The paper analyzes the various security and regulatory frameworks around "Internet of Things" put in place by prominent organizations and bodies across the globe and proposes a consolidated model for IoT ecosystem governance.

1. Security in IoT Ecosystem
Need for an International Policy Framework
This paper explores the importance of a holistic policy framework for governance in the new
world of the Internet of Things (IoT) by putting into perspective the need for such a
framework while citing the recent incidents that have taken place in this domain. The paper
goes on to evaluate the policies and frameworks put into place by international
organizations such as the European Union, Federal Trade Commission and ITU-T. The paper
concludes by proposing a single framework for policy development in an IoT ecosystem.
PREPARED BY
Mansi Bhargava Rahul Bindra
PGP-12-122 PGP-12-137
UNDER THE GUIDANCE OF
Dr. Anil Vaidya
Head of Department, Information Management
S.P. Jain Institute of Management & Research

2. P a g e | 2
Table of Contents
Executive Summary.................................................................................................................................3
Introduction ............................................................................................................................................4
Secondary Research................................................................................................................................6
Legal Framework: Models...................................................................................................................6
Self-Regulation................................................................................................................................6
International Agreements...............................................................................................................7
Global..........................................................................................................................................7
Regional.......................................................................................................................................7
Evaluation of International Policy Framework Approaches ...............................................................7
European Union Commission Approach.........................................................................................7
European Union Legislation........................................................................................................8
Legal scenarios and specific implementation.............................................................................9
Evaluation of European Union Legislations ................................................................................9
ITU Telecommunication Standardization (ITU-T) Approach...........................................................9
Legal Barriers: ITU.....................................................................................................................10
United States Federal Trade Commission on IoT..........................................................................10
Research Findings .................................................................................................................................12
Challenges posed by growing IoT Ecosystem ...................................................................................12
Need for a global policy framework for IoT......................................................................................13
Reconfirmation by Primary Research ...................................................................................................14
Approach to a Policy Framework......................................................................................................15
Globality........................................................................................................................................15
Ubiquity.........................................................................................................................................16
Verticality......................................................................................................................................16
Technicity......................................................................................................................................16
IBTCa Policy Framework for IoT............................................................................................................17
Information.......................................................................................................................................17
Business.............................................................................................................................................17
Trust..................................................................................................................................................18
Contextual abstraction......................................................................................................................18
Way Forward.........................................................................................................................................20
References ............................................................................................................................................21

3. P a g e | 3
Executive Summary
The Internet of Things (IoT) has grown from an interesting technology that offered to help
machines interact with each other to a phenomenon that has deeply pervaded into the daily
life of every human being. This transience in the ambit of IoT linking the digital or virtual
world with the real or physical world puts forth an equal number of questions as the ones it
answers. An ecosystem that already is thrice the size of human population on earth is big
enough to leave a lasting imprint on the face of human innovation and evolution.
However, with the opportunity of the large scale benefits is also associated the lingering
possibility of large scale exploitation of the system leading to potential economic,
technological, and societal damage. With news of refrigerators and personal devices being
used in massive attacks to the tune of hundreds of thousands of terminals in a system, the
need of having a security and privacy framework around the IoT ecosystem is gaining
prominence on the digital forums and conferences.
Such a policy framework has the unenviable objectives of not only placing an internationally
accepted framework of regulations and policies around the ever expansive system of Internet
of Things but also ensuring that the regulations provide the necessary innovative space and
protection to the scientific community and the industry from “speculative consumer harm” at
the same time maintaining the accountability and compliance parameters.
In effect, the framework must ensure support to the IoT ecosystem through trust building in
three important areas of Industry, System and User. While System Trust may be related
largely with technological advancements and the implementation of the “privacy enhancing
techniques”, the Industry and User Trust can only be cultivated by the right mix of
involvement of the consumer, private and regulatory bodies in the overall development of the
global policy framework for the governance of IoT ecosystem.
While the development of a single policy framework acceptable to and inclusive of cross-
boundary and function players would be an important step in the direction of governing the
IoT ecosystem, further research needs to be undertaken in the space of enhancing user
involvement, creating contextual abstraction and development of data privacy and security
for personal devices.

