Consumer Protection and the Internet of Things

By: Lee Rickwood

January 15, 2016

Of all the things connected by the Internet of Things, it appears that a robust strategy for consumer protection, corporate security and individual privacy has not yet been fully hooked up.

The Internet of Things (IoT) broadly refers to a growing number of wireless products and IP-equipped devices that connect with the Internet in order to harness its processing, storage, tracking and communication capabilities.

From consumer gadgets to health care equipment to industrial machinery and much more, the IoT will connect billions of devices so that extensive data sharing can be conducted with the promise of providing predictive insights into activities of almost every kind, from consumer shopping habits to environmental monitoring, from medical treatment practices to the performance of industrial assembly lines, and much more.


Information about the Internet of Things is available, where else, at the Internet of Things.com website.
Visit http://www.internetofthingsweb.com/

The opportunities are so great and the growth rate so high that the Internet of Things is suffering from a lack of underlying standardization, compatibility and security.

Identifying and implementing such a strategy is called ‘the Holy Grail of the IoT’ – perhaps an acknowledgment that the desired open, shared and robust security standards may be just as hard to find as the much-sought-after Golden Chalice.

At an industry event to be held later this month, technology experts will be seeking the Grail while knowing, as the event organizers acknowledge, that: “We’ve been talking IoT standards for years… But with so many hardware and software considerations and so many application sets, this holy grail of IoT has proven elusive.”

IoT developers and manufacturers face many first-to-market pressures, short product development cycles, backward compatibility and future-proofing challenges, as well as price point sensitivities. Unfortunately, such factors are often greater influencers of product features and functions than user privacy and network security.

That means many new products offered for our comfort and convenience are actually pretty convenient for digital intruders, computer hackers and cyber-criminals.

And it is not just the user’s safety and security that is at risk; because these devices are connected to the public Internet, they are dangerous doorways that expose many others to possible security and privacy threats.

Among the organizations seeking to bring safety and security and operational standards to the IoT is the Object Management Group (OMG), led by Dr. Richard Soley, a long-time proponent of collaboration and standardization across the IT industry.

Its advocacy for IoT standards is well-known and well-respected, and its concerns are clear, as OMG’s Julie Pike has noted:

“Ever since the IoT was first established, critics’ concerns have centered on the security issues of devices connecting with and having access to information from other devices. Without stringent measures in place, hackers can easily delve into personal information, including an individual’s bank account and credit card information, where they are currently located, and when their home is empty (and how to get past any home security systems).

“The possibility for attack through the IoT is alarming.”

Another organization, the Open Web Application Security Project, is also ringing some alarm bells, and members of its online community are creating methodologies, documentation, tools and technologies to enhance Web and mobile security.

OWASP releases a Top 10 list of software application flaws so prevalent and severe, it says, that “no web application should be delivered to customers without some evidence that the software does not contain these errors.”

The errors are dangerous because they can let attackers completely take over a targeted piece of software so that it gives up its data, or fails to work at all.

OWASP uses the Veracode Platform to detect literally hundreds of software security flaws, so many that it must prioritize and focus on finding the problems that are “worth fixing”.

The popular PHP developer language and app platform appears to be one such problem area, leading to concerns over potential security vulnerabilities in millions of websites, and in things accessed by online or mobile connectivity.

When it comes to mobile development, the single biggest security issue was weak or ineffective cryptography, the Veracode report said. More than eighty per cent of mobile apps have cryptographic issues, meaning sensitive data is at risk and the protections for that data are ineffective.

Even existing (and widely used) security standards themselves are known to be at risk: weaknesses in the SHA-1 hash algorithm long used in most Web browsers are well-known, so most major browsers are planning to stop trusting that particular security solution – in 2017!
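The “weak or ineffective cryptography” finding above and the SHA-1 phase-out are two sides of the same problem: a fast, unsalted hash offers little protection for the secrets an app stores. The following is an added illustration, not code from the Veracode report, OWASP, or any product the article mentions. It contrasts the weak pattern (one unsalted SHA-1 pass over a password) with a salted, iterated PBKDF2-HMAC-SHA256 derivation from Python’s standard library. The user names, passwords and the iteration count are constructed for this example; a real deployment would pick its cost from current guidance.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data: two users who happen to choose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

# Assumed work factor for this example only; tune to current guidance in practice.
PBKDF2_ITERATIONS = 100_000


def weak_hash(password: str) -> str:
    """The weak pattern: a single unsalted SHA-1 pass over the secret.

    Every user with the same password gets the same digest, so one
    precomputed table of common passwords unlocks all of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated derivation: PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    Returns (salt, digest); both must be stored so the password can be verified.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, digest = strong_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def compare_schemes(users: Dict[str, str]) -> Dict[str, bool]:
    """Show why the weak scheme leaks: identical passwords yield identical
    SHA-1 digests, while the salted scheme yields different digests."""
    weak = {name: weak_hash(pw) for name, pw in users.items()}
    strong = {name: strong_hash(pw)[1] for name, pw in users.items()}
    return {
        "weak_digests_identical": len(set(weak.values())) == 1,
        "strong_digests_identical": len(set(strong.values())) == 1,
    }


if __name__ == "__main__":
    print(compare_schemes(SAMPLE_USERS))
    salt, digest = strong_hash("example-password")
    print("verify correct:", verify("example-password", salt, digest))
    print("verify wrong:  ", verify("not-the-password", salt, digest))
```

Two things to check in your own code base: whether any stored secret is protected by a bare SHA-1/MD5 digest (the `weak_hash` shape), and whether verification uses a constant-time comparison rather than `==`.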

So as new and promising as the Internet of Things (and its cousins, like the Industrial Internet of Things or IIoT and the Medical Internet of Things MIoT) appears to be, underlying the oft-touted potential of increased connectivity are existing and well-known threats.

While numerous statutes, regulations, and bylaws affect the relationship between businesses and consumers at the municipal, provincial, and federal level in Canada, and while violating these rules and regs can result in liability or even criminal or quasi-criminal charges, the need for added consumer protection in the IT space seems clear.

Knowing as we do the existing weaknesses, even threats, inherent in the IoT and many of the things it connects, suppliers, developers and manufacturers could be held accountable under consumer protection legislation: any statement concerning or guaranteeing the performance, efficacy or length of life of a good or service is not valid unless it is based upon adequate and proper tests.

Consumers should be aware, yes, but as with many other consumer protections, the burden of proof should lie with the provider, as should all considerations if protection or performance is not what is promised or required.

-30-