The Internet of Things Alliance Australia (IoTAA) last week launched its Good Data Practice: A Guide for Business to Consumer IoT Services for Australia. The 20 page Guide comes out of a major collaborative effort by industry, consumer representatives and regulatory bodies to address consumer-related concerns about business to consumer IoT services.
The Guide deals with what industry players need to consider when supplying IoT devices and services to consumers.
Gavin Smith, IoTAA Chair and President and Chairman of Robert Bosch Australia launched the Guide at the Comms Day/Communications Alliance IoT Summit in Sydney.
“The IoTAA is publishing the Guide to promote industry and consumer awareness of good practice in dealing with data associated with business to consumer (B2C) IoT services” Smith said.
“IoTAA believes that industry needs to step up and take responsibility for the inherent risks in internet of Things services. Providers can rely too heavily on consumers to understand and mitigate risks”, he added.
IoT devices and services, like all new consumer focussed, data driven services raise issues to do with privacy, security, consumer protection and unanticipated uses of data.
The Guide focusses on measures that IoT providers can take to build consumer trust and understanding of safe use of IoT products and services. Recommendations include that providers ensure the ‘terms of use’ of their products and services are fair, and clearly expressed, particularly on uses of consumer data and secure use of IoT devices.
The Guide is authored by IoTAA’s Workstream 3: Data Use, Access and Privacy, chaired by Peter Leonard, Principal, Data Synergies. Input came from many industry and regulatory bodies, including many members of Workstream 3 and staff of the Australian Competition and Consumer Commission (ACCC), Australian Communications Consumer Action Network (ACCAN) and the Office of the Australian Information Commissioner (OAIC).
Risks and challenges of IoT
Often many devices, parties and providers are involved in the IoT device and service delivery chain. For instance, data will often pass through multiple parties, e.g. cloud platform providers, data warehouses and billing service providers. Consumers are concerned about collection and uses of their business and personal information.
“Providers need to build understanding of consumers about good practice in consumer use of IoT and also address security and privacy vulnerabilities in IoT services end-to-end. Good practice includes providers ensuring that providers and their IoT data partners protect confidential information of businesses and promote privacy and information security”, says the chair of IoTAA’s Data Workstream Peter Leonard.
“These vulnerabilities need to be addressed through good business practices including ensuring data privacy and security by design and default, minimisation of data flows, helping consumers to anticipate risks and understand what they can do to help reduce them, and ‘transparency’ on collections, uses and disclosures of consumer data”, Peter Leonard said.
Internet connected toys well demonstrate the concerns. Kids love the interactivity that a smart voice activated toy can provide. But to deliver these smarts, a provider collects personal messages and information about kids. Spiral Toys, parent company of the popular CloudPets™ line of internet-connected toys, was hacked, exposing personal messages and information about children. My Friend Cayla™, an interactive doll, was banned in Germany as an unauthorised surveillance device. Cayla’s supplier did not make appropriate disclosures to parent buyers about collection of information from kids, and did not put in place controls to limit uses of information by various IoT partners in the data ecosystem between the doll and Cayla’s supplier.
Other risks include: poor IoT security by design, implementation, or coordination; and data quality, reliability or continuity issues, where data errors, omissions or breakdowns can lead to incorrect decisions being made.
Good Data Practice Principles
The Guide outlines seven Good Data Practice Principles, dealing with:
- consumer protection
- accountability
- customer empowerment
- cyber protection
- customer data transparency
- data minimisation and
- customer data control.
“Industry and consumers need a better engagement model to ensure IoT services deliver benefits without consumer detriment”, said Peter Leonard. “Industry can take the lead, but only through good engagement with consumers and regulators and open and frank discussions about how to work together to address and reduce risks.”
Good Data Practice: A Guide for Business to Consumer IoT Services for Australia is available online at http://www.iot.org.au/resources/
The IoTAA welcomes ongoing input as we continue to develop this Guide in line with the rapid evolution of IoT services and devices.