4. P a g e | 4
Introduction
Imagine walking into your home with your smartphone in your pocket on a hot summer
afternoon. As you step into the drawing room, you notice that the air conditioner has
switched on 5 minutes ago and the room is now at the right coolness according to your
preferences. The television in your room is switched on automatically with your favorite
show for the time pre-selected and you don‟t have to wait for cooking the food because the
microwave already started pre-heating the food the minute you walked into the house.
Welcome to the world of Internet of Things (IoT). With a projected 50 billion devices1
to be
connected and speaking to each other by 2020 and an ecosystem worth slated to touch $14
trillion2
by the same time, Internet of Things (IoT) is the next big thing in the evolution of
technology.
Coined by Kevin Ashton at an MIT lecture in 1999, the concept has come a long way in how
machines and humans interact with each other to share information and perform tasks. There
are various large scale industrial programs taken up by technology giants such as General
Electric, IBM and Cisco that have brought Internet of Things (IoT) to the front of large scale
industrial usage. General Electric defines IoT as a large scale network of machine to machine
and machine to human interactions by leveraging advanced analytics and predictive
algorithms to ensure better service quality. Cisco, on the other hand, views IoT as a network
of functional networks such as home, energy etc. interacting with each other via secure
analytics techniques. The idea is echoed by IBM who views IoT as a large scale network of
interconnected devices.
1
Cisco, http://share.cisco.com/internet-of-things.html
2
Cisco, http://iotevent.eu/cisco-sees-14-trillion-opportunity-in-iot/
Currently there are more devices on
Internet than there are people on
Internet and that‟s Internet of Things
IBM

5. P a g e | 5
3 4
5
However, such an interconnected mesh of fairly autonomous nodes presents an equally
challenging scenario for the entities involved in it. The system raises questions on not only
the security, privacy and identity management aspects but also calls into question the laws or
framework of policies governing the administration of such a network. Such laws are difficult
into manage and envision because not only is there no single body for governing information
communication through IoT networks but also because the pervasion of information
exchange has covered ambit of devices previously un-thought of such as toasters and light
bulbs.
The alarmists cite recent examples of refrigerators being used for comprehensive spam
attacks and call into question the aspects of data ownership, exchange and reuse that take
place in such a network and how it impacts the security and privacy of the real owner of the
data. However, owing to the geographical spread and lack of single point of authority in this
space, there has been little progress in the development of a policy framework for IoT with
industrialists calling into question the need for such a framework with the apprehension of it
stifling the innovative edge that the technology presents with itself.
3
General Electric, Industrial Internet: Pushing the boundaries of minds and people, November 26, 2012
4
Cisco, The Internet of Things: How the next evolution of the internet is changing everything, April 2011
5
IBM, http://www.ibm.com/smarterplanet/us/en/overview/article/iot_video.html

6. P a g e | 6
Secondary Research
Development of an international legal/policy framework for IoT would be a tough take no in
the least because of the straddling with existing laws of data communication as well as the
fact that the technology and the interconnected devices cover international landscape even for
the ambit of a single transaction. In an attempt to realize a single policy framework for
governing IoT network, let us first analyze the individual organizational efforts that have
taken place in this field through independent international bodies such as US Federal Trade
Commission (FTC), European Union Commission and International Telecommunication
Union – Standardization (ITU-T).
However, before delving deep into the study of the above policies, it is important to first
develop a basic grounding on the different types of legal/policy frameworks and models:
Legal Framework: Models
International laws not merely incorporate relation among states but also players like
individual human beings, organizations and various legal entities. A legal framework for
international regulations will need to define structure and principal guidelines for IoT; how
rules are made as well as will be interpreted. The framework should also have the flexibility
for revisions based on context.
Establishment of a legal framework also raises the need for an appropriate legal source.
Various models can be applied to establish a framework. These include no regulation, self-
regulation, government regulation and international agreements. For the governance of a
network as large and expansive as the IoT, self-regulation and international agreements can
be considered important for further analysis.
Self-Regulation
Self-regulation responds to changes in the environment and works independent of
territoriality concept. Self-regulation as a social control model consists of normatively
appropriate rules of human behaviour which are enforced through reputational sanctions,
requiring effective communication channels to inform about the IoT participants behaviour.
Self-regulation tends to induce government not to introduce any formal laws. The rules
formed are more efficient as they respond to real needs and are flexible incentive driven. But
it might turn out to be interest driven as it is not legally binding.

