The IT Law Wiki

Internet of Things

29,582pages on
this wiki
With a trillion sensors embedded in the environment — all connected by computing systems, software, and services — it will be possible to hear the heartbeat of the Earth, impacting human interaction with the globe as profoundly as the Internet has revolutionized communication.
Peter Hartwell
Senior Researcher, HP Labs[1]
In 2008, the U.S. National Intelligence Council warned that the IoT would be a disruptive technology by 2025; six years later, it is clear that this will happen much sooner, if it has not already.[2]

Definitions Edit

The Internet of Things is

a technological revolution that represents the future of computing and communications, and its development depends on dynamic technical innovation in a number of important fields, from wireless sensors to nanotechnology.[3]
the ability of devices to communicate with each other using embedded sensors that are linked through wired and wireless networks. These devices could include your thermostat, your car, or a pill you swallow so the doctor can monitor the health of your digestive tract. These connected devices use the Internet to transmit, compile, and analyze data.[4]
the ability of everyday objects to connect to the Internet and to send and receive data. It includes, for example, Internet-connected cameras that allow you to post pictures online with a single click; home automation systems that turn on your front porch light when you leave work; and bracelets that share with your friends how far you have biked or run during the day.[5]
[t]hings having identities and virtual personalities operating in smart spaces using intelligent interfaces to connect and communicate within social, environmental, and user contexts.[6]
a world-wide network of interconnected objects uniquely addressable, based on standard communication protocols.[7]
[n]etworks of low-cost sensors and actuators for data collection, monitoring decision-making, and process optimization.[8]
'things' such as devices or sensors — other than computers, smartphones, or tablets — that connect, communicate or transmit information with or between each other through the Internet.[9]
an expansion of the global infrastructure through existing and evolving interoperable information and communication technologies. It incorporates the interconnection of physical and virtual systems to enable new and autonomous capabilities."[10]

Overview Edit

Big data and the growing "Internet of Things" have made it possible to merge the industrial and information economies.[11]

The term "Internet of Things" ("IoT") appears to have been coined by a member of the RFID development community circa 2000, who referred to the possibility of discovering information about a tagged object by browsing an Internet address or database entry that corresponds to a particular RFID. Since that time, visionaries have seized on the phrase "Internet of Things" to refer to the general idea of things, especially everyday objects, that are readable, recognizable, locatable, addressable, and/or controllable via the Internet — whether via RFID, wireless LAN, wide area network, or other means.

The idea is that physical objects can become part of an information network, whereby they can interact with both humans and with each other (also known as Machine-to-machine or M2M communication). "The IoT includes consumer-facing devices, as well as products and services that are not consumer-facing, such as devices designed for businesses to enable automated communications between machines. For example, the term IoT can include the type of Radio Frequency Identification ("RFID") tags that businesses place on products in stores to monitor inventory; sensor networks to monitor electricity use in hotels; and Internet-connected jet engines and drills on oil rigs. Moreover, the 'things' in the IoT generally do not include desktop or laptop computers and their close analogs, such as smartphones and tablets, although these devices are often employed to control or communicate with other 'things.'"[12]

"The IoT is characterized by four main attributes:

  • Time Scale: Automated systems that operate in the physical world and engage in analysis and action faster than humans can comprehend, participate in, or supervise.
  • Interdependence: Actions and consequences, some unanticipated, that can result from the interactions between systems.
  • Prediction/Learning: Systems that are constantly evolving through experiences and additional data.
  • System Management and Control: Emerging networked technologies that may not conform to older, established models."[13]


Everyday objects includes not only everyday electronic devices, and not only products of higher technological development such as vehicles and equipment, but things not ordinarily thought of as electronic at all — such as food, clothing, and shelter; materials, parts, and subassemblies; commodities and luxury items; landmarks, boundaries, and monuments; and all the miscellany of commerce and culture.

