Privacy and Security Issues plague IoT Industry

By Ishtiaq Wani

The draft policy on Internet of Things by the government proposes to create an IoT industry of USD 15 billion and India would have a share of 5-6 % in it. This looks achievable going by the current push given to startups and the Digital India campaign, but the draft policy on IoT fails to address the falling demand of IoT devices because of privacy and security concerns.

In recent past, there has been a tremendous progress. A considerable number of IoT devices have been launched in health care, wearable technology, and home automation fields. Cut-throat competition between manufacturers to push products into market without testing for security at the manufacturing stage has exacerbated the problem.

Going by the Accenture Plc survey, the demand of IoT devices is falling in the country owing to the privacy and security concerns that customers have. About 70% of the surveyed, put security and privacy concerns as one of the main reasons for not opting for IoT devices.

The draft policy that was put forth in April 2015 had little on the issue despite hundreds of IoT devices being launched in the country. It aims privacy laws to be made “congruent with the evolving IoT paradigm.”

There has been no move to amend the privacy laws to make them applicable to IoT devices and security and privacy of customers is at stake. The interconnectedness makes these devices more vulnerable and there are more chances that the data if leaked would result in harm because of the personal nature of data. Ranjeet Rane, a cyber-law expert who works at Symantec India says “Most IoT devices incorporate measures like encrypting end user data while transmitting it over the internet. I don’t think apart from this, any other measure is used as of now in IoT universe.”

There is no regulatory mechanism before the products are allowed in the market and the manufacturers, till now only concentrate on the design and the performance of the products.

“The multiple development platforms that IoT products have made it very difficult to have in place a standardized measuring/testing mechanism. As of now each product is more or less self-accredited than been accredited by regulatory/standard setting body” says Rane.

Rane feels that in the current legislative framework privacy cannot be taken care of, although some sections in IT Act do make an attempt to address the concerns. The privacy clause in the IT Act 2008 (Section 66e) is not comprehensive enough to deal with the security and privacy breaches in IoT devices, only penalizing for capturing, publishing or transmitting the image of a private area of any person without his or her consent.

Legal frame work has always lagged behind, which puts the privacy and security of individuals at stake. Experts are of the opinion that even having a policy at this time is a good step as IoT devices are at its first stage of adoption in the country and later the aspects related to security and privacy would be looked into by the government.

In the US, the regulator the Federal Trade Commission (FTC) in its report in 2015 asked device manufacturers to put a multi-layered security for a security risk and adhere to security by design approach meaning that to make devices  secure continuous testing and adherence to best programming practices. For now, we aren’t there.


Image Source:

Leave a Reply