Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd,  1995-2024
Photo of Roger Clarke

Roger Clarke's 'Regulation of IoT'

Is your television spying on you?
The Internet of Things needs more than self-regulation

Version of 7 September 2020

Editorially somewhat dumbed-down version published in The Conversation on 11 September 2020, as 'Are your devices spying on you? Australia's very small step to make the Internet of Things safer'

Kayleen Manwaring & Roger Clarke **

© Xamax Consultancy Pty Ltd, 2020

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at http://rogerclarke.com/II/IoTC.html


Security flaws in Internet of Things (`IoT') devices are common. They have been found in Internet-connected toys, televisions, security cameras, door locks, medical devices, fitness trackers, baby monitors, cars and even guns. Hackers can use these vulnerabilities to take remote control of devices, steal or change data, or spy on users. These activities can cause physical, psychological and economic harm, not just to the consumers who own these devices, but also to others who are connected to them.

The Federal Government has just launched a new Code of Practice intended to encourage manufacturers to make IoT devices more secure. However, it may lull consumers into a false sense of security when buying IoT devices. As the Code is voluntary and not binding on manufacturers, the chances of compliance are low.

Many IoT devices are insecure

IoT devices designed for consumers are generally less secure than other elements of the world's information infrastructure, such as desktop computers. In a research project funded by consumer advocacy group ACCAN, all 20 consumer IoT devices tested contained a security flaw, and many had potentially serious problems. These devices included cameras, a motion sensor, a smoke alarm, a sleep monitor, bathroom scales, an air quality monitor, light bulbs, power switches, a talking doll, a photo frame, a printer, voice assistant, a smart TV and a smart speaker.

Factors leading to poor security in IoT devices include low profit margins, the inexperience of manufacturers of consumer goods in cyber security practices, and the `form factor' (shape and size) of the IoT device. Also, many consumers do not understand, or have access to, the various security practices needed to protect themselves across the diverse devices used for health, safety, food, information, entertainment and transport.

Poor security can cause harm to consumers and others

These security issues in IoT devices can give rise to significant consumer and community harm. People can be subject to unwanted surveillance and harassment in the home. Personal information can be exposed to the world at large. Physical harm can arise from device failure or malfunction caused by hackers, and malicious remote control of inherently dangerous connected objects (such as cars).

It's not just your own IoT devices that can harm you. Many IoT devices can be hijacked and used to `flood' other Internet services with malicious traffic in order to make those services unusable. Alternatively, if an attacker can compromise one device, it may enable them to break into other connected infrastructure. This is a particular concern as more people are connecting to workplace networks from home during the COVID-19 pandemic. People are usually unaware when their compromised devices are used in such attacks.

Proper security protection starts with the manufacturer of the device, but we all contribute to the risk. In late 2019, remote hackers were accused of yelling racial slurs at a child and at adults in separate incidents, via the speakers in Amazon-owned Ring security cameras. Amazon blamed the security breach on consumers reusing the same passwords on multiple services. Once hackers cracked the password for one of those services, they had access to all of the others as well.

Voluntary codes of practice are not binding on manufacturers

In recognition of these threats, IoT security `good practice' documents have been proposed by governments and international bodies. These include the UK, the US National Institute of Standards and Technology, and the standards bodies ETSI and the Internet Engineering Task Force. But such documents are merely educational, and contain little incentive to drive industry change, particularly where significant cost is involved.

The UK government has already concluded that its voluntary code is insufficient, in that `change has not been swift enough, with poor security still commonplace'. Both California and Oregon already have binding legislation (first operational in early 2020), and now the UK is moving to impose a mandatory Code. It is necessary for manufacturers of IoT devices to be required by law to deliver reasonable security features in every device that is able to connect to the Internet.

Co-regulation may be the best approach

Voluntary codes have been recognised as inadequate. Considerable risk exists of significant physical, economic and emotional harm. Australian consumers are habitual early adopters of new gadgets, so the country cannot afford to lag behind. Mandatory obligations are needed as a matter of priority.

Drafting laws that work with today's tech, and tomorrow's as well, is challenging. Rules that quickly become obsolete fail to provide the intended protection, and slow down innovation. But there is a way.

A robust `co-regulatory approach' will involve collaboration among government, industry and the community to produce binding rules. A key part of the approach is a process which enables these rules to be quickly amended as experience is gained, and conditions and technology change. Descriptions of this approach often concentrate only on industry and government stakeholders. However, strong community involvement is vital to its success, as are formal sanctions and an empowered and resourced regulator.

Government guidance on security is welcome. However, manufacturers need a sufficiently strong mix of incentives and legal obligations to ensure they deliver what society needs. A merely voluntary Code of Practice cannot achieve the objectives of consumer safety and security.


Author Affiliations

Kayleen Manwaring is a Senior Lecturer in the UNSW Business School, and an associate of the Allens Hub for Technology, Law and Innovation in UNSW Law. Her research interests lie at the intersection between emerging technologies, particularly information technology, and the law of contract, consumer protection and competition law, intellectual property law and corporations law. She has recently completed a major research project on the implications for consumer contracts of the Internet of Things and associated technologies. She teaches corporations and business associations law, intellectual property law and information technology law. She previously taught law in the Business & Economics Faculty at Macquarie University, and practised as a commercial lawyer and in law firm management, in Sydney and London. Her work in practice primarily focussed on technology acquisition and licensing, intellectual property, and communications.

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor associated with the Allens Hub for Technology, Law and Innovation in UNSW Law, and a Visiting Professor in the Research School of Computer Science at the Australian National University.



xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 75 million in late 2024.

Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 7 September 2020 - Last Amended: 7 September 2020 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/II/IoTC.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2024   -    Privacy Policy