Regulating ‘internet of things’ requires a better definition from lawmakers
The National Telecommunications and Information Administration—the U.S. Department of Commerce agency that advises the White House on telecom policy—published a green paper outlining what it saw as the department’s role in fostering development of the so-called “Internet of things.”
Indeed, NTIA is just the latest federal agency to suggest a significant government role in the world of networked devices, as it joined the Department of Homeland Security, National Institute of Standards and Technology, Federal Communications Commission and Federal Trade Commission.
But before we can determine what role, if any, the federal government should play in the internet of things, we first need to define what that phrase means, a task easier said than done.
Broadly, the internet of things is an array of connected objects with unique identifiers that transfer data over a network. These can include connected cars, drones, cities, physical infrastructure, household appliances, computers and smart phones, medical devices, internet infrastructure and wearables. The phrase is used to describe both software and hardware, with industrial, consumer and critical infrastructure applications. It is sometimes, though not always, associated with automation, distributed computing, ubiquitous computing, big data and smart technology. The devices will usually, but not always, make use of radio frequency identification, or RFID chips, beacons or other near-field communications technologies.
The term “internet of things” originated in 1999, when one of the founders of the Massachusetts Institute of Technology’s Auto-ID center used it to describe a class of identification technologies used in automation processes. A 2005 report from the International Telecommunication Union further popularized the term, defining it as “ubiquitous computing,” complete with machine-to-machine communication and real-time connectivity. In the decade since, the term “internet of things” has included and excluded various classes of connected objects.
The FTC’s definition focuses on devices originally intended to function as something other than computers; it thus excludes laptops, desktops, servers, tablets and smartphones. Other definitions exclude computers and smartphone apps because they are designed to receive intentional human input.
The NIST acknowledges “no formal, analytic or even descriptive set of building blocks that govern the operation, trustworthiness and lifecycle” of the internet of things. In order to address that challenge, the agency’s green paper identified four building blocks that characterize a network of “things”: a sensor, an aggregator, a communication channel and a decision trigger.
What all these various definitions have in common is the concept of connectivity. But connected devices are as old as the first computer network, which had its origins in the military in the late 1950s and early 1960s. In a sense, the first “internet of things” device was Carnegie Mellon University’s Internet-enabled Coke vending machine in the mid-1970s. The school’s computer science department installed microswitches to sense whether bottles were present and relayed the information to a server that students could access from anywhere on the internet.
The technology has come a long way since that Coke machine. Internet-enabled devices that can see, hear or otherwise sense, are now ubiquitous in public and private places. But the phenomenon of large-scale connectivity also raises serious concerns about privacy, cybersecurity and physical safety. Identifying technologies like RFID and “always on” sensing capabilities have privacy and surveillance implications.
Devices that interact directly with the physical world or have clear real-world consequences can result in safety issues, as the recent attacks on Ukraine’s power grid demonstrate. The Internet-enabled features of connected devices drive many cybersecurity concerns, including distributed denial of service attacks and other types of cyberattacks aimed at data exfiltration.
Because this is such a broad class of devices, policymakers should be wary of pursuing regulations specific to the internet of things. Vague or broad definitions could lead to regulatory uncertainty, issues with implementation and unintended consequences. It’s likely we will continue to see departments and agencies vying for jurisdiction over the internet of things. As those regulatory discussions advance, policymakers need to know what they are regulating.
Image by chombosan
