We live in a connected world, and the problem with a connected world is that every connection is potentially vulnerable to cyber attack. This is part of the reason why the Government has recently published proposals to legislate for more stringent security measures to be implemented by those who manufacture consumer Internet of Things (IoT) products, and by those who provide related services in respect of them.
This article looks at the current regulatory landscape that device manufacturers, service providers and app developers must navigate when addressing the security risks associated with both the use and the proliferation of consumer IoT devices, and at how this landscape might change as a result of the Government's proposals.
What are consumer IoT products?
First, let's be clear what exactly we mean by consumer IoT products.
They include smart watches; wearable health trackers which connect to GPS and tell you how far you've walked; security alarm controls which let you switch your burglar alarm on from your mobile phone when you are halfway down the M25; thermostats which you can activate remotely so that your house is cosy by the time you arrive home; and connected appliances such as washing machines, and fridge freezers which can alert you when the time comes to re-stock your favourite ice cream.
Another prime example is Cayla. Marketed as the "World's First Interactive Doll" and the "Smartest Friend You Will Ever Have", concerns over its use led German authorities to warn consumers back in 2017 that hackers could exploit the insecure Bluetooth connection embedded in the toy to speak directly to children via the unfortunate doll.
The factor which all these products have in common is that they are connected to the internet, and that connectivity poses two issues.
Firstly, there is the potential invasion of privacy to which these products expose individuals and their homes, and the proliferation of personal data which manufacturers and service providers can now collect about users of IoT devices. The way in which Amazon's Alexa can play new music it thinks you might want to listen to, based on your preferences, is not only handy for you but also useful for advertisers and music retailers.
Secondly, individuals and their homes might be exposed to cyber attacks in a way which would never have been possible in an "offline" world.
Privacy by design
When it comes to personal data, you have to consider the General Data Protection Regulation (GDPR) and related data protection legislation. IoT products are complex beasts, in the sense that there are usually many different stakeholders involved in bringing them to market and ensuring their ongoing operation. Who collects and processes personal data will differ depending on what the product is, how it works, and who offers it. However, one thing is for sure, at least in relation to products offered to consumers in the EU: anyone who processes personal data as a data controller in relation to that product must comply with the requirements of the GDPR, and anyone acting as a data processor on a controller's behalf has their own, narrower, GDPR obligations (see box for details).