Guiding the IoT to safety has been saved
Limited functionality available
Regulations should do more than tell companies what they can’t do—rules should help guide corporate players through minefields of uncertainty. It’s a lot of responsibility, especially when it comes to still-developing IoT technology that holds great promise—and real risks.
Imagine Pandora sitting and staring at her box. In a few moments, she will open its bronze lid and release fear, death, and plague into the world . . . but right now she is wracked with uncertainty. What’s inside? The box might contain untold riches to help her new kingdom—but Zeus warned her never to open it. Should she open it and risk punishment, or leave it shut and possibly leave valuable resources untapped?1
In many ways, the story of technological change and regulation is Pandora’s story—technology can be understood only through the lens of risk and uncertainty. Technological change by its very nature causes uncertainty: How could this new technology be used? How might it improve people’s lives? How may it harm those same lives? With the Internet of Things (IoT) at the peak of its hype cycle, these questions are swirling more than ever.2 The challenge is the risk that accompanies all of this uncertainty. Like Pandora, companies looking to implement IoT solutions are facing a box that may contain significant new revenues—and, quite possibly, technical difficulties, future regulatory challenges, or security breaches. Do they risk opening the IoT box and facing these uncertain regulatory issues, or do they leave it closed and risk missing out on the potentially most transformative technology since the Internet?
One key to making an informed decision and ameliorating risk is to reduce uncertainty—in particular, uncertainty about future regulation that may affect IoT practices. For regulators too, pressure is mounting to protect consumers even while IoT technology itself is still developing.3 But with the often-blunt instrument of regulation, this could become a catch-22 of inaction: Regulators take no action because they are uncertain about the technology, so companies take no action because of uncertainty about regulation, slowing technological adoption . . . and further slowing the action of regulators (see figure 1).
But it takes only a shift in perspective to break this catch-22. Consider that government’s relationship with IoT technology goes beyond regulation—agencies are also consumers and developers of IoT infrastructure and applications. In these two roles, government can influence the development of IoT technology, guiding it toward safe, secure, and responsible uses—and saving regulation for indisputably necessary areas such as critical infrastructure or health systems (see figure 2).
To illustrate exactly how governments at all levels can help to guide the IoT’s development—protecting citizens while still encouraging technological growth—this article makes use of a body of industry-specific use cases. The goal: to reduce overall uncertainty, allowing policymakers to understand this complex issue and businesses to see where government action is likely, thereby reducing the risk of their investments in IoT technology.
The first step to reducing the uncertainty and risk around the IoT is to get a better picture of what it is, and how government agencies may need to interact with it. The IoT is the architecture and suite of technologies needed to create, communicate, aggregate, analyze, and act upon digital information in the physical world (see figure 3).
With such a broad definition, the applications and impacts of connected technology on the public sector can cover an equally wide spectrum. Utility providers have created mesh networks of smart meters capable of hosting other communications.4 Automakers and tech companies are investing in autonomous vehicles that may require new public infrastructure.5 Customer advocacy groups are calling on government to create strenuous security and privacy standards for new connected devices.6 Even with this bewildering mix of uses, roles, and industries, agencies’ interactions with IoT technology can be grouped into three categories:7
Government as IoT end user. To the extent that reporters and academics have addressed the government’s relationship to the IoT, articles (including our Anticipate, sense, and respond8) have focused on the question of how government can harness connected technology to better provide services. These address how schools, public utilities, law enforcement, and other government functions can take advantage of the new technologies to break traditional trade-offs and find innovative ways to serve the public. In the interest of space, we will address less commonly discussed roles of government.
Government as infrastructure provider. The investigation of what government policies or regulation may be necessary for effective use of IoT technology begins with understanding connected infrastructure. Just as governments are responsible for building and maintaining their countries’ highways for vehicles, they may be called upon to provide the infrastructure for the IoT. However, with so many different types of communications mechanisms and protocols within the IoT stack, it is unclear at this point exactly what is required to create foundational infrastructure for IoT.
Government as regulator. New technologies necessarily bring with them new uncertainties about their use. These uncertainties represent a risk to the public, which governments at all levels are responsible for ameliorating. Complicating this issue is that, at the emergence of a new technology, the full array of its eventual possible uses cannot be known. Therefore, it can be quite difficult to forecast the potential dangers that such technologies pose to the public.
