The backstory

Internet of Things: Different Stakeholders for California Legislation

An employee who represents a big industry player would probably focus on the elusive nature of authorization as applied to IoTs. Let’s imagine the arguments below.

The proposed law states:

Drawing parallels with banking and medical industry’s use of “authorization”, for example, the following questions arise:

The law should clearly say how and under which circumstances the user will authorize “access, destruction, use, modification, and disclosure”. It is clear that the IoT industry will want to stay far away from the security liability level of the medical industry, arguing that restrictive legislation hampers innovation, market solutions and competition.

The likely proposed amendment from this point of view is to add to the 1798.91.06. the following (j) section:

j) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to:

From this point of view, the amendment should be approved exactly as it is written. “Reasonable” and “appropriate” security features mentioned in the law is an example of extremely vague, unspecific, non-technical language, which does not provide basis for any industry standards.

The industry argument will be built in the following way: such a law will promote unhealthy competition between the industry players, unnecessary government spending on enforcement, and lengthy courts proceedings to define what these terms actually mean. Do we really want the jury to define what a reasonable security feature is? This is essentially a compliance argument: limiting liability damages is a secure way to ensure compliance. In a fast changing landscape of IoT devices, it is better to move one concrete step at a time, rather than trying to legislate with vast brushstrokes.

Californians would like to use secure, reliable and easy to use IoTs with on time patches available at any moment and with robust policies in place to protect consumer data. Californians would like their government to step in to protect them from dangers of surveillance. For an average concerned citizen, however, the language of the law ensures that the manufacturer of IoTs will use reasonable precautions to install safety features required by law. The language does not seem vague. At the same time, citizens may actually will be willing to see more protective language on privacy issues, as they are probably under the impression that they are privacy is being constantly violated by foreign governments, private corporations and probably NSA, as asserted by articles in the most prominent newspapers. Therefore, the law should be amended to add a more protective article for privacy and collection of data.

Amendment by concerned citizens will be to add another article on data collection, such as:

Consumers have exclusive ownership over their data.

From this view, the proposed amendment should be accepted in this exact form, as it will limit how much consumers suffer in case of a breach, that is by limiting how much they could suffer in the worst case scenario. Companies would not be able to lose data other than what they were explicitly authorized to be able to lose. Data that can be breached in case of an offense should be only the data that was allowed to be collected in the first place. That is why security of IoTs is directly related to the limits on data collection and use.

If the very nature of the Internet is built on insecurity, how can we ensure that IoT manufacturers protect consumer data? By limiting what manufacturers collect in the first place.

Even without the proposed amendments (from both the industry representatives and from concerned citizens), the law broadly sets the stage for developing a framework for IoT security. It does not go into the granularity of technicalities of the nature of networked IoTs. It seems that each stakeholder is pushing for their own interests, and the legislator has a duty to ensure that the IoT are secure in the long term, sustainable way. The amendments are not enough to reconcile the viewpoints, and do not strike the balance between different viewpoints. So? Do not pass the amendments, as this is inconclusive.

My proposed amendment to the law is to require mandatory security certifications developed in the next two years in cooperation between the industry, public, academia and government. The EU legislated on certification of growing, networked living organisms, such as plants and livestock. In particular, organic wine certification takes into account process, product and producer certification. In IoT industry this can be translated into a holistic approach to certification of manufacturers, third-party software, quality of the code and the actual products and their features.

Why is organic certification relevant to IoTs:

Every little detail is important in the winemaking. This should serve as a n encouragement for creation of IoT security standards, with many voices commenting on complexity of IoTs and impossibility to group, limit and define features for common security standards.

6. Control and audits. Enforcement of quality, sustainability and food safety is ensured by a codified procedure of establishing certification bodies and measurement of their work. Food safety standards are voluntary, but almost always required by big clients, such as importers and supermarkets. Standards are only one version of a compromise, but they allow clear communication. In cybersecurity, California, together with other states, needs to define what is IoT, what are the goals for legislating IoT, and how could a common standard look like.

In sum, a lot can be learnt from the history of organic certification in the EU.

As can be seen from the six characteristics outlined above, there are specific restrictions and limitations on practices and substances used in conventional production for the wines to be labeled organic.

Certifications may be too slow as a solution to regulate rapidly growing IoT industry. However, certification levels or tiers have potential to bring back economic incentives to support policy solutions, which are currently missing in the IoT industry. Wine making is very complex and dependent on the weather. Like wine industry, the IoT industry, broadly defined as it is now, will benefit from more definitions, structure and standards.

Conventional practices of wine-making did not become illegal under the new law: conventional wines are being made, but they cannot be labelled organic. What is a conventional IoT and what is an “organically certified” IoT remains to be defined. Organic wine certification may provide surprising answers about how to sustainably navigate the complexity of legislating IoT world.

Related posts:

The Academy of Motion Picture Arts and Sciences announced the contenders for the 2020 Oscars race this morning, and people sure have a lot of opinions! While some shrug off the 90-year-old award show…

You have remained a multi-passionate entrepreneur and a leader for so many years now. Tell us how you discovered your passion for the coaching business. I discovered my passion for the coaching…

I recently asked Nintendo fans to tell me (by way of a survey) what they thought about the Nintendo Switch now that it’s been on the market for two years. I was overwhelmed by the response — over…