Today and increasingly in the future, computing and communications technologies (collectively, information technologies) are found and will be more likely to be found in places where they are essentially invisible to everyday view: in cars, wallets, clothing, refrigerators, keys, cabinets, watches, doorbells, medicine bottles, walls, paint, structural beams, roads, dishwashers, identification cards, telephones, and medical devices (including some embedded in human beings). These devices will be connected — the so-called Internet of Things. Computing will be embedded in myriad places and objects; even today, computing devices are easily transported in pockets or on wrists. Computing devices will be coupled to multiple sensors and actuators. Computing and communications will be seamless, enabling the tight integration of personal, family, and business systems. Sensors, effectors, and computing will be networked together so that they pass relevant information to one another automatically.

In this emerging era of truly pervasive computing, the ubiquitous integration of computing and communications technologies into common everyday objects enhances their usefulness and makes life easier and more convenient. Understanding context, personal information appliances will make appropriate information available on demand, enabling users to be more productive in both their personal and their professional lives. And, as has been true with previous generations of IT, interconnections among all of these now-smart objects and appliances will multiply their usefulness many times over.[14]

Although analysts define the IoT in terms of connected everyday objects, the nature of the connection remains to be determined. A two-way connection by means of the Internet Protocol constitutes the ideal case, but the originators of the IoT concept appear to have emphasized a simpler model of RFID query and response. The IoT will be inextricable from sensor networks that monitor things but do not control things. Both connected everyday objects and sensor networks will leverage a common set of technological advances toward miniature, power-efficient sensing, processing, and wireless communication. Analysts commonly describe two distinct modes of communication in the Internet of Things: thing-to-person and thing-to-thing communication.

Individuals, businesses, and governments are unprepared for a possible future when Internet nodes reside in such everyday things as food packages, furniture, paper documents, and more. Today's developments point to future opportunities and risks that will arise when people can remotely control, locate, and monitor everyday things. Popular demand combined with technology advances could drive widespread diffusion of an IoT that could, like the present Internet, contribute invaluably to the economy. But to the extent that everyday objects become information security risks, the IoT could distribute those risks far more widely than the Internet has to date.

In 2010, for the first time, the number of "things" connected to the Internet surpassed the number of people.[15]

By 2015, there will be 25 billion autonomous Internet-connected devices with sources estimating 35B-50B such devices by 2020.

"Some estimate that by 2020, 90% of consumer cars will have an Internet connection, up from less than 10 percent in 2013."[16]

The IoT will likely create whole new classes of devices that connect to broadband, and has the potential to generate fundamentally different requirements on the fixed and mobile networks: they will require more IP addresses, will create new traffic patterns possibly demanding changes in Internet routing algorithms, and potentially drive demand for more spectrum for wireless communications.

Security risks Edit

The IoT presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. Companies might use this data to make credit, insurance, and employment decisions. Perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption.

There appeared to be widespread agreement that companies developing IoT products should implement reasonable security. Of course, what constitutes reasonable security for a given device will depend on a number of factors, including the amount and sensitivity of data collected and the costs of remedying the security vulnerabilities.

These potential risks are exacerbated by the fact that securing connected IoT devices may be more challenging than securing a home computer, for two main reasons. First, companies entering the IoT market may not have experience in dealing with security issues. Second, although some IoT devices are highly sophisticated, many others may be inexpensive and essentially disposable. In those cases, if a vulnerability were discovered after manufacture, it may be difficult or impossible to update the software or apply a patch.

And if an update is available, many consumers may never hear about it. Relatedly, many companies — particularly those developing low-end devices — may lack economic incentives to provide ongoing support or software security updates at all, leaving consumers with unsupported or vulnerable devices shortly after purchase.

So what should companies do?

  • Second, with respect to personnel practices, companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.

Privacy risks Edit

There are many types of privacy risks flowing from the Internet of Things. Some of these risks involve the direct collection of sensitive personal information, such as precise geolocation, financial account numbers, or health informationrisks already presented by traditional Internet and mobile commerce. Others arise from the collection of personal information, habits, locations, and physical conditions over time, which may allow an entity that has not directly collected sensitive information to infer it.

