Standards body wants standards for IoT. Vendors don't care
Good luck, ISOC, you'll need it given some thing-makers still haven't discovered IPv6
The Internet Society (ISOC) has added its name to the growing list of groups concerned that insecurity and a cavalier attitude to privacy pose a risk to the Internet of Things (IoT).
In a paper published last Friday, ISOC notes that individual threats and vulnerabilities are, in aggregate, what's going to make or break the IoT as a whole.
While users are identified as part of the problem, ISOC notes that they can't choose the amount of security they want on a refrigerator (for example) if they don't understand the issue.
However, the paper says, the buck, or rather the packet, stops with vendors: “developers of smart objects for the Internet of Things have an obligation in ensuring that those devices do not expose either their own users or others to potential harm.”
It may be sad that ISOC's been infected by the kind of phraseology beloved of economists, but this is worth unravelling: “lack of security for IoT devices results in a negative externality, where a cost is imposed by one party (or parties) on other parties”.
In other words, at least one reason cheap broadband routers (for example) are hopelessly insecure is because vendors don't bear the cost of insecurity. That falls on the Internet as a whole.
There are, ISOC notes, challenges specific to the IoT – the huge scale anticipated by IoT-boosters is far beyond that of computers or even the huge smartphone market; and vast numbers of identical devices are going to massively amplify the reach of any security vulnerability that's discovered.
Similar considerations apply to privacy – particularly since the coolest of IoT companies are proudly building their business case on the mass collection of end user data.
“Respect for privacy rights and expectations is integral to ensuring trust,” ISOC notes – and users can't make meaningful choices about what they buy if those rights aren't respected.
Today's model of “notice and consent” – already meaningless when a lawyer can wrap a $1.99 song purchase in a contract longer than a home purchase – is irrelevant for the IoT world, ISOC says, since a refrigerator might provide no user interaction whatever.
ISOC calls on the industry to be fair in how it collects and handles data, transparent in what it intends to do with that data, and to make privacy a design consideration.
+Comment: The Register is both appreciative of and depressed by the ISOC document. Unfortunately one of the other things that's breaking down in the IoT era is the fragile collaboration that used to characterise the Internet.
In the face of their old complaint that standards efforts move too slowly, IoT device vendors appear to have collectively decided to ignore as many standards as they can – many haven't even noticed that a preference for IPv4 over IPv6 is the height of stupidity.
The vendor clubs hoping to impose proprietary interfaces and communications on the IoT are also a threat not just to users but to the IoT as a whole, making it more expensive to develop standards, check interoperability, or ensure security.
Don't, however, try to batter that idea through the self-interested C-level cretins who are almost certainly considering their own alternative to the Open Interconnect Consortium that competes with the AllSeen Alliance, both of which were formed by the kinds of lobotomised “visionaries” that could look at the 160 or so members of the Industrial Internet Consortium and say “naah”.
Good luck, ISOC: you'll need it. ®