IoT Alliance Australia releases data best practice guide for B2C providers

While not legally binding, the guide is a step towards ensuring IoT device and service providers and consumers are working together to mitigate privacy and security risks associated with IoT.
Written by Tas Bindi, Contributor

The Internet of Things Alliance Australia (IoTAA) has published its general guide for B2C IoT device and service providers, outlining seven principles pertaining to customer protection, accountability, customer empowerment, cyber protection, customer data transparency, data minimisation, and customer data control.

Estimates by the not-for-profit body using industry data indicate that the widescale use of internet-connected devices could drive up to AU$120 billion of new economic activity in Australia in up to a decade. The main industries to benefit from the deployment of IoT are logistics, public health, retail, transportation, and worksite automation, the alliance has said.

However, there needs to be a better engagement model to ensure IoT services deliver benefits without consumer detriment, according to Peter Leonard, IoTAA chair of the data access, use, and privacy workstream.

"Industry can take the lead, but only through good engagement with consumers and regulators and open and frank discussions about how to work together to address and reduce risks," he said in a statement on Wednesday.

In Good Data Practice: A Guide for Business to Consumer IoT Services for Australia, the IoTAA recommends IoT providers incorporate privacy and security into the core design of IoT solutions, taking into consideration that the development environment for IoT spans many languages, operating systems, and networks.

IoT providers should additionally ensure its ecosystem partners -- which may include telcos and cloud platform providers -- similarly adopt appropriate security processes and practices such as taking "appropriate measures" to ensure the protection of personal and private customer data from attack during storage and transmission; providing regular security updates; deploying new software and hardware relating to authentication, identification, and data access controls; ensuring ongoing compliance with regulatory, product, and service security certification requirements; and developing strategies to limit reasonably anticipated loss or damage when data breaches or data corruption have occurred.

"Reasonable" steps should also be taken by IoT providers to protect the security of personal and private information from, for example, internal unauthorised access, improper use by sub-contractors, and external intrusions.

The IoTAA also advises IoT providers to apply the "accessibility by design" principle to ensure a broad range of consumers -- including those living with disabilities -- are able to "safely, securely, and autonomously" use IoT devices and services.

Importantly, IoT providers should be transparent with their customers by informing them, in "plain English", "customer friendly", and "prominent" form, of how their data is collected and used.

According to the guide, customers should also be informed of to whom their data might be shared in the future -- for example, insurers, loss adjusters, law enforcement agencies, environmental authorities, and other regulators.

Generally, collection and handling of personal or private customer information should be minimised by the IoT provider unless it's necessary for the operation of a device or service, expressly permitted under relevant Australian privacy laws, and transparently disclosed to customers.

Personal or private customer information should also be de-identified, according to the IoTAA, and de-identified information that is not fully anonymised should be handled in accordance with "reliable and verifiable technical, operational, legal, or other safeguards or controls reasonably required to ensure such information remains effectively, reliably, and verifiably de-identified".

De-identified information that is not fully anonymised should also not be made available to another party that might use it to re-identify an individual, whether from the information itself or when the information is combined with other information available to that party, the IoTAA added.

Where necessary, privacy impact assessments of new -- or changes to existing -- IoT services or devices should be conducted to ensure ongoing compliance with Australian privacy laws and best practices, the IoTAA said.

While the guide generally advises against IoT providers "unfairly" or "unreasonably" shifting certain responsibilities to customers, it acknowledges that customers will often be responsible for: The setup of an IoT service and IoT devices, including configuration of appropriate security settings; providing access to the internet of an IoT service, by configuration of appropriate security settings; monitoring the safekeeping and operating environment of an IoT device; ensuring availability of reliable power supply or other external requirements to ensure that IoT devices operate in accordance with their specifications; and installing patches and updates.

However, IoT providers have a role to play in informing customers of best practices around device handling and maintenance, as well as data security and information handling, that they are expected to implement to mitigate any known or anticipated vulnerabilities.

Gavin Smith, chair of the IoTAA, said IoT providers can "rely too heavily on consumers to understand and mitigate risks."

"Reasonable" steps should also be taken to educate customers about how particular IoT devices or services fit in the IoT supply chain, as well as the scope of the IoT provider's responsibility in ensuring personal and private data is secure, because data will often pass through multiple parties such as cloud platform providers, data warehouses, and billing service providers, creating the potential for misuse at various ends.

Additionally, the guide advises that customers be kept informed of the complaints process, and that IoT providers consider the Communications Alliance Telecommunications Consumer Protections Code as a guide for handling consumer complaints.

Lastly, IoT providers should take steps to ensure customers are aware of their rights around access to their own personal and private data, including limitations as to the portability of their data, according to the guide.

Customers should not be "unduly impeded" in exercising choice, including the ability to switch between multiple providers of products and services.

