How can we secure consumer trust in the Internet of Things?
A blog post by ANEC, BEUC, Consumers International and ICRT
The Internet of Things will bring great social and economic benefits to consumers. And a whole load of headaches.
The potential benefits of the Internet of Things will be achieved only if the services and products consumers buy (or contract) are designed with trust, privacy, and security built in. ANEC, BEUC, Consumers International & ICRT have identified the challenges and opportunities consumers may face in specific areas and have established recommendations based on a set of principles, which it is essential to use if we are to build a thriving and trusted digital environment for consumers.
Connectivity & Inclusion
A first essential element for consumers in an Internet of Things environment is connectivity & inclusion. Indeed, with widespread use of connected products in our daily lives, having access to a high-quality and affordable internet connection should not be an option. Particular attention should be given to ensuring access for marginalised, disadvantaged, or vulnerable groups of consumers, and those in remote or under-served geographical areas.
The Internet of Things: a complex ecosystem
In the Internet of Things, devices can connect with one another thereby creating a complex ecosystem. This increased number of connections between devices and systems creates vulnerabilities hackers are able to exploit more easily. Security is therefore essential and must be ensured in ALL parts of a connected system, as vulnerabilities in any given component can compromise the entire system.
In terms of safety, the current product safety legislation and standards cover the safety of individual devices and may therefore not be fit to protect consumers in the Internet of Things environment where devices are part of a bigger system. Additional provisions and standards will need to be adopted to ensure the safety of the system as a whole. Also, the concept of ‘safety’ in general and sector specific product safety legislation should be broadened to reflect new cybersecurity, data security and product safety concerns.
This complex ecosystem makes it also harder under traditional laws and regulation to identify who is responsible when something goes wrong. A new approach to liability is required, one with a clear and robust product liability framework that protects consumers if they suffer a damage caused by unsafe connected products or services. It should be clear which entity is responsible for performance and security at each point of the product delivery and during the full lifespan of the connected product.
The rules on liability should also cover compensation rights to which consumers are entitled if they are harmed. Where complaints or problems involve multiple providers and/or sectors, it should be clear for consumers where to go for help.
Similarly, complexity of the interconnected system should not affect consumers’ right to obtain redress. Rights to redress for Internet of Things products and services should not be weaker than those available for other forms of commerce.
Data protection & privacy online
A significant data-privacy risk related to the Internet of Things arises from devices being able (and indeed designed) to communicate with each other and to transfer data autonomously to an external partner. The vast scale of the types and volumes of data able to be collected, aggregated, and merged with other data poses a huge risk to privacy. Indeed, objects within a connected Internet of Things system may collect data or information that is innocuous on its own but which, when collated and analysed with other information, could reveal quite accurate knowledge of an individual resulting in increased user-traceability and profiling.
Privacy aspects and impacts must be assessed and integrated throughout the whole conception, design and development cycle of a connected product, and the networked ecosystem in which it operates (privacy by design). By default, the settings of any connected product need to be set to the highest level of privacy protection from the outset (privacy by default), preventing unwanted tracking of a user’s behaviour and activities.
Also, consumers must have full control over the data that stems from their connected products and their use. Companies should provide simple, secure ways for consumers to access and control their data, including the possibility to transfer data to other services as they see fit. In this regard, data portability fosters competition between services, and combined with interoperability, makes it easier for consumers to compare or switch to another provider. This also prevents them from being locked into a closed Internet of Things ecosystem.
Finally, consumers should be able to benefit from the economic value of their data, and opportunities of sharing their data, in line with their preferences, expectations and legal rights.
What are the implications on the environment?
The relentless pace of innovation, and competition for market-share, bring about shorter lifecycles for most electrical appliances. This has consequences for the environment, particularly resource use and disposal, as only a small fraction of e-waste is recycled. E-waste is often toxic, leaching heavy metals and dangerous chemicals into the soil around landfills, and releasing greenhouse gas and mercury emissions when burned.
To avoid obsolescence of perfectly functional products, connected products need to be easily upgradeable and devices, adaptors and other connection points should be compatible with each other as far as possible.
Products should be designed and built with resource efficiency in mind: from using sustainably-produced materials and sustainable construction methods to providing clear guidance to consumers on the most efficient use, re-use/repair and disposal of the product and its components. Measures should be taken to ensure that the disposal of heavy metals and other dangerous substances contained in connected products is not harmful to the environment or human health.
To ensure these principles for the Internet of Things are addressed, ANEC, BEUC, Consumers International & ICRT recommend:
- Having a regulatory framework requiring international collaboration across governments, international organisations, and businesses, with effective, proportionate, and accessible legal, judicial, and supervisory mechanisms available to consumers;
- That all providers of Internet of Things applications and services adopt responsible business conduct, and adhere to the best practices provided by the UN Guidelines for Consumer Protection. These state that all consumers of digital products and services should be treated equitably, honestly, and fairly. Additionally, countries should have oversight bodies responsible for all aspects of digital consumer protection including the Internet of Things;
- That education and awareness are used to complement regulatory and legislative protection. Companies, regulators, consumer protection bodies and consumer organisations should collaborate to develop systems to make it easier for consumers to know the risks and opportunities of connected products and services.