Roger Clarke's 'IoT Needs Regulation'

Is Your Television Spying on You?
The Internet of Things Needs More Than Self-Regulation

Version of 16 October 2020
Submitted to Computers and Law Journal

Kayleen Manwaring & Roger Clarke **

© Xamax Consultancy Pty Ltd, 2020

Available under an AEShareNet Free for Education licence or a Creative Commons 'Some Rights Reserved' licence.

This document is at http://rogerclarke.com/II/IoTCJ.html


1. Introduction

Security flaws in Internet of Things1 (`IoT') devices are acknowledged to be common. Security vulnerabilities have been found in Internet-connected toys, televisions, security cameras, door locks, medical devices, fitness trackers, baby monitors, cars and even guns.2 Hackers can use these vulnerabilities to take remote control of devices, steal or change data, or spy on users.3 These activities can cause physical, psychological and economic harm, not just to the consumers who own these devices, but also to others who are connected to them.

The Australian Department of Home Affairs and the Australian Signals Directorate (`ASD') held a period of consultation from November 2019 to March 2020 on potential regulation of consumer IoT devices and received feedback from `critical infrastructure providers, cyber security companies, government bodies, domestic and international consumers and not-for-profit advocacy groups'.4 As a result, the Federal Government has released a voluntary `Code of Practice: Securing the Internet of Things for Consumers' (`Australian Code').5 Compliance is `encouraged but optional'.6 However, as the Australian Code is not mandatory, chances of compliance are low. The existence of a Code may even lend weight to the erroneous assumption that products allowed to be sold are secure by default.7 Even industry representatives have criticised the Code for `lack[ing] an implementation and compliance framework'.8


2. Many IoT devices are insecure

As foreshadowed by scholars investigating precursor technologies such as mobile and pervasive computing,9 it is now clear that many IoT devices designed for consumers are less secure than other information infrastructure, such as desktop computers.10 In 2017, researchers completed a project, funded by the consumer advocacy group Australian Communications Consumer Action Network (`ACCAN'), investigating security vulnerabilities in consumer IoT devices. In this study, all 20 consumer IoT devices tested contained a security flaw, and many had potentially serious problems. These devices included a camera, a motion sensor, a smoke alarm, a sleep alarm, a weighing scale, an air quality monitor, a light bulb, power switches, a talking doll, a photo frame, a printer, a controller, a voice assistant, a smart TV and smart speakers.11

Factors leading to poor security outcomes for IoT devices include:


3. Poor security can cause harm to consumers and others

These security issues in IoT devices can give rise to significant consumer and community harm. People can be subject to unwanted surveillance and harassment18 in the home, not only by malicious strangers but also by intimate partners.19 Personal information can be exposed to the world20 at large. Physical harm can arise from device failure or malfunction21 caused by hackers, and malicious remote control of inherently dangerous connected objects (such as cars).22

Consumers do not need to own, possess or be in proximity to devices to be harmed by them. Many IoT devices can be used in what is known as a `distributed denial of service' attack. In these attacks, large numbers of devices are hijacked and used to `flood' other Internet services with malicious traffic in order to make those services unusable.23 During these attacks, the entity that owns the device is usually unaware that their compromised devices are participating in the attack. The increase in people working from home during the COVID-19 pandemic may also enable the hijackers to start inside poorly-secured home networks, and apply the employee's privileges to get inside their employer's networks, further expanding the threats.24 Convergence of consumer and enterprise IoT such as medical devices and smart energy meters has also been identified as an additional risk.25

The foundations of security must be established by the manufacturer of the device, but end users must also play their part. In late 2019, remote hackers were accused of yelling racial slurs at a child and at adults in separate incidents, via the speakers in Amazon-owned Ring security cameras. Amazon blamed the security breach on consumers reusing the same passwords on multiple services. Once hackers cracked the password for one of those services, they had access to all the others as well.26


4. The Australian Code of Practice

The Australian Code is based in large part on another voluntary Code of Practice, the United Kingdom government's 2018 Code of Practice for consumer IoT security27 (`UK Code'). Like the UK Code, the Australian Code is directed towards industry. The ASD's Australian Cyber Security Centre has also issued guidance for consumers28 (as well as additional Guidance for Manufacturers).29

