On April 21, 2021, in response to last year’s call for views on consumer smart device cybersecurity, the UK Government announced its intention to introduce new legislation to regulate the security of consumer smart devices, including phones, televisions, speakers, toys, wearables, doorbells, and other consumer internet of things (IoT) devices. Although the draft legislation has not yet been published, the first statement was made to provide a transition period for enterprises working in the sector of smart devices to convert to compliance. The rule would also require smart device and Internet of Things (“IoT”) businesses to ensure that no faulty or insecure products are available in the UK’s jurisdiction. This is a significant step in the United Kingdom’s post-Brexit data protection regime, as well as the Department for Digital, Culture, Media, and Sport’s Code of Practice for Consumer IoT Security.
The introduction of the UK law ushers in a new era of digital security, taking into account the major security risks that consumers may face as the number of items connected to the Internet of Things grows. According to some estimates, there will be 75 billion internet-connected devices worldwide by 2025, with 10-15 devices per UK household. Data protection by design and default is required by the EU General Data Protection Regulation (GDPR). As a result, the UK government’s law would facilitate this part of legislation by ensuring a minimal level of consumer security.
What are smart devices and IoT?
The Internet of Things (IoT) is a critical digital idea that has emerged over time with the introduction of smart gadgets. It is a potentially revolutionary technology with disruptive properties similar to Blockchain, in that it promises a tremendous opportunity for data analysis and distribution via sophisticated device connections. The use of a huge network system would allow for widespread synchronization and the completion of activities in less time. Smartwatches and smart speakers, such as Google’s Nest and Amazon’s Alexa, are good examples of IoT-based smart products. This is why the UK is attempting to streamline its progress by drafting a consistent regulation. In essence, the internet of things (IoT) is a broad term that refers to a group of networks linked by the internet and each of which is embedded in technology. With the IoT, different objects that we see daily, such as home devices, vehicles, manufacturing devices, light bulbs, computers, and tech systems, can be connected via the internet. Machine to machine (M2M) technology, which allows machines of the same type to communicate, and mobile connections, where data can be exchanged via Internet Protocol networks, are examples of the IoT’s top technicalities.
IoT and smart devices are becoming increasingly important.
The IoT application has grown in popularity over time, aided by widespread internet access and increased network connectivity. Wi-Fi and broadband access are considerably more commonly available now, allowing for more efficient data transmission management. It is expected that the number of internet users will increase exponentially, accelerating the expansion of smart device applications. Sensor technology advancements will accelerate growth, since lower prices will make sensors affordable to deploy in any remote area and to pre-install in any device. The growing smartphone sector, which had a strong base of 5.6 billion individuals connected to smartphone ownership in 2019-20, makes one of the most significant contributions. Within the next five years, this is expected to expand by a billion units. According to IDC, the Internet of Things sector would be worth more than $1.7 trillion in 2015, with a 15 percent increase by 2025.
What are the issues and challenges associated with the use of IoT-smart devices?
The applicability of IoT Smart devices, like any other technology, comes with its own set of obstacles and issues. The UK legislation is being used to implement data security for individuals in addressing these issues. With the rapid growth of smart technologies, there will be greater challenges in understanding and operating these devices. As a result, such customers would be vulnerable to cyber-attacks and data mismanagement. For example, Google’s smart home system NEST was one of the first household systems to experience serious issues with its thermostats. As the final product of smart devices has a complex system of operators, this raises the issue of imposition of liability in terms of service default. A variety of players, including the ISP, the hardware operator, and a manufacturing business, are in charge of the smart devices. This raises significant concerns about how customers, or regulatory agencies, can figure out what went wrong, who is responsible, and how to fix it.