The sheer volume of data that even a small number of devices can generate is stunning. "[R]esearchers are beginning to show that existing smartphone sensors can be used to infer a user's mood; stress levels; personality type; bipolar disorder; demographics (e.g., gender, marital status, job status, age); smoking habits; overall well-being; progression of Parkinson's disease; sleep patterns; happiness; levels of exercise; and types of physical activity or movement.” Such inferences could be used to provide beneficial services to consumers, but also could be misused. Relatedly, IoT enables the collection of "sensitive behavior patterns, which could be used in unauthorized ways or by unauthorized individuals.” There are also general privacy risks associated with these granular information-collection practices, including the concern that the trend towards abundant collection of data creates a "non-targeted dragnet collection from devices in the environment." Others noted that companies might use this data to make credit, insurance, and employment decisions. For example, customers of some insurance companies currently may opt into programs that enable the insurer to collect data on aspects of their driving habits — such as the number of "hard brakes," the number of miles driven, and the amount of time spent driving between midnight and 4 a.m. — to help set the insurance rate. Use of data for credit, insurance, and employment decisions could bring benefits — e.g., enabling safer drivers to reduce their rates for car insurance or expanding consumers' access to credit — but such uses could be problematic if they occurred without consumers' knowledge or consent, or without ensuring accuracy of the data.

Although a consumer may today use a fitness tracker solely for wellness-related purposes, the data gathered by the device could be used in the future to price health or life insurance or to infer the user's suitability for credit or employment (e.g., a conscientious exerciser is a good credit risk or will make a good employee). It would be of particular concern if this type of decision-making were to systematically bias companies against certain groups that do not or cannot engage in the favorable conduct as much as others or lead to discriminatory practices against protected classes.

The Fair Credit Reporting Act ("FCRA") imposes certain limits on the use of consumer data to make determinations about credit, insurance, or employment, or for similar purposes. The FCRA imposes an array of obligations on entities that qualify as consumer reporting agencies, such as employing reasonable procedures to ensure maximum possible accuracy of data and giving consumers access to their information. However, the FCRA excludes most "first parties" that collect consumer information; thus, it would not generally cover IoT device manufacturers that do their own in-house analytics. Nor would the FCRA cover companies that collect data directly from consumers' connected devices and use the data to make in-house credit, insurance, or other eligibility decisions — something that could become increasingly common as the IoT develops. For example, an insurance company may offer consumers the option to submit data from a wearable fitness tracker, in exchange for the prospect of lowering their health insurance premium. The FCRA's provisions, such as those requiring the ability to access the information and correct errors, may not apply in such circumstances.

Yet another privacy risk is that a manufacturer or an intruder could "eavesdrop" remotely, intruding into an otherwise private space. Companies are already examining how IoT data can provide a window into the previously private home. Indeed, by intercepting and analyzing unencrypted data transmitted from a smart meter device, researchers in Germany were able to determine what television show an individual was watching. Security vulnerabilities in camera-equipped devices have also raised the specter of spying in the home.

Finally, some participants pointed out that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential and may result in less widespread adoption.

Potential impacts of the Internet of Things on U.S. national power Edit

If the United States executes wisely, the IoT could work to the long-term advantage of the domestic economy and to the U.S. military. Streamlining — or revolutionizing — supply chains and logistics could slash costs, increase efficiencies, and reduce dependence on human labor. Ability to fuse sensor data from many distributed objects could deter crime and asymmetric warfare. Ubiquitous positioning technology could locate missing and stolen goods.

On the other hand, the U.S. may be unable to deny access to networks of sensors and remotely-controlled objects by enemies of the United States, criminals, and mischief makers. Foreign manufacturers could become both the single-source and single-point-of-failure for mission-critical Internet-enabled things. Manufacturers could also become vectors for delivering everyday objects containing malicious software that causes havoc in everyday life. An open market for aggregated sensor data could serve the interests of commerce and security no less than it helps criminals and spies identify vulnerable targets. Thus, massively parallel sensor fusion may undermine social cohesion if it proves to be fundamentally incompatible with Fourth Amendment guarantees against unreasonable search. By 2025, social critics may even charge that Asia's dominance of the manufacturing of things — and the objects that make up the Internet of Things — has funded the remilitarization of Asia, fueled simmering intra-Asian rivalries, and reduced U.S. influence over the course of geopolitical events.