Again like the UK Code, the Australian Code is based on 13 principles. Additionally, the government has recommended that providers prioritise Principles 1, 2 and 3 (`priority principles'), due to the belief that implementation of these three principles `will bring the largest security benefits in the short term'.30

The 13 principles are set out in Table 1. Additionally, the Australian Code follows the UK Code in recognising that IoT devices are hybrids of software, hardware, and physical object, and are also dependent on additional services.31 Unsurprisingly, the different businesses responsible for the different components have varying capacities to implement cyber security measures. Consequently, for each Principle, the Codes specify the entity or entities in the provider network32 to which the Principle primarily relates. However, this does not allocate responsibility or liability to any particular provider.

Table 1: Principles in the Australian Code

Principle | Relevant Provider Network Entity (as specified in the Code)

PRIORITY PRINCIPLES
1. No duplicated default or weak passwords | Device Manufacturers
2. Implement a vulnerability disclosure policy | Device Manufacturers; IoT Service Providers; Mobile Application Developers
3. Keep software securely updated | Device Manufacturers; IoT Service Providers; Mobile Application Developers

OTHER PRINCIPLES
4. Securely store credentials | Device Manufacturers; IoT Service Providers; Mobile Application Developers
5. Ensure that personal data is protected | Device Manufacturers; IoT Service Providers; Mobile Application Developers; Retailers
6. Minimise exposed attack surfaces | Device Manufacturers; IoT Service Providers
7. Ensure communication security | Device Manufacturers; IoT Service Providers; Mobile Application Developers
8. Ensure software integrity | Device Manufacturers
9. Make systems resilient to outages | Device Manufacturers; IoT Service Providers
10. Monitor system telemetry data | Device Manufacturers; IoT Service Providers
11. Make it easy for consumers to delete personal data | Device Manufacturers; IoT Service Providers; Mobile Application Developers
12. Make installation and maintenance of devices easy | Device Manufacturers; IoT Service Providers; Mobile Application Developers
13. Validate input data | Device Manufacturers; IoT Service Providers; Mobile Application Developers


5. International approaches to IoT security threats

Voluntary approaches

Various overseas governments and international bodies have published 'good cyber security practice' documents for the IoT. These include:

and the standards bodies:

However, all of these `good practice' documents are merely educational. They contain no substantive incentive to drive industry change, particularly where significant cost is involved. The Australian Government has framed the introduction of the Australian Code as `encouragement' and a `signal' to Australian industry that IoT security must be improved.37 However, the efficacy of this approach must be doubted. Encouragement, even by the government, means little in an environment where directors are expected (and even legally required)38 to make decisions in the best interests of their shareholders.

Signals to the market might have better chances of success. Singapore has also just announced a voluntary code for labelling cyber security standards on IoT products.39 Industry advocates in Australia have suggested similar approaches to help address some of the shortcomings of the Australian Code. For example, the IoT Alliance Australia has suggested an industry-based accreditation scheme, with independent assessors and a security mark.40 However, such schemes primarily protect industry against regulation, and do little to protect the public against harm arising from technology.

Mandatory approaches

California has already introduced binding legislation, first operational in early 2020, that provides a specific enforceable requirement on cyber security in consumer `connected devices'. The Californian law requires manufacturers to equip these devices with `reasonable security feature[s] ... designed to protect the device and any information contained therein from unauthorised access, destruction, use, modification or disclosure'.41 The law in Oregon42 is substantially similar.

US federal laws also prohibit inappropriate cyber security practices to the extent they constitute `unfair ... acts or practices in or affecting commerce'.43 The most well-known actions brought by the US regulator, the Federal Trade Commission (FTC), relating to IoT devices were directed against D-Link (2019) and TRENDnet (2014), both of which marketed insecure Internet-connected home security cameras. Both cases were settled on terms that required the defendants to implement comprehensive security programs.44

The US laws are far less specific about good cyber security practices than the Australian Code, but they have the advantage of being enforceable against those who fail to implement good practice.

