Legal support of information security of the Internet of Things

Internet of Things (IoT) home devices are gaining more and more popularity in the modern world. They provide their users with the convenience and ability to control devices inside the home from anywhere via the Internet. However, this surge in the popularity of IoT has led to legal issues related to consumer data privacy and protection.

The issue of protecting the user’s personal data is one of the main aspects requiring regulation by Russian legislation in the field of IoT. IoT devices collect and process large amounts of such data, including information about habits, personal life, preferences. Their misuse leads to violation of the rights and freedoms of citizens.

In this article, I would like to discuss in more detail the existing problems of legal support for the Internet of Things in our country, and to understand which legal acts can be applied in this area today, and how.

Introduction

Back in 1920, in the play R.U.R. (“Rossum’s Universal Robots”), the Czech writer Karel Čapek first mentioned the term “robot”, which meant a creation made of materials different from those that make up a person and playing the role of a labor force. Back then it was science fiction, but today people have already invented many devices that save them unnecessary effort and simplify their lives: washing machines, refrigerators, smart speakers, and so on. Taken together, we call all these things the Internet of Things (IoT).

The basic concept of the Internet of Things is that multiple interconnected devices can collect and transmit data wirelessly without human intervention. In addition to the objects listed above, IoT can include any device that can transmit data over a network and has an IP address.

Of course, many would not give up the ability to remotely control absolutely all the devices in their apartment. However, this technology has another side. The most important issue, information security, causes great distrust of the Internet of Things among users: it is difficult to say how secure all the information that devices receive, store and process is.

As a specialist in the field of information security who is interested in innovations in the world of information technology, I have long been interested in the security of the Internet of Things and in the list of current threats directly related to it.

Moreover, as an ordinary consumer who cares about the security of his personal data, I wanted to shed light on this topic and consider this issue in more detail before making a decision to purchase such devices.

In this article, I would like to highlight the main risks of threats to the security of users’ personal data, as well as analyze the existing regulatory legal acts of the Russian Federation applicable to the regulation of the Internet of Things and draw conclusions about the future of the organizational and legal support of information security of these technologies.

What information security threats related to IoT are relevant today?

As we remember, the Internet of Things is a set of devices connected to each other via the Internet, through which they can be controlled. Of course, the presence of a large number of such devices can lead to the following risks:

  • Vulnerability of confidential information due to the generation of large amounts of data by IoT devices

  • The risk of hacking IoT technologies

  • Attackers use connected devices to eavesdrop on users’ homes

  • Collection of personal information about a person

I would like to expand on the last point in more detail, since it is directly related to our personal data and ensuring its safety.

How can attackers use our personal data against us?

As I mentioned earlier, IoT technology raises a number of questions related to its legal regulation. How secure are IoT devices? Who owns the data they store? How and by whom can they be used? Can this data be used by attackers against the device owners themselves?

One of the potential dangers is that third parties may obtain such data, after which it can be sold to employers, insurers, creditors, and other individuals who are able to use this data for their own purposes.

For example, insurance companies that have obtained data stored on IoT devices installed in cars will be able to offer drivers insurance on more onerous terms. In this situation, IoT devices worsen the user’s position even before the process of obtaining insurance begins.

Another example is IoT devices related directly to our health, such as smart watches or scales. Such devices know our habits and track a person’s physical activity, pulse, heartbeat and number of steps. Having illegally acquired such data, an employer may decide whether to hire someone according to their personal preferences, which is not fair to the owner of the IoT device.

It is also worth noting that if a person uses several IoT devices at once, this can lead to even more serious consequences.

How does Russian legislation regulate the legal support of the information security of the Internet of Things? (spoiler: it doesn’t)

Unfortunately, the legislation of the Russian Federation does not fully cover the field of the Internet of Things; this area of legal regulation is currently undeveloped. Moreover, the legislation does not have a clear definition of what the Internet of Things is. However, the Forecast of the Long-Term Socio-Economic Development of the Russian Federation for the Period up to 2030, issued by the Ministry of Economic Development of the Russian Federation, defines the Internet of Things as “informatization of various subjects and their inclusion in a single network of networks”.

However, despite the lack of proper legislation, the following legal acts should be involved in the legal regulation of the Internet of Things:

I propose to consider these legal acts in more detail.

No. 152-FZ “On Personal Data”

Here attention should be paid to paragraph 3 of Art. 5, which says that the consolidation of databases is unacceptable when their data is processed for incompatible purposes. Clause 2 of Art. 5 also states that the processing of personal data should be limited exclusively to the achievement of specific, legitimate and predetermined goals. That is, the specific purpose of processing a person’s data must be indicated. Moreover, the data must also be destroyed or anonymized after the period for fulfilling the purpose of data processing has expired. Therefore, in the future, manufacturers of Internet of Things devices will have to inform the user about the purposes of processing personal data and the terms of its storage.

Art. 6 of the federal law establishes the mandatory consent of the user to the processing of his personal data, which accordingly includes data received through IoT devices.

No. 149-FZ “On Information, Information Technologies and Information Protection”

Paragraph 7 of Art. 3 says that a person’s private life is inviolable and that the collection, storage, use and distribution of information about a person’s private life without his consent is inadmissible. I think many of you have wondered: what information do we consent to the collection of when using IoT devices?

In fact, given all the functionality of IoT devices, it is difficult to say what kind of information about a person such a device can collect. From this we can conclude that in the field of the Internet of Things this paragraph should be revised, for example by establishing that each case should be considered by the court individually.

Doctrine of Information Security of the Russian Federation

This doctrine postulates that information technologies are expanding their presence in human life, which is why protecting the information security of citizens is in the interests of the state.

This doctrine allows us to conclude that the state is increasingly understanding the importance of information law in our lives, including the importance of protecting information security in the field of the Internet of things, because the number of people using this technology is increasing.

State bodies are already creating the basis for the development of norms in the information sphere. An example of such a framework is the so-called “road map” mentioned in Order of the Ministry of Telecom and Mass Communications of Russia No. 637 “On Approval of the Plan (Roadmap) for the Implementation of the Concept for the Construction and Development of Narrowband Wireless Communication Networks of the Internet of Things in the Russian Federation”. It must approve the list of federal executive authorities responsible for the development and approval of threat models of intruders for IoT systems, which already indicates that government authorities are aware of this problem.

Conclusion

Of course, the Internet of Things has shown us many gaps in the legislation, since clear measures to regulate this area have not yet been presented in it. The state should pay attention to existing problems and develop a clear legal regulation to solve these problems.

Currently, the Internet of Things, although rapidly developing, is fraught with a large number of information security threats, including problems in the field of legal regulation.

Briefly formulating the main measures that the government should take to solve these problems, we can single out the following:

  1. It is necessary to develop and implement specific requirements for manufacturers of IoT devices that will oblige them to provide clear and accessible information about the collection and use of personal data.

  2. Issues related to the misuse of the user’s personal data should be resolved individually, since the possible functionality of the Internet of Things may inadvertently lead to violations of No. 149-FZ.

  3. The state should be interested in regulating the Internet of Things and information technologies, and should support and implement methods for protecting these devices.

I personally urge you all to be careful in maintaining the security of your personal data, always have your own critical view of the situation, consider all the pros and cons in order to make the right choice.

Thanks for reading my article. I sincerely hope that you found it useful and interesting, and that you learned something new for yourself in the field of legal regulation of the Internet of Things.