Future scenarios and potential impacts on the United States Edit

When considering the spectrum of possibilities for the state of the IoT in 2025, the key uncertainties span a number of unresolved issues that fall along two major axes:

  • The timing of developments (slow versus fast)
  • The depth of penetration (niches versus ubiquity).

In terms of timing, just as the Internet and mobile telephony grew rapidly after their incubation periods, the IoT could emerge relatively rapidly if, on balance, the preponderance of conditions yields favorable policies, technological progress, and business collaboration. Or the IoT could arise more slowly if, on balance, conditions are less favorable in these dimensions.

In terms of depth of penetration, just as the Internet and mobile telephony penetrated deeply into the fabric of developed nations, the IoT could pervade everyday life if, on balance, the preponderance of conditions yields an enthusiastic public that uses its pocketbook to express strong market demand. Alternatively, if those demand signals do not materialize — for example if the public perceives costs, disadvantages, and risks that outweigh perceived benefits — then the IoT may remain limited to industrial, commercial, and government niches. Yet even those niches could include benefits and harms that would significantly affect the United States.

On the basis of these two axes of uncertainty, four scenarios highlight the spectrum of possibilities for how the future could play out until 2025. Whether fast and widespread, or slow and niche-driven, the emergence of the IoT has the potential to affect U.S. interests. We focus on the opportunities and threats that the two extreme scenarios present to the United States: Important risks and advantages will arise even in the "Connected Niches" scenario, which represents moderately-paced opportunistic developments of IoT technology. At the other extreme, "Ambient Interaction" highlights the implications of a rapid and deep penetration of information-communications technology into everyday objects — a scenario that is sufficiently plausible that its dramatic risks and advantages deserve consideration. We also describe briefly "Fast Burn" and "Slowly But Surely," which represent the middle ground among the four scenarios.

Scenario 1: Fast burn Edit

In "Fast Burn" the IoT develops rapidly but in a limited fashion, and fails to sustain its momentum. Although impacts become quite significant in particular application areas (industrial automation, health care, and security), the IoT doesn't fulfill the promise of becoming pervasive (and thus is of limited importance to everyday lifestyles, business operations, and the conduct of government). Ubiquitous positioning technology never materializes as military concerns about the risks of terrorists gaining access to improved geopositioning combine with inadequate local government funding for emergency service positioning. In this scenario, IoT technology confers similar risks and benefits to U.S. interests to those experienced in "Connected Niches," but neither the risks nor the benefits to U.S. interests inherent in "Ambient Interaction."

Scenario 2: Slowly but surely Edit

In "Slowly But Surely" the IoT becomes pervasive, but not until 2035 or so. Outcomes are somewhat similar to those of "Ambient Interaction," but there are substantial differences. The relatively slow development of the technology gives businesses and governments time to assimilate developments, allaying the most disruptive risks. Many risks remain, but the sheer complexity of technology in 2035 makes the IoT less accessible to hacking by mischief makers. Nevertheless, the most motivated malefactors and enemies of the United States can exploit the IoT in ways that are similar to those experienced in "Ambient Interaction," and benefits to U.S. interests do not materialize as dramatically as they do in "Ambient Interaction."

Scenario 3: Connected niches Edit

In "Connected Niches" the IoT evolves along application pathways that promise rapid payback and that can overcome resistance and indifference. Demand is commensurate with evolutionary but not revolutionary cost reductions, moderate technology progress that leaves some problems largely unsolved. Industries show reluctance to fully collaborate. Policies express at best a benign neglect for the potential advantages and, at worst, discriminate against innovation in favor of grandfathered interests. Even in 2025, positioning technology remains limited to outdoor use and many individual items lack RFID tags. Nevertheless, innovations encourage adoption of connected everyday objects and sensor networks in security, logistics, healthcare, document management, inventory management, fleet management, industrial automation, and robotics. In short, connected everyday devices are common in workplaces and military operations but not in households. Similarly, sensor networks mainly reside in workplaces and public places. Connected everyday objects and sensor networks deliver significant value to the economy and significant efficiencies to military organizations but also introduce significant vulnerabilities as new pathways for exploitation become available to mischief makers, criminals, and enemies of the United States. As niches grow, some interconnect, introducing unexpected interactions — some synergistic, others counterproductive.