7. P a g e | 7
Even if the legal framework to be established is self-regulated, some pillars need to be set by
the legal sources to be introduced at an international level.
International Agreements
Global
The approach towards establishing an international body as a legislator determines the
establishment of a new body with representatives from government, businesses and others
which poses challenges questioning the legitimacy of such a body. On the other hand
establishing a governing body within existing organizations would need lesser time
investment and requirements to adhere to.
Regional
Issues related to various policies need to raise awareness among all stakeholders, promote
IoT technologies/services and make sure that individuals get fundamental rights to privacy,
personal data and consumer identity protection apart from other information security
instances.
Having understood two of the primary approaches for development of a policy framework,
the different initiative by independent international organizations can now be understood in
greater detail:
Evaluation of International Policy Framework Approaches
Having discussed on the key aspects of a policy framework and the different types of models
that can be leveraged to achieve a policy/legal framework, let us now discuss some of the key
policy initiatives taken by prominent organizations across the globe.
European Union Commission Approach6
To establish a legal framework for IoT, EU invited comments from various stakeholders. Key
points involved are:
6
Weber, R.H. & Weber, R. (2010), Internet of Things: Legal Perspectives. Springer

8. P a g e | 8
EU recommended the commission to follow a technology neutral approach to IoT. Also, the
development of IoT cannot only go to the private sector but should be done in a coherent
manner with all public policy related to governance of the internet.
European Union Legislation7
It aims to issue a legislation which aims at a regional framework before applying it on a
global level making the whole system functional. EU laid down 14 lines of action which
include:
 Governance implementation
 Privacy monitoring and personal data protection
 IoT infrastructure of utmost importance
 Standardization of IoT technologies
 Promotion of R&D in IoT
 Public and private sector cooperation
 Institutional awareness
 Waste management and recycling
 International dialogues
From a legal perspective major points to be considered are:
7
http://innovation-regulation2.telecom-paristech.fr/wpcontent/uploads/2012/10/CS87_BARBRY.pdf
ANEC and BEUC - Privacy and data protection being the major challenges,
regulations other than self-regulation need to be implemented.
Amcham - Focus on RFID limits innovation; Technology independent rules should
be laid down after further development
Afilias- Recommended IoT root system to focus on backward compatibility,
identifier collusion, unilateral control authority, assurance of practicality,
openness to competition. Framework with local control and global
interoperability

