IGF 2019 Accountable development, purchase and use of IoT

DC

The Internet of Things towards the future, building on inherent Core Internet Values

Round Table - Circle - 90 Min

Description

While IoT development and deployment continues to expand and grow, it is also welcome that there are more and more actors in the world seeking ways forward that will allow it to do so in a responsible manner. With IoT becoming all pervasive, and increasingly a key part of our critical infrastructures, taking ethical considerations into account from the outset has become key. A precondition for responsible IoT is that it is "secure enough" to be used responsibly. The DC IoT is currently exploring what "ethical considerations" have to be taken into account, and what can be done to come to a base-level approach for the further secure roll-out and use of IoT devices that can be trusted to be used for their purpose, and not to harm their users or the security and stability of the Internet itself.

  1. What ethical considerations are important for development, deployment and use of IoT, in order to ensure that we are creating sustainable solutions with IoT? Aspects to be considered range from affordability and deployability where needed, to transparency of choice; clarity on data sharing and protection of privacy.
  • There were numerous acknowledgements / caveats made throughout the discussions during both panels that the development of IoT devices was not inherently good or bad and did not in itself raise such ethical issues. Rather, it was their use that did, and so the discussion needed to consider what manufacturers and others in the chain could do to address such potential issues.
  • Discussion in both the morning and afternoon sessions focused on three key ethical considerations for the deployment and use of IoT:
    • Interoperability - This took on several meanings in the discussion, focusing not only across devices but between devices and ISPs.
    • Accessibility - The need for greater accessibility of interfaces was stressed by participants as particularly important for individuals with disabilities.
    • Transparency - Though not directly discussed, much of the discussion centered around the need for increased transparency of stakeholders in the IoT sector on matters related to security. This included, but wasn't limited to: (1) the nature and frequency of software updates; (2) any additional steps needed (if any) to ensure high levels of security of the device; and (3) the degree to which parties engage in information sharing of security vulnerabilities to alert other stakeholders of known issues.


  2. What prerequisites are important from a security perspective, to ensure that IoT can be trusted not to be harmful to its users, nor the wider Internet; for example by being weaponised as a tool for DDOS attacks or being used as an attack vector against the users themselves?
  • Both panels agreed that, fundamentally, the question of security has to be looked at holistically - not only from the perspective of a single actor or even the IoT sector, but from the larger Internet environment - when attempting to understand what needs to be done to ensure that IoT can be trusted. As such, the security perspective on IoT is one that must constantly adapt to current circumstances, socioeconomic challenges, and the general state of the industry. The need for security is also very much dependent on the use of the IoT device/service.
  • With this in mind, the discussion focused both directly and indirectly on Security by Design.
    • Panelists noted the need to consider the different levels of security that devices have embedded within them - as well as the multiple layers of potential security throughout the IoT chain. To this end, there were numerous questions presented about the need to ensure that minimum levels of security are met not only upon manufacturing but through software updates (and whether liability questions arise when software updates meeting those minimums are not made).
    • Relatedly, panelists emphasized the need to think about this not only from the point of initial manufacturing but throughout the life of a device. To this end, there was considerable discussion about how to ensure that vulnerabilities / loopholes are addressed throughout the software updating process (i.e. quality vs quantity of such updates).
    • Further, panelists raised the point that “end of life” plans need to be considered to ensure the security (or proper destruction) of devices after they are no longer in use, as well as waste aspects of decommissioning devices.
  • One panelist noted that the Charter of Trust could play a significant role, and potentially be a key stakeholder, in the discussion going forward when considering how to establish a baseline of security throughout the connected chain of IoT devices, while recognizing that specific requirements depend on the specific use.


  3. Looking ahead – which issues will become relevant in the future for IoT development, affecting the broader Internet and that need to be tackled in the context of future use of IoT and recognition of Core Internet Values?
  • The fundamental question / issue relevant to the future of IoT development is the role of regulations versus industry best practices in establishing the security of the sector throughout the continued growth of its adoption.
  • Relatedly, participants and panelists presented the question of whether the sector has reached a point where a classification system was needed to certify a minimum level of security.
    • This then led to a number of questions regarding both the establishment and operation of such a classification system. These included:
      • Would it look like another standard-setting process? If so, would there be an ability to "opt out", and what would that mean for the market of such devices?
      • Would it require testing to ensure that certain minimum standards are met? If so, what does that process look like, to ensure that this testing is meaningful in nature?
    • Relatedly, panelists and participants raised the question of regional challenges. Namely, given the fact that there currently is no central body prepared to handle certification under such a classification system, how are the market and consumers supposed to handle and / or comprehend the evolution of potentially regional classification systems? To this end, one panelist presented the question of whether this raised the need to take a sector-specific approach (akin to financial services), but even then there were questions that remained about how that would evolve in the IoT sector.
      • Although this question was not explicitly discussed during the second panel discussion, it relates directly to one of the Core Internet Values that was discussed: being global - and not regional - in nature and reach, but also necessarily coordinated through different levels of multi-stakeholder engagement.
  • Panelists raised the need to distinguish between enterprise and consumer-facing IoT when considering standards and / or classification systems in the future. Relatedly, the proposition was made that perhaps the IT procurement protocols of governments could provide some guidance to the larger IoT sector. While it was noted that there is still considerable work that needs to be done within the procurement process, there has been considerably more attention / discussion in this area than in IoT generally.
  • Although only briefly discussed, the need for greater information sharing was stressed heavily towards the end of the initial panel. This discussion highlighted the fact that the system is currently structured to villainize any party that publicly shares information about vulnerabilities, and that once something is known, attention primarily focuses on design flaws. There was an emphasis on the need to discern ways to share more information about investigations into potential issues, and how they were redressed, prior to reaching a crisis point, to ensure an overall more secure environment for IoT devices.
Organizers

