Von David Schwach

The Internet of Things – what is it and what numbers are we talking about?

The Internet of Things (IoT) is a network of physical objects and appliances that use various technologies (sensors, software etc.) to connect with each other over the internet. For the general audience it is mostly connected with the concept of the smart home but IoT is also applied in other areas such as security, smart cities,  industrial production (Industry 4.0), healthcare or in the banking sector. The IoT consists of connected, autonomous devices that also often have additional user interfaces, especially app- or web-based, as well as a basic infrastructure (often cloud-based).

It is thus not surprising that the top companies in the market belong to the digital giants: Microsoft Corporation, Amazon Inc., Cisco Systems Inc. (US), IBM Corporation, Bosch Software Innovations and Oracle Corporation.

The market potential for IoT-technologies is significant. While this technology reached 100 billion dollars in market revenue in 2017, forecasts suggest that the market revenue might reach 1.6 trillion USD by 2025. Other sources estimate a global market worth of about 1.46 trillion USD in 2027, with a compound annual growth rate of 24.9%. In terms of devices it is estimated that there will be about 10 billion connected IoT devices in 2021, which are assumed to increase to over 25 billion devices by 2030. In any case it is obvious that IoT has a massive market potential and might shape a vast part of our life and society in the future. This article shall therefore take a view at possible risks of IoT and how governments may address those issues.

The Internet of Things in Payment Services

The IoT today also finds increasing use in financial services, with digital payments growing ever more important during the Covid-19 crisis. The technology can be used to establish Wearables as payment applications (e.g. mobile phones via NFC) or Machine Payments (e.g. Pay per Use or M2M-Payments). The latter usually works without traditional payment methods, but is instead enabled via token-based systems.

1 Token-based Machine Payments using Machine Wallets to store payment tokens

Machine Payments have to master four technical and legal challenges in order to be viable.

• Authentication
• Transaction Security
• Attribution Security
• Data Security

To describe the solution to these challenges would exceed the frame of this article, but the following picture gives a good overview of such a system. When machines perform payment transactions autonomously, their security setup needs careful consideration. We should therefore take a look at the risks concerning the IoT technology next.

What risks are connected to the Internet of Things?

In order to do their job IoT devices process (collect, send, store, analyze) either large amounts of data (e.g. autonomous driving, networks of security cameras) or very sensitive, critical data (health care systems, fitness trackers, payment appliances). This can cause problems, as the technology still has glaring security issues. The primary concerns of many experts relate to cybersecurity and privacy risks.

Criticism of this technology concerns a wide area of security aspects, such as data protection, infrastructure security or hacking/hijacking of the devices. Improper device updates and lack of efficient and robust security protocols are among the challenges that IoT is facing. Security risks in IoT often also result from a user’s laziness or ignorance: unchanged standard passwords, unpatched software etc. While this is the root cause for risks in other, more traditional IT-devices as well, IoT cannot be compared to traditional computing devices and thus faces its own security challenges.

IoT-gadgets are usually designed for and applied on a massive scale while also communicating with the internet, each other and other devices in the same network. Potential security vulnerabilities therefore endanger a great amount of devices at the same time, creating multiple weak points in the system at once. Due to the devices’ connection among each other and to the internet, weak security leads to potential harm to other machines and users even internationally (e.g. with DDOS-attacks). A possible method to defend against IoT attacks and to protect valuable data, is the implementation of cryptography frameworks as this paper from the AICCSA shows.

Which legislation might be applicable to these problems?

In the last years, the European Union passed legislation that heavily influences the way businesses are allowed to work with data and defines their responsibilities in case of data breaches. Examples are

• General Data Protection Regulation / DSGVO concerning personal data of individuals
• EU-Cybersecurity Directive 2016/1148 concerning critical infrastructure
• ePrivacy-Directive concerning personal data in electronic communications (due 2022)

Even if IoT providers strive to do the best for their customers, they face (and regularly fail) security challenges. One of the biggest problems is the way user data is stored and processed by third parties. In this way, security gaps in IoT are in conflict with the GDPR. As there are no standardized, regulatory security methods prescribed for IoT-systems, it is up to the providers to implement security measures themselves (for example with guidelines). Alas, if they satisfy EU dataprotection regulation is yet to be seen. As is often the case, third parties (such as the insurance companies) can receive the users’ information if the users “consent” to it. The controllability of data flows in such circumstances is of course questionable.

