By Dhruv Somayajula
On 21st October 2016, multiple cyber-attacks on the Internet infrastructure company Dyn shut down web browsing across America and Europe for hours. Over 100,000 devices were reportedly connected via a malware botnet named Mirai for this attack. The attack was a Distributed Denial of Service attack (DDoS), which is carried out by flooding the bandwidth of a web server with artificial traffic from multiple devices. This causes it to crash and renders it inaccessible. This attack specifically was carried out by using a medley of devices connected over the internet, including security and street view cameras used for industrial security.
The Dyn attack was another reminder to the global community about the potential dangers of unregulated devices connected over the internet, otherwise known as the ‘Internet of Things’ (IOT).
This post, the first of a two-part series, will examine the IOT framework, its practical applications and the risks associated with it. The second part will discuss the challenges to law that IOT may possibly create, the existing legal framework to deal with them, and the areas where change is required to accommodate the IOT.
What is the Internet of Things?
First coined by Kevin Ashton, the phrase ‘Internet of Things’ describes the network of devices connected via the internet promoting a smarter way of life. Any device with a function that connects it to the internet is a part of the IOT. These devices include smart home devices, cameras, wi-fi routers, television sets and smart cars.
A comprehensive definition of the ‘Internet of Things’ is offered by the International Telecommunications Union (ITU) which defines it as “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.”
The Indian Government, in a draft policy released last year, defined the ‘Internet of Things’ as “a seamless connected network of embedded objects/ devices, with identifiers, in which M2M communication without any human intervention is possible using standard and interoperable communication protocols.” This definition only covers a small subset of the IOT since it makes exclusive reference to machine-to-machine communication (M2M communication). This includes only isolated device-to-device communication through embedded hardware and cellular or wired networks. In general, however, the IOT is a broader collective of devices, which also includes communication of data through wireless and cloud-based networks.
Uses and Applications of the Internet of Things
The IOT operates as a network of devices that can share data among themselves to help create convenience for people, by creating patterns of daily activity and executing them. This convenience is in relation to both ease of living, as well as adding value to necessary infrastructure.
There are many practical applications for consumers using IOT devices, including through the usage of wearable devices, sensors for quantification of personal data, and home automation. The use of smartwatches and trackable bands for fitness is an example of devices sharing data over the IOT. Quantified self apps, which claim to track one’s heart rate, calories consumed sleep cycles through sensors for keeping track of one’s habits are examples of sensor-based devices on IOT networks. Another growing category of devices for personal consumption is home automation, where light bulbs, thermostats and alarm clocks are connected to each other in a smart home.
However, in addition to consumer-oriented uses, smart cities like Barcelona, Amsterdam and Singapore are using IOT to improve road safety management, traffic diversion into alternate routes, waste accumulation triggers and water management portals by use of data accumulated from sensors. For example, the project Autonomous Intersection Management was designed to demonstrate how smart cars can avoid traffic congestion at intersections through the Internet of Things. The UN Commission for Broadband Commission for Sustainable Development also identifies specific IOT devices as useful for developing industries, including devices that can collect medical data to check for epidemics, measure water quality, enable remote access to irrigation pumps in farms and monitor wildlife.
Risks posed by increasing use of the IOT
The collection of data through the IOT creates databases for accurately predicting actions. This accumulation of sensitive data (including mapping of personal habits, geo-tracking, video recording on CCTVs and home electricity patterns) needs to be safeguarded against cyber-attacks or theft. Information concerning the activity patterns of consumers can be mapped through the data collected to accurately predict the activities of a person, and this power can be susceptible to misuse in the wrong hands.
This is where the fundamental risks of the IOT lie – in the twin issues of security and privacy. The DDoS attack on Dyn last month was caused by an estimated 100,000 unsecured devices, using malware to flood the server with requests, causing it to crash. Moreover, recent security breaches by online hacker groups using the IOT create a legitimate concern for the safety of the devices used on the IOT and a need for evaluation of India’s level of preparedness for a possible attack. Breaches of IOT devices in the past have led to disastrous consequences, such as a smart car being switched off remotely in a busy intersection, or baby cams activated to spy on over 700 people. A huge number of devices, especially pre-2000s devices, have extremely low protection due to outdated standards and are vulnerable to cyber-attacks. The onus is on the industry to reduce the gap between the vulnerabilities of older devices and the global standards for cyber security adopted by IOT devices.
Attacks such as that on Dyn also raise questions about the safety of the data which the device seeks to utilize for its application, and whether a person’s privacy can be breached by way of these cyber-attacks. A smart city monitoring roadways and controlling traffic, or an automated smart lock used for home security, can also potentially be breached by hackers, or misused for surveillance purposes. These concerns will only grow with the increasing adoption of IOT devices. A secure IOT framework would need to include include robust laws on security standards, data protection and privacy. The next post in this series will examine the legal framework for data protection with particular reference to the IOT in India and across the world, and evaluate how Indian laws can best accommodate the challenges thrown up by the rising use of online devices.
About the author: Dhruv Somayajula is a third year student at NALSAR University of Law, Hyderabad and is currently interning at CCG.
Crossposted with permission from CCG at NLU Delhi.