Feb. 20, 2015
Into The Next, by Gigaom
February 19, 2015
As the internet of things grows to encompass many more “things,” so does the number of wireless ways to connect them. Wi-Fi, ZigBee, Z-Wave, Bluetooth Low Energy and cellular are being embedded in every manner of gadget from thermostats to cars, but industrial IoT specialist Sigfox is suggesting one more type of connection: satellites.
Sigfox is partnering with aerospace company Airbus Defense and Space, French research institute CEA-Leti and engineering firm Sysmeca on a project called Mustang that aims to build a hybrid terrestrial/satellite network that can be used to connect the internet of things. Sigfox is already developing low-power, low-bandwidth wireless networks in several countries designed to connect sensors, industrial appliances and other gadgets to the internet. Its work with Mustang could expand the scope of that network to the entirety of the globe. Devices connect to a Sigfox terrestrial transmitter where available, but beam their information up to the heavens when not.
Sigfox satellite network
These kinds of satellite machine-to-machine (M2M) networks have actually been around for some time, run by big orbital communications providers like Orbcomm, Iridium and Globalstar. But Mustang seems to have something more ambitious — or less ambitious, depending on how you look at it — in mind. Instead of uploading telematics data from military tanks in the desert or collecting data from buoys in the ocean, Sigfox is geared at connecting more everyday objects, from the alarm system in your home to the tracking device on your dog’s collar.
These types of networks don’t have much bandwidth: they only need to transmit at a few bits per second, they consume very little power and they cost very little to operate. If Sigfox, Airbus and their research partners can optimize a satellite network for those kinds of use cases, they would have something quite impressive on their hands.
Mustang’s founders said that the project has a three-year timeline, in which they plan to develop the modem technology and the communications protocols necessary to make the system work. So while my dogs are connected by Bluetooth and Wi-Fi today, it may take some time before they’re beaming info into space.
February 17, 2015
Great article, with solid advice:
Innovation is prized in the growing space of the Internet of Things (IoT). But an innovative product design is not enough, and potential pitfalls abound.
As demonstrated in a report published by the Federal Trade Commission (FTC), privacy and security need to be at the forefront of developers’ minds. Here are five lessons on what not to do when developing a connected product.
The Internet of Things is an expanding ecosystem of everyday objects that are embedded with technology, allowing them to connect, communicate and transfer information about users and their surroundings to each other.
IoT products boast beneficial effects such as increasing economic productivity and efficiency, encouraging robust innovation, and tailoring user experiences. However, by virtue of being connected to the Internet, IoT products also carry privacy and security risks. On Jan. 27, 2015, the Federal Trade Commission published a report focusing on privacy and security concerns for IoT devices sold to consumers.
Given the growing interest in how embedded computing advancements affect security and privacy issues, this Alert identifies what developers, investors and entrepreneurs should avoid when entering the IoT market.
Ignoring Washington, Sacramento and the European Union
Much has been written about how privacy and security laws are outdated and have not been able to keep pace with rapidly changing technology. While legislatures may not have succeeded in updating statutes, regulators are laser-focused on privacy and security. Ignoring the federal, state and international efforts to deal with these issues would be a mistake.
Indeed, the FTC has made embedded computing a top focus. In January, the FTC issued a report, Internet of Things: Privacy & Security in a Connected World, that recommended steps businesses should take to enhance and protect consumers’ privacy and security.
While the report is not formal legislation, it serves as a warning to IoT developers about the expectations of the FTC in this space. The report offers recommendations regarding data security, data minimization, privacy notices and consumer choice regarding collection of users’ data. The FTC also recommends that data security legislation be enacted by Congress.
Even without IoT-specific legislation, developers should understand how technology-neutral laws are being enforced in the IoT context. The FTC, for instance, has used its general consumer protection enforcement powers under the FTC Act, 15 U.S.C. § 45(a), regarding “unfair or deceptive acts or practices” to prosecute privacy and security violations.
Last year, in its first action against a marketer of IoT products, the FTC approved a final order settling charges that Trendnet engaged in lax practices that failed to prevent unauthorized access to sensitive consumer information, namely video and audio feeds from its home security cameras.
Failure to comply with the FTC report’s recommendations could result in FTC enforcement activity. FTC Commissioner Julie Brill has also encouraged state attorneys general to monitor the IoT industry, and to bring actions for privacy and security breaches under general state laws that may apply.
While the IoT industry is in its early stages, and IoT-specific legislation has not materialized, stakeholders in IoT devices should also keep abreast of developments in general data security and privacy legislation.
Certain states, including California, have taken active roles in the privacy sphere and have passed sweeping privacy legislation that can impact IoT devices. Consumer class action plaintiffs and their attorneys are clearly paying attention to these developments, as evidenced by the onslaught of cases being filed.
Additionally, companies cannot forget that the federal government is increasingly requiring information technology devices and systems to have high levels of security before they will be bought by the government. Federal procurement policy is rapidly changing to integrate security into contractual obligations, so companies that fail to have adequate security may see their government contract opportunities limited or even eliminated.
To the extent the IoT device is marketed internationally, or if it is intended for travel, developers should also be familiar with privacy and data security regulation in other countries in which they are operating and where the IoT device is likely to be used. The European Union, for instance, has very restrictive privacy laws and, under new amendments, member state regulators have the ability to issue fines up to 5 percent of global revenues.