Maarten Botterman, GNKS Consult BV
Wolfgang Kleinwaechter, University of Aarhus, GCSC
Avri Doria, Technicalities
Dan Caprio, The Providence Group
Nigel Hickson, ICANN
Peter Koch, DENIC

Speakers

DC IoT: Chair: Maarten Botterman. Moderator: Avri Doria. Committed contributors: Frederic Donck, Internet Society, Merike Kaeo, ICANN Board/SSAC, Max Senges, Google, Marco Hogewoning RIPE NCC, and others.

  • Please note that Maarten Botterman stepped down at the end of the session, and that Shane Tews, Logan Circle Strategies was elected as new Chair for the DC IoT with immediate effect.

DC CIV: Chair: Olivier Crépin-Leblond. Committed contributors: Alejandro Pisanty, UNAM, Mexico; Jimson Olufuye PhD CEO Kontemporary, Africa ICT Alliance, Nigeria; Sivasubramanian Muthusamy, Internet Society India Chennai; Thomas Rickert, Attorney at Law, Director Names & Numbers eco Association of the Internet Industry; Vint Cerf, Google, United States

Rapporteur: Ryan Triplette, Canary Global Strategic


SDGs

GOAL 2: Zero Hunger
GOAL 3: Good Health and Well-Being
GOAL 6: Clean Water and Sanitation
GOAL 7: Affordable and Clean Energy
GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 11: Sustainable Cities and Communities
GOAL 12: Responsible Production and Consumption
GOAL 13: Climate Action
GOAL 14: Life Below Water
GOAL 15: Life on Land
GOAL 17: Partnerships for the Goals

1. Key Policy Questions and Expectations
  1. What ethical considerations are important for development, deployment and use of IoT, in order to ensure that we are creating sustainable solutions with IoT? Aspects to be considered range from affordability and deployability where needed, to transparency of choice; clarity on data sharing and protection of privacy;
  2. What prerequisites are important from a security perspective, to ensure that IoT can be trusted not to be harmful to its users, nor the wider Internet; for example by being weaponised as a tool for DDOS attacks or being used as an attack vector against the users themselves.
  3. Looking ahead – which issues will become relevant in the future for IoT development, affecting the broader Internet. This provides an open microphone for new issues to tackle in the context of future use of IoT and recognition of Core Internet Values.
2. Summary of Issues Discussed

Topline Areas of Agreement:

  1. The need for security in the IoT sector has reached a critical juncture, its assurance depending on all of the stakeholders in the ecosystem, not only manufacturers.
  2. A classification system for IoT devices could address immediate questions regarding security, but could take some time to establish.
  3. There needs to be greater transparency throughout the IoT sector and increased accountability of participants in the chain from devices to end user - from initiatives taken to address vulnerabilities throughout the life of devices through to their end-of-life.

Topline Areas of Divergence:

  1. What role regulation and legislation should play in addressing security concerns, given both the complexity and the immediacy of the concern for the larger health and security of the IoT sector.
  2. To what degree developers and consumers should bear responsibility/liability for breaches in security.
  3. What willingness there is to pay for additional security.
3. Policy Recommendations or Suggestions for the Way Forward

Develop a classification system for IoT devices, weighing the potential pros and cons for the future security of the IoT sector. We would propose the consideration of the formation of a sub-working group, comprised of members from both the DC IoT and DC CIV, to further examine the setup of such a system. Amongst other items, this working group could take up a number of the questions presented during the panels.

4. Other Initiatives Addressing the Session Issues

To support a secure IoT environment, there is a key distinction between what needs to be done to ensure that the devices / supply chain are secure and what needs to be done to ensure the ethical / secure use of those devices. This discussion highlighted the key and unique role that ethical frameworks, as opposed to legislation, may serve to ensure security by design in future IoT development and deployment; namely, the potential need for governments to outline the legal contours of accountability and responsibility. Here too, the importance of classification of devices and services was emphasized.


5. Making Progress for Tackled Issues

We would propose the consideration of the formation of a sub-working group, comprised of members from both the DC IoT and DC CIV, to further examine the setup of such a system. Amongst other items, this working group could take up a number of the questions presented during the panels. This should lead to proposals for IGF2020 sessions.

6. Estimated Participation

Total number of participants throughout the session: ~60; of which ~40% women.

7. Reflection to Gender Issues

The session did not specifically consider gender issues.

8. Session Outputs

[weblink to full report to be announced]

DC IoT website: https://www.iot-dynamic-coalition.org/