9. P a g e | 9
IoT security and “Silence of the chips”: need to be able to disconnect from the network
whenever required.
Legal scenarios and specific implementation
Legislation for privacy and data protection should be focused on these goals:
EU directives considers „specific implementation‟ i.e. - natural persons as objects of privacy
laws. But legal persons like corporations also should be included in privacy protection laws.
Evaluation of European Union Legislations
 Address many aspects but does not consider the merits of self-regulatory models and
industry standardization
 Ensures that the principles of verticality, ubiquity and technicity can be taken into account
 Only applicable for member States in Europe and not globally
 Attest that privacy and data protection problems in the field of the IoT are taken seriously
ITU Telecommunication Standardization (ITU-T) Approach8
Combining its expertise in setting standards for internet as well as radio communication
sector, ITU can provide necessary inputs for setting the rules for IoT ecosystem as well.
Currently ITU acts as a consultant for various bodies engaged in IoT and hence its activities
are not directly monitored by the users of IoT. But ITU has identified challenges in the use of
IoT wherein they believe that users are concerned about privacy and socio-ethical
implications of the use of tracking and geo-location: users have to be made aware of the
benefits of the IOT.
8
Weber, R.H. & Weber, R. (2010), Internet of Things: Legal Perspectives. Springer
Goals Right-to-know legislation: Users should know what data is collected and
should have the option to deactivate tags if needed
Prohibition legislation: If public community dislikes certain behavior, it should
be prohibited
IT-security legislation: Protect application from unwanted reading and
rewriting
Utilization legislation: Making information available in scenarios where it
might be required
Task-force legislation: research on legal challenges and resolution for the
same

10. P a g e | 10
Legal Barriers: ITU
Regulation of radio frequency
RFID which forms an important aspect of the IoT is controlled by national regulations. The
band allocation or usage conditions will vary between states. For a global network like IoT, it
is required that RFID attached to all objects operate at the same frequency for effective
information exchange.
ITU has regional differences within its system, efforts need to be made in this direction to
harmonize and establish specifically dedicated frequency bands for IoT usage for ensuring
interoperability.
Health impact
The effect of electromagnetic energy radiated by RFID tags on human body is yet to be
established. These tags might also interfere with other devices used by individuals. Before all
things are designated with electromagnetic tags health risks should be essentially considered.
These can otherwise contaminate the environment as well as interfere with wide frequency
range.
ITU has given many recommendations with respect to the environmental effects of
electromagnetic radiations. Its goal is also to provide consultation for the limits of human
exposure to these radiations. It had defined classes depending on transmitting antenna
directivity, accessibility to people and general public or occupational exposure. It also
provides guidance for telecommunication installation to comply with tolerable human
exposure to electromagnetic fields. ITU also helps in guiding migration to reduce radiation
levels in areas accessible to people. In all, ITU serves the aim of identifying potential sources
of radiation and modifying the same for decreasing it.
United States Federal Trade Commission on IoT
The privacy and security of consumer information have always been reflected in the policies
and directives of the US Federal Trade Commission (FTC). The idea has only expanded
recently with the emergence of the Internet of Things on an international stage and the
potential security and privacy concerns that it brings with itself considering the potential
stakeholders employed in the system as well as the potential uses of data. In a March 2012
report9
, the FTC highlighted the Department of Commerce (DoC) recommendation to
9
Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,
http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-
consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf

11. P a g e | 11
implement a Consumer Privacy Bill based on the Fair Information Practice Principles
(FIPP) along with a framework to assess how different scenarios in the regulation would
apply to different businesses. In the same report, the FTC highlighted five key points of
consideration for government policymaking efforts in the future years:
The workshop called for development of a policy where regulators work in tandem with
businesses and society to not stifle but protectively nurture a growing technological
revolution. It also underscored the need for developing a context-aware system inclusive of
the culture, demographics and user perceptions for data use to supplement the privacy and
security of consumer data in an interconnected world and increase the acceptability of IoT.
Do Not Track
Mobile
Data Brokers
Large Platform
Provides
Promoting
enforceable
self-regulatory
codes
 Do Not Track: Noting the efforts by Digital Advertising
Alliance (DAA), browsers (e.g. Mozilla) and W3C consortium in
helping the consumer with opt-out options, the commission
reiterated its support to the above stakeholders.
 Mobile: The commission planned on working with companies
providing mobile services on creating succinct and clear
messages for the customers for better transparency.
 Data Brokers: The commission called on data brokers who
collate and use consumer information to create a centralized
platform with ease of access of information for the consumers on
how their information is being used.
 Language Platform Providers: Large platforms like ISPs
actively track consumers‟ online activities and must be
enlightened for addressing privacy concerns.
 Self-Regulation: The FTC would work with the DoC on
creation of sector-specific regulatory codes and further work on
ensuring the compliance of these codes.
Understanding the need for a policy framework on IoT, the
FTC held a workshop in December 2013 to invite the public on
exploring the surge in consumer data security and privacy
issues posed by the surge in interconnected devices able to
transfer data amongst each other.