Already from these three roles, we can see a tension forming in governments’ goals with relation to new technology. As an infrastructure provider, governments seek to support and incentivize further technological development to create new value and new public goods. On the other hand, governments have a duty to protect the public from the risks of both the known and unknown uses of those new technologies. Striking the right balance between these goals, and then crafting appropriate policies to achieve them, is the chief challenge facing officials dealing with emerging technologies.
The first step in order to strike that balance is to understand what the IoT needs in order to reach its full potential. To do so, we’ll look at some industry-specific case studies that reveal the key bottlenecks impeding the IoT from creating new value.
The IoT is fundamentally about bringing the benefits of information to the physical world. Therefore, for the technology to create value for customers, companies, or society at large, the information created by sensors needs to reach those individuals or machines that can take informed action on it. In other words, information must be able to complete the Information Value Loop. In this sense, the race to create IoT solutions is really a race to alleviate a series of bottlenecks that restrict or stop that flow of information. Understanding where and how these bottlenecks are restricting the flow of information, then, can help companies and government alike understand what is holding back the development and implementation of IoT technology as a whole.
Through an extensive IoT research campaign, Deloitte has built up a large collection of use cases, with IoT examples in every industry.9 In analyzing these use cases, we found that once companies began generating data with IoT technology, the most common bottlenecks arose in the communication, aggregation, and analysis of that data.10 By looking at each of these bottlenecks, we can begin to sketch out where government action is needed and where it may be counterproductive. (See figure 4.)
At least as far back as the Industrial Revolution, there has been a clear role for governments to coordinate, if not directly provide, the basic infrastructure needed for economic development.11 When infrastructure meant highways, bridges, canals, and airways, the government’s role was rather clear: In situations where private industry could not or would not act, the public sector would provide the physical roads, ramps, and rails over which the traffic of commerce could move.12 Same with power lines and gas connections, and with telephone lines and submarine communications cables: The government has an interest in linking citizens, even in rural areas that companies might find unprofitable to service.
But when it comes to the Internet of Things, government’s role is less clear—as are its possible actions as an infrastructure provider. After all, with IoT technology, it is information—not trucks, planes, or rail cars—that creates value.
No question, though, that government does play a key role. While you may not be able to see it, information still travels via public-sector infrastructure much as cars traverse highways. For example, every smartphone is able to deliver driving directions only because of the multibillion-dollar government investment in GPS satellites13—not to mention the electromagnetic spectrum, a finite resource that government regulates to carefully share among competing public, private, and even military uses. With the number of IoT-connected devices expected to increase by 3 to 30 times over the next 15 years, the strain on existing spectrum allocations is enormous.14 So it is perhaps unsurprising that governments around the world are taking steps to open up more spectrum to wireless uses. Whether allocating previously unused spectrum to IoT applications or repurposing spectrum from older uses, governments are working to provide the raw materials that connected technology needs to grow.15
Perhaps most interestingly, where paving highways and laying track cost taxpayers millions, allocation of spectrum is technically free—save for the time it takes to do the work. In fact, the potential IoT-based advances mean that governments can in some cases actually generate significant revenue from reallocating portions of spectrum. Recently, both US and Canadian telecom regulators were able to raise billions of dollars from spectrum auctions, with the 2015 Canadian sale raising more than $2 billion and the US auction a year earlier generating a record $44.9 billion.16 In exercising its role as IoT infrastructure provider, a government may be able to efficiently allocate scarce wireless resources and, in the process, create benefits for both companies and taxpayers.
For connected technology to create real value, it should be able to sense not just one particular piece of data but data from multiple sensors and sources. In reality, this means that different devices from different manufacturers often must be able to seamlessly communicate and share data. To do so requires common standards for data format and communications protocols. At first glance, this represents a great opportunity for government to intervene in its role as regulator to create one common standard and accelerate the IoT’s growth.
However, government action on standards may be superfluous or even counterproductive. Industry is not insensitive to the need for standards and has formed a number of competing groups aimed at designing the standards of the future.17 While none of these standards has yet won out, that is more a function of the continuing development of the technology and market, rather than intransigence of the groups.
