Regulations in IoT. Innovation stifler or an urgent need?
Rajesh Chitharanjan (@raj3sh1)
2© Copyright Publicis.Sapient | Confidential
“Is there a God?” The machine answered, “Yes, now there is a God.”
– “The Answer” by Fredric Brown
We are on the verge of one of the biggest moments in human history.
But there are many weak links! Privacy, Security, Standardization, Interoperability etc.
Experience is the best teacher. But the tuition is high.
“It’s not that we didn’t think about security. We knew that there were untrustworthy people out there, and we thought we could exclude them.”
– David D. Clark, MIT (involved in the early days of the internet)
“People don’t break into banks because they’re not secure. They break into banks because that’s where the money is. They thought they were building a classroom, and it turned into a bank.”
– Janet Abbate
Source: https://mitpress.mit.edu/books/inventing-internet
Do we need to regulate applications in IoT?
Will it stifle innovation?
01 A Case For Regulations
Will you give up your first-born for free WiFi?
Does your flashlight need to know where you are?
It’ll take 70+ days a year for an average web user to read the privacy policies they agree to.
Source: Data Privacy Lab, Harvard
Even bigger problem with IoT: Born Digital & Born Analog Data
Our data is anonymized. Isn’t that enough?
What can you infer from a person’s ZIP code, gender & date of birth?
Enough to uniquely identify 87% of Americans.
Source: Dr. Latanya Sweeney http://privacy.cs.cmu.edu/dataprivacy/papers/LIDAP-WP4abstract.html
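To make the point concrete, here is an added example (not from the original deck or from Dr. Sweeney's work) that runs the linkage attack on a constructed, "anonymised" medical extract: names are stripped, but ZIP code, gender and date of birth remain. A second constructed table plays the role of a public register that carries names next to the same three fields. The record sets, the `k_anonymity`, `uniquely_identifiable` and `link_attack` helpers, and the generalisation rules (3-digit ZIP, year-only DOB) are all assumptions of this example.

```python
from collections import defaultdict

# Constructed "anonymised" medical extract: names removed, but ZIP code,
# gender and full date of birth (the quasi-identifiers) are still present.
RECORDS = [
    {"zip": "02139", "gender": "F", "dob": "1985-07-14", "diagnosis": "asthma"},
    {"zip": "02139", "gender": "M", "dob": "1990-02-02", "diagnosis": "flu"},
    {"zip": "02139", "gender": "F", "dob": "1985-07-22", "diagnosis": "diabetes"},
    {"zip": "02138", "gender": "F", "dob": "1985-07-14", "diagnosis": "none"},
    {"zip": "02138", "gender": "M", "dob": "1990-01-01", "diagnosis": "flu"},
    {"zip": "02138", "gender": "M", "dob": "1990-01-01", "diagnosis": "asthma"},
    {"zip": "10001", "gender": "F", "dob": "1977-03-03", "diagnosis": "cancer"},
    {"zip": "10002", "gender": "F", "dob": "1977-03-09", "diagnosis": "none"},
]

# Constructed public register (think voter roll) that carries names alongside
# the same three quasi-identifiers. Names are placeholders.
VOTER_ROLL = [
    {"name": "Alice Example", "zip": "02139", "gender": "F", "dob": "1985-07-14"},
    {"name": "Bob Example",   "zip": "02138", "gender": "M", "dob": "1990-01-01"},
]


def quasi_id(rec, zip_digits=5, dob_precision="day"):
    """Build the quasi-identifier tuple, optionally generalised: fewer ZIP
    digits and a coarser date of birth widen each equivalence class."""
    dob = rec["dob"]
    if dob_precision == "year":
        dob = dob[:4]
    elif dob_precision == "month":
        dob = dob[:7]
    return (rec["zip"][:zip_digits], rec["gender"], dob)


def equivalence_classes(records, **kw):
    """Group records that share the same (generalised) quasi-identifier."""
    groups = defaultdict(list)
    for r in records:
        groups[quasi_id(r, **kw)].append(r)
    return groups


def k_anonymity(records, **kw):
    """k = size of the smallest equivalence class. k == 1 means at least one
    person is unique on the quasi-identifiers alone."""
    return min(len(g) for g in equivalence_classes(records, **kw).values())


def uniquely_identifiable(records, **kw):
    """Records that are alone in their class, i.e. re-identifiable by linkage."""
    return [g[0] for g in equivalence_classes(records, **kw).values() if len(g) == 1]


def link_attack(public_register, records, **kw):
    """Join the register to the 'anonymised' data on the quasi-identifiers.
    A name is recovered whenever exactly one record matches."""
    groups = equivalence_classes(records, **kw)
    linked = {}
    for person in public_register:
        matches = groups.get(quasi_id(person, **kw), [])
        if len(matches) == 1:
            linked[person["name"]] = matches[0]["diagnosis"]
    return linked


if __name__ == "__main__":
    coarse = dict(zip_digits=3, dob_precision="year")
    print("k (raw):", k_anonymity(RECORDS))
    print("unique (raw):", len(uniquely_identifiable(RECORDS)))
    print("linked (raw):", link_attack(VOTER_ROLL, RECORDS))
    print("k (generalised):", k_anonymity(RECORDS, **coarse))
    print("linked (generalised):", link_attack(VOTER_ROLL, RECORDS, **coarse))
```

On the raw extract six of eight records are unique on (ZIP, gender, DOB) and Alice's diagnosis falls out of a simple join; after generalising to a 3-digit ZIP and year of birth every class has at least two members and the join no longer resolves a name. Two caveats a practitioner should keep in mind: k-anonymity says nothing about a class whose members all share the same sensitive value (the attacker still learns the diagnosis without knowing which row is the target), and any extra attribute an IoT device leaks (location, device model, time of day) is one more column to join on.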
Is old-school PII-based protection still valid?
“Data can either be useful or perfectly anonymous, but never both.”
– Paul Ohm
Standard(s) chaos?
Thread Group: Backed by Nest and Google. An ambitious, wireless-centric standard that covers networking, power conservation, security and product compatibility. Its mesh-network concept works well in an interconnected device environment where no device becomes a single point of failure.
AllSeen/AllJoyn: Designed by Qualcomm, backed by the Linux Foundation. An open-source framework that directs connectivity and service-layer operations for IoT devices in order "to create interoperable products that can discover, connect, and interact directly with other nearby devices, systems, and services regardless of transport layer, device type, platform, operating system, or brand." Backed by Microsoft, Sony and some 160 other companies.
OIC/IoTivity: Founded by Intel in response to AllSeen. Launched the IoTivity framework, which competes with AllJoyn. May not make a big wave in this space.
Industrial Internet Consortium: Industrial applications. Backed by GE, IBM, Cisco and AT&T. Outlines the key characteristics of Industrial Internet systems, the viewpoints that must be considered before deploying an Industrial Internet solution, and an analysis of key concerns for the Industrial Internet, including security and privacy, interoperability and connectivity.
ITU-T SG20: Created by the International Telecommunication Union. Responsible for the international standards that enable the coordinated development of IoT technologies, including machine-to-machine communications and ubiquitous sensor networks. Seems to be the most authoritative of the list despite not having huge industrial backing.
IEEE P2413: IEEE’s own umbrella of standards. More than 350 IEEE standards are applicable to IoT, 40 of which are being revised to better support IoT; furthermore, more than 110 new IoT-related IEEE standards are in various stages of development. Aims to build a reference architecture that "covers the definition of basic architectural building blocks and their ability to be integrated into multi-tiered systems."
Others: Apple HomeKit, ZigBee (radio protocol)…
Interoperability?
Not just data access! How about hacking garages in 10 seconds?
Hospitals will have to deal with computer viruses along with the real-world kind.
What if a new Stuxnet-like worm does more than just sabotage a nuclear power plant?
How long before a rogue nation or a terrorist group wages warfare through our ‘Things’?
The US Department of Commerce has called for a public Request for Comments on regulation in IoT.
The European Commission’s DG Connect is considering separate IoT legislation.
02 A Case For Self-regulation
Enforced Regulations just won’t work
It will likely end up being too restrictive.
It cannot be expected to keep up with the pace at which innovation happens in the market.
It may cripple smaller startups by enforcing constraints.
It will introduce more red tape around auditing, compliance etc.
It may end up with weaker controls than market forces would have produced.
It can be used by companies to restrict competitors.
Complete enforcement is unlikely because of the effort involved.
Overall, it could slow down investors and scare developers away.
Survival & financial incentives will be the biggest motivators for companies.
Birth of PCI DSS
1998 and 1999: Visa and MasterCard reported $750 million lost to credit card fraud.
2000: Total revenue lost touched $1.5 billion.
2001: Visa reported that online credit card fraud rates were 4 times greater than for the average transaction…
2004: PCI DSS 1.0 was announced.
Source: http://www.valuewalk.com/wp-content/uploads/2015/02/Hacks-And-Data-Breaches-Infographic.jpg
Many successful self-regulation models
Financial rating services, such as Dun & Bradstreet and Moody’s.
Better Business Bureau.
Certifications for kosher and halal food.
Fair Trade food.
Responsible Care by the chemical industry.
Are Privacy concerns hyped up?
People are not as concerned about privacy if trading information makes life convenient.
Source: http://trak.in/tags/business/2014/06/21/indians-online-privacy-concern/
03 So, Do We Need To Regulate Or Not?
Need to look at this in 3 parts
1. Policies that are common across domains, such as interoperability, security standards etc.
2. Policies related to specific domains, such as healthcare, automotive etc.
3. Policies/guidelines related to the responsibilities of developers & vendors.
Data Security - Promising Options
Decentralized data management
Secure Multiparty Computation
Homomorphic encryption
Oblivious Messaging
Zero-Knowledge Systems
Secure Multiparty Computation
A method by which several parties jointly compute a function over their combined inputs and learn the result, without any party revealing its private input to the others.
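The simplest instance of that definition is a secure sum over additive secret shares, which is the building block many MPC systems start from. Below is an added example written for this page (it is not code from the original deck, nor from the Enigma project or any MPC library) in which a handful of parties, say smart meters, compute their total and average consumption without any meter disclosing its own reading. The field modulus `PRIME`, the `share`, `reconstruct`, `secure_sum` and `secure_mean` helpers and the sample readings are all assumptions of this example.

```python
import secrets

# Field modulus. Assumption for this example: every input and the total are
# non-negative and far smaller than PRIME, so arithmetic mod PRIME never wraps.
PRIME = 2**61 - 1


def share(value, n):
    """Split value into n additive shares whose sum is value (mod PRIME).
    The first n-1 shares are uniformly random, so any n-1 of them carry no
    information about value; only all n together reconstruct it."""
    if not 0 <= value < PRIME:
        raise ValueError("input out of field range")
    shares = [secrets.randbelow(PRIME) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def reconstruct(shares):
    """Add all shares back together (mod PRIME)."""
    return sum(shares) % PRIME


def secure_sum(private_inputs):
    """Simulate n parties computing the sum of their private inputs.

    Round 1: party i splits its input into n shares and sends share j to party j.
    Round 2: party j adds everything it received and publishes that single number.
    Anyone can add the n published numbers to obtain the total, yet no input ever
    leaves its owner in the clear.

    Returns (total, transcript); transcript[j] is exactly what party j received,
    so the reader can inspect an honest-but-curious party's view."""
    n = len(private_inputs)
    if n < 2:
        raise ValueError("need at least two parties")
    received = [[] for _ in range(n)]
    for value in private_inputs:
        for j, s in enumerate(share(value, n)):
            received[j].append(s)
    published = [sum(r) % PRIME for r in received]
    return reconstruct(published), received


def secure_mean(private_inputs):
    """Average consumption without revealing any single reading."""
    total, _ = secure_sum(private_inputs)
    return total / len(private_inputs)


if __name__ == "__main__":
    readings = [120, 340, 95]          # constructed meter readings, kWh
    total, views = secure_sum(readings)
    print("total:", total, "mean:", secure_mean(readings))
    for j, view in enumerate(views):
        print(f"party {j} saw shares {view}")   # random-looking, reveals nothing alone
```

Two caveats matter in practice. First, the protocol hides inputs, not the output: with two parties the published total lets each one subtract its own reading and learn the other's, and in general any coalition of n-1 parties can recover the last input, so the design assumes non-colluding parties (or more shares than parties). Second, this is the honest-but-curious model; a party that sends inconsistent shares silently corrupts the total, which is why production MPC adds commitments or message authentication on top of the arithmetic shown here.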
The Enigma Project
Privacy by Design
The “all or nothing” approach to privacy policies should change.
Granular privacy controls, the ability to change them, and a flexible policy.
A clear indication of the services the user gets by granting each permission.
Let users change their preferences at any time in the future, including hard deletion of their data.
Display the information collected under each section and allow the user to edit or modify it.
Source: CUPS – Cylab Usable Privacy and Security Laboratory
(Carnegie Mellon University)
Governments Need To Be A Regulator, A Facilitator And An Active Influencer.
“The fundamental problem is that security is always difficult, and people always say, ‘Oh, we can tackle it later,’ or, ‘We can add it on later.’ But you can’t add it on later. You can’t add security to something that wasn’t designed to be secure.”
– Peter G. Neumann
A vulnerability still in your router, after it was detected more than 14 years ago.
Not just some trivial applications!
Industrial development: could boost the GDP of the world’s economies by trillions of dollars in a decade.
Environment: could support reducing carbon emissions by 7 billion tons by 2020.
Health care: expect significant contributions in preventing and managing diseases, drug management etc.
Food and agriculture: applications like the connected kitchen and inventory management could contribute up to 15% savings in food waste.
Human enablement: evolution of transhumanism and H+.
How do you measure the success of your radio ads?
How many large scale, life changing ideas have we seen here?
Not Many!
Why Not?
What’s stopping BIG ADOPTION?
RoI concerns
Lack of success stories.
Concerns over justification of the business case.
No clear understanding of TCO.
Constraints in large-scale implementation
Most solutions are standalone, task-specific, use-case-specific.
Standards and protocols abound.
Confusing messages from vendors, product and service providers.
No clear authority.
Technology immaturity.
Concerns from users
Backlash on privacy intrusions.
Concerns on data security.
Won’t participate unless there’s clear value.
Implementation & rollout
Not integrated enough with existing digital offerings.
Scaling of solutions is a problem.
Tend to offer incremental benefits rather than fundamental changes.
Constraints with the physical environment.
Very expensive.