The voluntary UK Code has been a failure, with the UK government concluding that `change has not been swift enough, with poor security still commonplace'.45 In a project running through 2020, the UK has been developing mandatory security obligations.46


6. Co-regulation may be the best approach

Voluntary codes have been recognised as inadequate. An accreditation scheme with visible labelling, such as a security mark, might have some chance of signalling quality standards to the market, but the right conditions do not exist for market forces to ensure compliance.47 Despite that, the Australian government ignored the submissions of entities such as ACCAN that security obligations should be mandatory.

Considerable risk exists of significant physical, economic and emotional harm, so mandatory obligations to produce secure devices and maintain their security against evolving threats are needed as a matter of priority. The government has already acknowledged that `most consumers aren't best placed to protect themselves'.48 Australian consumers are habitual early adopters49 of new gadgets, so the country cannot afford to lag behind. The Government's argument that this is `an important first step' is weak, and contradicts its additional perspective that `[g]lobal alignment is important'. We are already well behind our international associates such as the UK and US and `the Code may already be obsolete relative to the standards of Australia's intelligence partners'.50

Drafting laws that work with today's technologies, and tomorrow's as well, is challenging. Rules that quickly become obsolete fail to provide the intended protection, and may slow down innovation. These types of considerations may well have been in the government's mind when it decided to make the Code voluntary rather than mandatory. But we argue that this is an abrogation of the government's obligations to protect consumers and others from serious harm, as it is likely to do little to change current practice.

A robust `co-regulatory approach'51 should involve collaboration among government, industry and the community to produce binding rules. Descriptions of co-regulatory approaches often concentrate only on industry and government stakeholders,52 but this omits a vital component: strong community involvement53 is also essential to its success. The public consultation process engaged in by the Australian government, which included consumers and third sector advocacy agencies, would constitute a useful first step in this process. However, the next part of the approach should not be `let's leave it up to industry', but rather a process which enables these rules to be quickly amended as experience is gained, and conditions and technology change. To induce compliance, however, this accelerated process cannot operate well without the imposition of formal sanctions54 and an empowered and resourced regulator.55


7. Conclusion

Government guidance on security is welcome. However, manufacturers need a sufficiently strong mix of incentives and legal obligations to ensure they deliver what society needs. International experience has shown that a merely voluntary Code of Practice cannot achieve the objectives of consumer safety and security.


