Exploring the regulatory and legislative landscape for IoT devices
by Alex Rennie on 03 Sep 2020
The Internet of Things (IoT) promises to transform societies and economies. Such widespread transformation is bound to attract increased regulatory and legislative scrutiny. Here we explore the issues on which governments are most likely to focus their attention.
The Internet of Things (IoT) is starting to transform modern economies and the way we live. The first wave focussed on smart home devices, including smart speakers, virtual assistants such as Amazon’s Alexa, and smart TVs. A techUK report in 2019 found that 60% of British consumers own at least one such item. Yet improvements in processing power, device miniaturisation and wireless connectivity will increasingly bring benefits outside of the home, from autonomous cars to climate efficient buildings. Governments are keen to harness the productivity and connectivity benefits. The UK Government has established the Connected Places Catapult, a public-private initiative, to help the country create the connected cities of the future.
Despite this official enthusiasm, however, the World Bank has highlighted that existing policy and regulatory frameworks across the globe are “underdeveloped.” Governments are becoming aware of this, leading to a recent surge in regulatory and legislative activity. The UK’s Department for Digital, Culture, Media & Sport has recently opened a consultation on the new cybersecurity requirements for smart devices that it first proposed back in January 2020. The Department also contributed to the creation of the ETSI international standard for the security of smart devices. Meanwhile, the European Commission has opened an antitrust competition inquiry into the IoT sector for ‘consumer-related products’ such as voice assistants.
These latest actions by the UK and EU form part of their broader push to focus on technology issues over the next few years. At the UN in September 2019, UK Prime Minister Boris Johnson argued that governments around the world need to “find the right balance” between private enterprise and government oversight with regards to technology regulation, whilst in Brussels, the new Commission President Ursula von der Leyen has made no secret of the EU’s ambition to rewrite the rulebook for the digital economy.
With all this in mind, it is a safe bet that further smart device regulation will be forthcoming. Here are the four policy areas on which governments are most likely to legislate, and of which smart device manufacturers should be aware.
1. Consumer protections
The rise of internet-connected, software-dependent hardware is quickly demonstrating that existing consumer protection laws designed for an analogue age are insufficient to protect consumers in 2020 and beyond. Existing consumer laws are designed to reflect consumers’ expectations that goods will function as advertised and, in the case of expensive items, will last for a reasonable amount of time. In effect, present day regulations tip the scales in favour of the consumer by imposing stringent obligations on manufacturers to ensure their goods are of a certain (high) standard. They are also easy to enforce and monitor because goods are tangible.
Yet the rise of software-dependent goods tends instead to favour the producer, since software is often licensed rather than sold. This means that producers are able to modify or restrict software as they see fit, even after purchase. Consumers still expect that goods will continue to function as advertised for a reasonable amount of time, so there is potential for conflict in a world of software-dependent devices: consumers will continue to expect big-ticket items such as washing machines to function for over ten years, when the norm for software updates is half that time. Put bluntly, if a hardware manufacturer loses interest in a product or wants to nudge consumers to buy a newer model, they could decide to stop issuing software updates, thereby rendering many goods less useful.
This dissonance between existing consumer protections and the nature of today’s software-dependent hardware has begun to gain the attention of legislators. The European Commission, for example, has confirmed in its updated 2020 work programme that it still plans to evaluate the Low Voltage Directive (LVD) 2014/35/EU, which ensures that electrical equipment within certain voltage limits provides a high level of protection, by the end of 2020 to assess if the LVD is fit for purpose in terms of effectiveness, efficiency, relevance, coherence, and EU added-value. The evaluation will also look at the digitalisation of electrical devices, household appliances and broader IoT issues, as well as assessing how the LVD interacts with other EU product safety laws.
2. Cyber security
This is the area where the UK Government has been most active so far with regards to IoT legislation. It is currently consulting on proposals for all “network connectable products” that include a ban on universal default passwords and a requirement to inform customers of the minimum length of time during which a product will receive security updates. The focus on enhanced cyber security legislation for such products is understandable; the more connected the economy is in future, the greater the risks of a whole range of threats from data theft to attacks from terrorists or hostile state actors. Several incidents have also attracted substantial media attention, including an attack using malware called Mirai that exploited a list of default usernames and passwords, which most users never change, to infect hundreds of thousands of connected devices, from smart energy meters to home CCTV cameras and connected baby monitors.
The Government expects that its proposed legislation will be only the first step towards further legislation. The UK Government’s action is in line with legislation introduced in California, which became the first US state to mandate minimum security standards for IoT products, including a ban on the use of default passwords.
In addition to new legislation, the UK Government has also been involved in standards setting and industry-led assurance schemes. It supported the work of the European standards organisation ETSI on its standard 303 645, which establishes a security baseline for internet-connected consumer devices and provides a basis for future Internet of Things product certification schemes. Over the summer, the Government also announced new funding for an industry-led assurance scheme for IoT devices.
3. Privacy
Amidst a growing focus on the rise of surveillance capitalism, highlighted by the recent furore over Barclays’ use of a staff tracking system, questions of privacy are likely to be another key focus of legislative and regulatory action over the next few years. Whilst many applications of such technology, such as the use of heat and motion devices to monitor when desks are being used, have positive benefits for efficiency and the environment, the Barclays case shows the potential for the widespread rollout of internet-connected devices to result in a public backlash based on privacy fears.
Such a public backlash always runs the risk of legislators becoming over prescriptive, although where privacy-focussed IoT laws have so far been introduced this has not happened. California again led the way in this area and has a specific law on privacy and IoT devices that places the onus on manufacturers to ensure their devices are specifically secure against unauthorised use and hacks. Whilst not challenged for being over prescriptive, some have criticised it for being too vague, causing confusion for smart device manufacturers.
Concerns over privacy and surveillance capitalism could also dovetail with growing fears over the influence and control that certain technology giants, which are often smart device manufacturers too, receive from the network effects created by integrated services and the data they generate. The new European Commission antitrust competition inquiry into the IoT sector, “to make sure that market players are not using their control over… data to distort competition”, is the most obvious example of this.
4. Geopolitical tensions
Simmering away in the background are growing tensions between the US and China, a rift that is increasingly enveloping the UK and the EU. Yet the growing trade war between Washington and Beijing poses a particular problem for smart device firms because of the importance of chips to such devices. The sanctions announced by the US in May on Huawei, which seek to stop companies around the world from using software or hardware that originally comes from America to manufacture components based on Huawei’s designs, are forecast to have a severe impact on the Chinese giant’s ability to secure chips from its traditional suppliers. Given this, smart device manufacturers could have difficulties sourcing chips or even face the possibility of having to pay tariffs or establish separate operations to serve an increasingly bifurcated technological sphere. Beyond the obvious problems, if one effect of such a scenario were to make IoT devices expensive, this could have a detrimental impact on the uptake of consumer smart devices given that a recent report by techUK found that cost was already one of the biggest barriers to the take up of such devices.
In short, these are the main areas that are likely to pose the biggest legislative and regulatory challenges for smart device manufacturers in the years ahead. Despite the potential for some of these concerns to lead to overly-restrictive solutions, especially given the more general backdrop of increased wariness of technology companies, the leaderships in both the UK and the EU have made it clear that digitalisation and technology are policy priorities. Given the centrality of the Internet of Things to many of the most promising technological developments, there will be significant benefits for those companies that are aware of the challenges and work proactively to address and neutralise them. Forewarned is forearmed.
Written by Alex Rennie
Alex provides political analysis and monitoring for clients in the emerging technology sector, with a particular focus on drones.