At NAMApolicy on the Security and Privacy of IoT at Delhi, Internet Society’s Rajnesh Singh started with a parable: Singh’s family works in the agricultural sector and operates farms in Australia. Singh’s family uses John Deere (which manufactures agricultural equipment) machines on their farms in Australia. John Deere announced that all its devices and machines are fully connected and automated.

Singh explained that John Deere now said that you are paying a subscription service for this device that will harvest the crop, dig or plow the ground. You’re not actually buying it, you don’t own it. We own it… they don’t want you to be able to control the software which actually runs the machine. So if it breaks down, you have no other choice but to wait for John Deere to come fix it.… There’s been a big outcry with this — it’s still ongoing. There was even a lawsuit filed against John Deere. Where do you draw the line?’

At MediaNama’s #NAMApolicy roundtable, stakeholders discussed issues with devices, what manufacturers can do to improve the security of IoT devices, the need for standardization, and how to deal with breaches of IoT ecosystems. The following are the key arguments and points made by stakeholders during the sessions. You can read the second part here.

This is a report on the first session about the privacy of IoT. What follows is a paraphrased, not verbatim, transcript of the discussion.

Issues with IoT devices

  • No ‘opt-in’ option: When I read through TomTom’s terms and EULAs and T&Cs — I found out that TomTom now owns everything I have, and there’s no way I can even switch it off. If you want access to your data, at least you need to allow the user to opt into things. Not even having an opt-out option is unacceptable in today’s day and age in my opinion. I can’t stop them from tracking my data, or from collating my data with other people’s data, based on my demographics, my age, and etc. It [the TomTom fitness band] asked for all that. If you don’t input that, the data you get back is skewed, because it doesn’t take into account your height and weight, etc. (Rajnesh Singh, Internet Society)
  • Data has value, although as a collective: A lot of people say, “Ehh I don’t care, my data’s out there anyway”, but data is now fundamentally a core part of us. The data that we generate has value. It may not have monetary value directly — you can’t say I’ll sell you all my data for a thousand dollars. But individual sets of data have value as a collective. How do you put a price on it? I don’t know. But the price we’re paying for it is very high right now. (Rajnesh Singh, ISOC)
  • On why he does not own many connected devices: Just because somebody has the technology for how to extract a liver, doesn’t make it legal anywhere in the world to extract and sell it. Whether it’s selling to somebody in India, or Saudi or the US. So far I’ve not found any tangible benefits from any of the IoT devices out there. (Vinish Kathuria, SenseAI)
  • How much of IoT data is trying to develop random forest AI, and how much of it is transactional? (Arijit Sengupta, The PRactice) 
    • Thee arguments usually seems to be that the ‘we will anonymize whatever we collect so that we can build a better thing, or extrapolate other things out of the dataset..’ The value I perceive of the data I generate is probably zero. But when seen within a larger collective, the value goes up exponentially. It is very hard to put a value on data, but you know its worth something because everybody is mining it, whether it be or ads or for other things. (Rajnesh Singh, ISOC)

On improving the security of IoT devices

  • Personalization should be an opt-in: I would like to reduce the role of personalization that companies use to push forward IoT devices… Personalization should be an opt-in, especially for IoT devices.. it should be significantly reduced, because security has a higher weightage than personalization — especially when I’m paying for that service. If I’m paying for a service, my expectation of security is much higher rather than when I’m not paying for it. (Vinish Kathuria, SenseAI)
  • Configurable servers: Manufacturers can let the server be configurable, to let me choose who I share the data generated by that device with. As soon as the device has that option, it shows to me that the device manufacturer is at least using some sort of open standards, because that data is going to be read by other people. (Adnan Hasnain Alam, Nutanix)
  • Standardization: There were security concerns when geysers or bulbs were being standardized. But that’s why they were being standardized, so that they are built to a certain standard. When the happens, I know that if I’m buying this product, there are other protocols standardizing this product, but not on security. (Kapil Chawla, Alpha Consultants)
  • Vendors are not the hardware manufacturers: With security, there are a lot of features which are very common across all devices. A part of the problem is that the vendors creating the IoT products are not hardware manufacturers. They buy the platforms from the manufacturers and take that as a trusted platform. Once you take that as a foundation, anything you built on top of it — if the underlying platform itself is weak, or has security issues, it’ll go up till the highest level of the software, including the communication. (Adnan Hasnain Alam, Nutanix)
  • Education: Vendors and developers need to know that when they buy a platform, it is by design an open platform. It is their responsibility to close all the loopholes. Since we’re talking about hardware, they take it as a trusted platform. They forget about closing a lot of things which would allow users or attackers access to the underlying access itself. (Adnan Hasnain Alam, Nutanix)
  • Encryption: The two aspects to IoT device security are: one is at the application level, another is at the transactional level. When we talk about standardization, we also need to focus on encryption, given that India does not even have an encryption policy; the draft that came out in 2015 was immediately withdrawn. This will be the key towards making these transactions seamless and more secure. We need to start focusing on that side. (Shagufta Kamran, USISPF)
  • As a customer, I’d like that security protocols be explained to me, and what they mean in simple terms. If that standardization can do that, fair enough. (Simrit Chhabra, The Quantum Hub)
  • Blockchain for standardization?: In my perspective, the solution is something like blockchain — breaking down a server on different devices, there’s no standardization yet till now… This can be for security of every individual node. There’s no centralize node where all this data is going. (Prashant Choudhary, NASSCOM Foundation)
  • And as an end-user, I won’t really understand the zillion pages of the T&Cs. Security is not only about encryption, it also includes access control at both the device and vendor’s end. The controls that a vendor has put in can include – standardization, audit and regulation. Even if you secure the end devices, do users really care? 
    • Security can be simplified by having 4-5 points explained to the end-user: what data is going to be used, where it’s going to be stored, and having an opt-out feature.
    • Security for data in transit depends on multiple layers — mobile device to IP device, IP device to the server, and from the server, it can get a forest of the data basis. Although encryption is an example, access control is another. Where data is stored physically, if the people accessing it really are qualified, what controls that administrators have. 
    • End users do not know how important or valuable their data is, so they won’t put a price tag on it. For them, they should simply know what data is going to be collected, how it is going to be used, they should have an option to opt out of it. It really won’t matter to the end user what is 40 bit or 128 bit or 256 bit. (Amandeep Singh, Amazon Web Services)