End notes

1 For a useful explanation see Richard Mortier, `Explainer: the Internet of Things' The Conversation (2 August 2013) <https://theconversation.com/explainer-the-internet-of-things-16542>
2 Kayleen Manwaring, 'Emerging information technologies: challenges for consumers' (2017) 17(2) Oxford University Commonwealth Law Journal 265, 267.
3 Ibid.
4 Australian Government Department of Home Affairs, Draft Code of Practice: Securing the Internet of Things for Consumers - Summary of Public Consultation November 2019 - March 2020 (2020) <https://www.homeaffairs.gov.au/reports-and-pubs/files/consultation-summary.pdf> (`Consultation Summary').
5 Commonwealth of Australia, Code of Practice: Securing the Internet of Things for Consumers (2020), available at https://www.homeaffairs.gov.au/reports-and-pubs/files/code-of-practice.pdf (`Australian Code').
6 Commonwealth of Australia (n 5), 2.
7 United Kingdom Government, Proposals for regulating consumer smart product cyber security - call for views (Policy paper, 1 October 2020) (`UK Call for Views')
8 Tom Burton, 'Internet of things sets the cat among the pigeons', Australian Financial Review (online, 12 October 2020) <https://www.afr.com/technology/internet-of-things-sets-the-cat-among-the-pigeons-20201001-p5612g> quoting Frank Zeichner, CEO IoT Alliance Australia and Adam Beck, Smart Cities Council.
9 Mahadev Satyanarayanan, 'Fundamental challenges in mobile computing' (Pt ACM) (1996) Principles of distributed computing: Proceedings of the fifteenth annual ACM symposium 1, 1; Mahadev Satyanarayanan, 'Pervasive computing: vision and challenges' (2001) 8(4) IEEE Personal Communications 10, 10; Frank Adelstein et al, Fundamentals of mobile and pervasive computing (McGraw-Hill, 2005) 5; Stefan Poslad, Ubiquitous computing: smart devices, environment and interaction (John Wiley & Sons Ltd, 2009).
10 Kayleen Manwaring, 'Kickstarting reconnection: an approach to legal problems arising from emerging technologies' (2017) 22(1) Deakin Law Review 51, 63-68.
11 Vijay Sivaraman, Hassan Habibi Gharakheili and Clinton Fernandes, Inside job: Security and privacy threats for smart-home IoT devices (Report, Australian Communications Consumer Action Network, 2017) (`Inside Job')
12 Katie Boeckl and others, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (National Institute of Standards and Technology Internal Report 8228 (Draft), September 2018) 7-8.
13 Scott R Peppet, 'Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security & Consent' (2014) 93(1) Texas Law Review 85, 94.
14 Karen Rose, Scott Eldridge and Lyman Chapin, The Internet of Things: An Overview. Understanding the Issues and Challenges of a More Connected World (Internet Society, October 2015) 21; American Bar Association Section of Science & Technology Law, Submission to the National Telecommunications and Information Administration, US Dept of Commerce, in response to Docket No. 160331306-6306-01: The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things (2016) 11.
15 Boeckl (n 12) 9.
16 Ibid; William J. Buchanan, Shancang Li and Rameez Asif, Lightweight cryptography methods (Taylor & Francis, 2017) vol 1, 187.
17 Inside Job (n 11).
18 Donna Lu, `How Abusers Are Exploiting Smart Home Devices' Vice (online, 17 October 2019) <https://www.vice.com/en_au/article/d3akpk/smart-home-technology-stalking-harassment>
19 Nellie Bowles, `Thermostats, Locks and Lights: Digital Tools of Domestic Abuse' The New York Times (online, 23 June 2018) <www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html>
20 David Sun, `Singapore home cams hacked and stolen footage sold on pornographic sites' The New Paper (online, 12 October 2020) <https://www.tnp.sg/news/singapore/hackers-hawk-explicit-videos-taken-spore-home-cams>
21 Phys.org, `Security flaw could have let hackers turn on smart ovens' (26 October 2017) <https://phys.org/news/2017-10-flaw-hackers-smart-ovens.html>
22 Andy Greenberg, `Hackers Remotely Kill a Jeep on the Highway - With Me in It' Wired (online, 21 July 2015) <www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/>
23 Tim Stevens, `Internet of Things: when objects threaten national security' The Conversation (online, 29 May 2018) <https://theconversation.com/internet-of-things-when-objects-threaten-national-security-96962>
24 Brian Buntz, `Cybersecurity Crisis Management During the Coronavirus Pandemic' IoT World Today (online, 24 March 2020) <https://www.iotworldtoday.com/2020/03/24/cybersecurity-crisis-management-during-the-coronavirus-pandemic/>