In fact, with many of the underlying standards in place for communication protocols, such as 4G and Wi-Fi, and device addressing, such as IPv6, the situation resembles the early days of mobile operating-system competition.18 In that arena, it was not government regulation but, rather, a dominant player creating a superior platform that created the de facto standard. Industry leaders produced winning mobile OS platforms that unified many elements of a fragmented technology landscape to produce industry standards.19
A similar process may be under way with IoT technology, leading both government and industry leaders to conclude that government regulation of IoT standards would be a mistake.20 While there may be a role for agencies to play in setting out IoT guidelines for specific critical industries—such as ensuring interoperability of electronic health data—full regulation of IoT standards may actually slow innovation rather than accelerating it.21
This is not to say that there is no role for government in its capacity as a regulator. The IoT’s expanding implementation means more and more data being generated about things and people. Companies aim to combine and analyze all of this data to create new insights and provide services to consumers. The catch: In the process, IoT technology may expose individuals’ privacy in new ways. Research shows that it can take as few as four data points from mobile communications to individually identify an individual.22 In analyzing data such as purchasing history or speed patterns of your connected car, an IoT system can unintentionally reveal sensitive private information such as attendance at a particular church or movements of a competitor’s sales force. Apart from obvious security concerns from such data attracting criminals and identity thieves, breaches may leave users justifiably uneasy.23
In the interest of building confidence in connected technology, there is an undeniable need for government to regulate the IoT from the perspective of consumer protection, especially as it relates to security and privacy. The difficulties will sound familiar to anyone involved in government regulation of technology: IoT applications are fast proliferating—with new technologies, processes, and uses emerging almost daily—while traditional regulatory processes are often measured and slow, with publishing a new rule in under three months usually possible only in an “emergency.”24 This is to say nothing of the legislative gridlock that can stall for years the authority to even make those new rules in the first place.25
Even beyond the general difficulties in regulating fast-moving technologies, privacy presents special challenges. As digital information moves rapidly around the globe, it can encounter many different regulatory regimes. Sure, companies can aim to comply with each nation’s privacy rules, but these different rule sets are often built upon entirely different legal conceptions of privacy, resulting in at times contradictory rules, making compliance with all rules impossible.26 If the IoT is to reach its potential, it will almost certainly involve collecting and transmitting data across national borders. Decades and centuries of transnational trade have firmly established regulation across borders, but data is both different and intangible, and nations’ underlying differences on the core concepts of privacy make such regulation highly unlikely for IoT technology. Issues with transnational fragmentation await resolution in a way that both protects consumers globally yet allows connected technology to thrive.27
In this way, we have returned to Pandora’s box—the fundamental issue of regulating new technology. Governments should step in to protect consumers in some way, despite uncertainty about rapidly changing technology. Similarly, companies working to develop IoT applications face uncertainty around potentially impactful regulations. That said, however new and expansive IoT technology might be, these uncertainties shouldn’t dramatically hold up development of either applications or regulations. For one thing, as we have seen, only a few areas actually demand regulatory intervention. Second, the consumer privacy and security issues raised by connected technology are not new. While the mobile nature of IoT technology may cause these issues to pop up in new and unexpected places, governments and companies are well equipped to deal with security and privacy issues once identified. In the United States, agencies such as the Consumer Protection Bureau and legislation like the Fair Credit Reporting Act are empowered to act to protect consumers from IoT-based security and privacy challenges, even if the pace of new IoT developments may require these familiar actors to pick up some new tools.
If regulation’s ultimate purpose is to encourage companies and others to take into account externalities such as security and privacy, there can be a number of effective tools that can accomplish this.28 Two untapped tools for governments at every level are their actions in other roles relating to IoT technology—namely, user and infrastructure provider—which, again, offer more certain and stable starting points than trying to hit the moving target of regulating a rapidly changing new technology. Agencies can use their activities as IoT users and infrastructure providers to help guide and shape the development of connected technology.
