IERC Activity Chain 05 – IoT Privacy, Security and Governance

Internet of Things (IoT) is a broad term which indicates the concept of increasingly pervasive connected devices (embedded within, attached to or related to “Things”) supporting various applications to enhance the awareness and the capabilities of users. The adoption of IoT essentially depends upon trust. Moreover this trust must be established and maintained with respect to a broad group of stakeholders otherwise IoT will face, to some degree or other, challenges which may restrict adoption scope or delay its timing.

Without sufficient IoT security it is highly likely that some applications will more resemble the Intranet of Things rather than the Internet of Things as users seek to place their own proprietary protection barriers and thus frustrating broad interoperability. Many of the device connections to the Internet today more closely resemble the Intranet of Things which differs dramatically from the vision for the Internet of Things, the latter being a much more open and interoperable environment allowing in theory the connection with many more objects and, with their multiple IoT compatible devices.

One specific challenge within IoT is the control exercised over information collected by increasingly small and pervasive mobile devices, like RFID or future micro-nano sensors which can be ingested, implanted, worn or distributed elsewhere within the environment. In most cases, such devices have the capability of being wireless connected and accessible at all times and by anyone. In this context, the challenge is to ensure that the information collected and stored by the devices should be visible and distributed only by those legally permitted and authorized, acknowledging that permissions and authorizations may change throughout a devices or objects life or lives. This element of IoT represents one of a number of perceived and real concerns which are grouped under the title of IoT privacy.

One aspect which often gets overlooked particularly frequently by those of us who entered adulthood before the year 1990 is the importance of the virtual-world. The Internet is a virtual environment. IoT is capable of establishing an important new bridge between the real and virtual-worlds. This bridge is likely to grow and become more relevant to the lives of citizens in the future allowing real-world augmentation of virtual-worlds and conversely allow the virtual-world to be enhanced by real-world information. Noteworthy is that IoT devices may be real or, virtual or, include aspects of both, either instantaneously or one or the other over a device’s or thing’s lifetime.

IoT not only supports the exchange of information it nourishes the creation of greater automation. When IoT delivers this automation often reference is made to “smart” e.g. smart-city, smart-healthcare, etc. Trusted IoT therefore extends to confident and appropriate outcomes and not only the aggregation of clear dependable and timely information. Similar such “smart” automation has been widely used for investment banking transactions which has shown how a small change can cause an almost instantaneous and unstoppable global avalanche of stock values which was neither intended nor justified and resulting in severe penalties for a large number of stakeholders. IoT and “smart” applications effects need careful consideration and possibly some form of permanent monitoring to identity potential risks and oversee the development and introduction of suitably appropriate measures. A future IoT governance model has a role in overseeing such measures are put in place to protect IoT users and reinforce trust and confidence in “smart” applications.

This chapter provides an overview of how the FP7 projects iCore, BUTLER, GAMBAS and IoT@Work within IERC Activity Chain 05 have approached IoT – security, privacy and governance.