Security updates on IoT devices

  • Secure updates, not just security updates: When you do an update, it’s not really important whether you’re doing a security or a firmware update, everything goes as an update. But if the security update itself is going in plaintext, what’s the use of it? (Aseem Jakhar, Payatu)
  • Encryption and security from vendor, developer, and user: Whoever implements the encryption has to have brains on what to use and how to implement it. To solve the problem, we need to look at privacy, and the security of the device, the security of the vendor, which means the cloud that will host the data itself. It is not simply about user data. (Aseem Jakhar, Payatu)
  • On consumer awareness of security: Most of the time, a user is unable to calculate his/her data’s worth. For example, we just lack around updating our systems, but we don’t understand the consequences of not doing it. We should work on public awareness of securing our devices. (Guneet Singh Gudh, Panag & Babu Law Offices)
  • Updates should be done over-the-air, not physically. It should be easy and convenient. (Amandeep Singh, Amazon Web Services)

Certification and standardization

  • Certification: I would certainly want a certification authority. One of the excuses against standardization is that the consumer won’t understand. The Data Protection bill tries to address this by proposing the concept of a data trust scope. (Renjini Rajagopalan, The Quantum Hub)
  • Rating system: There could be benchmark parameters like a rating system. Every time I get a user update, I seek the security score or privacy rating going up and down, or how they perceive it to be. So if there’s a patch which probably increases the security, but there could be a privacy issue, I need to know that security/privacy has gone from 8.5 to 6.5. (Rahul Ajatshatru, Ajatshatru Chambers)
  • I wonder whether standardization will be effective given the rate at which encryption is changing. Should this regulation mandate the standards for encryption, and if so what are the downstream encryption standards? If not, how are you going to set a basic minimum standard for encryption that devices should incorporate? (Tuhina Joshi, Ikigai Law)
  • Standardization requirement for OEMs: Some sort of standards should be pushed on the OEMs. And a marketplace where vendors can pick up certified platforms from the OEMs. Vendors can be made aware at a basic level, such that they can simply pick up certified platforms which are easily accessible, and then downstream encryption standards build on top of it. (Gautam Vohra, Hike)
  • Disclosures before purchase: I want disclosures regarding how it is going to help me, what my responsibilities are in terms of knowing what is going to happen with my data, what they are using my data for, and the provision of opting-out and how to opt-out. (Amrita Choudhary, CCOAI)
  • Certification standards would help users and should be simple… from an organizational perspective, there has to be a policy and regulation. (Amandeep Singh, Amazon Web Services)

Co-operation of IoT device security

  • If I have a chain of security devices, how are all these vendors going to coordinate and cooperate with each other, because if a single breaks it, there’s no need for me to go for high end devices. I have a lot of smart devices, they should coordinate with each other so that I’ll be secure. (Sheikh Raashid Javid, Amity University)
  • Companies operate at several levels — One is products and solutions that are offered for defence and critical infrastructure. Two is enterprise. Three is consumer. My recommendation is that IoT devices should have the same security as for defence and critical infrastructure, because of the importance that it may play in our ecosystem. (Vinish Kathuria, SenseAI)

Dealing with breaches

  • Companies’ response to a breach: Companies definitely need to have a person to handle incident response, or to act when someone finds a vulnerability response. We either don’t get responses from vendors, or the response is very cold. We wait for a standard period of 90 days, and disclose it barring the technical details. (Aseem Jakhar, Payatu)
  • One has to be careful when revealing a breach to the public, although you should tell the authorities ASAP. There is a possibility of other bad actors exploiting it, or of creating public panic. If people run to their banks, it’ll affect the whole banking system. (S. Chandrasekhar, Microsoft India)
  • Time period for notification: Looking at DPAs around the world — two of which I’ve been involved with Singapore and the Philippines — the reporting requirements are very finite. It’s within 72 hours, and within 24 hours in some cases, depending on what the nature of the breach is, and what the data in question is. It’s not 3, 6, or 9 months, but hours. (Rajnesh Singh, ISOC)
  • Notification standards, time period and public panic: We also need to be mindful of what is a vulnerability and what’s a breach, and not intertwine the two issues. If a device has a vulnerability, there has to be some reporting period through ISO guidelines. But its a different matter if data is breached — it means your stuff is out there in the wild. I was one of the breachees in the Cathway Pacific breach, they sent me a nice email, and promised to pay for my data security thing for a year. All that is useless to me because my data is already gone. (Rajnesh Singh, ISOC)

Other notes

  • Interoperability: Interoperability at times is really bad. For example if you look at Zigbee devices, most home automation devices have interoperability so that different Samsung devices can talk to Huawei devices. These devices can connect just with proximity since they’re interoperable. So even though they have 128 bit encryption, they’ve defined a global encryption keys which has to be used by all the vendors, and all the vendors will follow that standard. (Aseem Jakhar, Payatu)