DoT outlines how consumer IoT devices need to handle personal data and security gaps

The Department of Telecommunications sets the bar for data protection in consumer IoT devices, a market that is likely to get bigger in India.

Consumer Internet of Things (IoT) devices should not have universal default passwords, and users should find it easy to delete on-device data, a working group under the Department of Telecommunications (DoT) has recommended in a new code of practice for securing IoT devices announced on October 12.

The DoT had recommended in 2017 that IoT devices adopt ‘security by design’ and that such devices be certified by a National Trust Center created especially for certification. The code of practice outlines the requirements for manufacturers to implement these recommendations.

What are the security guidelines outlined in the Code?

The code outlines 13 guidelines that manufacturers of IoT devices should follow to implement security by design:

  1. Default Passwords: All default passwords on IoT devices should be unique per device, and users should be required to choose a secure password.
  2. Vulnerability reports: Manufacturers and app developers need to provide a public point of contact for customers to disclose vulnerabilities.
  3. Software updates: Updates should not adversely impact device functioning. An end-of-life policy should be published outlining the assured duration for which the device will receive software updates. Devices with a UI should inform users about the risk of no longer receiving updates.
  4. Data security: Sensitive security data stored on the device must be able to resist physical, electrical or software tampering. Sensitive data, including personal data, should also be encrypted in transit.
  5. Minimising exposure: Unused functions should be disabled, and web management interfaces should only be available on the local network. Remote access must require proper authentication.
  6. Resilience to Outages: “As far as reasonably possible, IoT devices should remain operating and locally functional in the case of a loss of network, without compromising security or safety,” the code says.
  7. Deleting user data: Consumers should be able to easily delete personal data, and be given clear instructions on how to factory reset the device.
  8. Monitoring for anomalies: Software should be verified using secure boot mechanisms, and consumers alerted in case any unauthorised change is detected. Telemetry data collected should also be monitored for security anomalies.
  9. Validating Input Data: IoT device software must validate data input since systems can be subverted by malicious code to exploit security gaps, the guidelines mention.

How consumer IoT devices need to handle personal data

Aside from the guidelines, the code of practice also outlines the practices IoT device manufacturers need to follow while handling personal data:

  • Information: Manufacturers need to provide consumers with clear information about what personal data is processed, how it is used, by whom, and for what purposes.
  • Consent: Collection of consent needs to be free, obvious, and explicit. Customers must also be able to withdraw consent for processing personal data. Notably, the code does not mandate that IoT devices seek consent before processing personal data.

How big will Internet of Things be in India?

Across the world, IoT devices are gaining popularity amongst consumers. That is why the governments of countries like Singapore and the United States are rushing to formulate security guidelines to ensure the protection of consumers. Here are some estimates of how big IoT will be in India:

  • 3 billion devices in India by 2022: The Department of Telecommunications report expects that “3 billion connected devices may exist in India by 2022.” Globally, it is anticipated that 11.4 billion consumer IoT devices will be operating by 2025.
  • Rs. 10,000 crore market: Cellular-based IoT is estimated to be a ₹10,000 crore market by next year, Airtel said in a press release earlier this year. Both Vi and Airtel have recently announced business-oriented IoT solutions.

Written By

Figuring out subscriptions and growth at MediaNama. Email: nishant@medianama.com


MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