12. P a g e | 12
Building a context aware system10
Research Findings
Challenges posed by growing IoT Ecosystem
The exponential growth of the devices and endpoints in the IoT ecosystem has resulted into a
variety of challenges being posed in front of the researchers such as:
10
Internet of Things: Privacy and Security in a connected world, Federal Trade Commission Workshop
http://www.ftc.gov/sites/default/files/documents/public_events/internet-things-privacy-security-connected-
world/internet_of_things_workshop_slides.pdf
Device growth (Host ecosystem diversity)
With a host of new ecosystems and mods of existing ones
appearing every day, consistency of host devices is a big
challenge.
Device growth (Internet bandwidth constraint)
Although IPv6 addressess the exhaustion problem of IPv4,
the transition time and complexity are still on higher side.
Information security and privacy
With a surge in the number of devices participating in
handling sensitive information, privacy enhancing
technologies (PET) must form the core of any IoT design.

13. P a g e | 13
Need for a global policy framework for IoT
Data Integrity/Access Control
With data travelling across diverse devices, it is important to
establish the contextual integrity of data
Breakdown immunity
With a breakdown potentially affecting millions of people, fallback
mechanisms must be developed for damage control
Establishing object trust/traceability
Since the data flows through multiple checkpoints and inter-device
boundaries, it may be difficult to trust and trace a specifc part of data
Data reuse
The data in an IoT network travels across multiple device boundaries
which raises the possibility of it being used outside of the intended
authorization
User maneuverability
With a large amount of user data shared for the IoT services of a
provider, data migration would be a challenge
Loss of human control
As technology develops, more predictive algorithms will result in
autonomous operation of systems which would subsequently make
human intervention difficult
Legal operability
As multinational organizations provide geographically dispersed data
and information services, compliance of local/national/international
laws may be a hurdle
“It is difficult to stop it as our ability to see is limited”
General Keith Alexander, Director NSA on cyber securityattacks

14. P a g e | 14
The challenges posed by an exponentially growing IoT network notwithstanding, the need for
establishing a global policy framework for the same has become prominent more than ever.
The claims by security researchers from Proofpoint11
and the Linux worm vulnerability of
routers uncovered by Symantec12
only serve as a reminder of the reach and potential impact
of a security vulnerability in IoT. With even mild security attacks costing the industry from
$40 to $80 billion each year13
, the implications of a large scale attack on the economy,
society, technology and above all, the user trust in IoT could be disastrous as evident from the
Malta smart meter electricity theft14
.
15
Moreover, although an ecosystem such as the IoT serves the grand purpose of bringing the
real and virtual worlds together, currently from a legal perspective at least, the laws
governing each of these worlds are different and thus arises the need for a policy framework.
Reconfirmation by Primary Research
Owing to the time constraints involved, the primary research for the purpose of this paper
was undertaken by adopting a two-pronged approach for reaching the industry professional
working in the field of IoT for their thoughts on the topic. Professionals from organizations
having a comprehensive IoT program such as General Electric were contacted and
interviews have been taken via email and phone calls.
11
http://www.bbc.co.uk/news/technology-25780908
12
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
13
http://www.industryweek.com/systems-integration/technology-rethinking-safety-iot-world
14
http://www.smartgridnews.com/artman/publish/Technologies_Metering/Malta-s-smart-meter-scandal----
41-million-worth-of-electricity-stolen-6360.html/#.Uw1szfmSzMU
15
Primary Research,
http://www.linkedin.com/groupItem?view=&gid=73311&item=5843314036610969603&type=member&com
mentID=discussion%3A5843314036610969603%3Agroup%3A73311&trk=hb_ntf_COMMENTED_ON_GROUP_
DISCUSSION_YOU_CREATED#commentID_discussion%3A5843314036610969603%3Agroup%3A73311
As the IoT network grows, the sheer deluge of devices and
nodes on the network will present a governance challenge too
big to manage without a policy framework in place. This
problem has already been brought to the fore with Verizon
admitting that it cannot see an IoT when connected to a
smartphone and Cisco admitting that it will not be able to secure
1 trillion IoTs.
“Technology and law
sometimes must work
together or neither
will be effective.”
Larry Karisny,
Security Expert

