Vodafone response to the European Commission consultation on governance of the Internet of Things

Transcription

1 Vodafone response to the European Commission consultation on governance of the Internet of Things Vodafone welcomes comments or questions on the views expressed in this submission. They should be directed to Robert MacDougall at 1

2 Summary 1. In this response, Vodafone sets out a number of considerations that we believe should underpin the future governance of the Internet of Things ( IoT ). The three key themes underpinning Vodafone s response are as follows: IoT simply represents a further evolution of connectivity technology. Where we have broad regulatory frameworks for important areas like data protection and privacy, these should remain the means by which we regulate; Focus needs to shift from operational risk management to design risk management; and Mandatory obligations and controls should not be introduced unless there is very clear public interest requirement for them, for example in relation to carbon savings or public safety. The presumption should be in favour of industry agreed self regulation and governance, which is already evident in this area. Privacy and Data Protection 2. One of the main concerns raised with the growth of the IoT is that automated machines will be making decisions about data capture, access, use and sharing and that this represents a loss of control. However, for the most part this is not actually a loss of control but rather a shift in the locus of control. There is nothing new about this shift. When a car owner upgrades from a manual gear box to an automatic, although it involves replacing a previously manual process with an automatic one, the owner remains in control of the car. The use of tools to replace low level actions with machine automated actions, leaving humans to focus on higher value actions, is a fundamental human desire. 3. The discussion around the IoT is just a continuation of this process. What has changed is the economics of connectivity and the availability of technology that is small and portable enough to be easily attached to or embedded in objects. So when a machine shares information with another machine it is often carrying out a low level action that was previously performed by a human. The IoT should not be perceived as a loss of control but rather a continuation of the shift from the manual / operational (characterised by the traditional role of the data controller) down the technology chain to those who write the code that make the applications that run the machines used by the data controllers. 4. The consultation asks whether additional data protection principles are required for IoT applications. They are not instead we need to recognise the role of technology and platform developers in the regulatory framework for privacy, i.e. actors other than data controllers and data processors. The same principles apply in terms of outcomes, but we need an accountability model that embraces privacy by design for these actors. 2

3 5. In order to achieve this, regulatory focus needs to shift from operational risk management to design risk management. With operational risk management, risk mitigation tends to be quite close to the risk event, (e.g. call centre staff informing incoming callers that their information will be collected and stored). With design risk management, the locus of managing the risk shifts further down the chain and away from the risk event (e.g. IoT machines need to be designed so that they give users transparent information about what is being collected or shared). 6. This necessitates a change in the culture of design and engineering. For those writing the software that is going to run on IoT machines, they need to be not only adept at creating the precise functionality specified for a given object, but to do so in a way where they are sensitive to the social context in which that object will be used. In other words, they have to be able to design out unintended social consequences, such as opaque data collection, or design in controls and protections, such as data obfuscation solutions, user controls or robust verifiable authentication. 7. Policy and regulation needs to be sophisticated enough to articulate broadly desired outcomes, and to create a framework capable of influencing and incentivising design risk decisions that support those outcomes. This will require a broader range of policy responses, in particular, the development of a more sensitive culture of privacy and security among the engineering community that are designing the population of connected devices. 8. Concepts like privacy by design within an accountability model are essential to helping regulate this fragmented environment in a way that is adaptive and flexible, but allows innovation and development. There is no need for specific IoT Privacy Impact Assessment ( PIA ) guidelines. Technology specific regulations should be avoided and a PIA should be a flexible tool that can be applied to any technology or business application. 9. In relation to user autonomy, and whether the IoT should operate under a model of explicit consent, the type of interaction required by an application is always context specific, and any requirement for consent should reflect this. The consultation asks whether, if it is not possible for IoT applications to operate under explicit consent, alternative solutions to safeguard autonomy should be sought. There should be many alternatives to a system of explicit consent. There are multiple justifications in the regulatory regime for the processing of data, consent only being one of them. Whether or not consent is required will depend on the results of a PIA. 10. Vodafone considers that there are likely to be many benefits from using data beyond the sole purpose of IoT applications. With the right proportional safeguards for privacy, personal data is arguably the most valuable asset in the digital economy and its use should be encouraged for economic and social benefits. 3

4 Safety & Security 11. The consultation asks whether there should there be standards for data confidentiality, integrity & availability. If the reference to standards in this question means those developed by policy makers and regulators, this is unlikely to be the case. Data protection law is a good example of where this has failed, the Italian regulatory practice of dictating password management being one such example. Policy and regulation must create the incentives for the industry (including not just the service providers who deploy the machines, but those who create them) to ensure that security is addressed, with dissuasive sanctions for getting it wrong. 12. Any requirement for standardisation and control will also likely differ according to nature of the connected application and type of data that is being processed. IoT standards in relation to the arrival of the next bus, or the functioning of a heart monitor, will obviously differ. 13. In relation to whether guidelines for enforcement are required, the key objective is to develop an effective enforcement regime that creates dissuasive sanctions for all actors involved. To the extent that guidelines will underpin this approach and create a culture of transparency around such enforcement, then they would be warranted. Security of critical IoT supported infrastructures 14. Vodafone s views on the application of reference by design principles apply equally to security of critical IoT supported infrastructures. We strongly support its use in this context. In relation to whether we need policy maker guidance on security by design and applicable security technologies, Vodafone believes that we need policy makers to focus on principles, and leave implementation to the industry. 15. The key will be forming effective multi stakeholder processes for helping industries create interoperable infrastructures that address security risks, within a framework that holds actors to account for their role. In practice this will involve close working between industry and government. Governance 16. Collective issues of IoT service deployment need to be considered as part of IoT governance. In fact, Vodafone is already working with existing industry bodies to ensure transparent and proportionate deployment of machine to machine devices. The GSMA s Embedded Mobile (EM) Guidelines (EM.48) provide guidance on technical design and operational issues in relation to deployment of machine to machine applications on a global basis. These are intended to reduce the cost of developing and deploying EM solutions through economies of scale by introducing common design guidelines for new embedded modules. Vodafone has actively contributed to this work, for example in relation to efficient use of network resources and roaming network control and overload, designed to ensure that connected devices are rolled out in a proportionate, transparent manner. 4

5 Standards for meeting policy objectives 17. Vodafone agrees that the policies addressed under an IoT Governance framework need to be implemented with the development of global standards, including a reference architecture for IoT standards. Such governance is likely to be only at the higher layers of the architecture or in providing high level requirements like addressing, which the standards bodies then develop into detailed working level architectures and protocol solutions. 18. Vodafone strongly agrees that existing standardisation frameworks should be considered as a basis for additional IoT standardisation requirements. We should build on what has already been done and adapt it, as established positions on issues such as authentication, trust, roaming support and network protection will be good starting points for further discussions. 5