  • Potential opportunities. The United States gains short-term economic advantages by adopting technologies that streamline commercial logistics and industrial automation, the combined effect of which lowers costs and boosts corporate profits. When retailers choose to keep RFID at the pallet level, technology suppliers aggressively seek and find alternative growth pathways via vertical-market opportunities. Airports and other public-transit hubs become venues for large-scale sensor networks that support the missions of private-security and public-safety agencies. For recognizing patterns of behavior indicating ill intent, software helps but does not reduce the need for human observers and analysts. Similarly, the IoT deters theft and helps locate missing goods, albeit indoor location is limited to perimeter-secured environments. Many hospitals and long-term care facilities become high-tech havens, resulting in significantly improved qualities of care. Two key niches — fleet management and document management — provide growth pathways for the IoT that confer decisive advantages over traditional approaches. Government and commercial operators of vehicle fleets find substantial value in advanced vehicle diagnostics and prognostics, enabling maintenance as-needed rather than on a schedule, concurrently yielding both reduced costs and increased reliability. Also, as solution prices fall, by 2020 paper documents and publications as well as electronic substitutes for paper e-books, smartcards, and other devices — commonly contain RFID tags, enabling automation of many formerly tedious and time-consuming processes.
  • Potential risks. The IoT's advantages to the U.S. economy are moderated by trade imbalances that favor the adding of value to everyday things by overseas manufacturers. First responders have poorer geolocation capability than terrorists (who use real-time kinematic and/or satellite-based augmentation solutions that are far less expensive to a small cell of individuals than to large public safety agencies). The IoT's contributions to physical security come at the cost of a high rate of false positive and false negative detections, so that while people consider that the cost-benefit balance is favorable, it is only marginally so; thus, depth of support is shallow. Similarly, while the IoT proves to be a boon for healthcare overall, some hospitals and long-term care facilities reduce costs by trading away the "care" in healthcare in favor of surveillance and restrictive, access control policies. While the IoT is decisively beneficial for vehicle maintenance and document management, serious risks and unavoidable annoyances accompany even these applications. A host of risks accompany people's overconfidence in technical solutions, often at the neglect of common sense.

Scenario 4: Ambient interaction Edit

In "Ambient Interaction" the IoT arises rapidly and pervasively, favored by technology progress, business collaboration, and innovation-friendly policies. Strong demand arises across several major sectors of the economy, as technological wizardry combined with creative business developments stimulate people's appetites for killer applications that reduce labor and tedium, confer peace of mind, and blur the lines between work, play, and commerce. Connected everyday objects and sensor networks are common in workplaces, public places, and households. By 2017, walk-through checkout procedures are the norm for retailing, and nationwide positioning technology is in place, including indoors. Strategic initiatives have ensured that the United States enjoys long-term economic and military advantages. Nevertheless, great risks accompany great benefits as pervasive computing introduces equally pervasive vulnerabilities. Just as the Internet aggravated the risks of cyberwarfare, spam, identity theft, and denial-of-service attacks, connected everyday objects become targets for malicious software that causes everyday devices to fail or spy. Sensor networks become channels for unauthorized surveillance by mischief makers, criminals, and enemies of the United States.

