computer data. Other legislations which address the right to privacy in different forms have not been covered.

6 The majority in the Puttaswamy decision held that any intrusion or encroachment on the right to privacy would have to satisfy a three-fold test in order to be considered a reasonable restriction on such right: (i) the encroachment has to be pursuant to and under the authority of valid law; (ii) such law should clearly define the need for such encroachment, which should be in furtherance of a legitimate government objective and (iii) there should be a rational nexus and proportionality between such objective and the means adopted to achieve them (in other words, the means shouldn’t be in excess of the objective).

7 Legislations includes sub-ordinate legislation such as rules, regulations, license terms and guidelines of regulatory authorities.


3.2.1. Information Technology Act, 2000

The provisions under the Information Technology Act, 2000 (IT Act) and subsequent amendments have tried to address privacy concerns with respect to electronic information and data. It addresses issues relating to payment of compensation by a company in case of wrongful disclosure and misuse of personal and sensitive information of the person concerned. The disclosure of information sans consent of the person concerned and in breach of lawful contract has been made punishable for a definite term.

The IT Act has an exception to the general rule of maintenance of privacy and data protection. This exception is where the government is satisfied that it is necessary or expedient to do so in the interest of the sovereignty, integrity and defence of India, security of the State, friendly relations with foreign States or public order. The government in such instances is empowered to intercept, monitor or decrypt any information or data including information of a personal nature. The exception under the IT Act is broad in scope and the IT Act does not have independent mechanisms to ensure that the tests outlined in the Section are effectively met. In most cases the review of whether the standard has been met will be an ex post facto review rather than an ex ante review. Given the scale of information that is on the internet, this unfettered power to monitor communications can result in warrantless searches and seizures. This raises massive privacy concerns given the Government’s broad power to intercept. A mechanism like the United States Foreign Intelligence Surveillance Court, which has to authorise requests to intercept, may be more useful in ensuring that Government power does not go unchecked. Such a court, however, will have to work far more independently and judiciously than the FISA courts are currently known to work.

Further, the specific provisions relating to notice, choice and consent of the Data Subject for processing personal information by Data Controllers (service providers) are dealt with under The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Privacy Rules). The IT Privacy Rules impose an obligation on companies to protect personal information and sensitive data that is collected by them and take the Data Subject’s written consent before sharing the same with third parties. These rules are a manifestation of India’s current position on having a co-regulatory regime for data protection and not a comprehensive omnibus privacy legislation.

The IT Privacy Rules has categorised information into “personal information” and “sensitive personal data and information” (SPDI). Personal information is any information that is directly attributable to the identity of an individual and is capable of identifying such individual. SPDI is information relating to the password, financial information, physical, psychological and mental condition, sexual orientation, medical records and biometric information of the Data Subject. However, post the coming into force of the IT Privacy Rules, a clarification was issued by the Ministry of Electronics and Information Technology, which appeared to restrict the application of the IT Privacy Rules to SPDI only. Regardless


of this ambiguity, it is pertinent to note that most IoT devices collect and process SPDI, due to which the IT Privacy Rules in its entirety is applicable to a large part of the IoT ecosystem.

The IT Privacy Rules requires Data Controllers (body corporates or companies) collecting such information to have a privacy policy that gives notice and information relating to its practices and policies on such data. The privacy policy must contain clear and accessible statements on the type of information collected, purpose for which the information is collected and disclosure policies relating to the information, etc.

The IT Privacy Rules provides that the Data Subject’s consent is required for collecting SPDI. Further, the information may be collected only for a lawful purpose and such purpose must be made known to the Data Subject. The information collected must be utilised only for the purpose for which it was collected. The Data Subject must also be given a choice to not disclose the information and must be enabled to withdraw consent for utilisation of the information given. Further, disclosure of information or SPDI to any third party must be made only with the prior permission of the Data Subject, unless the contract under which it has been made stipulates such terms. Personal information and SPDI may be transferred to other entities subject to the consent of the Data Subject and the transferee ensuring the same level of protection that the Data Controller maintains with respect to the information collected. This is an important provision from a cross border data flow perspective which is fairly typical to an IoT transaction, considering that the inter-operability of IoT devices and the processing of IoT generated data extend across borders.

Data analytics can use meta-data to provide targeted delivery of goods and services but can also be used to deprive people of access to public goods, e.g. Insurance Companies may use metadata to statistically determine which income group is more willing to pay a higher premium rather than implementing existing actuarial science to arrive at premium calculations. Further, metadata can be used by Pharmaceutical companies to target ads at people with specific conditions based on their search histories. As metadata is an indirect means of identifying an individual, metadata can also be used to track down a data subject. The current IT Privacy Rules do not extend the definition of SPDI to metadata that is collected by service providers and used to provide targeted consumer services. However, the IT Privacy Rules has defined personal information to include information that can be attributed to an individual directly, indirectly or in combination with other information. The wide ambit of the definition can be said to include metadata that, together with other data, is capable of identifying an individual and thereby subject to the requirements of the IT Privacy Rules. Since this is a matter of interpretation, it may be best that the legislature makes this inclusion abundantly clear.

3.2.2. Regulations relating to data protection and privacy by telecom service providers and Internet service providers

The regulatory requirements in relation to use of encryption, data protection and privacy that is to be ensured by Data Controllers are set out in various legislations such as The Information Technology Act,


2000, Indian Telegraph Act, 1885, the Unified Access Services Agreement (UAS License) and the Internet Service Providers License Agreement (ISP License). Section 84A of the IT Act lays down the modes or methods of encryption. It grants the authority to the government to prescribe modes or methods of encryption for secure use of the electronic medium, and to promote e-governance and e-commerce. However, the government has not yet come up with any encryption rules under this section.

Section 69B of IT Act empowers the central government to monitor and collect internet traffic data or information passing through any computer resource for reasons of cyber security both in terms of prevention and redressal. In this regard, the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009, prescribes for intermediaries to adhere to the directions for monitoring and collecting Internet traffic data that may be issued by the secretary of the Ministry of Communications and Information Technology. Upon receipt of such directions, intermediaries such as website service providers, Internet service providers, OTT service providers etc. will need to comply with the government’s requirement for monitoring and/or intercepting Internet data traffic on their networks.

The UAS License Agreement is entered into between a telecom service provider and the Department of Telecommunications (DoT) for the provision of specified wireless and telecom services in a particular area. A service provider under the UAS License Agreement must comply with certain conditions of the license relating to data protection and privacy. This also includes putting in place infrastructure to enable the government to intercept and access calls and information when necessary[8]. Further, the UAS License Agreement consists of clauses requiring service providers to disclose the call data records to law enforcement agencies when required[9].

The ISP License entered between the Department of Telecommunications (DoT) and an Internet Service Provider (ISP) permits use of encryption technologies only up to 40 bits with a symmetric cryptographic algorithm or its equivalent without any prior approval from DoT. However, if the ISP wishes to upgrade its encryption level beyond 40 bits, it will have to get prior approval from the DoT and deposit the decryption keys with DoT.

In 2016, WhatsApp, an instant messaging application, came up with 256 bit end to end encryption technology for all its users across the globe. There had been a flurry of reports on how WhatsApp was infringing the existing policies of encryption in India. WhatsApp claimed that it is a service owned by Facebook Inc., and is not an individual or group or organisation as covered under license terms between ISPs and DoT. WhatsApp claimed that it is purely an ‘Over The Top’ (OTT) service and the existing regulations do not bind them. Instead the onus would fall on ISPs on which this OTT service is riding, to obtain prior approval from DoT. Hence, the laws governing encryption for OTT are operating

8 Stakeholder Report Universal Periodic 27th Session: The Right to Privacy in India, October 2016, Centre for Internet and Society and Privacy International

9 ibid


in a grey area with no legal precedents or rules to allow or deny this high level of encryption standards. Some clarity could emerge, once the encryption rules under the IT Act are issued.

End to end encryption also poses a new challenge for law enforcement as they will at all times need the consent of a person under investigation to unlock the data. The advent of end to end encrypted e-mail services like Tutanota and messaging services like Signal mean that the data is encrypted behind a password. A court may have issues with compelling a person to reveal their password as this will conflict with the person’s right against self-incrimination. Since the data is encrypted on the basis of the passwords, no one person can unlock the data and only when there is a key pair can the data be unlocked. These challenges need to be looked into by the law and there need to be mechanisms in place that can compel a password or other electronic data residing in a personal device that has the potential to be self-incriminatory, to be revealed should there be an order from a court asking that it be revealed.

3.2.3. The Indian Telegraph Act, 1885

The Indian Telegraph Act, 1885 lays down provisions in relation to wire-tapping/interception of communication and how it invades individual’s privacy. The Act gives power to the government and officers in charge to intercept private communication (including calls and messages) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offense. However, these interceptions have to be done only with specific orders from the government and in a regulated manner as provided under the law. Any person or officer in charge who does it unlawfully will be penalised.

In the case of People’s Union for Civil Liberties v. Union of India[10], the petitioner had filed a case against the State for intercepting phone calls. Recognising procedural lapses that had occurred, the court set out procedural safeguards which would have to be followed, even as it did not strike down the provision relating to interception in the Telegraph Act 1885. In arriving at its decision, the court observed: “Telephone-tapping is a serious invasion of an individual's privacy. It is no doubt that every government, howsoever democratic, exercises some degree of sub-rosa operation as a part of its intelligence outfit, but at the same time a citizen's right to privacy has to be protected from being abused by the authorities of the day.” The court held: “Telephone-tapping would, thus, violate Article 21 of the Constitution of India unless it is permitted under the procedure established by law.” The Supreme Court placed restrictions on the class of bureaucrats who could authorise such surveillance and also ordered the creation of a ‘review committee’ which would review all surveillance measures authorised under the Act.

10 [(1997) 1 SCC 30]


Under the definition of Telegraph under the Telegraph Act, 1885 a computer connected to the internet would also function as a Telegraph. While the IT Act and Telegraph Act (through subsequent amendment) have put in place a procedure for interception and surveillance, these appear to be completely government driven and therefore not in consonance with the spirit of the PUCL judgement. Accordingly, an independent judicial pre/review authority structured along the lines of the United States Foreign Intelligence Surveillance Court (with more independence and high level scrutiny of the executive government’s reasons for seeking court orders than FISA courts currently do), that reviews interception requests and checks them for constitutionality, may be the order of the day.

3.2.4. TRAI Regulations

The Telecom Regulatory Authority of India (TRAI) has issued several guidelines to telecom service providers in relation to maintaining user’s privacy and confidentiality. One of them introduced by the authorities was the Telecom Unsolicited Commercial Communications Regulations, 2007. The purpose behind creating such a mechanism was to allow subscribers to avoid receiving unsolicited marketing communications and thereby prevent invasion of privacy. This regulation has defined “Unsolicited Commercial Communication” as any message, through telecommunications service, which is transmitted for the purpose of informing about, or soliciting or promoting any commercial transaction in relation to goods, investments or services which a subscriber opts not to receive. As per the TRAI order, all telecom service providers need to have an appropriate system in place in order to prevent breach of confidentiality of information belonging to subscribers and ensure privacy of communication.

3.2.5. Guidelines on medical and health related data

The Medical Council of India (MCI) Code of Ethics Regulations sets the professional standards for medical practice. These provisions regulate the nature and extent of doctor-patient confidentiality. It also establishes norms in relation to consent to a particular medical procedure and sets the institutionally acceptable limit for intrusive procedure or gathering excessively personal information when it is not mandatorily required for the said procedure. The provision addressed under these regulations pertains to the security of the information collected by medical practitioners and the nature of doctor-patient confidentiality.

It is the duty of doctors to protect the confidentiality of patients during all stages of the procedure and with regard to all aspects of patient information including any information relating to their personal and domestic lives[11]. However, the regulations provide an exception for where the law requires the revelation of certain information, or if there is a serious and identifiable risk to a specific person and/or community of a notifiable disease.

11 Code of Ethics Regulations, 2002 Chapter 2, Section 2.2


Further, in July 2017, the Law Commission of India published a report on Draft Use and Regulation of DNA Based Technology Bill 2017 (DNA Bill), which provides regulations on the use of DNA based technology. It provides for a framework for collection, storage and use of DNA data and restricts the circumstances under which such DNA data is used. The DNA Bill further provides for consent required in collecting DNA samples and restricts the collection of such samples only to specific purposes.

3.2.6. Aadhar Act

The Aadhar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhar Act) provides for the procedure and rules involved in enrolment and assignment of Aadhar number for citizens, by collecting the biometric information of individuals. The biometric information under the Aadhar Act has been categorised as SPDI as defined in the IT Act. The Aadhar Act further casts a duty on the enrolling agency collecting biometric and other personal information, to inform the individual submitting such information about the manner in which the information will be collected and stored and the nature of recipients with whom the information is intended to be shared. The individual submitting the information must be notified of the right to access the information, the procedure for such access and the details of the person in charge to whom the request for access is to be made.

The authority under the Aadhar Act (UIDAI) is empowered to perform authentication of the Aadhar number holder, on the request of a requesting entity. The requesting entity must obtain the consent of an individual by stating the purpose of the authentication and ensure that the information is used only for the authentication. The requesting entity must inform the individual whose information is authenticated, the nature of the information collected, the uses of the information received during authentication and alternatives to the submission of information.

The Aadhar Act also prescribes obligations on UIDAI for ensuring security and confidentiality of information collected from individuals, through technological and organisational measures. Such measures must ensure that the information is protected against unauthorised use, access or disclosure. Unauthorised use is any such use that is not as per the Aadhar Act. The Aadhar Act also penalises the publishing of identity information of individuals to the public.

4. CurrentgenerallegalprinciplesinrelationtodataprotectionandprivacyThefollowinggeneralprinciplesoftherighttodataprivacyareculledoutfromtheabovelegislationsonprivacyinIndiaandcansaidtobethebasisforexistinglawsonprivacyinIndia.12

12 The Group of Experts on Privacy under the Chairmanship of Justice A.P Shah, in its report, has also enumerated a set of National Privacy Principles (explained in Section 5), which represent the foundation of any regime to privacy.


• Notice: This principle ensures that Data Subjects are informed of how their personal information will be used, including the intention and practices relating to the data collected, and allows the Data Subjects to hold Data Controllers accountable. The Data Controller must give notice of its information practices in clear and concise language to the Data Subject on the purpose of collection, use and security practices in relation to the information. Further notices on data breaches, legal access and changes in the privacy policy of the data collection must also be given.

• Choice and Consent: The Data Controller needs to give a choice to the Data Subject to opt-in or opt-out of giving personal information. Further, the Data Controller needs to take the Data Subject’s consent before taking the information. The IT Privacy Rules recognises only written consent given through fax or email. However, a subsequent clarification issued specified that consent can be taken through any valid electronic means. In this regard, the IT Act also recognises electronic signatures and electronic authentication methods which could be extrapolated to mean click-wrap and shrink wrap consent (under secure, controlled conditions), as an extension of written consent13.

The Data Subject must at any time also have an option to withdraw his/her consent that is already given. This empowers the Data Subject to approve and authorise collection and usage of their information for defined purposes.

• Limitation on collection and purpose: The Data Controller must limit the collection of personal information for certain identified purposes and collect only such information that is required for the identified purpose. This principle also brings forward the concept of data minimisation, where organisations deal with minimum personal information of the individual, reducing the probability of its misuse. It also ensures that the personal information is retained by the Data Controller only as long as is necessary for fulfilling the purpose for which such information is collected.

• Disclosure of Information: A Data Controller should not disclose the information to third parties without the consent of the Data Subject. This ensures that the Data Subject has authorised transfer to third parties. Furthermore the principle makes any de-anonymisation of information that was anonymised a violation of the principle.

• Ensuring security of information: The Data Controller is required to implement security practices and measures for protecting the stored personal information of the Data Subject. Such security practices include managerial, technical, operational and physical security control measures. The IT Privacy Rules has prescribed standards such as IS/ISO/IEC 27001 for meeting this requirement.

13 On the other hand, the Privacy Bill recognises consent given by the Data Subject through any medium.


5. Proposed privacy legislation/policy

5.1. Report of the Group of Experts on Privacy under Justice A.P Shah

The Group of Experts on Privacy under Justice A. P Shah (A.P. Shah Committee) was constituted for providing an in-depth analysis of the privacy regime in India, and identifying recommendations which may be considered while formulating the regulatory framework on privacy. The A.P Shah Committee enumerated nine National Privacy Principles14 which are to be the basis of any privacy regulatory framework in India. They are:

➢ Notice: A data controller shall give simple-to-understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include:

a) During Collection: What personal information is being collected; Purposes for which personal information is being collected; Uses of collected personal information; Whether or not personal information may be disclosed to third persons; Security safeguards established by the data controller in relation to the personal information; Processes available to data subjects to access and correct their own personal information and; Contact details of the privacy officers and SRO ombudsmen for filing complaints.

b) Other Notices: Data breaches must be notified to affected individuals and the commissioner when applicable; Individuals must be notified of any legal access to their personal information after the purposes of the access have been met; Individuals must be notified of changes in the data controller’s privacy policy; Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.

➢ Choice and Consent: A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorised agencies. The data subject shall, at any time while availing the services or otherwise, also have an option to withdraw his/her consent given earlier to the data controller. In such cases the data controller shall have the option not to provide goods or services for which the said information was sought if such information is necessary for providing the goods or services. In exceptional cases, where it is not possible to provide the service with choice and consent, then choice and consent should not be required.

➢ Collection Limitation: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.

14 Report of the Group of Experts on Privacy under Justice A.P. Shah, Planning Commission, 2012- Pages 21-27

➢ Purpose Limitation: Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.

➢ Access and Correction: Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion of such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data. Access and correction to personal information may not be given by the data controller if it is not, despite best efforts, possible to do so without affecting the privacy rights of another person, unless that person has explicitly consented to disclosure.

➢ Disclosure of Information: A data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes must be in accordance with the laws in force. Data controllers shall not publish or in any other way make public personal information, including personal sensitive information.

➢ Security: A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, de-anonymisation, unauthorised disclosure [either accidental or incidental] or other reasonably foreseeable risks.

➢ Openness: A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.

➢ Accountability: The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies; including tools, training, and education; external and internal audits, and requiring organisations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.


The A.P Shah Committee report further recommended five salient features15 any privacy regulatory framework must have. They are:

• Technological Neutrality and Interoperability with International Standards: Any proposed framework for privacy legislation must be technologically neutral and interoperable with international standards. It should not make any reference to specific technologies and must be generic enough such that the principles and enforcement mechanisms remain adaptable to changes in society, the marketplace, technology, and the government. To do this, it is important to closely harmonise the right to privacy with multiple international regimes, create trust and facilitate co-operation between national and international stakeholders and provide equal and adequate levels of protection to data processed inside India as well as outside it. In doing so, the framework should recognise that data has economic value, and that global data flows generate value for the individual as data creator, and for businesses that collect and process such data. Thus, one of the focuses of the framework should be on inspiring the trust of global clients and their end users, without compromising the interests of domestic customers in enhancing their privacy protection.

• Multi-Dimensional Privacy: A framework on the right to privacy in India must include privacy-related concerns around data protection on the internet and challenges emerging therefrom, appropriate protection from unauthorised interception, audio and video surveillance, use of personal identifiers, bodily privacy including DNA as well as physical privacy, which are crucial in establishing a national ethos for privacy protection, though the specific forms such protection will take must remain flexible to address new and emerging concerns.

• Horizontal Applicability: Any proposed privacy legislation must apply both to the government as well as to the private sector. Given that the international trend is towards a set of unified norms governing both the private and public sector, and both sectors process large amounts of data in India, it is imperative to bring both within the purview of the proposed legislation.

• Conformity with Privacy Principles: The framework should conform with the nine National Privacy Principles (discussed above). These principles, drawn from best practices internationally, and adapted suitably to an Indian context, are intended to provide the baseline level of privacy protection to all individual data subjects. The fundamental philosophy underlining the principles is the need to hold the data controller accountable for the collection, processing and use to which the data is put thereby ensuring that the privacy of the data subject is guaranteed.

• Co-Regulatory Enforcement Regime: It provides for the establishment of the office of the Privacy Commissioner, both at the central and regional levels. The Privacy Commissioners shall be the primary authority for enforcement of the regulatory framework. However, rather than prescribe a pure top-down approach to enforcement, this report recommends a system of co-regulation, with equal emphasis on Self-Regulating Organisations (SROs) being vested with the responsibility of autonomously ensuring compliance, subject to regular oversight by the Privacy Commissioners. The SROs, apart from possessing industry-specific knowledge, will also be better placed to create awareness about the right to privacy and explain the sensitivities of privacy protection both within industry as well as to the public in respective sectors.

15 Supra n. 14, Pages 4-5

The first and the last features discussed above are of particular relevance in the IOT ecosystem. Interoperable privacy principles will enable uniformity across different types of stakeholders within the IOT ecosystem, enhancing seamless interaction of devices. A co-regulatory enforcement regime with SROs will ensure that concerns of stakeholders, with respect to complying with data protection regulations are addressed effectively.

5.2. Privacy Protection Bill, 2013

A committee for framing a regulatory framework for data protection has been formed, under Justice B.N. Srikrishna. The recent judgement on privacy has also referred to the committee and directed them to frame data protection legislation, suitable to the demands of rapid technology growth. Previously, the Privacy Protection Bill, 2013 (Privacy Bill) was framed with an intent to strengthen privacy and data protection laws in India. Although the Privacy Bill has not been converted into law till date, and appears to have been put into cold storage, it is worth noting the provisions of the Privacy Bill to have an insight on the impact of a potential data protection legislation in India.

The concept of “Privacy” has not been defined in the Privacy Bill per se, however it specifically focuses on the protection of personal and sensitive personal data of a person. “Personal Data” has been defined as any data which relates to a natural person if that person can, whether directly or indirectly in conjunction with any other data, be identified from it and includes sensitive personal data. Sensitive personal data includes biometric data, deoxyribonucleic acid data (data concerning the characteristics of a person that are inherited or acquired during early prenatal development), sexual preferences and practices, medical history and health, political affiliation, commission, or alleged commission, of any offense, ethnicity, race or caste, religion, financial and credit information.

The Privacy Bill lays down specific provisions in relation to collection, storage, processing, transfer, security, confidentiality and disclosure of personal and sensitive personal information of the person. Consent of the Data Subject in regard to the collection and processing of data will have to be obtained by the Data Controller. Important provisions relating to it are as follows:

a) Consent of the Data Subject is not required under the following instances:

• Emergency medical service to the Data Subject;
• Establishment of the identity of the Data Subject and the collection is authorised by law in this regard;
• Preventing a reasonable threat to national security, defence or public order; or
• Preventing, investigating or prosecuting a cognisable offence.


b) The processing of personal data for a purpose other than for which it was collected is possible only if:

• The Data Subject gives consent to the processing and only that personal data that is necessary to achieve the other purpose is processed;
• it is necessary to perform a contractual duty to the Data Subject;
• it is necessary to prevent a reasonable threat to national security, defence or public order; or
• it is necessary to prevent, investigate or prosecute a cognisable offence.

c) The Data Subject must be informed of the following prior to the disclosure of his/her personal data:

• when it will be disclosed;
• the purpose behind the disclosure;
• the security practices, privacy policy and other policies, if any, that will protect the Data Subject; and
• the procedure for recourse in case of any grievance in relation to it.

d) In relation to sensitive personal data, it lays down strict provisions such as:

• no person is allowed to store any sensitive personal data for a period longer than is necessary to achieve the purpose for which it was collected, or if that purpose has been achieved or ceases to exist for any reason;

• processing of such sensitive personal data for a purpose other than the purpose for which it was collected is not allowed;

• no person should disclose sensitive personal data to another person, or otherwise cause any other person to come into the possession or control of the content or any other details in respect of sensitive personal information.

6. The IoT challenge to principles of privacy

IoT devices provide significant benefits to individual consumers across different aspects of their lives. Data and especially personal data, underpins and delivers most of these benefits. Consequently, the interaction of IoT devices with individuals would pose ongoing and real time challenges to the privacy of an individual, as they impact lifestyles on a daily basis and permeate into the day to day privacy of the individual. Such interaction with the daily privacy of individuals can lead to potential risks affecting the daily life of people. Hence, it is pertinent to address the challenges created by IoT in the privacy of an individual.


The advent of IoT has challenged the principles of privacy as derived from the above laws, as they cannot be effortlessly applied for data collection and processing within the IoT ecosystem. The processing of data involves the coordinated intervention of various stakeholders within the ecosystem.16 These stakeholders are device manufacturers, data platforms, data aggregators or brokers, application developers, social platforms, etc. The intervention involves extensive processing of data, resulting in sensors exchanging information in an unobtrusive and seamless manner.17

The feasibility of providing notice to the Data Subject within the IoT ecosystem comes into question, as traditional forms of notice on information practices are difficult to implement in an environment where many sensors/devices at multiple levels are measuring and tracking various data simultaneously. It is difficult to give notice at all instances of collection and processing, as it will be burdensome on both the consumers and the stakeholders. The same challenge exists for following traditional methods of providing choice and written consent (as under the IT Privacy Rules). Further, most IoT devices do not have a screen or interface where they can communicate notice and obtain consent from the Data Subject, or the existing interface in the device is not sufficient for such communication18.

Concepts on limiting the collection of information and limiting the purpose for which the information may be lawfully used, are also subject to scrutiny within the IoT environment. Data minimisation is one such concept where companies should limit the data they collect and retain, and dispose of it once they no longer need it19. Data minimisation may not be a feasible option for IoT as it is overtly rigid and may hinder the potential for innovation, in terms of developing and creating more services within the IoT ecosystem. However, it continues to remain an essential element for the protection of privacy within the IoT ecosystem and cannot be ignored. The applicability of some of these legal principles and laws based on them, is illustrated through case studies in section 6 below.

7. Case studies

7.1. Self-Driving/Driverless Cars

Driverless and autonomous cars have sensors and cameras fitted in them that gather and relay data for the purposes of navigation towards a destination. The data gathered comprises mainly geo-location along with other more intimate details such as driving habits, biometric data etc. Additionally, constant real time communication within the ecosystem of the car can also be accessed by Data Controllers. Although the general principles of privacy may be applied to a limited extent, the current law in India fails to address certain issues unique to a self-driving car. For example, the requirement of notice and consent before collecting information is difficult to implement, where information is being gathered at the time of driving, in real time and such information is different from what the owner of the car has initially consented to.

Further, hacking into the car’s telematics unit is not beyond the realm of possibility and this could pose serious risks to the occupant of the car, as the hacker could control the car’s engine and braking functions. In this regard, the data security requirements under the IT Privacy Rules, would, at the very minimum, have to be met by the car manufacturer/ancillary service providers, to avoid liability under the IT Privacy Rules.

16 8/2014 on Recent Developments on the Internet of Things, Working Party 29 on the protection of individuals with regard to the processing of personal data, Sep 16, 2014
17 ibid.
18 Internet of Things- Security and privacy in a connected world, Staff Report, Federal Trade Commission, USA, January, 2015
19 ibid.

7.2. Fitness Devices/Wearable technology

These are devices that are carried by individuals who want to regularly record information about their lifestyles and habits. Examples of such devices are fitness trackers, sleep trackers, smart clothing, shoes, etc. The information collected by such devices is mostly related to the individual’s physical activities or particular physical state, like burned calories, body temperature, etc. However, a number of these devices also measure other physiological and health related data such as blood-pressure, pulse rate, etc. The analysis of data gathered from these devices can be used to infer further health related information.

It is pertinent to note that most information collected by these devices is in the nature of SPDI. Accordingly, any SPDI collected that is not consented to by the Data Subject or disclosed as being collected by the Data Controller, would need specific consent for such collection. Further, the IT Privacy Rules mandates that data collected should only be used for the purpose for which it is collected. Any use of such data beyond stated uses, will need consent once again from the Data Subject.

8. Laws on privacy and IoT policy in other jurisdictions

8.1. Europe

The right to data privacy is heavily regulated and enforced in Europe. Article 8 of the European Convention on Human Rights (ECHR) provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence. According to the Court's case law, the collection of information by officials of the state about an individual without their consent always falls within the scope of Article 8. Thus, gathering information for the official census, recording fingerprints and photographs in a police register, collecting medical data or details of personal expenditures and implementing a system of personal identification have been adjudged to raise data privacy issues. Any state interference with a person's privacy is only acceptable for the Court if three conditions are fulfilled20:

• The interference is in accordance with the law
• The interference pursues a legitimate goal
• The interference is necessary in a democratic society

20 Handbook on European Data Protection Law, European Union Agency for Fundamental Rights/Council of Europe, 2014, April 2014.

The EC believes that the government is not the only entity, which may pose a threat to data privacy. Other citizens, and private companies most importantly would engage in far more threatening activities, especially since the automated processing of data became widespread. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was concluded within the Council of Europe in 1981. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did21.

As all the member states of the European Union are also signatories of the European Convention on Human Rights and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the European Commission was concerned that diverging data protection legislation would emerge and impede the free flow of data within the EU zone. Therefore, the European Commission decided to propose harmonising data protection law within the EU. The resulting Data Protection Directive (Directive) was adopted by the European Parliament and ministers from national governments in 1995.22

The Directive contains a number of key principles with which member states must comply. Anyone processing personal data must comply with the eight enforceable principles of good practice. They state that the data must be:

• Fairly and lawfully processed.
• Processed for limited purposes.
• Adequate, relevant and not excessive.
• Accurate.
• Kept no longer than necessary.
• Processed in accordance with the Data Subject's rights.
• Secure.
• Transferred only to countries with adequate protection.

As the frontrunners in privacy legislation, the EU has brought in the General Data Protection Regulation (GDPR) that is set to replace the Directive in 2018. The GDPR has enhanced the framework in relation to privacy and data protection by placing more onerous obligations on companies and overhauling the regulatory and enforcement structure. One of the main purposes of the European Commission in proposing this legislation is to bolster the rights of individuals. The strengthened rights of the users include a right to require information about data being processed about themselves, access to the data in certain circumstances, rectification of data which is wrong, a right to restrict certain processing of data and a right to object to their personal data being processed for direct marketing purposes. Individuals can also ask to receive their personal data in a structured and commonly used format so that it can easily be transferred to another Data Controller. The GDPR expressly recognises Binding Corporate Rules (BCRs) for Data Controllers and Data Processors as a means of legitimising intra-group international data transfers. The BCRs must be legally binding and apply to and be enforced by every member of the group of undertakings/enterprises engaged in a joint economic activity, including their employees. BCRs must expressly confer enforceable rights on Data Subjects.

The GDPR has further included concepts pertinent to IoT such as privacy by design, as part of its framework23. However, the traditional principles of privacy such as notice, consent and choice, continue to exist with tighter compliances under the GDPR, thereby posing challenges within the IoT ecosystem. It is the duty of data processor authorities to notify the user sans any delay, within 72 hours of any sort of data breach to the user. The GDPR has established a tiered approach to penalties for breach of any of its provisions enabling data protection authorities to impose fines for some infringements, of up to the higher of 4% of annual worldwide turnover and EUR 20 million.

21 ibid
22 ibid

8.2. United States of America

Unlike the EU, the US does not have a single overarching privacy law. The Supreme Court interpreted the Constitution to grant a right of privacy to individuals in Griswold v. Connecticut24. Very few states, however, recognise an individual's right to privacy, a notable exception being California. Data privacy is not highly legislated or regulated in the U.S. Access to private data contained in, for example, third-party credit reports may be sought when seeking employment or medical care, or making automobile, housing, or other purchases on credit terms. Under federal laws, certain industries are covered with respect to data protection and processing while others are not. Therefore, laws on privacy and data protection at the federal level are sector specific. These legislations are however based on the general principles of privacy. Examples of U.S federal laws on privacy are the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Fair and Accurate Credit Transactions Act of 2003 (FACTA), the Fair Credit Reporting Act (FCRA), 1970 and the Privacy Act, 1974 applicable to federal databases and federal agencies. There are many state laws on privacy in relation to online data processing and online business handling. Many states have recently also started looking into legislations on the right to privacy.

Additionally, usage, collection, access, processing of data of European Data Subjects by U.S Corporations is controlled through specific international agreements, the most famous example being EU-US Safe Harbor Agreement, 2000 which was held as illegal by the European Court of Justice recently after which the same is sought to be replaced by the Privacy Shield Agreement, 2016 which is a stronger agreement providing for stronger protection for Trans-Atlantic data flows. The challenge in U.S with respect to IoT is similar to most other jurisdictions, as the legislations on privacy are based on similar legal principles. The Federal Trade Commission has come out with a report on the applicability of the above mentioned legislations in the IoT ecosystem, which underlines the importance that privacy concerns in IoT transactions are garnering today.

23 Privacy by design is a concept where it is ensured that privacy is embedded into a new product or data processing at the time of designing, rather than incorporating elements of privacy and data protection at a later stage. Privacy by design is being suggested as an essential feature to be adopted for seamless transmission and processing of data within the IOT ecosystem.
24 381 U.S. 479

8.3. United Kingdom

The United Kingdom does not have a written constitution that enshrines a fundamental right to privacy for individuals. The UK has, however, incorporated the European Convention on Human Rights into its national law, which provides for a limited right of respect towards an individual’s privacy and family life. The primary legislation in the UK that regulates the holding of an individual’s personal data by companies, and consequently has an impact on information concerning the private lives of individuals, is the Data Protection Act, 1998 (DPA). The DPA contains eight principles that regulate how personal data should be handled, which are based on the premise of compliance with general legal principles on privacy. These principles apply to both online and offline data and require that:

• Personal data must be processed fairly and lawfully
• Personal data must be obtained only for one or more specified and lawful purposes, and must not be further processed in any manner incompatible with that purpose or those purposes
• Personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
• Personal data must be accurate and, where necessary, kept up to date
• Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
• Personal data must be processed in accordance with the rights of Data Subjects under the DPA
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

The rights of Data Subjects under the DPA include the right to be notified of any data being processed by the data controller, being given a choice to not provide any personal information about themselves, etc. The Office of Communications (Ofcom), the communications regulator in UK has identified challenges in the applicability of privacy laws within IoT ecosystem which are analogous to those identified in this paper. It specifically calls for conjunction and cooperation of privacy and telecom laws for the regulation of IoT.


9. Recommendations

9.1. Legislative Measures

The traditional principles of privacy as discussed above, cannot be completely eliminated, as they are essential to uphold the privacy of an individual. Therefore, it is essential to incorporate the principles in a workable manner within the IoT ecosystem. In this regard, we recommend the following legislative measures:

9.1.1. Consent, Notice and Collection of data

a) Forms of consent

Consent as contemplated under the current IT Privacy Rules, read with the IT Act, appears to be limited to electronic authentication methods and it is best that it is clarified and expanded to include other modes of consent such as voice recognition, biometric consent, etc. Further, express consent as required under the IT Privacy Rules is difficult to implement in an IoT transaction. The Privacy Bill specifies that consent may be taken in any form from the Data Subject, provided it is not obtained through threat, duress or coercion. This provision needs to be adopted into the existing privacy regime, especially under the IT Privacy Rules, to enable IoT stakeholders to incorporate and capture implied consent in the transaction. For instance, continued use by the Data Subject of an IoT device/service could be construed as implied consent for processing data related to further functionalities of such device. Further, provisions for implied consent also need to be factored in, since express consent may not always be feasible in the IoT ecosystem.

b) Alternative to notice and consent

Given the inherent difficulties in providing notice and procuring consent in every M2M interaction that underpins IoT transactions, an alternative to the requirement of notice and consent, could be defining the uses to which personal information will be put. Such usage definition should be precise, clear and unambiguous in the privacy policy of the Data Controller and as long as the information of the Data Subject collected is confined to such usage, consent could be waived. However, this suggestion will only work where there is a regulatory agency monitoring effective compliance with such usage through periodic audits of the Data Controller and/or compliance reports from the Data Controller. The existing IT Privacy Rules do not provide for such an agency.25

25 The A.P Shah Committee Report provides for setting up an institution of privacy commissioners both at the central and at the state level for monitoring compliance with data protection regulations.


c) Anonymisation of Data

Identifying certain data that could be maintained in a de-identified form could be a viable option to help minimise potential data breaches. In this regard, it can be legislatively mandated for certain identified categories of data to be collected, maintained and processed in a de-identified form, for instance, health data in fitness or health trackers or other data in IoT devices that is not dependent on the identity of the individual to process the data and deliver its functionality. However, such mandate must additionally ensure that the data cannot be re-identified.

9.1.2. Data Minimisation

Although data minimisation may potentially hinder the growth of services in the IoT ecosystem, it continues to remain an integral part of privacy protection law. However, the current provisions under the IT Privacy Rules, require that the Data Controller should not hold SPDI for longer than is required for the purposes for which the information may lawfully be used. These provisions may be modified to include supplementary or ancillary uses of such information beyond the contracted purposes, with sufficient checks and balances on what constitutes supplementary or ancillary use.

9.1.3. Legislation on Data Protection

Since any legislative measures in IoT would not be possible without a change in privacy or data protection law in India, it appears that the need of the hour is an omnibus data protection legislation. In this regard, it is pertinent to note that the Supreme Court in Puttaswamy has called upon the Union government to take concrete measures to bring about such law and has noted the appointment of the Justice B.N Srikrishna Committee. As a guiding framework, the nine privacy principles recommended in the Justice A.P. Shah Report could be considered. Additionally and subsequent to the enactment of comprehensive data protection legislation for India, it may be worthwhile considering adopting a similar data sharing structure such as the Privacy Shield arrangement between the EU and the USA, given that trans-border data flows in an IoT transaction are very likely.

9.2. Industry recommendations

9.2.1. De-Identification of data

Data Controllers should consider what data can be collected and maintained in a de-identified form, and adopt a protocol at device level and user interaction level, to de-identify such data. If data can be processed in a de-identified form effectively, the Data Controller must also ensure that there is no scope for re-identification of such data.
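The following is an added example, not part of the original paper, of the re-identification check that this recommendation and the anonymisation measure in 9.1.1(c) call for: it de-identifies tracker readings with an unkeyed hash and with a keyed HMAC, then audits whether each dataset can be reversed by enumerating candidate identifiers. The record layout, the identifier range and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: heart-rate readings from a fitness tracker, keyed by
# the subscriber's 10-digit mobile number (hypothetical record layout).
READINGS = [
    {"subscriber": "9000000017", "bpm": 72},
    {"subscriber": "9000000042", "bpm": 118},
    {"subscriber": "9000000017", "bpm": 75},
]

# Identifiers an auditor can enumerate (constructed; a real numbering range
# is larger but still small enough to exhaust).
CANDIDATE_IDS = [f"90000000{n:02d}" for n in range(100)]


def plain_hash(identifier: str) -> str:
    """Weak de-identification: unkeyed SHA-256 of the identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret kept apart from the data."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def de_identify(readings, pseudonymise):
    """Replace the direct identifier in each reading with a pseudonym."""
    return [{"subject": pseudonymise(r["subscriber"]), "bpm": r["bpm"]}
            for r in readings]


def reidentification_audit(dataset, candidates, guess_fn):
    """Return {pseudonym: identifier} for every record that can be reversed
    by recomputing guess_fn over the candidate identifiers."""
    table = {guess_fn(c): c for c in candidates}
    return {row["subject"]: table[row["subject"]]
            for row in dataset if row["subject"] in table}


def run_audit():
    """Audit both schemes and report which identifiers were recovered."""
    key = secrets.token_bytes(32)  # held by the Data Controller only
    weak = de_identify(READINGS, plain_hash)
    strong = de_identify(READINGS, lambda i: keyed_pseudonym(i, key))

    def recovered(dataset, guess_fn):
        hits = reidentification_audit(dataset, CANDIDATE_IDS, guess_fn)
        return sorted(set(hits.values()))

    return {
        # Anyone holding the dataset can reverse an unkeyed hash.
        "weak_reidentified": recovered(weak, plain_hash),
        # Without the key, the same enumeration recovers nothing.
        "strong_reidentified": recovered(strong, plain_hash),
        # The key holder can still reverse it: this is pseudonymised data,
        # so key custody and deletion decide whether re-identification
        # remains possible.
        "key_holder_reidentified": recovered(
            strong, lambda i: keyed_pseudonym(i, key)),
        # Readings of one subject stay linkable, so device functionality
        # that needs per-user history keeps working.
        "strong_still_linkable": strong[0]["subject"] == strong[2]["subject"],
    }


if __name__ == "__main__":
    for name, value in run_audit().items():
        print(name, value)
```

The audit covers only the direct identifier; other fields in a record (timestamps, location, rare readings) can still single out an individual and need their own review.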


9.2.2. Adopting privacy by design

Privacy by design or data protection by design is a notion where privacy measures are incorporated into the design architecture of the device/software. This will reduce some of the compliance requirements or the time for compliance such as data minimisation (from the standpoint of the device only collecting data it is programmed to collect, in sync with the stated device functionality), prevent security breaches by having necessary infrastructure in place and pre-emptively analyse and redress challenges in meeting privacy requirements under the law. Further, privacy by design can also ensure de-identification of data (as discussed above), in the IoT device/software. The anonymisation of data and prevention of its re-identification may be incorporated into the design architecture of the device/software. Privacy by design can ensure that protocols and mechanisms are in place for effective anonymisation of data.

Exhibit 2 sets out a questionnaire that could serve as a frame of reference for incorporating privacy elements into the design architecture of IoT devices/systems as well as help in planning compliance with privacy requirements.

9.2.3. Command Centres

Given the notice and consent requirements under the IT Privacy Rules, some form of interface becomes essential to capture consent and provide policy information on the Data Subject’s personal information. While high end IoT device manufacturers would most likely have application/portal interfaces to meet this requirement, a number of low end device manufacturers may not. The requirement could be possibly met through a common portal/network partner that enables the Data Subject to control the collection and processing of his/her data across various devices and transactions. This would reduce the onus on low end IoT device manufacturers to integrate interfaces into their devices so as to procure consent from the Data Subjects and keep them updated on how their personal information is being used. The portal can serve as a central control room, where the Data Subject and the stakeholders will be able to oversee and manage all the data flow in one place.

9.2.4. Allocation of responsibility & liability

The nature of the privacy regulations would cast primary responsibility and liability for non-compliance on the IoT service providers/device manufacturers who have a direct contractual relationship with the Data Subject. However, most IoT devices/services potentially involve a host of stakeholders in the transaction chain who will have access to the Data Subject’s personal information at different points of time, without a direct contract with the Data Subject. Therefore, it is important that contracts between the primary service provider/manufacturer and ancillary service providers/component manufacturers, contain data protection and data security terms that at the minimum align with the IT Privacy Rules and possible industry standards.


9.2.5. Privacy Standards Body

To enable effective compliance with privacy norms in India and to standardise such compliance, an industry body could be agreed upon and set up by different IoT industry stakeholders. This body could be tasked with conducting data privacy and data security impact assessments related to IoT devices and services and providing privacy certifications, based on pre-defined standards (that at the very least meet the requirements under the IT Privacy Rules).


Exhibit 1

TYPICAL FLOWCHART OF A PERSONAL INFORMATION TRANSACTION

• DS: Data Subject

• DC: Data Controller

• PI: Personal Information

• SPDI: Sensitive Personal Data & Information


Exhibit 2

Questionnaire

1. What information is being collected from the user?

2. Is the information collected personal information or sensitive personal information as per the IT Privacy Rules? [Note: Personal information is any information that relates to a natural person and attributes to the identity of such person. Sensitive personal information is any information relating to the password, financial information, physical, physiological and other health related data, sexual orientation, medical records and biometric information]

3. What is the purpose for which the information is collected?

4. Can the purpose be determined beforehand?

5. Is it possible to limit the collection of information to the specified purpose under Q3? Conversely, is the information collected going to be used for purposes other than the specified purpose under Q3?

6. Is there a way/mode in which the consent of the user is obtained for all types of information and for all points of time? [Note: Consent can be procured through writing, fax or email.]

7. Can such consent be demonstrated on scrutiny?

8. Is there a provision for allowing users to modify or opt-out of the consent they have provided?

9. Can it be determined when the use of the collected information is no longer necessary?

10. What is the system for removing information that is no longer necessary?

11. Is the information being transferred or disclosed to any third parties?

12. Is such transfer or disclosure in Q11 made with the consent of the user providing the information?

13. Is there a process in place to address any grievance that the user may have in relation to the use of information?

14. Is there a designated Grievance Officer to address grievances mentioned in Q13?

15. Are there any security practices in place to protect the data shared by the users? If so are they in compliance with the IS/ISO/IEC 27001 on “Information Technology - Security Techniques - Information Security Management System - Requirements”?

PART-II

OTHER LEGAL ISSUES IN THE IoT ECOSYSTEM

1. Introduction

Part II of this Paper addresses the following three legal concerns other than privacy that are present in the IoT ecosystem:

• Any IoT transaction is based on exchange of trillions of data between the various stakeholders in the transaction. Given this, it is important to consider who owns the data within the transaction. In this regard, the concept of data as property has been examined. Further, copyright in databases and multiple ownership of databases among the stakeholders in the IoT ecosystem have been analysed.

• IoT transactions are heavily dependent on machines talking to each other (M2M interaction) without any human intervention or control. The existing law on contracts and electronic contracts has been reviewed to see if it contemplates automated communications/contracts between machines without the control of the user and the implications of the same.

• A product within the IoT ecosystem is essentially comprised of various components including hardware, software and service elements, combining to form an IoT product. Each of these components comes with its own warranties and disclaimers. The affixing of legal liabilities in the IoT transaction chain and the interplay of these warranties and disclaimers are examined under the existing product liability regime in India.

2. Legal Issues relating to data

2.1. Ownership of Data in the IoT Ecosystem

With the proliferation of connected devices in the IoT ecosystem, questions relating to data ownership have come up. Is it the device manufacturer, system operator, device operator or the maintenance operator who owns and is responsible for the data collected? The IoT ecosystem is driven by personal data of individuals and who owns this data is one of the biggest concerns. Customers or device manufacturers or transactions that generate data will claim ownership of data; participants who are transforming the data in the processing chain will also try to establish a similar type of ownership, as they claim to be ‘manufacturers’ of this newly interpreted data26.

Where IoT transaction data comprises personal information, it will not be possible for the different stakeholders in the IoT transaction chain to claim ownership over such personal information, as it pertains to the Data Subject. However, it may be possible to claim ownership in the expressed compilation of such data, essentially the database. Even where the data is anonymised or does not pertain to the data subject (such as metadata, network data, etc.), it may be difficult to claim ownership if such data is in the nature of facts. As stated earlier, the ownership will lie in the compilation of such facts.

Database ownership at every stage is a debatable point with several actors involved in the IoT chain longing to stake a claim in the ownership. Generally, databases or compilation of data are protected under copyright law (discussed in detail in Section 2.2 below). Therefore, if a particular stakeholder can demonstrate that they are the ones that compiled the data in the IoT transaction chain, they could potentially claim ownership. This could lead to an anomalous situation, where the primary provider of the IoT device service may lose claim over the compilation as a result of an intervening third party provider, carrying out the actual data compilation. If it can be shown however that such third party provider acted as the agent of the primary provider in doing so, the latter could claim ownership. All of this renders the contracts inter se the different stakeholders within the IoT transaction chain, the most essential medium for database ownership identification and distribution. To capture maximum value and avoid disputed use of databases by different stakeholders, it is important that this complex issue is addressed early in the contract phase of an IoT execution. However, the processing, storing, transmitting of any personal information within such databases will still need to satisfy the requirement of IT Privacy Rules.

2.2. Copyright in Data and Databases

Database is a collection of independent components, such as pieces of information, data or works, arranged in a systematic or methodical way and which are individually accessible by electronic or other means27. With the advent of technology and penetration of electronic information in the IoT ecosystem, valid and verifiable personal data has become crucial for most of the activities ranging from daily tasks like shopping for goods and services, paying utility bills, etc., to complex transactions such as healthcare and banking. It has become the biggest corporate asset for the data driven industry. With the phasing out of conventional means of data compilation in physical paper form like telephone directories and yellow pages and the switching of such compilation to an electronic form, it has become easier for a person to copy the data and the compilation of another and distribute the same for personal/commercial gain.

26 Building an Effective IoT Ecosystem for Your Business by Sudhi R. Sinha

27 Charles Brill, Legal Protection of Collection of Facts, 1 COMPUTER LAW REVIEW & TECHNOLOGY JOURNAL 2 (Spring 1998).


In India, there is no separate legislation for the protection of general database rights as is the case in the European Union (EU Database Directive 1996). The limited protection available to database rights in India is as follows:

• Section 43 of the Information Technology Act, 2000 states that any person who downloads, copies or extracts any data, computer database or any information from such computer, computer system or computer network including information or data held or stored in any removable storage medium shall be liable to pay damages by way of compensation to the person so affected.

• The amendment of the Indian Copyright Act, 1957, includes the concept of ‘computer database’ in the definition of ‘literary work’. Therefore, copying a computer database, or copying and modifying a database will be construed as infringement of copyright for which civil and criminal remedies can be applied. However, to obtain copyright protection for a data compilation, it must exhibit skill and judgement in selection or arrangement of contents of the compilation. With the absence of specific legislation on database, companies tend to rely on the interpretation of the Copyright Act by the courts, especially those relating to how database is a literary work and thus protected under the Copyright Act. The earlier approach of the courts was based on the requirement that to claim copyright protection in compiled databases, the author has to put in considerable amount of effort, money and time to compile the data. However, lately there has been a discernible shift in this approach, and courts now require skill and judgement along with labor and capital, to secure copyright protection in a database. Mere changes like spelling, corrections of typographical errors, addition or elimination of quotations, will not constitute exercise of skill and judgement to warrant a copyright in a database compilation.

With digitisation of data in the IoT space, and recognition of computer databases as copyright, it is entirely possible that databases created through software processing and compilation of IoT transaction data would have copyright protection. However, given the above judicial view on database protection, mere compilations of data that arise from or through IoT sensors without the application of skill and judgement (through a software programme or otherwise), may not get copyright protection. Even assuming IoT transaction engineered databases get copyright protection, it is important that the different stakeholders in an IoT transaction chain contractually decide inter se themselves the nature and extent of ownership over such database. Otherwise, ordinarily the creator of the database (even if not the primary provider of IoT device service) will own the copyright in such database.

3. Validity of M2M contracts

The three essential principles for a valid contract under the Indian Contract Act are offer, acceptance and consideration. Another essential element of a valid contract is consensus ad idem or meeting of minds. Further, the IT Act recognises electronic contracts through the recognition of electronic records and authentication methods. Under the IT Act, an electronic record is attributed to the originator of such record28, if it is sent (i) by the originator; (ii) by a person who has the authority to act on behalf of the originator or; (iii) by a system programmed by or on behalf of the originator to operate automatically.

In an IoT ecosystem, devices themselves perform certain functions without any human intervention. These functions include automated transactions that are potentially contractual in nature, effectively allowing these devices to conclude contracts on behalf of people. An example of such transactions is Amazon’s Dash Replenishment Service (DRS) that allows household devices to automatically order goods without any human intervention on their behalf, through measuring the usage of the goods.29

The IT Act provides for attribution of an electronic record to a person if a system has been programmed to operate automatically on behalf of that person. Therefore, it appears that the IT Act contemplates acceptance of electronic contracts by a device/system on behalf of a person, so long as it has been programmed to do so by/on behalf of such person. Continuing with the above example, if the user has consented to and authorised the ordering of goods through the DRS, it can potentially be a valid contract under the IT Act and the Indian Contract Act.

However, mostly such consent is given through the acceptance of the terms and conditions of the IoT product at the time of purchase. Although this is a valid form of acceptance of a contract, it can be argued that the terms and conditions do not contemplate acceptance of the user at every instance the device contracts on behalf of the user and additional consent for the same is required to be captured. Further, some terms and conditions of these IoT devices contain provisions on unilateral amendments to these terms, which the user consents to at the time of consenting to the terms and conditions of the IoT product.30 At a later point in time, the unilateral amendment made by the service provider may not be properly reviewed by the user due to a lack of a traditional interface in the IoT device. In such circumstances, it may potentially lead to lack of consensus or consent between the user and the IoT service provider on the additional amended terms.

Therefore, given the above challenges, IoT device manufacturers/providers should clearly call out in the terms and conditions of sale, what transactions will be enabled through the IoT device/service, seamlessly and automatically, even without the user’s specific consent.

4. Product Liability in the IoT ecosystem

Product liability laws are closely linked to product safety laws, regulations, compliances and standards (Product Safety Laws) that are specific to various sectors. Any damage resulting from a breach of Product Safety Laws will result in an action under the product liability regime.

28 Section 11, IT Act 2000

29 Contracting in the Age of the Internet of Things: Article 2 of the UCC and Beyond, Stacy Ann-Elvy, 44 Hofstra Law Review, 2016.

30 ibid


Product Safety Laws impose standards and controls on products post which it can be placed in the market. Any breach of the provisions of product safety laws could potentially lead to imposition of penalty, etc. Examples of Product Safety Laws are Prevention of Food Adulteration Act, 1954, Drugs and Cosmetics Act, 1940, etc. With respect to IoT, many Product Safety Laws that are general and sectorial may be applicable, depending on the IoT ecosystem. Product Safety Laws for medical devices are pertinent in the context of IoT, given the number of IoT medical devices in the market. The Medical Devices Rules, 2017 provides for standards and guidelines for manufacturers of medical devices. Any damage resulting from a breach of these rules will be a cause of action under product liability laws. Therefore, when a product is placed in the market, post certification or approval under the relevant Product Safety Laws, and where any defect or deficiency is subsequently identified, the recourse for the same will be available under product liability laws. The relevant product liability laws are examined in this section with reference to IoT.

4.1. Consumer Protection Act, 1986

The Consumer Protection Act (CPA) is the primary legislation that provides for a mechanism to enable consumers to have a recourse against defect in goods, deficiency in services and restrictive trade practices by traders, through a system of authorities established under the CPA. The recourse available under the CPA is against traders and service providers. Traders have been defined to include manufacturers and any person who sells or distributes goods for sale. This includes sellers, distributors, wholesalers and retailers. Under the CPA, Courts have generally taken action against persons who have had a direct relationship with the defect or deficiency caused.

The IoT ecosystem consists of various stakeholders that include manufacturers, software developers, and service providers who in a combined capacity, form an IoT product. The primary IoT product comes with a set of services provided by various service providers. Further, it also contains components (such as sensors) attached, that are manufactured by different parties. Therefore, the IoT product that a consumer finally purchases from the seller consists of various components that are provided by multiple parties/stakeholders. The recourse available for the consumer under the CPA is not only against the primary seller, but also against persons who are directly responsible for the alleged defect or deficiency. However, given the number of stakeholders within the IoT ecosystem and the interoperability between them, it is difficult to distinguish, identify and attribute direct causal connection of a defect or deficiency to a specific party/parties. In this scenario, the contractual framework inter se the various stakeholders becomes pertinent to determine the liability in terms of a particular defect or deficiency.

Further, the CPA distinguishes between goods and services, providing recourse against defect of the former and deficiency in the latter. Such a distinction in an IoT product will not be feasible considering the interoperability of various service elements with the device components to give an integrated IoT product. Therefore, there is scope for considering amendment to the CPA to have a hybrid definition of product defect/service deficiency.


4.2. Product liability in Tort

A tort is essentially a civil wrong committed by a person that results in injury or harm to another person. Tort also comprises product liability where manufacturers, distributors, retailers and others who make products available (Sellers), are held responsible for any defect arising in such products. Product liability under tort is based on negligence and strict liability. The injury or harm caused due to the defective product arises out of negligence or lack of duty of care by the Sellers. The liability under tort is attributed to the Seller who is directly responsible for the defect in the product. Further, unlike fault based liability under the CPA, strict liability under tort makes the Seller liable for any defective product even though there was no duty of care required or in the absence of negligence. The concept of strict liability is applied where the Sellers can foresee certain hazards that may arise if the product is defective, and are hence required to provide safeguard against them at the time of manufacture. Therefore, it is important for IoT device manufacturers to ensure from the manufacturing stage, that the device is devoid of any defects that could potentially cause risks for the consumers.


Annexure: 3

Whitepaper On

Securing Internet of Things


1. Internet of Things

Put simply, the Internet of things (IoT) is devices with connectivity that are not PCs or smartphones. It is the network of vehicles, buildings, roadways, farm equipment, medical devices and other items embedded with the electronics, software, sensors, actuators, and network connectivity that enable these items to collect and exchange data, and be tracked, coordinated, or controlled across a data network or the Internet.

To make the Internet of Things more understandable, "media coverage has often focused on consumer applications, such as wearable health and fitness devices, as well as the automation products that create smart homes." Although their research shows "considerable value in those areas," they see that "business-to-business applications will account for nearly 70 percent of the value that they estimate will flow from IoT in the next ten years." They "believe it could create as much as $11.1 trillion a year globally in economic value in nine different types of physical settings, with nearly $5 trillion generated almost exclusively in B2B settings: factories in the extended sense, such as those in manufacturing, agriculture, and even healthcare environments; work sites across mining, oil and gas, and construction; and, finally, offices."

2. Why to Secure IoT

The Internet of Things (IoT) already helps billions of people. Thousands of smart, connected devices deliver new experiences to people throughout the world, lowering costs, sometimes by billions of dollars. Examples include connected cars, robotic manufacturing, smarter medical equipment, smart grid, and countless industrial control systems. Unfortunately, this growth in connected devices brings increased security risks. Threats quickly evolve to target this rich and vulnerable landscape. Serious risks include physical harm to people, prolonged downtime, and damage to equipment such as pipelines, blast furnaces, and power generation facilities. As several such facilities and IoT systems have already been attacked and materially damaged, security must now be an essential consideration for anyone making or operating IoT devices or systems, particularly for the industrial Internet.

Forrester states that IoT presents huge opportunities for today’s digital businesses to use connected objects, sensors, and devices for engaging with customers in new ways and streamlining business operations. But security concerns accompany these opportunities.

Cybercriminals can use IoT devices to launch unprecedented attacks. Most IoT devices are connected to a network, which may be segregated but may also communicate with the firm’s corporate network or the Internet.

Many IoT devices have operating systems that cybercriminals can easily hack. With the race to design and quickly bring IoT devices to market, many IoT device manufacturers are not thoroughly scrutinising the security of the operating system or firmware of IoT devices.


IoT devices don’t have input/output mechanisms to support complex passwords. IoT devices such as smart light bulbs, electric meters, thermostats, and sensors don’t have keyboards from which one can enter a password.

The gateways that connect IoT devices to company and manufacturer networks must be secured as well as the devices themselves. IoT devices are always connected and always on. In contrast to human-controlled devices, they go through a one-time authentication process, which can make them perfect sources of infiltration into company networks. Therefore, more security needs to be implemented on these gateways to improve the overall security of the system.

Huge repositories where IoT data is being stored can become attractive targets for corporate hackers and industrial spies who rely on big data to make profits. In the wake of massive data breaches and data theft cases we’ve seen in recent years, more effort needs to be made to secure IoT-related data to ensure the privacy of consumers and the functionality of businesses and corporations.

Installation of security updates on IoT devices: Each consumer will likely soon own scores, if not hundreds, of connected devices. Manually installing updates on so many devices is definitely out of the question, but having them automatically pushed by manufacturers can also be risky. Proper safeguards must be put in place to prevent updating interfaces from becoming security holes themselves.

3. IoT Security framework

Most IoT devices are “closed.” Customers can’t add security software after devices ship from the factory. Often, such tampering voids the warranty. For such reasons, security has to be built into IoT devices so that they are “secure by design.” In other words, for IoT, security must evolve from security just “bolted onto” existing systems such as servers and personal computer (PC) laptops and desktops. Security must evolve to security that is “built in” to the system before the system leaves the factory.

For most of the security industry, such “intrinsic” security, built-in at the factory is a new way to deliver security, including classic security technologies like encryption, authentication, integrity verification, intrusion prevention, and secure update capabilities.

Given the close coupling of hardware and software in the IoT model, it’s sometimes easier for IoT security software to leverage advanced security hardware features often overlooked by traditional security vendors who must simply build “extrinsic” security layers to run on “least common denominator” hardware. Fortunately, many chipmakers already build security features into hardware. Unfortunately, the hardware layer is just the first layer required in comprehensive security, required for hardware-backed security in protecting the communications and protecting the device. Comprehensive security requires clean integration of the key management, host-based security, OTA infrastructure, and security analytics mentioned above. Failing to address any one of the cornerstones of security leaves your fate to the whims of aggressors.

In short, as the Industrial Internet and IoT bring networked intelligence to the physical things around us, we must approach its security carefully. Our lives depend on the planes, trains, and cars that move us every day. Our lives depend on healthcare infrastructure and the civil infrastructure that makes it possible for us to live and work so closely together in cities. It is not difficult to imagine how unauthorised manipulation of traffic lights, medical equipment, or countless other examples can cause fatalities. It is also becoming clear how citizens and consumers do not want strangers hacking into their homes or cars, and the kinds of damage that can be done through lost productivity in disruption of automated manufacturing. In this context, we’ve attempted to offer the guidance of this paper to define end-to-end security for IoT while making it both effective and easy to deploy.

How can anyone secure the IoT? IoT systems are often highly complex, requiring end-to-end security solutions that span cloud and connectivity layers, and support resource-constrained IoT devices that often aren’t powerful enough to support traditional security solutions. There is no single silver bullet. Locking doors but leaving a window open isn’t enough. Security must be comprehensive or attackers simply exploit the weakest link. Of course, traditional Information Technology (IT) systems often drive and handle data from IoT systems, but IoT systems themselves have unique additional security needs.

Fortunately, IoT security can be covered with four cornerstones:

1) Protecting Communications,
2) Protecting Devices,
3) Managing Devices, and
4) Understanding Your System

These cornerstones can be combined to form powerful and easy-to-deploy foundations of security architectures to mitigate the vast majority of security threats to the Internet of Things, including advanced and sophisticated threats. This paper describes these cornerstones, their necessity, and strategies for easy and effective implementation. No single, concise document can cover all of the important details unique to each vertical. Instead, this paper attempts to provide advice applicable to all verticals, including automotive, energy, manufacturing, healthcare, financial services, government, retail, logistics, aviation, consumer, and beyond, with examples spanning the majority of these verticals.

4. IoT Security

The four cornerstones are briefly described as:

1) Protecting Communications:

Protecting communication requires encryption and authentication for devices to know whether or not they can trust a remote system. Fortunately, newer technologies like elliptic curve cryptography work ten times better than predecessors in resource constrained chips like 8-bit, 8MHz chips of IoT. This leaves the core challenge of managing all of the “keys” for authentication.

Security rests on fundamentals. Encryption, authentication, and “key management” are invariably the foundation of meaningfully resilient security. Fortunately, some great open source libraries perform encryption really well, even in resource constrained IoT devices. Unfortunately, most companies still take dangerous risks attempting to do the key management for IoT entirely on their own. In contrast, roughly $4 billion per day of e-commerce transactions are protected by a simple but strong trust model serving billions of users, and serving over a million companies worldwide. This “trust model” helps their systems safely authenticate systems of other companies and safely start encrypted communications with those systems. This “trust model” is the cornerstone of secure interoperability in computing today, and it is a “trust model” grounded on a very short list of extremely strong certificate authorities (CAs). These very same CAs already embed certificates in billions of devices every year. These device certificates enable the authentication of mobile phones in safely connecting to the nearest base stations, authentication of smart meters for the electrical power industry, and authentication of set top boxes in the cable television industry, among countless other examples. Strong CAs make it easy to safely and securely generate, issue, enroll, manage, and revoke the certificates, keys, and credentials that are crucial to strong authentication. Given the volumes of security certificates involved in IoT, most device certificates are sold in high volume for dimes each, not whole dollars each.

Why does authentication matter? It is dangerous to accept data from either unverified devices or unverified services. Such data can corrupt or compromise your devices, and give control of those devices to some malicious party who wishes to harm you or harm others through you. Using strong authentication to restrict such connections helps protect your devices from such threats, while helping you keep control of your devices and services. Regardless of whether a device is connecting to another device as a peer, or connecting to a remote service, such as a cloud based service, the communications must be protected. All such interactions need robust mutual authentication and trust. In that context, skimping on device certificates seems foolish.

Fortunately, many standards have been developed to make deploying strong mutual authentication relatively easy. Standards exist for certificate formats, and strong CAs support both standard and custom certificate formats. In most cases, certificates can easily be managed over the air (OTA) through standard protocols such as Simple Certificate Enrollment Protocol (SCEP), Enrollment over Secure Transport (EST), and Online Certificate Status Protocol (OCSP). With a strong CA helping to handle certificates, keys, and credentials, the actual authentication can easily be done by strong standards like Transport Layer Security (TLS) and Datagram TLS (DTLS), akin to SSL. Mutual authentication, where both endpoints authenticate each other, is crucial to the end-to-end security of IoT systems. As an added bonus, once TLS or DTLS authentication is completed, the two endpoints can exchange or derive encryption keys to start communication that cannot be decrypted by eavesdroppers. Many IoT applications will require absolute privacy of data, and this requirement is easily met through use of certificates and TLS/DTLS protocols. However, where privacy isn’t a requirement, the data can be authenticated by any party if it’s signed on sensor at “time of capture,” and this approach cuts the burdens of link level encryption, which can be particularly important in multi-hop architectures.
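The sign-at-capture pattern from the paragraph above, as an added Go example that is not part of the original paper: the sensor signs each reading once with ECDSA, relaying hops forward it without holding any key, and any party with the device's public key can verify it. The record layout, the device name `meter-17` and the in-memory key registry are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Reading is one sample plus the signature the sensor attached at time of capture.
// The layout is an assumption for this example.
type Reading struct {
	DeviceID string
	UnixTime int64
	Value    int32 // constructed unit: milli-degrees Celsius
	Sig      []byte
}

// digest hashes a fixed header (ID length, time, value) followed by the ID,
// so every hop and every verifier hashes exactly the same bytes.
func (r Reading) digest() []byte {
	var hdr [16]byte
	binary.BigEndian.PutUint32(hdr[0:4], uint32(len(r.DeviceID)))
	binary.BigEndian.PutUint64(hdr[4:12], uint64(r.UnixTime))
	binary.BigEndian.PutUint32(hdr[12:16], uint32(r.Value))
	h := sha256.New()
	h.Write(hdr[:])
	h.Write([]byte(r.DeviceID))
	return h.Sum(nil)
}

// Capture runs on the sensor: the reading is signed once, when it is measured.
func Capture(key *ecdsa.PrivateKey, id string, ts int64, value int32) (Reading, error) {
	r := Reading{DeviceID: id, UnixTime: ts, Value: value}
	sig, err := ecdsa.SignASN1(rand.Reader, key, r.digest())
	if err != nil {
		return Reading{}, err
	}
	r.Sig = sig
	return r, nil
}

// Relay models an intermediate hop that stores and forwards the reading.
// It holds no signing key; the signature simply travels with the data.
func Relay(r Reading) Reading {
	out := r
	out.Sig = append([]byte(nil), r.Sig...)
	return out
}

// Verify can be run by any party that knows the device's public key.
func Verify(registry map[string]*ecdsa.PublicKey, r Reading) error {
	pub, ok := registry[r.DeviceID]
	if !ok {
		return errors.New("unknown device: " + r.DeviceID)
	}
	if !ecdsa.VerifyASN1(pub, r.digest(), r.Sig) {
		return errors.New("signature mismatch: reading altered after capture")
	}
	return nil
}

// Demo returns the verification result for an untouched reading, one altered
// by a hop, and one relabelled with an unregistered device ID.
func Demo() (clean, tampered, unknown error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	registry := map[string]*ecdsa.PublicKey{"meter-17": &key.PublicKey}
	r, err := Capture(key, "meter-17", 1504224000, 21500) // constructed sample
	if err != nil {
		return err, err, err
	}
	atBackend := Relay(Relay(r)) // two hops between sensor and backend
	clean = Verify(registry, atBackend)

	altered := atBackend
	altered.Value = 99000 // a hop rewrites the value but cannot re-sign it
	tampered = Verify(registry, altered)

	relabelled := atBackend
	relabelled.DeviceID = "meter-99"
	unknown = Verify(registry, relabelled)
	return
}

func main() {
	clean, tampered, unknown := Demo()
	fmt.Println("untouched reading:", clean)
	fmt.Println("altered in transit:", tampered)
	fmt.Println("unregistered device:", unknown)
}
```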

It is very common to encounter concerns over the cost and power of IoT chips for cryptographic operations. However, it is important to recognise that Elliptic Curve Cryptography (ECC) has been proven 10x faster and more efficient than traditional encryption in resource constrained chips, such as IoT chips. ECC achieves this 10x improvement in speed and efficiency without reducing the level of security. ECC has even demonstrated “industry best practice” levels of security, equivalent to RSA 2048, and demonstrated such equivalent levels of security on extremely resource constrained chips such as 8-bit processors, and megahertz and even kilohertz speed 32-bit processors, some of which run on such low power as to be viable even in many micro-watt energy harvesting use cases. The DTLS variant of TLS was developed specifically for low-power devices that operate intermittently between sleep cycles. Last, the financial cost for such 32-bit chips can be in the 50-cent range, so it is not appropriate to use cost or power as reasons for skimping on security below reasonable thresholds where security matters. For these reasons, we have proposed the following guidelines on key lengths for IoT device authentication where security matters: (a) 224-bit ECC at a minimum for end-entity certificates, with 256-bit and 384-bit preferred; (b) 256-bit ECC at a minimum for root certificates, with 384-bit preferred.

Today, we cannot imagine the inconvenience of manually installing our browsers with certificates for each web server, nor can we imagine the damage from blindly trusting any certificate. That’s why each browser has a few “roots” of trust against which all certificates are evaluated. Embedding these roots into browsers enabled security to scale to millions of servers on the web. As billions of devices come online annually, it is equally crucial that we embed both roots of trust and device certificates into these devices.

In managing data for the IoT, data needs to be kept safe and secure at all times. Our lives frequently depend on the correctness, integrity, and properly functioning availability of these systems more than on the confidentiality of the data. Authentication of information and devices, and provenance of information, can be critical. Unfortunately, data is often stored, cached, and processed by several nodes; not just sent from point A to point B. For these reasons, data should always be signed whenever and wherever the data is captured and stored. This helps mitigate risks of anything tampering with the information. Signing data objects once at capture, and relaying the signature with the data, even after the data is decrypted, is an increasingly common and useful engineering pattern.
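One way to enforce the key-length guidelines and the embedded root of trust described in this section, as an added Go example (not code from the paper): a verifier rejects a device certificate unless the root and end-entity keys meet the stated ECC minimums and the certificate chains to the embedded root. All certificate names and serial numbers are constructed, and the certificates are generated in memory so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Minimum ECC key sizes from the device-authentication guideline above.
const minEndEntityBits, minRootBits = 224, 256

// issue creates a certificate for a fresh key on curve. parent == nil yields a
// self-signed root; otherwise a device certificate signed by parent.
func issue(cn string, curve elliptic.Curve, serial int64,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkBits enforces a minimum ECC key size on one certificate.
func checkBits(role string, cert *x509.Certificate, floor int) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New(role + " key is not ECC")
	}
	if bits := pub.Curve.Params().BitSize; bits < floor {
		return fmt.Errorf("%s key is %d-bit ECC, guideline minimum is %d", role, bits, floor)
	}
	return nil
}

// ValidateDevice applies the key-length guideline, then checks that the device
// certificate chains to the embedded root and is issued for client authentication.
func ValidateDevice(root, device *x509.Certificate) error {
	if err := checkBits("root", root, minRootBits); err != nil {
		return err
	}
	if err := checkBits("end-entity", device, minEndEntityBits); err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := device.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Demo validates four constructed cases; every name and serial here is made up.
func Demo() (ok, minimum, weakRoot, rogue error) {
	root, rootKey, e1 := issue("Constructed IoT Root", elliptic.P384(), 1, nil, nil)
	small, smallKey, e2 := issue("Constructed 224-bit Root", elliptic.P224(), 2, nil, nil)
	other, otherKey, e3 := issue("Constructed Untrusted Root", elliptic.P384(), 3, nil, nil)
	d256, _, e4 := issue("meter-17", elliptic.P256(), 10, root, rootKey)
	d224, _, e5 := issue("meter-18", elliptic.P224(), 11, root, rootKey)
	dSmall, _, e6 := issue("meter-19", elliptic.P256(), 12, small, smallKey)
	dOther, _, e7 := issue("meter-20", elliptic.P256(), 13, other, otherKey)
	for _, e := range []error{e1, e2, e3, e4, e5, e6, e7} {
		if e != nil {
			return e, e, e, e
		}
	}
	return ValidateDevice(root, d256), ValidateDevice(root, d224),
		ValidateDevice(small, dSmall), ValidateDevice(root, dOther)
}

func main() {
	ok, minimum, weakRoot, rogue := Demo()
	fmt.Printf("P-256 device: %v\nP-224 device: %v\n224-bit root: %v\nuntrusted root: %v\n", ok, minimum, weakRoot, rogue)
}
```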

2) Protecting Devices

a) Protecting the Code that Drives IoT

In powering up, each device boots and runs some code. In that context, it is crucial that we ensure devices only do what we programmed them to do, and ensure that others cannot reprogramme them to behave maliciously. In other words, the first step in protecting a device is to protect the code to be sure the device only boots and runs code that you want it running. Fortunately, many chipmakers already build “secure boot” capabilities into their chips. Similarly, for “higher level” code, a number of time-proven, open-source, and client-side libraries like OpenSSL can easily be used to check signatures of code, and accept code only if it comes from an authorised source. In that context, signing firmware, boot images, and higher-level embedded code are all increasingly common, including signing the underlying software components such as any operating system, and not just applications, but all code on the device. This approach can ensure that all critical components, sensors, actuators, controllers, and relays are all properly configured to only run signed code and never run unsigned code.

An apt rule might be, “never trust unsigned code.” A corollary would be, “never trust unsigned data, and especially don’t ever trust unsigned configuration data.” With today’s signature verification tools, and with hardware support for secure boot improving, the next challenge for many companies is “managing the keys,” and “controlling access to the keys” for code signing and protection of embedded software. Fortunately, some CAs also offer hosted services that make it easy to safely and securely administer code-signing programmes that ensure tight control over who can sign code, who can revoke such signatures, and how the keys for such signing and revocation are protected.

In an embedded context where software may need to be updated for security reasons, and where battery impact of updates must be handled carefully, it can be very important to sign and update individual blocks or chunks of such updates and not force anyone to sign entire monolithic images, or even an entire binary file. Instead, having such software signed at the block or chunk level can enable such updates to be done with much finer granularity without sacrificing security and without having to sacrifice the battery for security. Instead of always requiring hardware support, this flexibility can often be achieved from a small pre-boot environment, which might run on lots of embedded hardware.

If battery life is so crucial, why not simply configure a device with a permanently burned image that can’t be replaced or updated by anyone? Unfortunately, we must assume that devices in the field will be reverse engineered for malicious purposes. When the devices are reverse engineered and vulnerabilities are discovered and exploited, the vulnerabilities will need to be patched as quickly as possible. Code obfuscation and code encryption can considerably slow down the reverse engineering process, and deter the majority of attackers, but not entirely prevent reverse engineering. Attackers with nation-state levels of resources, or the resources of sophisticated transnational malicious organisations, may still be able to reverse engineer programmes including programmes protected through obfuscation and encryption, particularly since code must be decrypted to run. Such organisations will find and exploit vulnerabilities that will need to be patched. For these reasons, over the air (OTA) update capabilities must be built into the devices before they leave the factory. Such OTA update capabilities, including software and firmware updates are crucial to maintaining a strong security posture for a long list of reasons that we’ll elaborate in a section further below, “Managing Devices.” However, obfuscation, granular code signing, and OTA updates may eventually need to be tightly joined for all to work both effectively and efficiently.

Fortunately, both granular and monolithic code signing leverage the same certificate-based trust model described in the section on “Protecting Communications,” and the use of ECC in code signing can provide the same benefits of high-security with fast performance and low-power consumption. In that context, we propose the following guidelines on key lengths for IoT code signing where security matters: (a) 224-bit ECC at a minimum for end-entity certificates, with 256-bit and 384-bit preferred; (b) 521-bit ECC at a minimum for root certificates, because signed code is generally expected to be in use years or even decades after signing, and the signatures must be strong enough to remain secure for such a long time.
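Chunk-level signing as described above, shown as an added Go example that is not the paper's own code: the vendor signs a manifest of per-chunk SHA-256 digests, and the device verifies the manifest signature, fetches only the chunks whose digests changed, and checks each one before committing. The 16-byte chunk size, the manifest layout and the sample images are assumptions; a single P-256 end-entity key stands in for the full certificate chain.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const chunkSize = 16 // constructed; real flash blocks are far larger

// Manifest lists one SHA-256 digest per chunk. Only the manifest is signed.
type Manifest struct {
	Version uint32
	Hashes  [][32]byte
	Sig     []byte
}

func split(image []byte) [][]byte {
	var chunks [][]byte
	for len(image) > 0 {
		n := chunkSize
		if len(image) < n {
			n = len(image)
		}
		chunks = append(chunks, image[:n])
		image = image[n:]
	}
	return chunks
}

func (m Manifest) digest() []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	h := sha256.New()
	h.Write(v[:])
	for _, c := range m.Hashes {
		h.Write(c[:])
	}
	return h.Sum(nil)
}

// SignImage runs at the vendor: hash every chunk, sign the list once.
func SignImage(key *ecdsa.PrivateKey, version uint32, image []byte) (Manifest, error) {
	m := Manifest{Version: version}
	for _, c := range split(image) {
		m.Hashes = append(m.Hashes, sha256.Sum256(c))
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, m.digest())
	m.Sig = sig
	return m, err
}

// Device holds the trusted code-signing key and the installed chunks.
type Device struct {
	Trusted *ecdsa.PublicKey
	Version uint32
	Chunks  [][]byte
}

// Plan verifies the manifest signature and lists the chunks that must be fetched.
func (d *Device) Plan(m Manifest) ([]int, error) {
	if !ecdsa.VerifyASN1(d.Trusted, m.digest(), m.Sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var need []int
	for i, want := range m.Hashes {
		if i >= len(d.Chunks) || sha256.Sum256(d.Chunks[i]) != want {
			need = append(need, i)
		}
	}
	return need, nil
}

// Apply checks every fetched chunk against the signed manifest and commits
// only when all of them match, so a bad chunk leaves the old image in place.
func (d *Device) Apply(m Manifest, fetched map[int][]byte) error {
	need, err := d.Plan(m)
	if err != nil {
		return err
	}
	next := make([][]byte, len(m.Hashes))
	copy(next, d.Chunks)
	for _, i := range need {
		c, ok := fetched[i]
		if !ok || sha256.Sum256(c) != m.Hashes[i] {
			return fmt.Errorf("chunk %d missing or does not match signed manifest", i)
		}
		next[i] = c
	}
	d.Chunks, d.Version = next, m.Version
	return nil
}

// Demo patches one chunk of a constructed four-chunk image.
func Demo() (need []int, okErr, badChunkErr, badManifestErr error, updated bool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err, err, err, false
	}
	v1 := bytes.Repeat([]byte("A"), 4*chunkSize)
	v2 := append([]byte(nil), v1...)
	copy(v2[2*chunkSize:], "PATCHED-ROUTINE!") // only chunk 2 changes
	m2, err := SignImage(key, 2, v2)
	if err != nil {
		return nil, err, err, err, false
	}
	dev := &Device{Trusted: &key.PublicKey, Version: 1, Chunks: split(v1)}
	need, _ = dev.Plan(m2)
	evil := map[int][]byte{2: []byte("BACKDOOR-ROUTINE")}
	badChunkErr = dev.Apply(m2, evil) // chunk swapped in transit
	forged := m2
	forged.Hashes = append([][32]byte(nil), m2.Hashes...)
	forged.Hashes[2] = sha256.Sum256(evil[2]) // manifest edited to match
	badManifestErr = dev.Apply(forged, evil)
	okErr = dev.Apply(m2, map[int][]byte{2: v2[2*chunkSize : 3*chunkSize]})
	updated = dev.Version == 2 && bytes.Equal(bytes.Join(dev.Chunks, nil), v2)
	return
}

func main() { fmt.Println(Demo()) }
```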

b) Effective Host-Based Protection for IoT

The cornerstones above describe fundamentals of key management and authentication for IoT, as well as code-signing and configuration signing to protect the integrity of the device, and the basics of managing such code and configuration, “OTA.” Unfortunately, even after protecting communications and protecting the secure boot of a well-managed device, the device still needs protection long after boot. Host-Based Protections address those needs.

IoT devices face many threats, including malicious data that can be sent over authenticated connections, exploiting vulnerabilities and/or misconfigurations. Such attacks frequently exploit many weaknesses, including but not limited to (a) failure to use code signature verification and secure boot and (b) poorly implemented verification models, which can be bypassed. Attackers often use those weaknesses to install backdoors, sniffers, data collection software, file transfer capabilities to extract sensitive information from the system, and sometimes even command & control (C&C) infrastructure to manipulate system behavior. Even more disturbingly, some malicious data attacks can exploit vulnerabilities to install malicious software directly into the running memory of “already running” IoT systems in ways that the malware disappears on re-boot, but does tremendous damage between reboots. This is particularly scary as some IoT systems, and many industrial systems, are almost never rebooted. Sometimes such attacks come through an IT network connected to an industrial or IoT network. Other times, the attack comes over the Internet, or through direct physical access to the device. Of course, regardless of the initial infection vector, if not detected, the first compromised device remains trusted and then becomes the avenue for infecting the rest of the network, regardless of whether the target is the “in-car” network of a vehicle, or a plant-wide operational network of a manufacturing plant. For such reasons, IoT security must be comprehensive. Closing a window but leaving a door open, “isn’t adequate.” All of the infection vectors must be mitigated.

Fortunately, when coupled with a strong code signature and verification model, host-based protection can help secure the device against all of these threats by using a number of technologies including system hardening, whitelisting, application sandboxing, reputation-based technology, anti-malware, and encryption. Depending on the needs of the specific system, a combination of these technologies can ensure the highest level of protection for every device.

System hardening, whitelisting, and application sandboxing can provide network protection, closing backdoors, limiting network connectivity by application, and restricting both inbound and outbound traffic flow. This can also provide protection against different exploits, restricting app behavior, protecting the system from buffer overflows and zero-day attacks, while preserving control of the device. Such solutions can also be used to prevent unauthorised use of removable media as well as locking down device configuration and settings, while also de-escalating user privileges where needed. Such solutions can also provide auditing and alerting functions, helping monitor logs and security events. Policy based technologies can even be run in environments without the connectivity or processing power required to run traditional signature-based technologies.

Reputation-based security technology can be used to put files in context, using their age, frequency, location, and more to expose threats otherwise missed, as well as provide insight on whether or not to trust a new device, even when successfully authenticated. Such techniques can also identify threats that use mutating code or adapt their encryption schemes, still separating files at risk from those that are safe, for faster and more accurate malware detection, even despite such challenges. Of course, the mix of technologies will depend on use case, but the options above can be combined to protect devices, even in resource-constrained environments.

3) Managing Devices

As mentioned above, devices will be reverse engineered, vulnerabilities discovered, and devices will need to be updated OTA. Of course, OTA update mechanisms add complexity, so many engineers attempt to avoid them at their peril. Fortunately, a good OTA mechanism can be used for many purposes, not just software/firmware security patches and functionality updates, but also:

• Configuration updates
• Management of security content and security telemetry for security analytics
• Management of telemetry and control for proper system function
• Diagnostics and remediation
• Management of Network Access Control (NAC) credentials
• Management of permissions, and countless other examples

Of course, all of the above must be done safely and securely, and requires more than securely signing code and performing file transfers. Fortunately, strong standards exist for managing software and firmware inventories on each device, as well as device configuration, and many vendors support such standards including the Open Mobile Alliance (OMA). Some of these solutions scale to managing billions of devices.

Managing security for each device can include managing configuration of host-based security technologies that we described in the preceding section. Of course, some security technologies need OTA updates of security content such as blacklists, whitelists, heuristics, intrusion prevention signatures, and reputation data. Fortunately, some security technologies depend on policy based mechanisms that only need updates when the software on a device is re-imaged for other purposes, such as adding functionality. However, both types of security technology can generate security telemetry that is valuable in facing Advanced Persistent Threats (APT). For such reasons, the security telemetry should always be aggregated from those host-based (device-based) technologies for more central analysis.

Of course, the security components are not the only components on each device that need to be managed safely and securely. Most devices generate sensor data or telemetry that needs to be safely and securely collected and transmitted to a safe and secure place for storage and analytics. Many devices also actuate control features that need to be managed carefully with configuration parameters that need to be safely and securely kept up to date. Fortunately, infrastructures that use safe and secure general device management protocols can be used for safely and securely managing the device’s primary functionality as well as the device’s security content and telemetry. In fact, such frameworks are already being adapted for OTA management of cars, and already used to safely and securely manage in-store interactive marketing kiosks, as well as vending machines. Some of these management frameworks use a mix of agent based and existing agentless IoT management protocols where the device is built to support standards-based management for simpler management functions. Additionally, some management frameworks can even couple those techniques with insights collected from network sniffers.

In this context, IoT systems must have update capabilities built into them from the beginning. Failing to build in OTA update capabilities will leave devices exposed to threats and vulnerabilities for the entirety of their lifetimes. Of course, such update capabilities can be used to manage device configurations, security content, credentials and much more. Similarly, such update capabilities can be used to push functionality and collect telemetry in addition to collecting software inventory information and pushing security patches. However, with or without such additional functionality, basic update capabilities and the ability to manage the security posture of each device must be built into the device from the beginning.

4) Understanding your System

a) Security Analytics to Address Threats Beyond the Above Countermeasures

Of course, no matter how well you protect the device, protect the code, protect the communications, and no matter how well you manage your security posture, even using the best possible OTA management framework, some adversaries still have the resources and capabilities to rise above those defenses. For such reasons, strategic threats require strategic mitigation technologies. Security analytics can leverage security telemetry from devices and network hardware to help provide an understanding of what is happening in the environment, including detection of stealthier threats.

Equally importantly, “monitoring” and analytics can often be deployed, as an interim solution in environments where upgrading devices to conform to the first three cornerstones above will take years. Examples of such environments include legacy devices such as industrial control systems (manufacturing, oil and gas, utilities) that cannot be modified until an end-to-end replacement system is ready, automotive cars already on the road whose deeply embedded microcontrollers obviously cannot be “torn out and replaced,” and healthcare environments where suppliers prohibit hospitals from modifying the equipment to add security. In such cases, anomaly detection solutions can be extremely valuable. The deterministic nature of many IoT networks allows the system to be baselined and deviations quickly identified. The wide variety of industrial and IoT protocols can make the problem harder, but newer techniques using advanced machine learning can allow the problem to be solved. Considering that many IoT systems have high demands on availability, this solution is less invasive in “detect” mode while ensuring that any false positives do not bring down the system.

Other examples include gateways, such as between legacy environments and better-protected environments, particularly as an attack in one part of the ecosystem or environment could be transmitted across the entire network if not caught early. Similarly, other high priority targets for distributed monitoring and centralised analytics include gateways between “industrial” networks and “IT” networks, residential gateways separating homes full of devices from the rest of the internet, the head unit of a car as a gateway between the “in-car” networks and the cellular network, and gateways between automotive drive system instrumentation and infotainment networks in the car.

For many of these examples, customers can work with security vendors to utilise existing big data security analytics infrastructure and large threat intelligence gathering systems to collect, analyse, and share information across entire networks and ecosystems. Some of these efforts are already ongoing in different verticals such as retail and critical infrastructure, and these efforts can ensure that a system as a whole can be quickly updated to protect itself against any emerging threats.

In many cases, the calibre of “data science” and security expertise required in the analytics for detecting extremely advanced threats can be beyond the capabilities of companies who do not specialise in those areas. For such reasons, many companies are turning to “managed” solutions akin to managed security solutions so that they can count on experts doing the monitoring and analytics. In other cases, companies are building their own repositories of IoT security telemetry, and controlling access to that repository so that they enable multiple analytics partners to help them find such advanced threats. Some analytics products and platforms are even exposing APIs and SDKs to both enable such sharing, and to ensure safe control of such sharing, such as ensuring only relevant data is shared with the right partners, and ensuring that each partner’s access is appropriately restricted.

For examples bridging industrial and IT networks, we recommend creating a single data plane spanning both environments to get a prioritised view of different threats, and to best mitigate risks of threats tunneling from one environment to the other. Such solutions should work across different vendors and different devices and protocols to ensure that each customer gets a holistic view without blind spots in their network.

Through such analytics, “detection and response” can complement strong protection technologies to provide security against the vast majority of attacks, as well as mitigating risks of the most serious and capable adversaries.
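The baselining idea from this section, as an added Go example rather than anything from the paper: a learning window of telemetry records which flows exist and their peak per-interval message count, and detect mode only raises alerts for new flows or for rates above that baseline. The log format `<interval> <source> <destination> <function>`, the host names and the tolerance value are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// flow identifies who talks to whom and with which protocol function.
type flow struct{ src, dst, fn string }

// Baseline holds the highest per-interval message count seen for each flow
// during the learning window.
type Baseline map[flow]int

// Constructed learning window: two polling intervals of normal plant traffic.
const learningWindow = `
0 hmi-1 plc-1 modbus/read
0 hmi-1 plc-1 modbus/read
0 plc-1 historian modbus/report
1 hmi-1 plc-1 modbus/read
1 hmi-1 plc-1 modbus/read
1 plc-1 historian modbus/report
`

// Constructed live window: interval 10 is normal, interval 11 is not.
var liveWindow = "10 hmi-1 plc-1 modbus/read\n10 plc-1 historian modbus/report\n" +
	strings.Repeat("11 hmi-1 plc-1 modbus/read\n", 5) +
	"11 laptop-7 plc-1 modbus/write\n"

// parse counts messages per flow within each interval.
func parse(log string) (map[int]map[flow]int, error) {
	out := map[int]map[flow]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("bad telemetry line %q", line)
		}
		t, err := strconv.Atoi(f[0])
		if err != nil {
			return nil, err
		}
		if out[t] == nil {
			out[t] = map[flow]int{}
		}
		out[t][flow{f[1], f[2], f[3]}]++
	}
	return out, nil
}

// Learn builds the baseline from a window of known-good telemetry.
func Learn(log string) (Baseline, error) {
	intervals, err := parse(log)
	if err != nil {
		return nil, err
	}
	b := Baseline{}
	for _, counts := range intervals {
		for fl, n := range counts {
			if n > b[fl] {
				b[fl] = n
			}
		}
	}
	return b, nil
}

// Detect compares live telemetry with the baseline. It only returns alerts and
// never blocks traffic, so a false positive cannot stop the plant.
func (b Baseline) Detect(log string, tolerance int) ([]string, error) {
	intervals, err := parse(log)
	if err != nil {
		return nil, err
	}
	var alerts []string
	for t, counts := range intervals {
		for fl, n := range counts {
			peak, known := b[fl]
			switch {
			case !known:
				alerts = append(alerts, fmt.Sprintf("t=%d new flow %s->%s %s", t, fl.src, fl.dst, fl.fn))
			case n > peak+tolerance:
				alerts = append(alerts, fmt.Sprintf("t=%d rate %d > baseline %d for %s->%s %s",
					t, n, peak, fl.src, fl.dst, fl.fn))
			}
		}
	}
	sort.Strings(alerts) // map iteration order is random; sort for stable output
	return alerts, nil
}

// Demo learns from the constructed baseline and scans the constructed live window.
func Demo() ([]string, error) {
	b, err := Learn(learningWindow)
	if err != nil {
		return nil, err
	}
	return b.Detect(liveWindow, 1)
}

func main() {
	alerts, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Println("ALERT", a)
	}
}
```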

b) What to Trust

Today, countless IoT technologies and systems are really no more than “intranets of things.” However, as more and more of these systems will need to connect with each other, it becomes increasingly critical to “know what to trust.” Device certificates can establish pedigree and lineage of a device. However, questions on whether or not that device should still be trusted, will eventually need to be answered by other services, such as reputation based services, or a “Directory of Things.” Such a directory could track not only security information regarding each device and IoT system, but could also help track and manage the permissions and entitlements that devices and systems grant each other. In fact, as we each find ourselves surrounded by more and more IoT devices, such directories could also help with “discovery” of devices in areas of interest, and with features of interest. In such a model, it might even be possible to quickly find a remote device through such a directory, and quickly agree to purchase data or services from that device. Even if you’ve never seen the device before, the device’s details including its capabilities and reputation could all be listed in such a directory. In fact, when you consider that the device will want to know whether or not it can trust a user, perhaps a “Directory of Things” isn’t enough. Perhaps we need a “Directory of Everything,” including devices, systems, users, and perhaps even a kitchen sink, if the sink is “internet connected” like a recent Stanford project monitoring water usage given California’s drought in 2015.

Of course, not many people have smart sinks or even smart refrigerators “yet.” However, many of us have a car that fetches traffic information over the Internet, a Smart TV or Blu-ray players that stream video over the Internet, a fitness wearable, and we use ATM machines and digital Point-of-Sale machines more often than we can count. In that context, we might each want our own “Directory of Things” to manage them all sooner rather than later. Still, where protecting the communications, protecting the devices, managing the devices, and security analytics for addressing strategic threats, are all absolutely required for IoT Security, we have to admit that the “nice” concepts of “Directories” for “knowing what to trust” are still more formative and visionary, and neither a cornerstone, nor a required ingredient in “understanding your system” today, at least not for most parties. We include these “nice” concepts of “Directories” for “knowing what to trust” only to give a preview of challenges ahead for many in trying to manage such complexity at such scale. We include them as some companies are already facing such challenges, as they are already responsible for protecting more than a billion devices. For them, that “future” is already here, and they are not alone.

5. Why IoT Security must be Comprehensive

To clarify why none of the cornerstones mentioned above can be neglected, let’s consider an example of trains.

In trains, electric motor controllers not only control acceleration of such trains, they often also control regenerative braking of trains. Even if mechanical brakes are included as a safeguard against uncontrolled acceleration, no such mechanical safeguards prevent a maliciously programmed motor controller from sudden and disproportionate braking that could cause harm to the train and its occupants. For these reasons, it is essential that all code executing in such controllers, brakes, switches, and more (all code driving any kinetic aspect of the train) be properly signed and all such components properly configured to never run anything but signed code.

Similarly, if communications aren’t authenticated, both within the train, and from the train to other infrastructure, the consequences can be severe. It’s not hard to imagine the consequences if control signals within the train for acceleration and braking could be spoofed, nor is it hard to imagine the consequences for spoofing an all clear when danger lies ahead.

Further, without host-based protections, the controllers themselves could be hacked, and malicious parties could achieve any of the same evil objectives without needing to defeat the authentication or code signing mechanisms.

Moreover, the necessity of such comprehensive security is not limited to trains. As cars become increasingly connected, they require similar host-based protections. Such protections can be deployed on the head unit of a car even if the car is running a real-time operating system. Of course, as the code is updated OTA, these policies can be updated OTA using the same OTA system. Without the ability to “adapt” security posture OTA, adversaries will quickly adapt to find your weaknesses and exploit them.

However, even if all of the above is done correctly, the most sophisticated adversaries can still defeat such countermeasures. For such reasons, backend security analytics are required to mitigate these strategic threats. Such systems can continuously collect data, forming baselines for trains, planes, cars, manufacturing plants, point of sale systems, nearly anything. With such baselines, IoT security analytics can quickly detect anomalies, helping detect stealthier threats, and feeding advanced threat correlation as part of broader security analytics in helping fight these strategic threats.

Last, it’s important to note that IoT security does not exist in a vacuum. Many of these devices need “physical security,” and the type of physical security will depend heavily on the use-case. An IoT device in the home might simply need an enclosure that prevents a maid from tampering with the device to spy on employers. However, IoT devices in a manufacturing plant often need layers of physical security that include key-card access to each room, and similar restrictions out to a fence distance determined by electro-magnetic risk decisions. Personnel security needs will similarly vary dramatically. However, physical security and personnel security are not unique to IoT. Most companies already address these well today, and must do so simply to protect normal factory production, and protect their traditional IT systems. For those reasons, this document has focused exclusively on the requirements for getting IoT Security “right” in and between IoT devices and their communications.

Of course many of these devices frequently interact with traditional backend IT systems often running in a data centre or in a cloud. We assume that you will get security “right” for those systems. However, please bear in mind that where those “traditional” IT systems either drive IoT devices and systems, or handle data from the IoT devices and systems, failure to get security right for those “traditional” IT systems can completely undermine all of the security that you have built into your IoT system.

As IoT becomes increasingly commonplace, and particularly as life critical systems like cars, planes, and industrial equipment increasingly leverage IoT, security must be correctly built into these systems, so that they are “secure by design” with security “built in” from the beginning. The stakes are simply too high for mistakes in most cases. Toward that end, to help others build security into their systems, and toward helping achieve industry consensus on a minimalistic set of cornerstones that could provide adequate security against today’s threats, we hope this paper helps.
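The baseline-driven security analytics described in this section, as an added example that is not part of the original paper: it builds a per-controller baseline of regenerative-braking commands and flags readings that break it, even though each value would pass authentication and range checks. The telemetry, controller names, valid command range and thresholds are all constructed assumptions.

```python
from statistics import median

# Constructed telemetry: braking deceleration commands in m/s^2 per controller.
# Every value lies inside a hypothetical valid range of 0.0-3.0, so signed
# firmware and an authenticated channel would accept all of them.
HISTORY = {
    "train-07/mc-1": [0.6, 0.8, 0.7, 0.9, 0.7, 0.8, 0.6, 0.7, 0.8, 0.7],
    "train-07/mc-2": [1.1, 1.3, 1.2, 1.0, 1.2, 1.4, 1.1, 1.2, 1.3, 1.2],
}
LIVE = [
    ("train-07/mc-1", 0.8),
    ("train-07/mc-2", 1.4),
    ("train-07/mc-1", 2.9),  # disproportionate braking for this controller
    ("train-07/mc-9", 0.7),  # controller that was never baselined
]

def build_baseline(samples):
    """Return (median, MAD); robust to a few outliers already in the history."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, mad

def score(value, baseline, floor=0.05):
    """Robust z-score: distance from the median in scaled-MAD units.
    The floor avoids division by zero when the history is constant."""
    med, mad = baseline
    return abs(value - med) / (1.4826 * max(mad, floor))

def detect(history, live, threshold=6.0, min_samples=5):
    """Return (device, value, reason) for readings that break the baseline."""
    baselines = {dev: build_baseline(s)
                 for dev, s in history.items() if len(s) >= min_samples}
    alerts = []
    for dev, value in live:
        if dev not in baselines:
            alerts.append((dev, value, "no-baseline"))
        elif score(value, baselines[dev]) > threshold:
            alerts.append((dev, value, "deviation"))
    return alerts

if __name__ == "__main__":
    for alert in detect(HISTORY, LIVE):
        print(alert)
```

Baselines are kept per device because a command that is routine for one controller (1.4 on mc-2) can be far outside normal behaviour for another.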

6. Summary

This paper advocates a simple and effective reference architecture for IoT security that should be easy to deploy and scale.

• The architecture mitigates malicious code by ensuring that all code is cryptographically signed and authorised for the device, and ensuring that unsigned code is not permitted to run.

• It protects communication through mutual authentication and encryption, leveraging time-proven certificate authorities and time-proven trust models already protecting more than a billion IoT devices, but leveraging newer ECC algorithms to provide that level of security in resource constrained IoT devices.

• The architecture further mitigates malicious data through host-based protection and further mitigates all remaining threats through security analytics.

• As vulnerabilities and threats are discovered, they can be mitigated through effective, safe, and secure dynamic management of the system.


This reference architecture is grounded on time-proven fundamental tenets of security. At the same time, in stripping the architecture to a minimalistic “required” level of security, we have excluded substantial security features and security functionality that would be very “nice” to have, even if not required to the same degree as the elements described above. We have stripped this security reference architecture into its barest form for several reasons. As engineering professionals, we need to establish an appropriate and easily reached minimum level of security for any IoT system where security matters, and it is valuable to everyone if the same architecture can be applied across many different verticals, particularly with protective security talent in such rare supply. Still, some companies may choose to go “above and beyond” the level of security that we describe here. We applaud that as often good, even when not obligatory. In many cases, we hope that verticals, top suppliers, and service providers in those verticals go far beyond the minimum established above. More importantly though, “skimping” in any one of the four cornerstones invites harm in all of the forms that could be done through misuse of your system.

