Policy and Regulatory Implications of IoT
The rapid explosion of technology, products, and services is leaving very few people and businesses untouched. While the possibilities are exponential, a number of new challenges and considerations are also coming to the fore. Internet of Things (IoT) is changing the way we live, work and transact business. In May of this year, I was privileged to be part of an IoT expert panel hosted by the National Academy of Sciences and the US Government Accountability Office. This effort is part of an initiative to prepare a position paper briefing the US Congress on how IoT is impacting different aspects of society and business, along with what kind of policy and regulatory framework the Congress should consider. This was a small group of about a dozen experts identified from academia, government agencies, think-tanks, and two industry representatives. There were intense discussions over two days, including some spirited debates on the impact of IoT and its policy and regulatory implications. It was interesting to see the differences between application areas – healthcare, consumer, industrial, smart communities, public service delivery, among others. This write-up is an attempt to capture some of the key aspects of policy and regulatory considerations in the context of IoT.
Dr. Shoumen Datta of Massachusetts Institute of Technology (MIT) made an interesting recommendation: do not think of IoT in terms of technology or products or services; think of IoT as a design paradigm. Shoumen is spot on, because IoT evolution does not yet know of any boundaries - IoT is really a combination of products, technology, data, analytics, services and outcomes. This makes the task of formulating policy frameworks even more complicated.
The top 15 (in my opinion, and in no particular sequence) are:
1. Data ownership. IoT has transformed data into a new currency and a source of major economic value creation. Data can be valuable for direct analytical purposes, and it can be sold or traded for value. Companies engaged in the IoT space are incorporating contractual clauses to establish data ownership. However, while ownership is important, appropriate license rights may provide an entity with everything it needs to conduct its analysis or monetization activity. Each entity will need to determine how it approaches this own-versus-license issue. Some IoT companies will need to develop playbooks for scenarios where major clients are unwilling to allow the IoT company to own the data outright. One option, for example, is for the IoT company to have a perpetual license to the data so long as any personally identifiable information is removed from the data during further processing steps.
2. Rights around derivative use of data. Often, collected data can be used for purposes other than its original intent, without express consent from the generator/owner of the data. For example, the users of health/personal IoT devices like Fitbit may have allowed the equipment/service provider to take data in order to provide a summary of lifestyle behaviors. Now an insurance company can acquire access to this data and modify health insurance premiums based on the lifestyle behaviors – something the device wearers may not have consented to. Such a scenario could discourage users from adopting IoT and pose regulatory hurdles around discrimination and denial of normative services. However, anecdotal evidence is that consumers are becoming more used to exposing data in exchange for functionality or analytical value in products and software.
3. Dynamic decision rights. Typically, when people and businesses first start using IoT devices, the manufacturer or service provider asks for their consent to use data generated from their devices, and possibly even to share it with others. Even though people provide this consent at the outset, they might have second thoughts later due to evolving comprehension and preferences of how their data might impact their well-being, or a change in perception about the value they expected from the device or service. Hence, the consumer might want to retain the right to un-consent and be forgotten. We will see more recurrences of such instances where IoT interfaces with people’s health and financials.
4. Consumer awareness. Often, users of IoT devices as well as service providers may not completely understand the nuances of technology and data-analytics. Considerations 1-3 mentioned above are examples of that. Today, manufacturers or service providers aren’t required to educate consumers about these implications or set up advisories, which is necessary in the space of healthcare, insurance, banking and several other industries. While IoT is not an industry by itself, its impact and implications are far reaching. So there is a need for better practices around providing transparency to consumers.
5. Privacy rights. Starting with large search companies and social media, and now with IoT, we are always connected - and our every action is traceable. Privacy and anonymity are severely impaired in this environment. This could lead to infringement of personal freedom and even expose people to higher risks of fraud because their personal data is easily available.
6. De-aggregation standards for data privacy. A common way to improve privacy is to de-aggregate data and anonymize it. De-aggregation breaks up a logical group of data into isolated pieces which by themselves may not make much sense or help create any value. For example, in an online purchase, capturing, transporting and storing the user’s name, address and credit card information separately is de-aggregation. If the transport and storage of data follow different routes, it creates a barrier for any hacker and prevents any unintended use of data.
7. Cybersecurity. This has been a big concern for several years now because of the breaches and their impact on people’s lives, financials and businesses. With IoT, more connection points and thus, more breach points get created every day. There is no generally accepted standard for cybersecurity yet, nor any effective remedial measures for evolving threats and vulnerabilities.
8. Liability. Data, analysis and control actions change hands multiple times in a typical IoT ecosystem. For example, a wearable device might capture heartbeat and a few other indicators, then transmit them to some processor of the data, which uses algorithms from another provider to calculate health risks and the need for emergency response, and sends the result to a healthcare provider, who in turn uses a different service for patient monitoring. So, if something goes wrong, accountability around the outcome becomes very tricky, because it is hard to determine what really caused the failure. Even if it is clear, the different participants might have different thresholds for accepting a share of liability, as their levels of economic benefit in the IoT processing chain are different. The legal framework from the industrial age handles single accountability scenarios better, but we are fast moving away from that world.
