IoT: ‘Internet of Things’ or ‘Internet of Threats’?
Fri, 31 Aug 2018 || By Faiz Rahman

Introduction

In this information era, the development of digital technology accelerates the flow of information and enables the transfer of information among devices, especially those connected to the Internet. According to the White Papers published by Richard Kemp, leader of Kemp IT Law (IT Law Firm), by 2017 there were 25 billion devices connected to the Internet, a figure that will rise to 50 million in 2020.[1] These devices can be connected to each other using technology that utilizes the Internet, which is often called the Internet of Things (IoT).

To date, there is no formally accepted definition of IoT. Basically, the IoT is a concept where things/objects (or devices) can “sense, communicate and share information, and connect to each other” using Internet-based protocols through information-sensing facilities.[2] The IoT is best known through the implementation of “smart” devices, which cover various areas of everyday life, such as smart health (e.g. patient surveillance), smart living (e.g. smart home appliances), smart cities (e.g. traffic control), smart environment (e.g. air pollution monitoring), etc.[3]

Although people can gain many benefits from the IoT in various aspects of life, many threats also await. Considering the transforming technologies and the increasing number of things connected to the Internet as mentioned above, it is a logical consequence that cyber threats will also grow. Moreover, according to a report by Cybersecurity Ventures, it is predicted that by 2021, cybercrime damages will cost the world more than US$ 6 trillion annually.[4] This article discusses two common but essential questions concerning the IoT: first, the potential cybercrime attacks on the IoT, and second, the legal issues around the IoT, especially those relating to law enforcement.

 

Q1: What are the types of potential cybercrime related to IoT?

According to a report by Symantec, in 2017, 978 million adults in 20 countries were affected by cybercrime.[5] In Indonesia, around 59.45 million people experienced cybercrime and approximately US$ 3.2 billion was lost because of it.[6] Furthermore, the development and growing number of IoT devices indirectly expands the targets of cybercrime. This is confirmed by Cybersecurity Ventures, whose report said that IoT devices will be the biggest technology driver of crime in 2018.[7] It is estimated that by 2021, the number of IoT devices will be three times as high as the global population.[8] Thus, combating IoT-related crime will be a big challenge for law enforcers in the future.

In general, cybercrime can be divided into seven categories of substantive criminal law, based on the Convention on Cybercrime (Budapest Convention), namely illegal access; illegal interception; data interference; system interference; misuse of devices; computer-related forgery; and computer-related fraud.[9] Moreover, there are also content-related offenses such as child pornography, and offenses related to infringements of copyright and related rights.[10] The cybercrime categories mentioned in the Convention remain relevant to IoT-related crimes, as an IoT-related crime might fall under one of those categories. Furthermore, from the IoT perspective, IoT-related crimes can be divided into three big categories, which are IoT as a Target, IoT as a Tool, and IoT as an Eyewitness.[11]

First, in the ‘IoT as a Target’ category, the objective of the crime is to attack the IoT devices themselves. As the number of IoT devices increases, new opportunities to exploit potential security vulnerabilities also grow.[12] Criminals target the security vulnerabilities in the IoT devices. One reason is that an IoT system consists of multiple devices connected to the Internet, and not all devices have the same security measures, which can expose the IoT devices to cyberthreats. The latest example of crime targeting the IoT is the use of cryptojacking malware to attack IoT networks.[13] Other than using malware, criminals can also hack the device to obtain benefits or information from the IoT networks and devices.

Second, in the ‘IoT as a Tool’ category, the criminals are not primarily targeting the devices, but instead use the devices to commit cybercrime. The basis is still the same, which is the lack of security in the IoT devices and networks. For instance, in the Mirai Botnet case, the criminals used IoT devices to build and execute distributed denial-of-service (DDoS) attacks, targeting various technology providers.[14] In this category, criminals usually exploit vulnerabilities such as fixed encryption keys, default passwords and failure to patch device firmware.[15]

The third category, ‘IoT as an Eyewitness’, is principally similar to the second category, as it utilizes the IoT to commit a crime. The difference is that the attackers use the IoT environment as part of the process of committing a cybercrime, not as the instrument for conducting it. For instance, the attacker can use IoT environments such as motion sensors, climate controls, and smart-light logs to determine where to look for fingerprints, which can be used to enter a smart home ecosystem.[16]

As described above, an IoT-related crime can be any crime that falls under the Budapest Convention’s substantive criminal law section. What makes it different are the method and the medium used to commit the crime. The attackers are either targeting the IoT devices or using the IoT to conduct a criminal act. The explanation above also exposes the bigger issues that relate to the IoT, which are security and privacy. These issues are discussed in the next part of this article.

 

Q2: What are the legal issues around the IoT?

Historically, the existence of the Internet alone has been a challenge for law enforcers, as it makes it possible for a crime to be committed not only from within the country but also from abroad. As the technologies are still transforming, the threats are also growing. In today’s context, the development of the IoT is not only a technical challenge, but also challenges the current legal frameworks. It also poses a bigger problem in the context of law enforcement, as the threats and crime methods grow more sophisticated day by day.

The development of the IoT specifically raises issues concerning security and privacy. Moreover, there are issues with potential consequences for data security, privacy, and liability.[17] What makes this a problem is that the IoT system allows the transfer of data, including personal data, over the Internet. Thus, a strong legal basis for personal data protection is essential for a country to protect its citizens in this IoT era. For instance, in the EU context, prior to the enactment of the General Data Protection Regulation (GDPR) in May 2018, the Article 29 Working Party (an independent EU advisory body on data protection and privacy) published an opinion concerning the Internet of Things (WP 223).[18] WP 223 sets out the main issues regarding how current and future law deals with the IoT. It also notes that the IoT poses several significant privacy and data protection challenges, some new and some traditional but amplified by the exponential increase in data processing that its evolution involves.[19]

Furthermore, the development of the IoT may also challenge the conventional understanding of what may be expected as individual “privacy” in a networked sensory environment like the IoT.[20] In the IoT context, an individual can usually be identified using the data that originates from “things.”[21] This identification might allow the data processor to understand the life pattern of an individual. If these data are misused, they can harm not only the identified individual, but also other people related to that individual.