  • Potential opportunities. Geopolitical advantages arise as the United States uses sensor networks to foil terrorists and asymmetrical warriors. The U.S. military gains long-term advantage by quickly streamlining operations and adopting strategic initiatives for continuous innovation, specifically for the purpose of sustaining that advantage. The United States also gains long-term economic advantages by embracing technologies (notably, item-level RFID and indoor location) that concurrently streamline commercial logistics and add value to physical products, the combined effect of which stimulates GDP. In fact, the pervasive IoT enables logistics to undergo a revolution rather than merely streamlining. By 2025, robotic supply chains are common and considered more secure and less prone to human tampering than traditional shipping and receiving. At ports, containers report their contents to heavy equipment, which routes goods to trucks automatically; at distribution points, pallets and forklifts similarly communicate and route goods which arrive in stores largely untouched by human hands. RFIDs in individual food packages drive popular adoption of RFID readers in cell phones that provide an indication of food origins and provenance. Makers of other packaged goods leverage the universality of RFID readers in cell phones. A combination of useful advice and marketing gimmicks yields a remarkable mix of "advertainment" and social benefits, such as cell phones that double as displays for multilingual user manuals and recycling instructions. Individuals enthusiastically adopt objects having embedded positioning capability, dramatically reducing the incidence of misplaced and stolen goods.
  • Potential risks. The incidental risks mentioned in the "Connected Niches" scenario (above) threaten to multiply by an order of magnitude. As the United States increases its reliance on the IoT, supply disruptions will yield operational disruptions. Asia's role as single-source manufacturing center establishes a single point of failure for mission-critical materiel when new vehicles arrive on U.S. shores "contaminated" by malware. Terrorists can exploit sensor networks, whose encryption technology threatens to lag far behind the cracking capabilities of East- and North-European teenagers equipped with massively-multicore laptop computers. The same corporate and government misunderstanding of security issues that yielded email-propagated viruses and spam-generating "zombie" computers could end up providing the means for criminals and mischief makers to exploit connected everyday objects through lax security systems.

Signposts to monitor Edit

Scenarios exist because of the uncertainty that is inherent with any view of the future. Determining which scenario best mirrors reality at any one time depends on careful assessment of reliable information and knowledge and monitoring various signposts that would indicate the direction and pace with which any field of uncertainty (in this case, relative to enabling the disruptive potential of a technology to U.S. interests) is advancing. Key variables, which, if positive, would indicate environments that are supportive toward development of the Internet of Things, include:

  • The size and nature of demand for expedited logistics in commerce and military organizations,
  • The effectiveness of initial waves of IoT technology in reducing costs, thereby creating conditions for diffusion into vertical application areas including civilian government operations, law enforcement, healthcare, and document management,
  • The ability of devices located indoors to receive geolocation signals, possibly, distributing such signals by leveraging available infrastructures (cell towers, broadcasters, and other means),
  • Closely related technological advances in miniaturization and energy-efficient electronics, including reduced-power microcomputers and communications methods, energy-harvesting transducers, and improved microbatteries,
  • Efficient use of spectrum, including cost-effective solutions for wide-area communications at duty cycles that are much smaller (e.g., the equivalent of a few minutes per month) than those of cell phones (averaging many minutes per day), and
  • Advances in software that act on behalf of people, and software that effectively fuses ("makes sense of") sensor information from disparate sources.

References Edit

  1. Quoted in Dave Evans, The Internet of Things: How the Next Evolution of the Internet Is Changing Everything, at 4 (Cisco Internet Business Solutions Group (IBSG)) (Apr. 2011) (full-text).
  2. NSTAC Report to the President on the Internet of Things, at ES-2.
  3. International Telecommunication Union, The Internet of Things, Executive Summary, at 3 (Nov. 2005) (full-text).
  4. Big Data: Seizing Opportunities, Preserving Values, at 2.
  5. Internet of Things: Privacy & Security in a Connected World, at i.
  6. Internet of Things in 2020: A Roadmap for the Future, Executive Summary.
  7. Id.
  8. Risk and Responsibility in a Hyperconnected World, at 28.
  9. Internet of Things: Privacy & Security in a Connected World, at 6.
  10. Industrial Internet Scoping Report, at 1.
  11. Big Data: Seizing Opportunities, Preserving Values, at 5.
  12. Internet of Things: Privacy & Security in a Connected World, at 5.
  13. Industrial Internet Scoping Report, at 1.
  14. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, at 8.
  15. The Internet of Things. How the Next Evolution of the Internet Is Changing Everything, at 3.
  16. The Internet of Things. How the Next Evolution of the Internet Is Changing Everything, at 3.

Source Edit

  • Privacy risk section: Id. at 14-18 (footnotes omitted).

See also Edit

External resources Edit

  • Michael Chui, Markus Löffler & Roger Roberts, "the Internet of Things," McKinsey Qtly. (Mar. 2010) (full-text) (Free registration required.)
  • Bruce Schneier, "The Internet of Things Is Wildly Insecure — And Often Unpatchable." Wired, Jan. 6, 2014 (full-text).

Around Wikia's network

Random Wiki