As the Internet of Things (IoT) becomes increasingly prevalent, the government will play an important role in enabling and regulating how the industry will develop, according to panelists at Thursday’s National Telecommunications and Information Administration workshop.
“Developers need advice now,” said Craig Spiezle, executive director, founder, and president of the Online Trust Alliance. He and other panelists listed a number of areas in which that advice can take shape.
1. Look to Past Policy
Many panelists pointed to current Federal policies and legislation that can stand as a starting point for government treatment of IoT.
Dan Caprio, co-founder and chairman of the Providence Group, championed the 1997 Clinton Framework for Global Electronic Commerce as a basis for how the government should regulate IoT. The 1997 framework puts the private sector in the lead and, only when needed, calls for the government to intervene with a simple, predictable legal framework.
Cameron F. Kerry, senior counsel at Sidley Austin, pointed to the the Consumer Bill of Rights as a good basis for IoT policy, and John Kuzin, vice president and regulatory counsel at Qualcomm, said the FTC’s privacy framework and NIST Cybersecurity Framework were good models to work off of.
2. Bring Together the Policy Patchwork
“[IoT] is going to affect every sector of our society,” said Leonard Cali, senior vice president of global public policy at AT&T. He and other panelists at the workshop agreed that because IoT is a part of health, education, transportation, and other aspects of life, it would also fall under the purview of many different government agencies and levels.
“Trying to do this sector by sector, state by state, problem by problem is a losing game,” said Kerry.
To address this patchwork, Sen. Deb Fischer, R-Neb., introduced the Developing Innovation and Growing the Internet of Things (DIGIT) Act to put the Department of Commerce in charge of convening a working group to inform IoT policy.
“One of the things I think the Federal government should do is have agencies like the FTC and NIST talking to each other,” said Julie Brill, partner and co-director of privacy and cybersecurity practice at Hogan Lovells.
On the state level, Hardik Bhatt, CIO and secretary designate for the Illinois Department of Innovation & Technology, said that his state has created an Internet of Things Center of Excellence to bring together all organizations that have an investment in IoT policy.
3. Address ‘Data Feudalism’
Michelle De Mooy, acting director of privacy and data projects at the Center for Democracy and Technology defined Data Feudalism as the concept that more devices with more data provide the companies that control that data with increasing levels of power. A power that is currently not addressed in policy or legislation.
“I think that’s a really crucial policy question that has not been addressed,” De Mooy said.
4. Encourage Independent Security Research
Harley Geiger, director of public policy at Rapid 7, said that current legislation has a chilling effect on cybersecurity research, such as the Computer Fraud and Abuse Act and section 1201 of the Digital Millennium Copyright Act (DMCA). According to Geiger, these policies don’t leave enough differentiation between criminal hacking for malicious purposes, and hackers that breach device security in order to reveal flaws to the manufacturer.
“Ideally, this prompts appropriate fixes,” Geiger said. De Mooy also agreed that the DMCA needed revision.
5. Take an Active But Cooperative Role
“Government should facilitate until it knows what to regulate and how to regulate,” said Bhatt. This includes bringing the private sector, state and local governments, and international partners together to inform consumer and regulatory needs in IoT.
“It’s going to be a conversation,” said Cali. “Our government can be a real voice.”