"In particular, provisions as to ownership of data should not confuse or undermine clarity as to rights of access by customers and affected individuals to [personal and private information] about them collected during provision of an IoT service," the IoTAA's good data practice guide states.

The IoTAA acknowledged that its guide is not tailored to the unique needs of specific industries and is intended as a supplement to Australian privacy and consumer laws. The alliance also said it will update the guide once industry-wide privacy and security standards are developed, which it is also advocating for.

During a public hearing in August, IoTAA said issues around technical standards, data sharing, and application interoperability require the government's attention if Australia wants to effectively grow smart infrastructure and smart cities using IoT.

Looking ahead, IoTAA CEO Frank Zeichner said citizens can play a greater role in the collection and sharing of data, and subsequently contribute on an ongoing basis to the development of sustainable and productive cities.

Zeichner called this the "Uberising of citizens", who are an "unrealised resource" in the IoT ecosystem.

He assured that citizens would be willing to share data -- such as that obtained from electricity, gas, and water meters installed on their properties -- with city councils as long as they get something in return, such as a discount on utility bills.

Smart city solutions will emerge from the effective and judicious use of data, but a trust framework for data sharing needs to be established first, according to Zeichner.

Earlier this year, the IoTAA released its Internet of Things security guideline, promoting a security-by-design approach to IoT development in Australia.

In February, the alliance said the proliferation of IoT means cybercriminals have more attack surfaces and personas that they can manipulate, and so it's important to incorporate security in the core design of IoT solutions, at every entry point.

There are also multiple parties surrounding a single IoT device -- such as the user, the manufacturer, the cloud vendor hosting the IT infrastructure, and third parties accessing the device via an API -- and so understanding how IoT devices self-organise and share information is a necessary precursor to developing an appropriate trust framework.

"For a route to be established, route information is transmitted from node to node (multi-hopping) until the desired destination is found. Throughout the route maintenance phase, nodes can add, delete, or needlessly delay the transmission of control information (selfish or misbehaving nodes). It is during route discovery or forwarding that malicious nodes can attack," the first version of the security guideline states.

The IoTAA also said that security needs to be considered in the context of how the device will be used, which means that different industries will require different approaches. Finding a universal solution applicable to all the routing attacks is also difficult, according to the guideline.

"Protocol designers must ensure protection from the known attacks while minimising the impact on sensor and network performance," the security guideline states. "There are five key issues to address: Secure route establishment, automatic secure recovery and stabilisation, malicious node detection, lightweight or hardware-supported computations, and node location privacy."

John MacLeod, Watson Internet of Things specialist at IBM, told ZDNet at the start of the year that while engineers need to assume responsibility for the security of their devices, it's also important that security is kept in mind when writing applications that run inside IoT devices and gateways.

"There was an incident where somebody hacked into hundreds of thousands of security cameras around the world and conducted a big denial of service because the software that had been loaded into these security cameras was not secure enough and allowed itself to be replaced by malicious software," MacLeod said. "Connecting to a secure platform is an important aspect of security, but it's not in itself sufficient to guarantee the security of the device."

Arron Patterson, CTO APJ Commercial division at Dell EMC, also told ZDNet at the start of the year that security is "difficult to bolt on afterwards".

"You really have to think about it at the beginning and make sure you're implementing policies and infrastructure that can respect those policies from the ground up," Patterson said.

"We've seen many many instances where datasets have been stolen or accessed and used. Once you've compromised someone's privacy and lost their trust, it's very difficult to get that back. These datasets are very valuable, there's a lot of intelligence that can be drawn from that around user behaviour and so forth, so it's well worth protecting.

"You really need to make sure that every time you collect a piece of information, you understand how you've collected it, what rights you have around it, what your consumer expects you to do with it."


    IoT enables the 'Uberising of citizens': IoT Alliance Australia

    Before smart cities are built and citizens are 'Uberised', a trust framework for data sharing needs to be established in Australia, according to the non-profit body representing IoT in Australia.

    IoT Alliance Australia releases security guideline for IoT development

    IoT Alliance Australia has released its IoT security guideline as a first step towards building industry-wide security standards.

    IoT adoption in the enterprise gaining momentum in Australia: Telsyte

    Majority of early IoT adopters claimed cost savings and increased customer satisfaction as a result, according to the analyst firm.

    Why big data leaders must worry about IoT security(TechRepublic)

    The security risks associated with IoT devices cannot be ignored. If your big data plans include IoT devices, follow these four steps to reduce your chances of a security breach.

    The security tsunami of the Internet of Things is coming, are you ready?(TechRepublic)

    Intel Security's Scott Montgomery took the stage at Structure Security to explain some of the core security and privacy challenges that are coming with the Internet of Things.

    Editorial standards