The sheer volume of data that smart device operators will aggregate and collect presents a significant problem in terms of data privacy and security. Strong data protection regulations have been enforced in the EU-UK region with the adoption of the GDPR, but the risk remains, depending on the applicability of strong legislation in the area. Complying with privacy and data protection standards such as informed consent and data minimization is going to become increasingly difficult. Data analysis reveals a slew of security flaws in smart gadgets and IoT-enabled equipment that hackers can exploit. The most well-known example was the situation in the United States, where several occurrences of Alexa being hacked and accessed by the hacker’s receiving Internet Protocol were documented. In 2015, Samsung was widely chastised for exploiting its voice-activated software to capture private household conversations and share them with a third party. “Samsung… could record vocal commands and the text that goes with them.” One of the most important hazards posed by smart devices is their ability to communicate with one another and transfer data independently to an external party (such as a device manufacturer). With these problems, determining when and how processing occurs becomes extremely difficult, and data subjects’ capacity to exercise their data privacy and protection rights may be severely hampered. According to a survey conducted by cybersecurity firms, about 80% of smart gadgets have severe vulnerabilities that may be easily hacked and accessed by malicious individuals. Not only would this expose consumers to major data scams, but it also has the potential to compromise sensitive personal data.
LEGISLATION IN THE UNITED KINGDOM THAT APPLIES TO SMART AND IOT DEVICES
Manufacturers would be required to meet additional security requirements for any smart device product distributed in the UK under the proposed legislation governing smart devices. The draft legislation’s goal is to create standard security protocols that can endure huge changes in the industry while still allowing for innovation. The UK government announced a Code of Practice for IoT security in October 2018, to provide a harmonized set of principles for makers of IoT devices to ensure product security for consumers who are often unaware of potential cybersecurity risks when using smart products. The Department for Digital, Culture, Media, and Sport (DCMS) undertook a consultation in May 2019 on prospective regulatory recommendations in this area, believing that the self-regulatory rules did not go far enough to safeguard consumer security.
The UK government issued its draft regulations governing smart gadgets and other IoT-related products on April 21, 2021. Any network-connected devices (i.e., those connected via Wi-Fi, Bluetooth, data cable, etc.) and their associated services that are made available principally to consumers in the UK would be affected by the legislation. Some devices, such as laptops, tablets without a cellular connection, and second-hand electronics, are specifically excluded from the law’s scope. Manufacturers, importers, and distributors are all “relevant economic actors” involved in the transmission of smart gadgets to UK customers, according to the legislation’s definition.
The law has made it mandatory to follow three important criteria, which were previously reproduced in the Code of Practice for Consumer IoT Security and significant clauses in the standard EN 303 645:
- Prohibiting the use of universal default passwords, which are usually simple to guess and are preinstalled in factory reset mode when the device is turned on.
- Sending security updates on time and assuring customers that a product would receive security updates for a certain period. The legislation, on the other hand, is likely to enable the UK government to update security requirements through secondary legislation to keep up with technology and threat advances.
- Manufacturers will be required to make a public declaration of conformity available. They would be required to take action and cooperate with law enforcement agencies if the smart device did not comply with the legislation. Operators with a business headquarters outside the UK will be represented in the UK by their authorities, who will be responsible for ensuring compliance with the proposed legislation.
- Smart device distributors in the UK, such as wholesalers and retailers, are expected to be obliged to ensure that the makers have published a declaration of conformity and to assist any enforcement authorities.
The enforcement authority will have the capacity to investigate and take action in the event of non-compliance, according to the proposed law. However, no clear policy has been established as to which entity will be in charge of enforcement and what powers it would have.
WRAP-UP
The UK government intends to implement the proposed legislation “as soon as parliamentary time allows,” which will be postponed until the end of 2021 because of the disruption created by the COVID epidemic. While such legislation will enhance data protection regulation following Brexit, the question of whether there is a need for separate legislation for every area of technology remains. This would prompt a discussion about the need for uniform data protection and efficacy legislation. Specific laws, such as this one, should be thorough in enacting or revamping consumer law to embrace more flexible approaches to protecting individuals’ rights.