15. P a g e | 15
In order to further reach the professional community working outside the ambit of our
immediate reach, we have leveraged the professional networking platform of LinkedIn16
to
pose our questions on the topic and invite comments from the community.
The primary research insights corroborated the secondary research findings on the need of
establishing a policy framework owing to the large size of IoT ecosystem but at the same
time brought to fore the skepticism and possible distaste for the same by industry due to fears
of scuttling innovation. As such, any policy framework aimed at governing IoT on a global
scale must have a fair representation of not only the consumers of the system but also the
service providers and the industrial giants with sizeable investment research projects in-
progress on IoT.
Approach to a Policy Framework
There are four key challenges in the establishment of a policy/legal framework17
:
Globality
IoT will be marketed and distributed globally; same technical processes will be applied all
over the world. To prevent the complexity which can arise in businesses and trade due to
differing laws globally, legal systems need to be synchronized.
16
Primary Research,
http://www.linkedin.com/groupItem?view=&gid=73311&type=member&item=5843314036610969603&qid=7
45c202a-ac89-4275-b530-5c723dbd57a3&trk=groups_items_see_more-0-b-ttl
17
Weber, R.H. & Weber, R. (2010), Internet of Things: Legal Perspectives. Springer
Globality Ubiquity
Verticality Technicity

16. P a g e | 16
Ubiquity
IoT environment should be ubiquitous encompassing persons, things, plants, animals
everything.
Verticality
IoT technical environment should be such that it is durable. Products should be such that they
last for duration long enough for going through the entire product life cycle.
Technicity
Technical considerations are important for developing rules for protecting objects privacy.
Based on the above requirements, a global framework established by an international
regulator is required which can be implemented on every object right from initiation to
destruction. Determining a legal framework will also require addressing technical issues.
Therefore a framework without involving technical experts seems inevitable.
As such, there is a need for a global policy framework for IoT that addresses the different
stakeholders‟ aspects for security and privacy such as regulatory, economic, socio-ethical and
technical.18
18
Weber and Weber, Internet of Things Legal Perspectives
• User rights
• Public awareness
• Disclosure
• User advocacy
• Encryption
• Identity Management
• Privacy Enhancing
Techniques
• Self-regulation
• Codes of conduct
• Privacy certification
• User education
• User Consert
• Collection Limitation
• Data Use
• Accountability
• Openness
Regulatory Market
Social-
Ethical
Technical

17. P a g e | 17
IBTCa Policy Framework for IoT
Based on our analysis of the viewpoints put forth by the various policymakers and stake
holders that form a part of the IoT ecosystem, the following four characteristics have come to
the fore as the integral part of any internationally accepted policy framework for IoT:
Information
This is the bottom-most layer of the framework and is responsible for ensuring the resilient
and up-to-date technologies enabled security and privacy enhancing implementations to
ensure the protection of user data and related information. This layer would be responsible
for increasing both user trust and participation in the system by ensuring that the personal
information travelling in the system is secure.
Business
The business layer sits on top of the information layer and would encompass the business or
industry specific laws of information exchange and governance. The idea behind placing this
layer separately is to ensure re-usability of a wide array of rules already in place for different
sectors and industries. This would further ensure adoption of the framework by a wider
audience.
Contextual abstraction
Trust
Business
Information