Treating security as an afterthought
It may be tempting to add security features to a device at the final stages of development so as not to hinder ingenuity or innovation in the early stages. This approach, however, may allow for more security vulnerabilities to slip through the cracks than if security were considered at every stage of the design cycle.
Developers should consider security issues from the very beginning of product development—in other words, IoT “security by design.” IoT stakeholders would also benefit from acknowledging the risk of a data breach or use of the IoT device to conduct a cyber attack inherent in a connected product, and proactively developing an action plan in the event of a data breach or cyber attack.
In the Trendnet case mentioned above, the FTC alleged that faulty software for home security cameras left the live feed from the cameras open to online viewing by anyone with the camera’s Internet address. When, according to the complaint, a hacker exploited this flaw and posted links to the live feeds to certain cameras (including babies asleep in their cribs and young children playing), it appears that the company did not have a way to repair the security flaw without forcing users to visit the website and download a software patch.
Stakeholders should think about these security issues from the start:
- How can the company integrate security measures into the product as a way of enhancing the user experience?
- Has the company completed a privacy or security risk assessment?
- How will IoT devices be monitored for security vulnerabilities when they are out-of-date and new products are released?
- Does the company have a system in place to receive information about security flaws?
- How will software patches be released to users?
- What is the procedure for handling a data breach, and how will customers be notified?
Overlooking internal security risks
While a “security by design” approach to developing an IoT product is essential, it is not foolproof. Developers need to think about security threats not just by hackers, but by their own employees and vendors. As the FTC report explains, companies must ensure that “personnel practices promote good security,” and that “product security is addressed at the appropriate level of responsibility within the organization.” In addition, companies should consider the security practices of their contractors and vendors.
Companies that handle data derived from IoT devices should consider the following issues about who has the data:
- Who needs access to user data? Are there ways that access can be limited?
- Are there clear policies in place regarding employees’ handling of user data? Do those policies have buy-in from all of the important stakeholders?
- Is the company providing reasonable oversight of employees’ handling of user data?
- Has the company considered the data security policies of contractors and vendors?
Collecting as much data as possible, even when you don’t need it
Data collection is a powerful tool for analyzing behavior, developing innovative products and providing valuable insights to users. Collecting and retaining large amounts of consumer data, however, can present a more attractive target for data thieves. When a large variety of data is collected, it also increases the risk that some of the data that is collected will be used in ways contrary to consumers’ expectations.
While data minimization in the IoT context is challenging because a new use for data may be just around the corner, the FTC has encouraged companies to have data practices and policies that impose reasonable limits on consumer data collection and retention in light of that company’s business needs. One option to reduce privacy concerns is to immediately de-identify the collected data so as to minimize harm if there is a data breach.
Developers should consider:
- Are the types of data being collected needed at this particular stage of design or implementation?
- Is de-identifying the data an option? Is there a legal obligation to de-identify consumer data?
- How long does the company need to keep the data to accomplish its objectives? When should the data be deleted?
Believing that what users don’t know won’t hurt them
The IoT presents many challenges to traditional consumer protection methods of notice and choice. For certain data collection that is consistent with the consumer’s expectations, providing choices for every instance of data collection may be overly burdensome to the consumer, and not necessary to protect privacy.
However, where the data being collected is sensitive in nature or beyond what a user might expect to be collected, developers should consider methods to provide users with notice and choice regarding data collection. The provision of notice to consumers about what data is being collected and with whom it is being shared is governed by a labyrinth of privacy regulations.
As to providing notice and choice to users, developers should consider:
- Is data collection limited to data consistent with the context of the consumer-device interaction?
- Are the company’s privacy policies and terms and conditions of use customized, up to date, clear, prominent and written in a way that is understandable to consumers? Has the company resisted the urge to cut and paste “boilerplate” policies used by others in the space?
- When and how are notifications regarding collection of data provided?
- In what situations will the company request users’ express consent before their sensitive data is collected?
- What options will users be given to control privacy settings?
If you want to avoid these pitfalls, start asking critical questions about the security and privacy implications of your IoT device from inception through implementation.
Pillsbury Winthrop Shaw Pittman LLP is a full-service law firm with an industry focus on energy and natural resources, financial services including financial institutions, real estate and construction, and technology. Based in the world’s major financial, technology and energy centers, Pillsbury counsels clients on global business, regulatory and litigation matters.
February 11, 2015 (Washington, DC) —
Just ran across this related blurb from Politico today…
SENATE TAKES UP ‘INTERNET OF THINGS’ — Congress is dipping its toes into the world of interconnected devices today as the Senate Commerce Committee holds a hearing on the “Internet of Things.” The hearing comes as connected devices like fitness trackers, computerized thermostats and digital refrigerators continue to garner attention for their novelty as well as privacy and security concerns. Earlier this week, Senate Commerce Committee Democrat Ed Markey released a report criticizing automakers for how they handle security issues in connected cars, and late last month, the FTC released its report on the topic, recommending that companies build privacy and security protections into their products and pledging to use its current authority under existing statutes to regulate the budding industry.
In his opening statement, Commerce Chairman John Thune will push for regulators to take their cues from the industry and consumers. “If evidence shows there are discrete problems, we should examine ways to solve those problems,” he’ll say. “But let’s have the humility to recognize that the best solutions are often not government solutions, and let’s not stifle the Internet of Things before we and consumers have a chance to understand its real promise and implications.”