Should Pakistan Regulate the Internet of Things?
New technologies invariably produce challenges and opportunities. The Internet of Things (IoT) is the latest of these technologies and is developing at a fast pace due to a combination of factors like the explosive growth of cloud computing and the availability of increasingly less expensive electronic devices. The chief question regarding the relationship of state power vis à vis emerging technologies has not settled yet. Raging debates include the possibilities of regulating social media platforms like Facebook under the law.
This write-up will briefly explore the attempted regulation of IoT through the law in the US and how the approach taken in the US may become relevant to Pakistan in future.
The Concept of Internet of Things (IoT)
The genesis of the concept of Internet of Things (IoT) has been recorded by the US Senate Judiciary Committee. It examined the law about connected devices that was enacted in September, 2018. The following excerpt from the Report of the Senate Judiciary Committee provides an introduction of the concept and the economic potential of IoT in the following words:
“Kevin Ashton is widely credited with coining the phrase “Internet of Things” (IoT). The concept arose from his research at MIT for Proctor and Gamble concerning “smart packaging.”
The phrase refers to technology that allows an ever-growing list of devices to communicate wirelessly with other devices. The concept seems to have become well known over the past two decades and has gained increasing steam in recent years. Currently everything from toasters and toys to cars and televisions are connected to the internet, gathering and applying a wide range of information – this technology has limitless possibilities! It has even revolutionized the capabilities of medical devices and made shopping easier. Industry experts foresee its dramatic expansion in the years ahead with household goods, such as refrigerators, washing machines, dishwashers and thermostats. The CEO of Cisco has even declared that IoT will generate $19 trillion in profits.
However, along with the promise that IoT brings, there are serious privacy and security concerns as well. Corporations are rapidly networking the physical world and gathering data from everything. Many of these devices collect a vast amount of personal and intimate information. If not properly secured, this immense amount of private information can be vulnerable to breaches. In addition, many of these devices can be directly hacked into, allowing strangers to conduct surreptitious surveillance in homes or communicate directly through devices. Perhaps the most disturbing thing is that consumers may not even be aware of the full capabilities of these products or the information that is being collected. Recent research indicates that the number of devices will climb from 6.4 billion at the end of last year to 25 billion by 2020. This incredible growth further emphasizes the need to address security and privacy concerns. The Director of FBI also recently expressed concerns that “zombie armies” created by IoT devices could do tremendous harm.
The above description not only elucidates the origin, concept and economics of IoT, it also refers to the threats associated with the concept. The phrase ‘zombie armies’ is enough to scare some of us.
Legislative Developments in the US and Lessons for Pakistan
In a country like Pakistan, where legal literacy is low and the trade-off between security and privacy is in the favour of the former, the concept may not excite immediate interest. However, in the long run, as and when the societal response increases, the likelihood of legislating on IoT may gather momentum. In this regard, three recent developments in the US may be instructive to firm up views for any future legislation in Pakistan on the subject.
The three developments are as follows:
I. In the first development, US Republican Senator Mark Warner moved a Bill titled the Internet of Things (IoT) Cybersecurity Improvement Act in August, 2017. The preamble states the aim of the bill in the following words:
“To provide minimal cyber security operational standards for Internet-connected devices purchased by Federal agencies…”
While the law’s title includes the term ‘Internet of Things’ (IoT), it does not define the term. Instead, it chooses the term ‘internet-connected devices’ and defines it in the following terms:
‘‘Internet-connected device’’ means a physical object that
(A) is capable of connecting to and is in regular connection with the Internet; and
(B) has computer processing capabilities that can collect, send, or receive data.”
The Bill then defines ‘security vulnerability’ as:
“…any attribute of hardware, firmware, software, process, or procedure or combination of 2 or more of these factors that could enable or facilitate the defeat or compromise of the confidentiality, integrity, or availability of an information system or its information or physical devices to which it is connected.”
The scheme introduced in the Bill essentially deals with regulation of public sector procurement and the liability matrix as developed under contract and insurance laws of the US. It also provides for a National Vulnerability Database (NVD) to be maintained by the National Institute of Standards and Technology (NIST). The Bill is in the process of consideration but can be used as an example to study the relationship between the society, technology and law.
II. The second development is the law that has been passed in the state of California in the US. California Governor Jerry Brown signed the Bill into law on 28th September, 2018. The law is titled The Security of Connected Devices Act. The preamble spells out that the law is designed to
“…require a manufacturer of a connected device…to equip the device with a reasonable security features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
The law will take effect from 1st January, 2020. The law requires ‘adding of security’ features but does not require ‘removal’ of anything from the devices. The inclusionary approach instead of exclusionary, has been criticized by cyber security experts.
III. The third is a Bill that was introduced in the House of Representatives by Robert Ratta on 6th July, 2018. The Bill is titled State of Modern Application, Research, and Trends of IoT Act or SMART IoT Act. The Bill aims for the Secretary of Commerce to study the effects of IoT and submit a report to the Congress.
As stated earlier, the three latest examples of attempted regulation of IoT by law may not interest policy-makers in Pakistan, but they are likely to inform the students of law and policy that developed countries are trying to respond to technologically spurred societal changes through regulation by law. Pakistan’s experience with law so far may not be very impressive, however, the future lies in regulation not suppression of technologies.
 Preamble of the Bill
 Section 2(c) of the Bill
 Section 3(a)(1) of the Bill
The views expressed in this article are those of the author and do not necessarily represent the views of CourtingTheLaw.com or any organization with which he might be associated.