18. P a g e | 18
Trust
It is both extremely critical as well as equally difficult to establish user trust in a widely
interconnected system such as IoT. In order to accomplish this feat, trust building measures
need to be taken at three levels of developing Industry, System and User trust.
Contextual abstraction
Displaying the right information to the right user at the right time is important to ensure user
involvement and association in the system. In order to ensure that the conveyed information
is acted upon/realized by the targeted recipient, it is important to ensure that the information
is customized to the need and knowledge level of the user as well as ensuring minimal action
on the user‟s part.
Rules on data privacy, security and protection
Public
Internet
Healthcare
PersonalDevices
Financial&Insurance
Retail
Mobile
Context/Situation specific abstraction layer
Data related
transparency
Industry Trust System Trust User Trust
Consumer
Regulators
Industry
Liberal
Regulations
Involvement of
LPPs and private
players
Work with Data
Brokers
Globality
Transparency
Security
Privacy by
design
Accountability
Do Not Track
Self-regulation
Opt-Out
Type, Use,
Origin,
Collection,
Usage
IBTCa
Policy
Framework

19. P a g e | 19
The above model adopts a bottom-up approach by proposing to continue the existing
protocols and regulations for data privacy, security and protection for the purpose of data
communication. On the basis of our primary and secondary research, we are of the opinion
that the existing sets of rules in this space are well defined and are suitable for cross-border
policy making. An offshoot of the above belief is the opportunity of further work on keeping
the systems updated with latest protocols and security measures. We believe that more
research can be done in this area on how to maximize the security upgrades on the user
terminal with minimum actions or assumption of knowledge on user‟s part.
On the basis of our research, instead of having a single law/regulation intended for all the
businesses and functions, it is much easier to devise function or context specific laws because
much of the work governing data security and privacy in this space is either already done or
in progress (as discussed in US FTC section). This would not only avoid re-inventing the
wheel but also keep the entire regime simple and easy to adopt. An addition to the existing
field of work for this section could be development of specific rules for data communication
to and from personal devices. This field of study would gain prominence with growth in the
ambit of devices covered by the IoT ecosystem and can be expanded as a separate field of
research.
Further, there is a need to develop the trust in three important components of IoT viz.
Industry, System and User. On the industry front, the regulators need to provide the right
amount of flexibility to the private players in order to
nurture and sustain the innovation in IoT. The policies
should not be drafted while only considering the
“speculative harm” that might befall the consumers but
should have good representation of the industry interests
as well. Therefore, any policy must be developed in
conjunction with different parties from the public and
private sector to ensure the continued growth in IoT.
“The Internet of Things is an
exploding innovation
ecosystem and is poised to be
a prime engine of economic
growth and mobile
opportunity globally. In these
very early innings of this
exciting technological
transformation, government
should avoid rigid,
prescriptive policies that
could stymie our rapidly
evolving wireless revolution”
Mobile Future (AT&T, Cisco,
Ericsson and Verizon)
“It is vital that government officials like myself
approach new technologies with a dose of
regulatory humility”
Maureen Ohlhausen, Member, US FTC

20. P a g e | 20
On the system front, it is important to ensure that right mix of transparency and privacy
enhancing techniques are used and continually upgraded in line with the latest developments
in security and privacy. These technologies and upgrades must then be ensured to find a way
to the terminal of the users so that attacks exploiting known vulnerabilities which form a
large part of the overall attacks on systems could be minimized.
It is also important to develop the user trust in the IoT ecosystem to ensure its adoption and
growth. Apart from user training, it is important to develop policies that assist the user
understand the flow of his/her personal information in the system and how it is being used by
the system. Coupled with options to opt out and view the data use, this would empower the
user and help in building the user trust in the system.
Finally, a lot of policies and measures do not percolate down to the user because of the sheer
technical and text-abundant nature of these directives. Therefore, a context-specific
abstraction layer needs to be developed that can convey the cause and effect of the policies on
the users in a context that relates to them.
Way Forward
While the proposed framework highlights the key components of a policy model, further
research on three important sections of the framework would help on further enhancing and
practically evaluating the ideas put forth in the model.
Firstly, development of data transfer, privacy and security regime for personal devices
presents an interesting research prospective that will not only further add value to the
proposal of developing business-specific rule base but also provide further insights in a
growing business to be increasingly impacted by IoT.
Secondly, as discussed earlier, further work is required on development of a methodology
that encourages the user to use and employ the latest security upgrades available to him/her
by minimizing the actions or technical knowledge required. This would help protect the
system from attacks on legacy vulnerabilities.
Finally, research on creation of a context-specific abstraction layer is crucial to the user
adoption of the system as it will help the user to personally relate his/her situation and
position in the system.

