Nº 4 2015 > Global Symposium for Regulators
Regulation and the Internet of Things
The GSR Discussion Paper by Professor Ian Brown of the Oxford Internet Institute, University of Oxford, United Kingdom, examines the implications of the Internet of Things (IoT) for individuals, businesses and societies, and especially issues that telecom and other regulators need to consider, as IoT systems proliferate in developed and developing economies.
It is estimated that between 20 and 50 billion “things” will be connected to the Internet by 2020, including mobile devices, parking meters, thermostats, cardiac monitors, tyres, roads, cars, supermarket shelves and many other types of objects and devices. Rapid growth in the IoT is being driven by rapid falls in the cost of sensors, processing and networking technologies.
The Discussion Paper describes a broad range of IoT applications for monitoring and managing health and wellbeing, improving energy efficiency, increasing the quality and reliability of industrial processes, reducing traffic congestion, and enabling the development of new products and services. Technology companies and consulting firms have estimated that IoT technologies could have a significant impact on the global economy amounting to several additional trillions of dollars within a decade.
IoT devices will have the biggest impact where they are used in large, interconnected systems, including smart cities, smart power and water grids. Closer to the individual, “connected cars” with hundreds of separate sensors will offer safer and more reliable transport. Devices such as insulin pumps and blood-pressure monitor arm cuffs can give warning signs of conditions such as diabetes and heart disease. Another major opportunity for the IoT lies in the use of data and Application Programming Interfaces (APIs) in interactions between the IoT and individuals. The Figure opposite shows the relationship between IoT devices and applications, and the types of data they can generate at the individual, community and social levels.
Professor Brown's Discussion Paper provides an excellent, brief overview of advances in several sectors. Examples of smart city systems using IoT technology include:
- buildings that save power by adjusting heating and lighting according to the movements of their users and the weather;
- networked traffic signals that dynamically manage traffic movement across cities in response to measured and predicted changes in congestion and accidents;
- infrastructure that senses wear-and-tear and issues repair alerts (including bridges, cables and water pipes);
- road lighting that dims during low traffic periods; and
- smart electricity and water meters that record real-time data about usage, can interact with other household devices, and provide information to help residents reduce consumption levels at peak demand periods and/or peak rates.
With respect to connected cars, the Discussion Paper notes that the European Union (EU) is close to agreeing a requirement for all new cars and small trucks sold in the EU to feature a system that will automatically transmit vehicle data to public or private emergency response services following an accident. The top 14 car manufacturers in the world, which account for 80% of the global market, all have connected car strategies.
In the healthcare sector, the IoT can improve health and wellbeing by:
- increasing efficiency and care in existing healthcare settings;
- enabling greater use of remote telehealth provisions; and
- letting individuals monitor their own health condition on a daily basis, potentially promoting earlier diagnosis and/or encouraging compliance with treatment regimes.
The public and private sectors are continuing to fund significant levels of IoT research and development, in areas such as modularity, reliability, flexibility, robustness and scalability. High reliability becomes especially important in large-scale systems with hundreds of thousands of sensors, devices and readers. Radio-frequency identification (RFID) tags could minimize energy consumption by extending battery life and the battery replacement cycle. We are gaining a better understanding of the technical capabilities needed for many applications, although cost, connectivity and reliability remain challenges for large-scale systems.
The paper explores the regulatory implications of the IoT for licensing, spectrum management, standards, competition, security and privacy. Telecom/ICT regulators are very familiar with some of these areas (e.g. competition, privacy and data protection), but may not typically take lead responsibility in them. The regulatory consequences are in some cases obvious — such as the need for a large address space to identify each connected object (as provided by Internet Protocol version 6, IPv6, for example).
Other implications, however, are less obvious. A United States Federal Communications Commission expert working group predicts that IoT will add significant load to existing services such as Wi-Fi and 4G mobile networks, but expects that new spectrum will not need to be explicitly allocated to IoT communications. Studies for the European Commission have suggested that a licence-exempt model could support IoT development by avoiding contractual negotiations before devices are manufactured and used, promoting large-scale production of cheaper devices. Competition regulators will need to keep under review whether ex post investigations of abuse of market dominance are sufficient to foster a competitive market and innovation.
Privacy and security are two significant (and closely related) issues in large-scale IoT deployment. Without adequate security, intruders can break into IoT systems and networks, accessing potentially sensitive personal information about users, and using vulnerable devices to attack local networks and other devices. In large IoT systems such as smart cities, the lack of IoT security can create significant vulnerabilities, and be extremely complex to address given interdependencies and links to older public and private sector systems. Regulators have suggested that IoT companies should follow a security and privacy “by design” approach, building security and privacy functionality into the device from the outset of the development process, when it is much more likely to be effective. Companies developing and operating IoT systems need to conduct security testing, and consider how security vulnerabilities discovered after devices are sold can be fixed during their likely lifetime. Privacy regulators also agree that data minimization is an important principle for protecting privacy in consumer IoT devices, limiting the amount of personal data collected or retained, and therefore reducing the risk of data breaches and/or use of the data for other than the intended purpose(s).
The Discussion Paper cites a 2013 European Commission consultation exercise, which found a diversity of views on whether IoT-specific regulation is actually necessary. Industry respondents argued that State intervention would be unwise in this still-young sector, and that general rules such as the EU’s forthcoming General Data Protection Regulation will suffice. Privacy advocacy groups and academics responded that IoT-specific regulation is necessary to build public confidence, as well as to ensure a competitive market. Meanwhile, a United States Federal Trade Commission (FTC) staff report suggested that IoT-specific legislation would be “premature”, encouraging self-regulatory programmes for industry sectors to improve privacy and security practices — while also reiterating its call for “strong, flexible, and technology-neutral federal legislation” to strengthen its data security enforcement powers and require consumer notification following a security breach, and for broad-based privacy legislation.
The Discussion Paper notes that there is a pressing need for more widespread, common technical standards, which are likely to prove key to a low-cost, interoperable IoT. To date, IoT standards have evolved from a variety of different applications and stakeholders, who have different aims and requirements. The ITU Telecommunication Standardization Sector (ITU–T) has created a Global Standards Initiative on Internet of Things (IoT-GSI) to “promote […] a unified approach in ITU–T for development of technical standards (Recommendations) enabling the Internet of Things on a global scale”. Standardization bodies such as IEEE, IETF and OneM2M are also developing IoT standards, while application-specific frameworks such as the M/490 Smart Grid reference architecture have been developed. Finding efficient mechanisms to encourage the adoption and use of the standards under development is an urgent issue for policy-makers to consider.
The Discussion Paper provides an excellent introduction to the opportunities and challenges opened up by the Internet of Things for anyone interested in gaining a greater understanding of our digital world. It provides a thorough overview of recent regulatory developments, as regulators, policy-makers, industry stakeholders and consumers get to grips with the opportunities and risks of living in a hyperconnected world.
The Discussion Paper is available at: www.itu.int/gsr15