Moreover, the security issues in the IoT are closely related to data protection issues. IoT devices are expected to exchange data and store them on service providers’ infrastructure.[22] Thus, it is also important to regulate a legal guarantee of the security of the data held by the providers, to ensure the providers’ liability for the safety of the individual data they hold. Furthermore, there is also a risk that the IoT may turn an everyday object into a potential privacy and information security target while delivering those targets far more widely than the current version of the Internet.[23] Less secure connected devices can be used as new avenues of attack that might result in personal data being stolen.[24] The EU GDPR, which entered into force in May 2018, introduces legal measures such as the Data Protection Impact Assessment,[25] data breach notification,[26] and high administrative fines for infringements of the GDPR,[27] that can be used in relation to IoT-related legal issues.

In Indonesia, there is no specific Data Protection Law. Even though Indonesia has the Ministry of Communication and Informatics Regulation No. 20 of 2016 concerning Protection of Personal Data in the Electronic System (MENKOMINFO PDP Regulation), the protection of IT-related objects and law enforcement in relation to cybercrime still depend on Law No. 11 of 2008 jo. Law No. 19 of 2016 concerning Information and Electronic Transaction (IET Law). This is mainly because, according to the Indonesian hierarchy of laws and regulations, only a Law (Act) and Regional Regulations can regulate criminal sanctions.[28] Furthermore, international cooperation is also vital for fighting cybercrime, considering the borderless nature of the Internet, which is used in IoT devices and networks. Therefore, strong regulation of data protection in Indonesia is essential to protect citizens’ rights in cyberspace, especially the right to privacy, which is increasingly exposed to cyber threats, particularly in the context of the IoT.

 

[1] Kemp. R. (2017). Legal Aspects of the Internet of Things (White Papers). London: Kemp IT Law, 1.

[2] Katel, K.K and Patel, S.M. (2016). Internet of Things-IOT: Definition, Characteristics, Architecture, Enabling Technologies, Application & Future Challenges. International Journal of Engineering Science and Computing, 6(5), May 2016, 6122.

[3] See Ibid.

[4] Cybersecurity Ventures. (2017). 2017 Cybercrime Report [online] Cybersecurity Ventures. Available at: https://cybersecurityventures.com/2015-wp/wp-content/uploads/2017/10/2017-Cybercrime-Report.pdf [Accessed 19 August 2018].

[5] Symantec Corporation. (2018). Norton Cyber Security Insights Report: Global Results [online] Symantec. Available at: https://www.symantec.com/content/dam/symantec/docs/about/2017-ncsir-global-results-en.pdf [Accessed 19 August 2018], 4.

[6] Ibid, 10 and 13.

[7] Cybersecurity Ventures, above n 4, 10.

[8] McCraw, D. B. (2017). 6 Stats that Prove the Value of Cybersecurity Pros [online] CompTIA. Available at: https://certification.comptia.org/it-career-news/post/view/2017/10/04/6-stats-that-prove-the-value-of-cybersecurity-pros [Accessed 19 August 2018].

[9] See Convention on Cybercrime 2001. ETS No. 185, entered into force 1 July 2004, Arts. 2 – 8.

[10] Convention on Cybercrime 2001, Arts. 9 – 10.

[11] See Salama, U. (2017). Investigating IoT Crime in the Age of Connected Devices [online] Security Intelligence. Available at: https://securityintelligence.com/investigating-iot-crime-in-the-age-of-connected-devices/ [Accessed 19 August 2018].

[12] Rose, K. Eldridge, S. and Chapin, L. (2015). The Internet of Things: An Overview. The Internet Society (ISOC), 31.

[13] See Gross, G. (2018). The Week in Internet News: Criminal Cryptocurrency Miners Target IoT [online] Internet Society. Available at: https://www.internetsociety.org/blog/2018/05/the-week-in-internet-news-criminal-cryptocurrency-miners-target-iot/ [Accessed 19 August 2018].

[14] Salama, U., above n 11.

[15] Ibid.

[16] Ibid.

[17] Fabiano, N. (2017). Internet of Things and the Legal Issues related to the Data Protection Law According to the New European General Data Protection Regulation. Athens Journal of Law 3(3), 201.

[18] Article 29 Data Protection Working Party, Opinion 8/2014 on the on Recent Developments on the Internet of Things, 14/EN/WP 223, adopted on 16 September 2014.

[19] Ibid, 6.

[20] Bousa, R., et al. (2017). Privacy in a World of the Internet of Things: A Legal and Regulatory Perspective. Networked Society Institute, University of Melbourne, 5.

[21] Opinion 8/2014 on the on Recent Developments on the Internet of Things, 10.

[22] Ibid, 9.

[23] Ibid, 9.

[24] Ibid.

[25] For instance, see General Data Protection Regulation (EU), Art. 35 and Recitals 90, 91, 92, and 93.

[26] See General Data Protection Regulation (EU), Art. 33.

[27] See General Data Protection Regulation (EU), Arts 83 and 84.

[28] See more in Law No. 12 of 2011 concerning Formulation of Law and Regulations, Art. 15.

 

Editor: Atin Prabandari, MA & Nabeel Khawarizmy Muna, S.IP