21. P a g e | 21
References
The Internet of Things [Online] Available from:
http://share.cisco.com/internet-of-things.html [Accessed: 4th
February 2014]
Cisco sees $14 trillion opportunity in IoT [Online] Available from:
http://iotevent.eu/cisco-sees-14-trillion-opportunity-in-iot/ [Accessed: 4th
February 2014]
Huansheng, N. & Hong, L. (2012) Cyber-Physical-Social Based Security Architecture for
Future Internet of Things. Scientific Research. p. 2, 6
Karisny L. (2014) Security in the IoT Ecosystem [Online] Available from:
http://www.linkedin.com/groupItem?view=&gid=73311&type=member&item=58433140366
10969603&qid=745c202a-ac89-4275-b530-5c723dbd57a3&trk=groups_items_see_more-0-
b-ttl
European Union. IoT Privacy, Data Protection, Information Security [Online] Available
from:
ec.europa.eu/information_society/newsroom/cf/dae/ [Accessed: 4th
February 2014]
BBC (2014). Fridge sends spam emails as attack hits smart gadgets. [Online] Available
from:
http://www.bbc.com/news/technology-25780908 [Accessed: 4th
February 2014
Symantec (2013). Linux Worm Targeting Hidden Devices [Online] Available from:
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices [Accessed: 5th
February 2014]
Hessman T. (2013). Technology: Rethinking Safety in the IoT World - When everything is
online, security is everyone's job. Industry Week. [Online] Available from:
http://www.industryweek.com/systems-integration/technology-rethinking-safety-iot-world
[Accessed: 6th
February 2014]
Weber, R.H. & Weber, R. (2010). Internet of Things: Legal Perspectives. Springer.
United States. Federal Trade Commission (2012). Protecting Consumer Privacy in an Era of
Rapid Change: Recommendations for Businesses and Policymakers [Online] Available from:
http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-
protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf
[Accessed: 9th
February 2014]
Gartner (2013). Gartner's 2013 Hype Cycle for Emerging Technologies Maps Out Evolving
Relationship Between Humans and Machines. [Online] Available from:
http://www.gartner.com/newsroom/id/2575515 [Accessed: 10th
February 2014]
Evans, D. (2011). Cisco. The Internet of Things How the Next Evolution of the Internet Is
Changing Everything [Online] Available from:
https://www.cisco.com/web/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf [Accessed:
10th
February 2014]

22. P a g e | 22
Evans, P. C. & Annunziata M. (2012). Industrial Internet: Pushing the Boundaries of Minds
and Machines [Online] Available from:
http://www.ge.com/docs/chapters/Industrial_Internet.pdf [Accessed: 10th
February 2014]
IBM. The Internet of Things [Online] Available from:
http://www.ibm.com/smarterplanet/us/en/overview/article/iot_video.html [Accessed: 11th
February 2014]
United States. Federal Trade Commission (2013). Internet of Things: Privacy and Security in
a connected world [Online] Available from:
http://www.ftc.gov/sites/default/files/documents/public_events/internet-things-privacy-
security-connected-world/internet_of_things_workshop_slides.pdf [Accessed: 12th
February
2014]