Demystifying IoT standardisation and data ownership
Data is a real asset not only for marketers who constantly strive to produce consumer centric products and services, but also for governments who are setting benchmarks for good governance and citizen centric services.
In the digital world, while it is easy to collect data, its legal consumption is still a grey area and a matter of concern as data has no legal boundaries. For example, data can be generated in Spain, stored in Thailand, backed up in Australia and used for analytics running on a virtualised server in the USA.
Let’s take few use cases to understand the implications of the absence of standardisation and regulations related to data ownership.
The telemedicine market has been around for more than a decade. It involves medical consultations via the internet and smartphone apps and requires that doctors have licences to treat patients wherever they are, not just in a single location. This market is expected to hit $130bn by 2025, as more insurance plans start covering the cost of virtual visits. While the US leads the market with 50 per cent market share, both India and China are poised for growth.
Telemedicine heavily depends upon connectivity. Medical devices could be operated from within the patient’s room or from a central location in the hospital, and possibly even from a remote location on the other side of the planet. Standards need to be in place to allow these medical devices to operate with each other, within the hospital control system and with a doctor’s computer system which can be located anywhere.
Additionally, since the information is privileged and private, regulatory standards are required for ensuring data security, defining clear ownership and conditions for data release to others. For example, handling medical data in the United States requires strict compliance to the HIPPA laws which state that medical data may not be shared without the permission of the patient. This leads to legal concerns when the location of many medical devices and systems storing, analysing and transmitting data is unknown.
Another use case worth considering are the autonomous cars which are going to dominate the roads in the future, with a market expected to cross 60 million units by 2024. It’s a marvel to witness the rapid pace of technological advancements in the autonomous vehicle industry. Ironically, its growth is outdoing the existing regulatory environment – widening the gap between the regulatory and policy framework and the self-driving technology.
And these are real concerns. On 6th November 2019, CBC News posted a video of a driverless Tesla at Richmond Centre mall parking lot, rolling in the wrong lane. The car was likely activated with Tesla’s Smart Summon mobile app feature which enables Tesla owners to activate the vehicle to drive autonomously to their location within a 60 metre radius.
Vancouver lawyer Paul Doroshenko said there are no laws against what he saw in the video and he doesn’t know what charges would apply if the driverless car ran someone over. Adding to the confusion is a statement from the province’s Ministry of Transportation and Infrastructure, which said that driverless vehicles are banned on provincial roads, despite the growing number of autonomous-capable Teslas being sold in British Columbia!
So imagine, if this car did actually crash:
- Would the police have access to the data repository within the car which maintains a GPS record of everywhere it’s been, what speeds it’s travelled, and the driver’s habits? Imagine what happens to an individual’s privacy when you consider that some cars have dash, rear and even internal cameras recording the passenger and driver conversations and actions!
- Will a search warrant be required to obtain this information, even if it has been transmitted into the cloud and no longer exists on the car itself?
- How must the data be secured?
- Do the owners of autonomous cars have any rights over the usage of the data originating from their car?
Global data privacy laws and IoT standardisation
With IoT, data ownership is even more complicated as multiple devices and systems communicate not only with each other, but also with various data aggregators, and with multiple command and control stations which may be located across different countries.
IoT implementations still face a host of technical and non-technical challenges and require globally uniform standards and policy frameworks which are both relevant and acceptable to the territory of execution. Most of the current solutions to these issues rely on higher-level computational and memory-intensive processes that tend to be limited in IoT devices.
The huge lacuna of uniform policy framework at the global level needs to be addressed. Many countries have issued guidelines on data privacy and use. The most recent one is the European Parliament and Council of the European Union which announced implementation of General Data Protection Regulation (GDPR) on May 25th, 2018.
GDPR is designed to modernise laws protecting the sensitive and personal information of individuals. This has direct implications for the IoT players as many of the data processing activities in IoT operations will fall directly within the material scope of GDPR. For example, the healthcare industry makes use of wearable devices which collect the personal data of individuals, and so do connected vehicles and smart home solutions.
In need of clarification
The outpacing of regulations by the accelerated speed of technology innovations and their adoption have left entrepreneurs and businesses unsure of how potential business could be affected in the future by later government action. Hence, regulations and voluntary compliance is required to clarify the ownership of data – how it is collected and who is authorised to collect it? How and under what conditions may it be shared? What are the legal requirements for privacy, and who will authenticate the factual correctness of the information produced?
Standardisation across the IoT landscape is also important because this reduces the gaps between protocols and associated security lacunas. It also reduces the overall cost of data, the associated transport costs and the cost of manufacturing individual components. This is because fewer standards enable more compatible components, which all leads to reduced cost of design, manufacturing and a reduced time to market.
Standardisation also streamlines the overall integration at an application level (aggregation of data, interoperability of data, reports and business processes) without being concerned with individual IT devices, unique protocols and non-standard data formats.
Looking towards the future
In a nutshell, the IoT’s full potential can be realised with uniform standardisation and data privacy laws defined at the global level. Security needs to be incorporated at the ‘Design’ level for ensuring authorised access to data.
IoT systems need to be developed with proper checks for breaches, as well as being regularly monitored to ensure bad actors cannot exploit them, particularly when they feed back into the physical world. Significant hardware support, such as encryption, authentication, and attestation, and software support, such as run-time self-healing architecture, are required for future IoT devices, if their data is to be secure and trustworthy.
For more from D/SRUPTION’s expert guest contributors, sign up to our weekly newsletter.