The IoT Alliance Australia (IoTAA) has issued a guide to best practices for businesses providing IoT services to consumers, but it is debatable how much it will do to address the key issue of the lack of security in consumer IoT devices.
The 20-page publication, Good Data Practice: A Guide for Business to Consumer IoT Services for Australia, is billed as “the product of a major collaborative effort by industry, consumer representatives and regulatory bodies to address consumer-related concerns about business to consumer IoT services.”
It outlines seven good data practice principles, dealing with: consumer protection, accountability, customer empowerment, cyber protection, customer data transparency, data minimisation and customer data control.
The guide focuses on “measures that IoT providers can take to build trust and understanding amongst consumers about collection and uses of data in the course of provision of operation of IoT devices and provision of IoT services, protection of privacy and secure installation and operation of IoT devices.”
According to its introduction, the guide has been “drafted principally to assist providers of IoT B2C devices and services to design fair and appropriate features and settings for privacy, security and accessibility into their products and services and to make available appropriate and readily understood guidance for consumers about their use.”
The lack of security in the design of many IoT products has precipitated moves in the US to legislate for better security in IoT devices sold to government, and calls from security experts for such legislation to be generally applicable. However, IoTAA has said it favours a voluntary scheme for a ‘tick mark’ or similar to indicate a minimum level of security, and is working on developing such a scheme as a priority.
On the subject of security, the guide notes these and other local initiatives and says IoTAA also supports ongoing efforts to develop Australian and international standards that facilitate information security, interoperability of IoT devices and services, and consumer choice.
It is clear that the supply of many devices that could fall within the ambit of IoT and that have little or zero security, such as some internet-connectable children’s toys, would breach the guidelines. They specify that “a provider should implement security by design in all IoT devices and IoT services.”
The guide makes it clear that such devices would fall within the ambit of IoT. It defines IoT devices as including “familiar devices that become ‘smart’ through being Internet enabled with sensor or actuator devices.”
However, many suppliers of such devices may not consider themselves providers of B2C IoT services.
The guide also has expectations that providers will be able to involve consumers in IoT security. Providers are expected to “make it as easy as is reasonably practicable (having regard to the nature of the IoT service or IoT device and its price point) for customers to: understand the customer’s responsibilities in relation to security settings and updates; implement security patches and updates; and understand what security vulnerabilities will remain and how best to address these vulnerabilities (including through monitoring or implementation of third party security products).”
However, IoT Hub has reported security experts suggesting this is expecting too much of consumers.
The guide has been authored by IoTAA’s Workstream 3: Data Use, Access and Privacy, chaired by Peter Leonard, principal of new data commercialisation consultancy Data Synergies, a business he started recently after retiring from law firm Gilbert & Tobin.