Set a good example: government as an IoT user. First and foremost, governments exist to provide services to citizens. Given the IoT’s tremendous power to increase efficiency and provide new services, it is no surprise that much of the discussion center on how agencies can use connected technology to better serve citizens. Hardik Bhatt, CIO of the state of Illinois, summarizes: “The first and very active role of government is government as a customer.”29 It is exactly by being large-scale consumers of connected services and technology that agencies can influence IoT development through buying power, not regulations. By setting responsible requirements and buying secure, privacy-respecting solutions, government can, as Bhatt describes, “start being the role model of how the Internet of Things technology can be used.”30
The impact of a public-sector role can go beyond the economic impact of the dollars that agencies spend to set up IoT solutions. It can extend to the heart of the technology itself. Humans can be both incredibly creative and also incredibly lazy, and programmers are no exception. As a result, once a programmer finds a successful solution to a certain problem, others tend to copy that code and paste it into new applications, skipping the usual rounds of testing. The jumbled result, dubbed “spaghetti code,” can introduce unintended bugs and flaws,31 and with fast-moving technologies, this problem has the potential to quickly spread security holes. While spaghetti code is a problem in every industry, government’s open, public-service nature may put it in a unique position to help the situation: By creating good, solid code and making it publicly available, an agency can be the source or seed for other organizations using connected technology more responsibly.
Reduce function creep: government as infrastructure provider. There’s no question that function creep—a product being used in unanticipated ways—can be an incredibly powerful tool for innovation, such as when a teacher noticed that a wallpaper cleaning putty made a good toy, giving birth to Play-Doh. But function creep can introduce critical security and privacy flaws into new technologies,32 exacerbated by a lack of purpose-built tools, forcing developers to plug in close-enough hardware and software. Government can play a strong role in limiting function creep—and thereby reducing the likelihood of security and privacy vulnerabilities—by making available stable infrastructure for connected technology.
Enable transparency: government as both user and infrastructure provider. The IoT-based distributed denial-of-service attack that shut down Internet access to millions of people on October 21, 2016, highlights a key vulnerability of connected technology. Many people whose devices were compromised by the Mirai malware that launched the attack were unaware that their devices’ security might be substandard; in fact, many did not even know their devices had been compromised.33
Whether dealing with security or privacy, transparency is a critical virtue. In the United States, for example, privacy is governed largely by contracts and user agreements, an arrangement that is untenable if companies conceal their usage of consumer data. Similarly, both governments and companies are powerless to begin to plug IoT cyber vulnerabilities unless they are aware of the basic state of their hardware and software. And when that hardware and software is compromised, each party needs to be able to share information about the attacks and signatures with each other.
In its dual role as IoT user and infrastructure provider, government can help to lay the foundation for this needed transparency.34 Transparency is a critical unsolved challenge in IoT technology, since there’s no practical way to adequately inform consumers about all the uses of their data stemming from potentially hundreds of small devices. Agencies can serve as a model of transparency by finding new ways to solve this challenge, clearly and concisely communicating to users what data is collected and how it will be used.
Similarly, as infrastructure providers, governments can begin to create stakeholder groups and information-sharing venues that can allow for the transparency necessary to combat cyber threats. Here companies can share information on attacks and threats, preemptively benefiting from shared information and concerns—better for everyone than regulators requiring them to reveal data losses. Finally, given the continued threat posed by botnets such as Mirai, governments should consider establishing a security rating system or evaluation organization for new hardware and software products. A public-private working relationship on the model of Underwriters Laboratory may be an effective model for quickly and efficiently establishing the baseline of transparency required for IoT security.35
These same principles can have a double impact at reducing uncertainty: Not only do they help governments act amid uncertainty around connected technology—they can help companies understand how regulators are likely to respond to IoT-related issues. These seemingly small actions can give companies the confidence to innovate and drive the technology further, while protecting citizens’ rights and personal information.
In this way, the IoT resembles Pandora’s box less than it does Schrödinger’s box:36 You can never know ahead of time whether the cat is alive or dead—if the technology will be a boon or a hazard—so you need to plan for both eventualities and try to build in as much certainty as possible. Of course, unknowns are inevitable and not necessarily fatal—after all, uncertainty around the state of the electron did not stop Erwin Schrödinger and others from building modern electronics; in fact, chances are that the touchscreen of the laptop or phone on which you are reading this article harnesses exactly those quantum effects.37 And for government, the key to ameliorating uncertainty, encouraging corporate innovation, and protecting citizens is to consider IoT technology as both user and regulator.