
Internet of Things – New security and privacy challenges


Rolf H. Weber

University of Zurich, Zurich, Switzerland, and University of Hong Kong, Hong Kong

Keywords: Data protection; Internet of Things; Privacy; RFID; Security

Abstract

The Internet of Things, an emerging global Internet-based technical architecture facilitating the exchange of goods and services in global supply chain networks, has an impact on the security and privacy of the involved stakeholders. Measures ensuring the architecture’s resilience to attacks, data authentication, access control and client privacy need to be established. An adequate legal framework must take the underlying technology into account and would best be established by an international legislator, which is supplemented by the private sector according to specific needs and thereby becomes easily adjustable. The contents of the respective legislation must encompass the right to information, provisions prohibiting or restricting the use of mechanisms of the Internet of Things, rules on IT-security-legislation, provisions supporting the use of mechanisms of the Internet of Things and the establishment of a task force doing research on the legal challenges of the IoT.

© 2010 Prof Rolf H. Weber. Published by Elsevier Ltd. All rights reserved.

1. Internet of Things: notion and technical background

The Internet of Things (IoT) is an emerging global Internet-based information architecture facilitating the exchange of goods and services in global supply chain networks.[1] For example, the lack of certain goods would automatically be reported to the provider which in turn immediately causes electronic or physical delivery. From a technical point of view, the architecture is based on data communication tools, primarily RFID-tagged items (Radio-Frequency Identification).[2] The IoT[3] has the purpose of providing an IT-infrastructure facilitating the exchanges of “things” in a secure and reliable manner.[4]

The most popular industry proposal for the new IT-infrastructure of the IoT is based on an Electronic Product Code (EPC), introduced by EPCglobal and GS1.[5] The “things” are physical objects carrying RFID tags with a unique EPC; the infrastructure can offer and query EPC Information Services (EPCIS) both locally and remotely to subscribers.[6] The information is not fully saved on an RFID tag, but a supply of the information by distributed servers on the Internet is made available through linking and cross-linking with the help of an Object Naming Service (ONS).[7]

[1] For a general overview see Rolf H. Weber, Internet of Things – Need for a New Legal Environment? [2009] 25 Computer Law & Security Review 521.

[2] RFID is a technology used to identify, track and locate assets; the universal, unique identification of individual items through the EPC is encoded in an inexpensive RFID tag.

[3] The term “IoT” has been “invented” by Kevin Ashton in a presentation in 1998 (see Gerald Santucci, Paper for the International Conference on Future Trends of the Internet, From Internet of Data to Internet of Things, at p. 2, available at: ftp://ftp.cordis.europa.eu/pub/fp7/ict/docs/enet/20090128-speech-iot-conference-lux_en.pdf).

[4] For general overviews of the technical background of the IoT see Christian Floerkemeier/Marc Langheinrich/Elgar Fleisch/Friedemann Mattern/Sanjay E. Sarma (eds), The Internet of Things, Berlin/Heidelberg 2008; Lu Yan/Yan Zhang/Laurence T. Yang/Huansheng Ning (eds), The Internet of Things, New York/London 2008.

[5] See https://www.sodocs.net/doc/368076142.html, .

[6] See Benjamin Fabian, Secure Name Services for the Internet of Things, Thesis, Berlin 2008, 30/31; to the details of the service orientation and the context-aware computing see Davy Preuveneers/Yolande Berbers, Internet of Things: A Context-Awareness Perspective, in: Yan/Zhang/Yang/Ning, supra note 4, 288, at 296 ss.

Computer Law & Security Review 26 (2010) 23–30

0267-3649/$ – see front matter © 2010 Prof Rolf H. Weber. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2009.11.008

The ONS is authoritative (linking metadata and services) in the sense that the entity having – centralized – change control over the information about the EPC is the same entity that assigned the EPC to the concerned item.[8] Thereby, the architecture can also serve as a backbone for ubiquitous computing, enabling smart environments to recognize and identify objects, and receive information from the Internet to facilitate their adaptive functionality.[9] The central ONS root is operated by the (private) company VeriSign, a provider of Internet infrastructure services.

The ONS is based on the well-known Domain Name System (DNS). Technically, in order to use the DNS to find information about an item, the item’s EPC must be converted into a format that the DNS can understand, which is the typical, “dot” delimited, left to right form of all domain names.[10] Since the EPC is encoded into a syntactically correct domain name and then used within the existing DNS infrastructure, the ONS can be considered as a subset of the DNS. For this reason, however, the ONS will also inherit all of the well-documented DNS weaknesses, such as the limited redundancy in practical implementations and the creation of single points of failure.[11]
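The conversion described above, following the steps of the ONS 1.0.1 standard cited in note 10, as an added Python example (not code from the article or from EPCglobal). It also encodes the resulting name as an ordinary DNS NAPTR question and parses it back the way a party watching the lookup could; the sample EPC, the function names and the transaction ID are constructed for illustration, and only SGTIN identifiers are handled.

```python
import re
import struct

ONS_ROOT = "onsepc.com"   # root domain defined for ONS 1.0.1 lookups
NAPTR = 35                # DNS resource record type queried by ONS
_SGTIN = re.compile(r"urn:epc:id:sgtin:(\d+)\.(\d+)\.(\S+)")


def epc_to_ons_domain(epc_uri, root=ONS_ROOT):
    """Convert an SGTIN pure-identity EPC URI into its ONS query name."""
    m = _SGTIN.fullmatch(epc_uri)
    if m is None:
        raise ValueError("expected urn:epc:id:sgtin:<prefix>.<item>.<serial>")
    company_prefix, item_ref, _serial = m.groups()
    # Steps of the standard: strip 'urn:epc:', drop the serial number,
    # turn ':' into '.', invert the field order, append the ONS root.
    fields = ["id", "sgtin", company_prefix, item_ref]
    return ".".join(reversed(fields)) + "." + root


def build_naptr_query(qname, txid=0x1234):
    """Encode an unencrypted DNS question (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit, 1 question
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", NAPTR, 1)  # class IN


def observer_view(packet, root=ONS_ROOT):
    """Return what a passive observer of the query can read, or None."""
    pos, labels = 12, []                      # question follows the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    root_labels = root.split(".")
    epc_labels = labels[:-len(root_labels)]
    if labels[-len(root_labels):] != root_labels or qtype != NAPTR:
        return None                           # not an ONS lookup
    if len(epc_labels) != 4:
        return None                           # not the SGTIN layout built above
    item_ref, company_prefix, scheme, _ = epc_labels
    return {
        "scheme": scheme,
        "company_prefix": company_prefix,     # identifies the manufacturer
        "item_reference": item_ref,           # identifies the product class
        "serial_visible": False,              # serial never enters the query name
    }


if __name__ == "__main__":
    sample_epc = "urn:epc:id:sgtin:0614141.000024.400"   # constructed sample
    name = epc_to_ons_domain(sample_epc)
    print(name)
    print(observer_view(build_naptr_query(name)))
```

Two EPCs that differ only in their serial number map to the same query name, so the lookup exposes the manufacturer and product class but not the individual item.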

2. Security and privacy needs

2.1. Requirements related to IoT technology

The described technical architecture of the IoT has an impact on the security and privacy of the involved stakeholders. Privacy includes the concealment of personal information as well as the ability to control what happens with this information.[12] The right to privacy can be considered as either a basic and inalienable human right, or as a personal right or possession.[13]

The attribution of tags to objects may not be known to users, and there may not be an acoustic or visual signal to draw the attention of the object’s user. Thereby, individuals can be followed without them even knowing about it and would leave their data or at least traces thereof in cyberspace.[14] Further aggravating the problem, it is not anymore only the state that is interested in collecting the respective data, but also private actors such as marketing enterprises.[15] Since business processes are concerned, a high degree of reliability is needed. In the literature, the following security and privacy requirements are described:[16]

Resilience to attacks: The system has to avoid single points of failure and should adjust itself to node failures.

Data authentication: As a principle, retrieved address and object information must be authenticated.[17]

Access control: Information providers must be able to implement access control on the data provided.[18]

Client privacy: Measures need to be taken that only the information provider is able to infer from observing the use of the lookup system related to a specific customer; at least, inference should be very hard to conduct.

Private enterprises using IoT technology will have to include these requirements into their risk management concept governing the business activities in general.

2.2. Privacy enhancing technologies (PET)

The fulfilment of customer privacy requirements is quite difficult. A number of technologies have been developed in order to achieve information privacy goals. These Privacy Enhancing Technologies (PET) can be described in short as follows:[19]

Virtual Private Networks (VPN) are extranets established by close groups of business partners. As only partners have access, they promise to be confidential and have integrity. However, this solution does not allow for a dynamic global information exchange and is impractical with regard to third parties beyond the borders of the extranet.

Transport Layer Security (TLS), based on an appropriate global trust structure, could also improve confidentiality and integrity of the IoT. However, as each ONS delegation step requires a new TLS connection, the search of information would be negatively affected by many additional layers.

[7] Fabian, supra note 6, at 33.

[8] EPCglobal, Object Naming Service (ONS) Version 1.0.1, at para 4.2, available at: https://www.sodocs.net/doc/368076142.html,/standards/ons/ ons_1_0_1-standard-20080529.pdf.

[9] Fabian, supra note 6, at 1.

[10] EPCglobal, Object Naming Service (ONS) Version 1.0.1, supra note 8, at para 5.2.

[11] For more details see Weber, supra note 1.

[12] Seda F. Gürses/Bettina Berendt/Thomas Santen, Multilateral Security Requirements Analysis for Preserving Privacy in Ubiquitous Environments, in: Bettina Berendt/Ernestina Menasalvas (eds), Workshop on Ubiquitous Knowledge Discovery for Users (UKDU’06), at 51–64; for privacy as freedom see Gus Hosein, Privacy as Freedom, in: Rikke Frank Jørgensen (ed.), Human Rights in the Global Information Society, Cambridge/Massachusetts 2006, at 121–147.

[13] Gürses/Berendt/Santen, supra note 12, at 54.

[14] See also Ari Juels, RFID Security and Privacy: A Research Survey, IEEE Journal on Selected Areas in Communications, Vol. 24, 2006, 381–394, at 383; Marc Langheinrich/Friedemann Mattern, Wenn der Computer verschwindet, digma 2002, 138–142, at 139; Friedemann Mattern, Ubiquitous Computing: Eine Einführung mit Anmerkungen zu den sozialen und rechtlichen Folgen, in: Jürgen Taeger/Andreas Wiebe (eds), Mobilität. Telematik, Recht, Köln 2005, 1–34, at 18 s.

[15] Mattern, supra note 14, at 24.

[16] See Benjamin Fabian/Oliver Günther, Distributed ONS and its Impact on Privacy, 1223, 1225, available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=04288878.

[17] For RFID authentication see Juels, supra note 14, at 384 s; Rolf H. Weber/Annette Willi, IT-Sicherheit und Recht, Zurich 2006, at 284.

[18] See also Eberhard Grummt/Markus Müller, Fine-Grained Access Control for EPC Information Services, in: Floerkemeier/Langheinrich/Fleisch/Mattern/Sarma, supra note 4, at 35–49.

[19] Fabian, supra note 6, 61 s; Benjamin Fabian/Oliver Günther, Security Challenges of the EPCglobal Network, Communications of the ACM, Vol. 52, July 2009, 121–125, at 124 s.

DNS Security Extensions (DNSSEC) make use of public-key cryptography to sign resource records in order to guarantee origin authenticity and integrity of delivered information. However, DNSSEC could only assure global ONS information authenticity if the entire Internet community adopts it.

Onion Routing encrypts and mixes Internet traffic from many different sources, i.e. data is wrapped into multiple encryption layers, using the public keys of the onion routers on the transmission path. This process would impede matching a particular Internet Protocol packet to a particular source. However, onion routing increases waiting times and thereby results in performance issues.

Private Information Retrieval (PIR) systems conceal which customer is interested in which information, once the EPCIS have been located. However, problems of scalability and key management, as well as performance issues would arise in a globally accessible system such as the ONS, which makes this method impractical.

A further method to increase security and privacy are Peer-to-Peer (P2P) systems, which generally show good scalability and performance in the applications. These P2P systems could be based on Distributed Hash Tables (DHT). Access control, however, must be implemented at the actual EPCIS itself, not on the data stored in the DHT, as there is no encryption offered by any of these two designs.[20] Insofar, the assumption is reasonable that encryption of the EPCIS connection and authentication of the customer could be implemented without major difficulties, using common Internet and web service security frameworks.[21] In particular, the authentication of the customer can be done by issuing shared secrets or using public-key cryptography.[22]

It is important that an RFID tag having been attached to an object can – at a later stage – be disabled in order to allow for customers to decide whether they want to make use of the tag. RFID tags may either be disabled by putting them in a protective mesh of foil known as a “Faraday Cage” which is impenetrable by radio signals of certain frequencies or by “killing” them, i.e. removing and destroying them.[23] However, both options have certain disadvantages. While putting tags in a special cage is relatively safe, it requires that every tag from every single product is put in that cage if a customer desires so. Chances are that certain tags will be overlooked and left with the client and that he/she could still be traced. Sending a “kill” command to a tag leaves room to the possibility of reactivation or that some identifying information could be left on the tag. Furthermore, businesses may be inclined to offer clients incentives for not destroying tags or secretly give them tags.[24] Instead of killing tags, the dissolution of the connection between the tag and the identifiable object could be envisaged. The information on ONS is deleted to protect the privacy of the owner of the tagged object. While the tag can still be read, further information with potential information concerning the respective person, however, are not retrievable.[25]

Moreover, transparency is also needed for non-personally identifiable information retrieved by RFID. An active RFID can for example trace movements of visitors of an event real time without identifying the persons as such who remain anonymous; nevertheless, the question remains whether such information not covered by traditional privacy laws might be collected without any restriction.[26]

2.3. Legal course of action

The European Commission is aware of the security and privacy issues related to the RFID and the IoT. In a Recommendation of May 12, 2009 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification[27] the European Commission invites the Member States to provide for guidance on the design and operation of RFID applications in a lawful, ethical and socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal data (No. 1). In particular, the Recommendation outlines measures to be taken for the deployment of RFID application to ensure that national legislation is complying with the EU Data Protection Directives 95/46, 99/5 and 2002/58 (No. 2). Member States should ensure that industry in collaboration with relevant civil society stakeholders develops a framework for privacy and data protection impact assessments (PIA; No. 4); this framework should be submitted to the Article 29 Data Protection Working Party within 12 months. Industry and civil society stakeholders are in the process of establishing the requested framework PIA until late 2009. The objectives of the PIA are designed to identify the implications of the application on privacy and data protection, to determine whether the operator has taken appropriate technical and organizational measures to ensure respective protection, to document the measures implemented with respect to the appropriate protection, and to serve as a basis for a PIA report that can be submitted to the competent authorities before deployment of the application. Presumably, the framework should serve to determine a common structure and content of reports. In particular, RFID application description and scope, RFID application governing practices, accountability and analysis and resolution seem to be of importance. Furthermore, operators are asked to conduct an assessment of the implications of the application implementation for the protection of personal data and privacy and take appropriate technical and organizational measures to ensure the protection of personal data and privacy (No. 5), and a person within a business needs to be designated for the review of the assessments and the continued appropriateness of the technical and organizational measures. In addition, Member States are invited to support the EU Commission in identifying those applications that might raise information security threats with implications for the general public (No. 6). Additional provisions of the Recommendation concern the information and transparency on RFID use, the RFID applications used in the retail trade, the awareness raising actions, research and development as well as follow-up actions (Nos. 7–18).

[20] Benjamin Fabian/Oliver Günther, Distributed ONS and its Impact on Privacy, 1225, available at http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=04288878.

[21] Fabian/Günther, supra note 19, at 123.

[22] Fabian/Günther, supra note 20, at 1227.

[23] Gal Eschet, Protecting Privacy in the web of Radio Frequency Identification, Jurimetrics, Vol. 45, 2005, 301–332, at 317 s.

[24] Eschet, supra note 23, at 137 ss.

[25] Jürgen Müller/Matthias Handy, RFID als Technik des Ubiquitous Computing – Eine Gefahr für die Privatsphäre?, at 17, available at: http://www.imd.uni-rostock.de/veroeff/handy_bamberg05.pdf.

[26] See Weber/Willi, supra note 17, at 245 ss; Viola Schmid, Radio Frequency Identification Law Beyond 2007, in: Floerkemeier/Langheinrich/Fleisch/Mattern/Sarma, supra note 4, 196–213, at 196; Benjamin Fabian/Oliver Günther/Sarah Spiekermann, Security Analysis of the Object Name Service, at 1 ss, available at http://lasecwww.epfl.ch/~gavoine/download/papers/FabianGS-2005-sptpuc.pdf.

[27] COM(2009) 3200 final.

In its specific Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on the Internet of Things (an Action Plan for Europe), the EU Commission again points to the importance of security and privacy in the IoT framework.[28] The particular Line of Action 2 encompasses the continuous monitoring of the privacy and the protection of personal data questions; as part of Line of Action 3 the EU Commission is envisaging to launch a debate on the technical and the legal aspects of the “right to silence of the chips” and expresses the idea that individuals should be able to disconnect from their networked environment at any time.

3. Milestones of an adequate legal framework

The implementation of the IoT architecture and the use of RFID pose a number of legal challenges; the basic questions of the agenda can be phrased as follows[29]:

Is there a need for (international or national) state law or are market regulations of the concerned businesses sufficient?

If legislation is envisaged: Would existing/traditional legislation be sufficient or is there a need for new laws?

If new laws are to be released: Which kind of laws are required and what is the time frame for their implementation?

These legal challenges need to be embedded into the human rights and constitutional framework. Insofar, the decision of the German Supreme Court of 27 February 2008 constituting an independent fundamental right of confidentiality and integrity related to info-technical systems merits attention.[30]

3.1. Systematic approach

The establishment and implementation of an appropriate legal framework[31] calls for a systematic approach[32] in relation to the legislative process. Thereby, the following aspects should be taken into account:[33]

Facts about RFID using scenarios are to be systematically developed; only under the condition that the facts are sufficiently known, adequate legal provisions can be drafted.

A systematization of the legal problems potentially occurring can be done by coordination along the below discussed four technical axes, namely globality, verticality, ubiquity and technicity.

The legal challenges of security and privacy issues related to the IoT and RFID are to be qualitatively classified.

In particular, the question must be addressed how much privacy the civil society is prepared to surrender in order to increase security. Solutions should be looked for allowing considering privacy and security not as opposites, but as principles affecting each other.[34]

In light of the manifold factual scenarios, it appears to be hardly possible to come to a homogenous legal framework governing all facets of the IoT and RFID. Moreover, a heterogeneous and differentiated approach will have to be taken into account. Thereby, the technical environment can be crystallized along the four axes, representing the most important challenges to the establishment of regulation:[35]

Globality is based on the fact that goods and services in the IoT context will be globally marketed and distributed. The RFID technology is also “global” in the sense that the same technical processes are applied all over the world. Consequently, business and trade would be heavily complicated if differing national laws would be in place. If the RFID-tagged products are available on a global level, the legal systems need to be synchronized.

Verticality means the potential durability of the technical environment. In particular, it is important for the life of the IoT that RFID-tagged products are lasting long enough to not only use them in the supply chain until the final customer, but also for example in the waste management. For the time being, this requirement is not sufficiently met in the EPC traffic.

Ubiquity refers to the extent of the RFID-tagged environment; technically, RFID could indeed be used ubiquitously encompassing persons, things, plants, and animals.

[28] COM(2009) 278 final.

[29] Schmid, supra note 26, at 200.

[30] See Decision 1 BvR 370/07 and 1 BvR 595/07; to this decision see Rolf H. Weber, Grundrecht auf Gewährleistung der Vertraulichkeit und Integrität, digma 2008, 94–97; Thomas Stögmüller, Vertraulichkeit und Integrität informationstechnischer Systeme in Unternehmen, CR 2008, 435–439; Bernd Holznagel/Pascal Schumacher, Auswirkungen des Grundrechts auf Vertraulichkeit und Integrität informationstechnischer Systeme auf RFID-Chips, MMR 2009, 3–8.

[31] A general overview in respect of the globalization developments which confront privacy issues is given by Herbert Burkert, Globalization – Strategies for Data Protection, Weblaw-Jusletter, 3 October 2005, at nos. 11–25.

[32] See also Pieter Kleve/Richard De Mulder, Privacy protection and the right to information: in search of a new symbiosis in the information age, in: Sylvia Kierkegaard Mercado (ed.), Cyberlaw, Security and Privacy, Beijing 2007, 201, at 205/06.

[33] Schmid, supra note 26, at 201 s.

[34] Kleve/De Mulder, supra note 32, at 207.

[35] For more details see Schmid, supra note 26, at 204 ss.

Technicity is an important basis for the development of rules protecting privacy objectives. Several differentiations can be taken into account, namely (i) the complexity of the tag (active and passive, rewritable, processing and sensor provided products), (ii) the complexity of background devices (reader or other linked media) and the maximum reading range which is particularly designed to cover transparency demands.[36]

These four requirements have to be taken into account when establishing a legal framework binding all participants of the IoT. Resulting from these four requirements, the framework to be established has to be global, i.e. established by an international legislator, and applicable to every object on earth from its becoming until its destruction. The ubiquity needs to be addressed in particular if various objects are put together to form a new “thing”.

This new “thing” can either be attributed with a new tag, or the creation can carry multiple tags. While the first scenario is more practical, this solution may leave businesses with the problem that individual parts cannot be traced back to their origin. A solution may be that the one tag attached to the object makes reference to the different sources of all individual parts. A global consensus needs to be found, which is then generally applied. The question raised is also connected to the fourth requirement, technicity. If composed objects keep all the tags of integrated parts, tracing all relevant information concerning that object becomes extremely complex and difficult. As this discussion demonstrates, determining an appropriate legal framework raises various technical questions. Therefore, the inclusion of technical experts in the process-making seems inevitable. Furthermore, the discussion also shows that the framework needs to be established at an international level and address all fundamental issues. Otherwise, the IoT becomes impractical and cannot be used efficiently.

The following conclusion for a potential legislation can be drawn from the mentioned systematic approach[37]: A unique strategy will not be suitable to satisfactorily cope with the privacy challenges of the IoT. Inevitably, legislators have to make good use of several of them. In particular, due consideration of technicity seems to be of major importance. Furthermore, data protection and privacy need communication strategies establishing an effective platform for dialogue between state legislators, non-governmental organizations, public interest groups and the international private sector.

3.2. State law or self-regulation

The establishment of an adequate legal framework for the protection of security and privacy in the IoT is a phenomenon giving rise to the question of the appropriate legal source. Various regulatory models are available in theory: Apart from the possibility of no regulation at all, which cannot be considered as a real “solution”, the choice is principally between traditional national regulation, international agreements and self-regulation.[38] As mentioned, national regulation has the disadvantage of not meeting the globalization needs of an adequate legal framework in view of the fact that transactions through the IoT are usually of a cross-border nature.

(i) So far, the regulatory model in the IoT is based on self-regulation through manifold business standards, starting from technical guidelines and leading to fair information practices. In particular, the EPC-Guidelines[39] rely on components like “Consumer Notice”, “Consumer Education” and “Retention and IT-Security Policy”. Consequently, the compliance with the EPC-Guidelines is driven by a self-control strategy.[40] This self-regulatory model follows the well-known principle of subsidiarity, meaning that the participants of a specific community try to find suitable solutions (structures, behaviors) themselves as long as government intervention has not taken place.[41] The legitimacy of self-regulation is based on the fact that private incentives lead to a need-driven rule-setting process. Furthermore, self-regulation is less costly and more flexible than State law.[42] In principle, self-regulation is justified if it is more efficient than state law and if compliance with rules of the community is less likely than compliance with self-regulation.[43]

The theoretical approaches to the self-regulatory model show a multi-faceted picture[44]: In many cases, self-regulation is not more than a concept of a private group, namely a concept occurring within a framework that is set by the government (directed self-regulation or audited self-regulation). This approach has gained importance during the last decade: if the government provides for a general framework which can be substantiated by the private sector often the term “co-regulation” is used. The state legislator does not only set the legal yardsticks or some general pillars of the legal framework, but eventually the government remains involved in the self-regulatory initiatives at least in a monitoring function supervising the progress and the effectiveness of the initiatives in meeting the perceived objectives.

In this context, the legal doctrine has developed the notion “soft law” for private commitments expressing more than just policy statements, but less than law in its strict sense, also possessing a certain proximity to law and a certain legal relevance.[45] Nevertheless, the term “soft law” does not yet have a clear scope or reliable content. Particularly in respect to the enforceability of rules, law is either in force (“hard law”) or not in force (“no law”), meaning that it is difficult to distinguish between various degrees of legal force. Generally, it can only be said that soft law is a social notion close to law and that it usually covers certain forms of expected and acceptable codes of conduct.[46] This concept of self-regulation cannot overcome the lack of an enforcement strategy if compliance is not done voluntarily.[47] Therefore, the involvement of the legislator seems to be inevitable.

[36] Schmid, supra note 26, at 205 s.

[37] See also Burkert, supra note 31, at nos. 21–23.

[38] Rolf H. Weber, Shaping Internet Governance: Regulatory Challenges, Zurich 2009, at 10 s.

[39] See https://www.sodocs.net/doc/368076142.html,/public/ppsc_guide.

[40] Schmid, supra note 26, at 199.

[41] Weber, supra note 38, at 18.

[42] Eschet, supra note 23, at 322 s.

[43] Weber, supra note 38, at 18.

[44] For further detail see Weber, supra note 38, at 18 s with further references.

[45] Weber, supra note 38, at 20.

While self-regulation has gained importance during the last years,there are still critics thereof,pointing out that self-regulatory mechanisms only regulate those motivated or principled enough to take part in them as market pressure is not yet strong enough to oblige everyone to adopt the respective rules.Furthermore,it is argued that self-regulation is only adopted by stakeholders to satisfy their own interests and is therefore not effective in the protection of privacy.48

(ii)Therefore,even if the manifold merits of self-regulation are to be honoured,some pillars of the legal framework in the context of security and privacy need to be set by the legislator.Such law would have to be introduced on an international level.Contemporary theories addressing international law aspects tend to acknowledge a wide de?nition of international law,according to which this ?eld is no longer limited merely to relations between nation states but generally accepts the increasing role of other international players such as individual human beings,international organizations and juridical enti-ties.49Since customary rules can hardly develop in a fast moving?eld such as the IoT,the main legal source is to be seen in the general principles of law,such as good will, equal treatment,fairness in business activities,legal validity of agreements etc.50These general principles can be illustrated as‘‘abstractions form a mass of rules’’which have been‘‘so long and so generally accepted as to be no longer directly connected with state practice’’.51To some extent,basic legal principles are considered to be an expression of‘‘natural law’’;practically,general legal principles may be so fundamental that they can be found in virtually every legal system.52

The speci?c problem in view of security and privacy, however,consists in the appreciation that privacy concerns are not identical in the different regions of the world which makes the application of general principles dif?cult in cross-border business activities.Therefore,a basic legal framework should be introduced by an international legislator;however, the details of the legal rules for the protection of security and privacy needs are to be developed by the private sector.

The IoT being a new system itself,the idea of entrusting a body with its legislation and governing that is new,too,is not far-fetched.A new body would be in the position to take into account all the characteristics of the IoT.Furthermore, considering the complexity of the IoT,this body could be construed in a way to dispose of the necessary capacities.The alternative to the creation of a new body is to integrate the task of international legislator for the IoT in an existing organization.Bearing in mind the globality of the IoT,this organization has to have a certain scope of territorial application.Furthermore,the organization should have a structure that allows for the inclusion of a body only responsible for the IoT.Finally,legislation and governing of the IoT should be encompassed by the overhead responsi-bilities of the organization to be appointed.When consid-ering these requirements,the World Trade Organization (WTO)and the Organization for Economic Co-Operation and Development(OECD)come to mind.A special Committee responsible for rule-setting and supervision in the IoT could be established as an answer to the question of an interna-tional legislator.This Committee would be made up of representatives of WTO or OECD member States,thereby assuring an international approach.The Committee could, after deliberations,issue formal agreements,standards and models,recommendations or guidelines on various issues of the IoT.

This evaluation coincides with the experiences made in the field of Internet governance in general. An internationally binding agreement covering privacy and data protection does not yet exist. Even if international human rights instruments usually embody the essence of privacy, at least to a certain extent, the protection cannot be considered as being sufficient; only “extreme” warranties are legally guaranteed, such as the respect for private life or the avoidance of exposure to arbitrary or unlawful interference.53 Therefore, it is widely accepted that co-regulation is needed to secure the implementation of effective principles of privacy in the online world. Possible elements of a self-regulatory scheme may include codes of conduct containing rules for best practices worked out in accordance with substantive data protection principles, the establishment of internal control procedures (compliance rules), the setting-up of hotlines to handle complaints from the public, and transparent data protection policies.54 Many international instruments, such as the Guidelines of the OECD and Art. 27 of the EC Directive on the Protection of Personal Data (1995),55 mention self-regulation as an appropriate tool.56

Nevertheless, security and the protection of privacy is not a matter to be addressed exclusively by a legislator. Research and development in the field of information technology should also consider ethical consequences of new inventions.57

3.3. Legal categories and scenarios

Future legislation encompassing privacy and data protection issues of the IoT and RFID could have five different goals58:

Right-to-know-legislation;

Prohibition-legislation;

IT-security-legislation;

Utilization-legislation;

Task-force-legislation.

46 Weber, supra note 38, at 20, with further references.

47 Schmid, supra note 26, at 199.

48 Michael Froomkin, The Death of Privacy?, Stanford Law Review, Vol. 52, 2000, 1461–1543, at 1524 ss.

49 Weber, supra note 38, at 12.

50 Weber, supra note 38, at 15.

51 Ian Brownlie, Principles of Public International Law, 7th edition, Oxford/New York 2008, at 19.

52 Weber, supra note 38, at 15.

53 Weber, supra note 38, at 239.

54 Weber, supra note 38, at 240.

55 For an evaluation see Yves Poullet, The Directive 95/46/EC: Ten years after, Computer Law and Security Report, 2006, 206–217.

56 For further detail see Rolf H. Weber, Regulatory Models for the Online World, Zurich 2002, at 165 ss.

57 Langheinrich/Mattern, supra note 14, at 142.

58 Schmid, supra note 26, at 207.

Computer Law & Security Review 26 (2010) 23–30

The different categories of future legislation should be evaluated in the light of the objectives of privacy and personal data protection depending upon the use of RFID which can concern the following aspects, namely59:

Monitoring products (EPC),

Monitoring animals (real-time authentication and monitoring of animals),

Monitoring persons (real-time authentication and monitoring of persons),

Collecting data for profiling purposes (aggregation).

In the context of the IoT, the EPC scenario concerning products is practically the most important application. Theoretically, EPC does not directly trace relational personal data; however, a person carrying an RFID-tagged item discloses to the organization using the RFID system certain data or gives at least the opportunity to collect information.

A specific legislative aspect concerns the term “person”. The EU Directives as well as many national laws only consider individuals (“natural persons”) as objects of privacy laws. In particular, in the context of the IoT, this understanding is too narrow. Legal persons (e.g. corporations) do also have privacy interests; as for example in the Swiss legislation, the scope of application of data protection law needs to be extended to legal persons.60

(i) The right-to-know-legislation has the purpose to keep the customer informed about the applied RFID scenarios. In other words, the customer should know which data are collected and should also have the possibility to deactivate the tags after a purchase. In the United States, several attempts have been made to realize this kind of legislation.61

(ii) The prohibition-legislation introduces provisions which envisage to forbid or at least to restrict the use of RFID in certain scenarios.62 Such an approach is traditional in state legislation if the public community dislikes a certain behavior; enforcement of prohibition is possible (at least in the books). Self-regulatory mechanisms rather tend to introduce incentives (if at all) instead of prohibition.

(iii) IT-security-legislation encompasses initiatives that demand the establishment of certain IT-security standards which should protect the application of RFID from unauthorized reading and rewriting.63 Such kind of provisions can be introduced by the state legislator, but also by self-regulatory mechanisms; typically, industry standards are developed by the concerned market participants, having therefore the chance to be observed by the respective developers. Technologically, a new “fourth generation” framework of data protection protocols should be developed allowing the setting-up of stringent safeguards as to reporting and frequent audits of the measures.64

(iv) Utilization-legislation intends to support the use of RFID in certain scenarios.65 Insofar, this approach stands contrary to the prohibition-legislation; it envisages making the RFID available in the relevant identification documents. Therefore, the legislative approach has to fine-tune an appropriate balance between prohibited and utilizable approaches.

(v) The task-force-legislation covers legal provisions supporting the technical community to invest into the research of the legal challenges of RFID66; the purpose of this approach consists in a better understanding of the relevant problems.

3.4. Evaluation of the European legislative approach

The Recommendation of May 12, 2009, of the European Commission is a framework approach to legislate in the field of Internet security. The Recommendation provides guidance to Member States which then have to enact specific rules. While the Recommendation makes reference to EU Data Protection Directives, it does not stipulate any specific provisions itself. The European Commission furthermore introduces a framework privacy and impact assessment, established by the industry and the relevant civil society stakeholders, and the publication of an information policy for applications should also be ensured by Member States.

EPCglobal and industry are currently establishing the requested framework (Private Impact Assessment, PIA). Even if its details are not known as of early November 2009, it can be said that the objectives of the PIA are designed to identify the implications on privacy and data protection, to determine whether the operator has taken appropriate technical and organizational measures to ensure respective protection, to document the implemented measures, and to serve as a basis for a PIA report to the competent authorities. Important aspects concern the RFID application description and scope, the RFID application governing practices, the accountability challenges, as well as analysis and resolution aspects. Finally, while the European Commission provides for this framework, Member States are strongly encouraged to support the Commission in identifying threats to information security.

The regulatory approach of the European Commission consists in vague framework guidelines which address many aspects without considering the merits of the self-regulatory models and industry standardization. The framework is formulated in an open way and thereby ensures that technical principles such as verticality, ubiquity and technicity can be taken into account. However, being established by the European Commission, it is only applicable for Member States in Europe and not globally. Moreover, the fact that it is up to Member States to establish more detailed regulation is even more prejudicial to the principle of globality.

59 Schmid, supra note 26, at 206.

60 Art. 2 para. 1 of the Federal Act of 19 June 1992 on Data Protection, SR 235.1.

61 Schmid, supra note 26, at 208, with further references.

62 See also Schmid, supra note 26, at 208.

63 Schmid, supra note 26, at 208.

64 See Gehan Gunasekara, The “Final” Privacy Frontier? Regulating Trans-Border Data Flows, International Journal of Law and Information Technology, Vol. 17, 2009, 147–179.

65 Schmid, supra note 26, at 209.

66 Ibid.

Nevertheless, the recent Recommendation and Communication by the European Commission attest that privacy and data protection problems in the field of the Internet of Things are taken seriously and that there is a strong will to establish mechanisms to ensure that those do not become acute once the Internet of Things operates large-scale.

4. Outlook

With the emergence of an Internet of Things, new regulatory approaches to ensure its privacy and security become necessary. In particular, attacks have to be intercepted, data authenticated, access controlled and the privacy of customers (natural and legal persons) guaranteed. The nature of the IoT asks for a heterogeneous and differentiated legal framework that adequately takes into account the globality, verticality, ubiquity and technicity of the IoT.

Geographically limited national legislation does not seem appropriate in this context. However, self-regulation as it has been applied up to now may not be sufficient to ensure effective privacy and security, either. Therefore, a framework of substantive key principles set by a legislator at the international level, complemented by the private sector with more detailed regulation seems to be the best solution. Through such a framework, general pillars of regulation could be set for everyone, which are then suitable to be supplemented by the individuals concerned in a way that suits their current needs. Furthermore, the inclusion of an international legislator in the process also ensures the continued involvement of the public sector, contributing at least by monitoring the process.

The approach chosen by the European Commission goes in that direction. However, it would be preferable to have an international (not European) legislator setting the framework; such an approach would better adapt to the needs stemming from the globality of the IoT. Furthermore, if a more detailed regulation should be established by the private sector, lessons can be drawn from Internet governance in general, where the private sector has already marked presence in the rule-setting.67

The content of the respective legislation has to cover the right to information, provisions prohibiting or restricting the use of mechanisms of the Internet of Things, rules on IT-security-legislation, provisions supporting the use of mechanisms of the Internet of Things and the establishment of a task force doing research on the legal challenges of the IoT.

While according mechanisms still need to be developed, the early recognition of eventual problems and suggestions for their encounter leaves hope that effective regulation can be established before the Internet of Things is in full operation.

Prof. Dr. Rolf H. Weber (rolf.weber@rwi.uzh.ch) is professor at the University of Zurich and a visiting professor at the University of Hong Kong.

Rolf H. Weber studied at the University of Zurich and at the Harvard Law School. Since 1995 he is chair professor at the University of Zurich and since 2006 a visiting professor at the University of Hong Kong, teaching and publishing in civil, commercial and European law with special topics in Internet, media and competition law, international finance and trade regulation. He is director of the European Law Institute and the Center for Information and Communication Law at the University of Zurich; in addition he is member of the directory of the Postgraduate Studies in International Business Law and the MBA-Program at the University of Zurich. Since 2008 Prof. Dr. Rolf H. Weber is member of the Steering Committee of the Global Internet Governance Academic Network (GigaNet) and since 2009 he is member of the High-level Panel of Advisers of the Global Alliance for Information and Communication Technologies and Development (GAID). Besides, he is engaged as an attorney-at-law and as a member of the editorial board of several Swiss and international legal periodicals. A first version of this contribution has been published in Sylvia M. Kierkegaard (ed.), Legal Discourse in Cyberlaw and Trade, 2009, 1–14. The author expresses his gratitude to lic. iur. Romana Weber for her valuable research support.

67 Weber, supra note 38, at 17 ss.
