Breaking into IoT: Internet of (every)thing - legal views
In our country, two telecommunication operators have independently launched their own centres of excellence and business hubs for nurturing and advancing the internet of things, popularly known as IoT (majalahict.com, 13/11/2018).
The term IoT was reportedly introduced by Kevin Ashton, a British technologist, in 1999 (That ‘IoT’ Thing, RFID Journal, 22/6/2009). He built on the premise that whereas today, or when the internet was introduced, information technology depends above all on the people who produce the underlying data and information, the concept of IoT alters this. ‘Things’ matter much more here: the basic idea is to empower (enhance) any computing architecture to gather information on its own without human help. So to speak, things can have “eyes, ears, nose” to perceive and observe the world for themselves and for their own needs. For this reason, some say the IoT is also colloquially referred to as the Internet of Eyes.
While no authoritative or standard definition of IoT exists, there is a consensus on the IoT concept (Rolf H. Weber & Studer, CLSR journal 32-2016 Elsevier). It means transforming traditional objects into ‘smart’ ones in scenarios where internet connectivity and computing capability extend to a variety of objects, sensors, devices, and everyday items (e.g. smartwatches, refrigerators, thermostats, cars, health monitors and roads) across sectors ranging from agriculture, logistics, energy and utilities, industrial IoT, security, healthcare, fintech, building automation, and fleet management to transport.
Likewise, the ITU (International Telecommunication Union) attributed interconnectivity to the IoT (Overview of the IoT, ITU-T, 6/2012). Interconnectivity, however, is arguably not the real problem in regulating IoT according to the authority (postel.go.id as cited in cnnindonesia.com, 29/11/2018), since the main underlying problem is the unforeseeable ecosystem and a good business model.
Notwithstanding the foregoing, we see that IoT development is no longer confined to architectural things: according to recent breakthroughs, technologists are now able to implant sensors in biological creatures. Accordingly, things are now perceived not only as material architecture (e.g. a grocery product) but also as living organisms (human beings, animals, and plants), a transformation from thing to everything that is getting closer to our bodies. Take Sweden, for example: thousands of Swedes are inserting microchips under their skin (WEF, 16/5/2018), and going even further, UK businesses are planning to implant microchips in their employees’ hands (the Guardian, 11/11/2018).
Rolf H. Weber (CLSR journal 32-2016 Elsevier) suggested that various enabling technologies may be employed to enable IoT scenarios, such as RFID (radio frequency identification) systems, WSNs (wireless sensor networks), M2M (Machine-to-Machine) systems, big data, cloud services and smart applications. The IoT was first introduced through RFID systems attached to consumer products. A popular industry proposal employs RFID in an IoT scenario based on the EPC (Electronic Product Code): an industrial product is fitted with an RFID tag that links the product to (and transmits to) EPCIS (EPC Information Services), and each product is also individually assigned a name using the ONS (Object Naming Service) system, which works like the DNS (Domain Name System) on the Internet.
Turning to the legal framework, we note that the IoT gives rise to complex issues. The concerns regulators have about the internet will also exist in the IoT. By way of comparison, the European Commission held its communication with the public (incl. experts and industries) in June 2009 on the topic of ‘IoT – an action plan for Europe’. The EU’s consultation report sets out several key points of importance with regard to the IoT, encompassing architecture, identification, privacy and data protection, security, governance, standards, as well as ethics (EC, Report on the Consultation on IoT Governance, 16 January 2013).
Security and privacy (with data protection) are contested issues for IoT. The notion of security expresses the need for the data (processed and stored by the IoT) to be treated with confidentiality, integrity and availability, collectively known as the CIA in the information security industry. As the IoT is linked to the Internet, many microchips and IoT devices with poor security protection will be easily exposed to cyberattacks. A popular quote on this: “everything that can be connected to the internet can be hacked” (Sue Poremba as cited by RH Weber & Studer, as cited above).
The Ministry of Communication and Information Technology (MoCIT) has several security and certification rules for such IoT devices. In general, IoT architectures can be categorized as Electronic Systems (ES) and/or telecommunication devices/instruments (see the various enabling technologies mentioned above). For an ES, MoCIT Regulation No 4/2016 (on information security) sets rules for technical standards compliance as well as ES certification (e.g. ISO/IEC 27001 compliance) to ensure the CIA in the ES, divided into three levels: strategic-ES, high-ES, and low-ES. If, on the other hand, the IoT falls under the latter scope, it complies with, inter alia, MoCIT Regulation No 18/2014 as amended by 1/2015 (on certification), MoCIT Regulation No. 35/2015 (on short range devices), and other relevant regulations on frequency allocations and radio microwave links.
As for privacy and data protection, even though IoT devices and software may not capture personal data on their face (unless otherwise) and no individual has been singled out, the collection of vast amounts of information under IoT scenarios apparently signifies the likelihood of personal identification, especially when data processing is carried out with the help of big data analytics. On this, considering that IoT applications are very wide-ranging and ubiquitous, assessment of privacy and data protection risks should be taken into account at the outset to enable the proper interpretation of the rules surrounding them.
Industry players may be recommended to apply data protection impact assessments and data protection by design (within IoT production), ensure that user consent is truly granted, provide a right to erasure for data subjects, and specify the purpose/scope of data sharing. These form a non-exhaustive list of available recourses to anticipate and mitigate the normativity of privacy and data protection.
Notably, the outlook for IoT will definitely be ever-increasing over the following years. Some have predicted that the quantity of IoT devices will be 20.8 billion in 2020 (Gartner) or 100 billion in 2025 (Huawei), and that the market value of IoT will reach 444 trillion rupiah in 2022 (Founder IoT Forum, majalahict.com, 30/11/2018). The government may already nudge those concerns through several mechanisms in the sense of knowledge sharing, digital talent, and apps development. A robust regulatory and policy framework, however, should be encouraged and effectuated through proper guidance, standards, roadmaps, or industry self-regulation approaches.
The writers are digital business and technology lawyers at Bahar & Partners Law Firm. The views expressed are their own.
Written by: Daniar Supriyadi (SH, LLM in Law and Tech) and Johana Tania SH
Member of Digital Business & Technology at Bahar & Partners Law Firm