Regulating Internet Of Things (IoT): Senate Bill 327 of the United States
On 28th of September, California has passed Senate Bill No. 327 regarding Internet of Things (IoT). IoT can be briefly defined as a broad network in which many devices are sharing information by connecting with each other. As technology rapidly expands, certain matters that are compelling to predict are becoming current issues in the agenda of the lawmakers. In this respect, California’s first-ever bill on IoT devices is setting an example for the following regulations with its precedential qualification. Therefore, it is crucial to keep track of these legal and technological novelties in order to comprehend the related concepts and benefit from the legal protection that will be provided with this bill and similar prospective regulations.
In order to scrutinize the related technological and legal matters, the notion of Internet of Things should be clarified. IoT is considered as a worldwide network of unique addressable objects and objects in that network communicate with each other through a specific protocol. In other words, the devices and similar items fixed on a certain network are all connected while they are collecting, transmitting and processing data among each other. Therefore IoT identifies this abstract concept as the Internet itself in an utterly different manner in which the devices become the primary object. The items embedded to the networks are dispersed in a large scale and they are far beyond from the traditional perception of the items being connected to the internet. Even domestic equipment, automobiles, smart TVs and many other similar devices are communicating through these networks in order to complete their tasks. IoT devices withhold certain utilities especially from user’s perspective such as improving user experience and enhancing the devices with required developments. Beyond all of the advantageous aspects, it is important to design a solid legal basis which presents the issues that are needed to be foreseen along with the integration of this qualified technology.
Security and privacy are the main issues that can be regarded as matters concerning the concept in a legal manner. The IoT devices and the networks that they are connected are being subject to cyber-attacks resulting in the breach of data security and privacy. For instance, in 2016, a malware known as Mirai was used for the execution of several DDoS (Distributed Denial of Service) attacks which imply the cyber-attacks carried out by multiple sources targeting only one computer. With this specific malware, the usernames and passwords of the IoT devices are determined by scanning the IP addresses of the devices. Therefore, adequate regulations are deemed to be essential in order to prevent the harmful consequences that may arise due to this privacy and security obstacles. Accordingly, even though the protection of IoT devices were not the main objective, they can be included under the scope of certain regulations, such as EU’s GDPR (General Data Protection Regulations) and guidelines released by US’s Federal Trade Commission since the common aspect desired to be protected is data and the data subject.
California, has very recently set an example with the Senate Bill No. 327 concerning the manufacturers of IoT devices. The bill orders that by January 1, 2020, manufacturers of the connected devices will be responsible for furnishing the connected devices with “reasonable security features” which should be in accordance with “the nature and the function of the said device” and the “information it may collect, contain, or transmit”. The bill’s objective is to provide protection for these connected devices in order to prevent any harmful consequences that the information they embed may face due to “unauthorized access, destruction, use, modification, or disclosure”. The bill prohibits the default passwords and requires the devices to be convenient for the user to generate a new authentication for the first time. Moreover, the following notions “authentication”, “connected devices”, “manufacturer”, “security feature” and “unauthorized access, destruction, use, modification, or disclosure” are defined along with the bill. The new regulation includes exemptions exhibiting manufacturers which will not be held liable. The bill is qualified as an important example for the upcoming regulations, however, it is not content-wise sufficient and its execution area is also limited to one state, California. Therefore, the bill must be regarded as the draft regulation and should be adopted by developing the content according to the requirements and the current conditions.
Nonetheless, the regulations to enter into effect, regarding this issue, should provide for the strengthening of the security of the networks, protection of the user’s data by introducing user’s rights and include manufacturer’s obligations that will continue throughout the utilization of the device.