9. Reliability and accuracy standards. Already a number of critical services like healthcare monitoring and weather monitoring are transitioning to more IoT type devices. This impacts people’s lives and livelihood. So there are expectations of an extremely high level of reliability and accuracy of data coming from IoT devices, as the central processing algorithms and control functions rely entirely on the incoming data. For example, if a pacemaker fails to transmit data for a certain period due to some communication break, it should not turn off; if a drug delivery system receives wrong readings from sensors attached to a human body, the effect could be fatal; if sensors collecting pollen count are not calibrated right, it can lead to incorrect allergy reporting, which can result in serious health issues. In making IoT devices for all such applications affordable to increase their penetration, we run the risk of compromising on their reliability and the accuracy of data capture, data transport and local compute capabilities. We need standards on how to balance affordability and quality.
10. Trustworthiness. IoT does not translate into a single device or service; it is usually part of a larger and wider communication fabric where data is generated, captured, transported, analyzed and processed, insights are derived, actions are taken, and value is captured and reported. For such an intricate system to work with multiple hand-offs, it is critical that the safety, security and resilience of data between the different participants and processing chains are maintained. If the data, insights and actions cannot be trusted without a doubt, and each step of the processing chain or participant has to account for gaps, the benefits and value will get compromised. This is similar to the banking and financial industry in many ways. Only accepted industry standards or government recommended policies can help address such trust issues.
11. Public profit sharing. This applies to IoT initiatives and the associated data-driven economic value creation for public-private partnerships (PPP). Due to innovative opportunities, there is good potential for generating more than the expected profits. In such scenarios, what should be the model for profit sharing between public and private entities when part-government (thereby, public) investments were employed to generate profit? We need evolved models to address such scenarios, as large public infrastructures like smart cities will see a greater number of PPP initiatives leveraging IoT technologies and services.
12. Preventing oligopolies. Large technology or service providers have the advantage of resources and scale. They are trying to influence technology ecosystems and technical standards to create advantages for themselves, often partnering with friendly companies to create proprietary, closed technical or service infrastructure that creates barriers for competition. In the process, consumers of such technology might have limited choices, and innovation from new entrants gets scuttled. Free economies and operating landscapes are critical to human progress; figuring out how to prevent oligopolies of major technology original equipment manufacturers (OEMs) is a task yet to be accomplished.
13. Education. If we look at the evolving space of IoT, it brings together devices and data-analytics. In the past, we used to treat any sort of device design and data-analytics design as separate disciplines. The former required deep knowledge of mechanical, electrical and electronics engineering, while the latter required skills in computer sciences and statistics. Now, communication and compute capabilities have to be built into devices, while data analytics requires understanding of device design and behavior. Our traditional education systems evolved to maximize the learning of different skills in neatly segregated disciplines. This approach is not the most efficient for a world dominated by IoT. Knowledge of programming alone is not adequate for students pursuing engineering degrees - they need more exposure to communication and data-analytics principles and practices. Promoting more interdisciplinary education in undergraduate and graduate studies will help further the IoT revolution, and will require some policy encouragement.
14. Fairness. Sometimes, IoT devices and services may be unaffordable for sections of society that are economically challenged or lack the adequate communication infrastructure critical for effective usage of IoT devices. In such scenarios, these sections are at a disadvantage, as more goods and services transition to take advantage of IoT capabilities. This will further accentuate inequalities and breed societal divides. The goal for most democratic and progressive governments is that nobody is left behind. Inadvertently, IoT might raise some fairness issues in its early days until affordability and equal access concerns are addressed.
15. Disposal of electronic waste. All IoT devices have some electronic content. With increasing expectations of features and functionality, such content in IoT devices is on the rise. Moreover, the rate of IoT device proliferation is extremely high. This is generating a lot of electronic waste. Disposing of this waste will require global, national and local jurisdictional action, as this calls for policies and legislative rules.
It will be challenging to develop the right policy and regulatory framework to address the issues discussed above. More so, as the IoT space is fast evolving, and implications of any policy are far reaching - with the possibility of impacting the progress of IoT. Usually a good standard for any policy framework is that it is technology and business model neutral while being business model focused. This will be hard to maintain while developing policies around IoT, as technology, business and outcome are deeply intertwined. Nevertheless, we need ongoing debates and dialogue for more clarity and consensus around these topics.
Please note that these comments are summaries of topics, and are intended to present viewpoints from both the IoT company side and the consumer’s, all in the spirit of being thought-provoking discourse. None of these comments are intended to reflect any current philosophy, strategy, or policy of any particular company.
Thanks for the read
Techno-business Consultant
7y: Very useful points for holistic smart solutions to the society. Thank You!
Engineering
7y: Great thoughts, I think that recent advances in ease of human to machine interactions have contributed to IOT acceptance. Computers are now able to do complex operations like counting fingers when we point in a camera (I call it Digital Intelligence), this is making "things" easy to use.
Executive & Leadership Coach, C-Level Advisor, Speaker & Adjunct Professor
7y: Sudhi, these are some great thoughts to keep in mind for an IoT business model.