Depending on the area of application, IoT can potentially collect and process vast amounts of sensitive data, especially personal data, thus falling into the jurisdiction of the GDPR. When IoT data is stored or processed in a cloud, this becomes a highly sensitive topic. The GDPR also regulates the topic of data localization, that means where the data is stored (inside vs outside EU). IoT service providers have to take this into account when they want to expand into other legal jurisdictions. Their IT-architecture must be flexible enough to deal with relatively sudden changes in the data protection assessment of certain jurisdictions. While data processors could previously rely on the „EU-US Privacy Shield“ to justify processing personal data on US-servers, this changed with the Schrems II verdict of the European Court of Justice, which left companies all over the EU and US scrambling to mitigate suddenly outdated data localization concepts and business models.

Will regulation help or hinder the market potential of IoT?

At the moment most companies are focusing on optimizing already existing processes or cost reduction instead of developing new business models or services. While about 40% of companies use IoT to optimize business processes, reduce costs or increase revenues, only one-fifth are using IoT to develop new business models, as shown by a study from the magazines COMPUTERWOCHE and CIO. The same study suggests that insecurities about possible conflicts of IoT with data protection regulations are causing this reluctance. Considering this, data protection might currently be a bigger threat to the adaptation of the Internet of Things than vice versa, at least in the German and European Markets.

While concerns about data security are currently impeding the market potential of IoT, binding regulation and security standards could soothe those concerns and thus improve acceptance of IoT technologies. These concerns with IoT are not only limited to consumers in the EU, though. Another survey conducted in Japan, Canada, the UK, Australia, the USA, and France discovered that 63% of the IoT consumers in these countries distrust IoT devices due to their improper security. This is interesting, considering that innovative technologies and lower data protection standards are generally more accepted in those countries, compared to technologically more conservative countries like Germany.

Nevertheless, all stakeholders have to take care of implementing binding rules which are still flexible enough to adapt to the rapid development. In order for IoT to succeed in Europe, not only lawmakers, but also IoT developers and producers must diminish security issues to earn the trust of European customers. This is also a chance for European IoT-providers to attack the currently dominant market positions of non-EU providers.

One way to mitigate security risks is to regulate the IoT-industry and its security and production standards, especially when we consider that many of these devices are imported from countries like China. While a fast growing and changing technology will usually always outrun the slow-moving lawmaking process, this field is not wholly unregulated. Firstly, there are arguments to be made, that IoT-providers and their technologies should fall at least partly under the scope of already existing telecommunication legislation. Moreover, the EU undertook efforts in the last years to regulate how data can be used with modern technology. See for instance the above mentioned GDPR or ePrivacy-Directive. Additionally, current movements try to impose specific regulations on security aspects of IoT products, for example in the Netherlands.

When planning and evaluating the security level of IoT-systems, it is wise to adhere to industry standards. One regulation regarding IoT is the Cybersecurity Act, since IoT falls under the scope of ICT products. The real effect of this Act on IoT-standards seems questionable though, as the provided framework is purely voluntary. As of now, there is not one singular, established standard yet, but rather a diverse range of them. Besides an arrangement of guidelines and consortia, there is ISO/IEC 27001, which covers information security management in general and is internationally recognized. Equally important  standards for consumer IoT security are ETSI TS 103 645 and the IoT guidelines from GSMA. Considering that IoT is seeing more usage in critical infrastructure, and that cyberattacks on these infrastructures is constantly rising, lawmakers should move to even further, mandatory regulation of IoT-systems in the future.