25 Burton (n 8), quoting Lani Refiti, IoTSec Australia.
26 Neil Vigdor, 'Somebody's Watching: Hackers Breach Ring Home Security Cameras', The New York Times (online, 15 December 2019) <https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html>
27 United Kingdom Government, Code of Practice for consumer IoT security (14 October 2018), available at https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security/code-of-practice-for-consumer-iot-security (`UK Code').
28 Australian Cyber Security Centre, Internet of Things devices (Web page) <https://www.cyber.gov.au/acsc/view-all-content/advice/internet-things-devices>
29 Australian Cyber Security Centre, IoT Code of Practice: Guidance for Manufacturers (Web page) <https://www.cyber.gov.au/acsc/view-all-content/publications/iot-code-practice-guidance-manufacturers>
30 Australian Code, 1.
31 Manwaring, 'Emerging information technologies: challenges for consumers' (n 2) 283.
32 In this paper, we use the term `provider network' instead of `supply chain'. In this context, connections between providers are more likely to be distributed rather than linear. Ibid., fn 16.
33 UK Code (n 27).
34 NIST, `NIST Cybersecurity for IoT Program' (Web page) <https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program>
35 ETSI, ETSI TS 103 645 V1.1.1 (2019-02) Technical Specification CYBER; Cyber Security for Consumer Internet of Things <https://www.etsi.org/deliver/etsi_ts/103600_103699/103645/01.01.01_60/ts_103645v010101p.pdf>
36 IETF, Manufacturer Usage Description Specification RFC 8520 (last updated 20 January 2020) <https://datatracker.ietf.org/doc/rfc8520/>
37 Australian Government, Australia's Cyber Security Strategy 2020 (6 August 2020) https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf, 32.
38 Corporations Act 2001 (Cth) s 181(1)(a); Mills v Mills (1938) 60 CLR 150; Westpac Banking Corporation v The Bell Group Ltd (in liq) (No 3) (2012) 44 WAR 1; [2012] WASCA 157; Ngurli v McCann (1953) 90 CLR 425, 438; Kinsela v Russell Kinsela Pty Ltd (in liq) (1986) 4 NSWLR 722, 730.
39 Cyber Security Agency of Singapore, Cybersecurity Labelling Scheme (CLS) <https://www.csa.gov.sg/programmes/cybersecurity-labelling/about-cls>
40 Burton (n 8) citing Frank Zeichner, IoT Alliance Australia.
41 Cal Civil Code § 1798.91.04(a)
42 Or Rev Stat § 646A.813
43 The US Court of Appeals confirmed this interpretation of 15 USC §§ 41-58 in Federal Trade Commission v Wyndham Worldwide Corporation [2015], No 14-3514, F 3d (Aug 24, 2015).
44 Federal Trade Commission, `D-Link Agrees to Make Security Enhancements to Settle FTC Litigation' (Press Release, 2 July 2019) <https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation>; Federal Trade Commission, `Marketer of Internet-Connected Home Security Video Cameras Settles FTC Charges It Failed to Protect Consumers' Privacy' (Press Release, 4 September 2013) <https://www.ftc.gov/news-events/press-releases/2013/09/marketer-internet-connected-home-security-video-cameras-settles>
45 UK Call for Views (n 7).
46 United Kingdom Government, Consultation outcome: Consultation on regulatory proposals on consumer IoT security (last updated 3 February 2020) <https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security>
47 Roger Clarke, 'The prospects of easier security for small organisations and consumers' (2015) 31(4) Computer Law and Security Review 538, 543-547.
48 Consultation Summary (n 4) 3.
49 Peter Dinham, 'Smartphones dominate the `digital experience' research reveals', IT Wire, 25 February 2020 <https://www.itwire.com/market/smartphones-dominate-the-%E2%80%98digital-experience%E2%80%99-research-reveals.html>
50 Melissa Fai, Jen Bradley and Mitch Bennett, 'The `Security of Things' - Government releases Voluntary IoT Code of Practice' (Digital Domain, 9 September 2020) <https://www.gtlaw.com.au/insights/security-things-government-releases-voluntary-iot-code-practice>
51 Roger Clarke, 'Internet privacy concerns confirm the case for intervention' (1999) 42(2) Communications of the ACM 60, 63-4.
52 Australian Communications and Media Authority, Optimal Conditions for Effective Self- and Co-regulatory Arrangements (Occasional Paper, June 2015) 10-11; Department of Prime Minister and Cabinet, The Australian Government Guide to Regulation (March 2014) 28.
53 Roger Clarke, 'Regulatory Alternatives for AI' (2019) 35(4) Computer Law & Security Review 398, 406-7.
54 Clarke, `Internet Privacy Concerns Confirm the Case for Intervention' (n 51) 64-5.
55 Clarke, `Regulatory Frameworks for AI' (n 53) 406-7.


Acknowledgements

This article is a substantially more developed version of a short opinion piece by the authors: 'Are your devices spying on you? Australia's very small step to make the Internet of Things safer' The Conversation (online, 11 September 2020), at https://theconversation.com/are-your-devices-spying-on-you-australias-very-small-step-to-make-the-internet-of-things-safer-145554, mirrored at http://www.rogerclarke.com/II/IoTC.html


Author Affiliations

Kayleen Manwaring is a Senior Lecturer at the University of New South Wales, and a researcher at the Allens Hub for Technology, Law and Innovation and the Centre for Law, Markets & Regulation.

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor associated with the Allens Hub for Technology, Law and Innovation in UNSW Law, and a Visiting Professor in the Research School of Computer Science at the Australian National University.



Created: 16 October 2020 - Last Amended: 17 October 2020 by Roger Clarke - Site Last Verified: 15 February 2009