Internet of things – Governance quo vadis?

The Internet of Things (IoT) as an emerging global Internet-based information architecture facilitating the exchange of goods and services is gradually developing. While the technical aspects are being discussed in detail a legal framework does not exist so far. The first supranational organization trying to work out an IoT governance framework has been the European Commission by appointing a large group of experts to examine the relevant aspects of a possible IoT governance regime. In the meantime, however, the activities have been degraded. Nevertheless, even if the differences between the IoT and the Internet have been overestimated at the beginning, many elements of the IoT differ in part from the corresponding problems in the Internet. Therefore, an analysis of the major IoT governance issues (legitimacy, transparency, accountability, anticompetitive behavior) seems to be worthwhile to conduct.     

Internet of things – Need for a new legal environment?

The Internet of Things as an emerging global, Internet-based information service architecture facilitating the exchange of goods in global supply chain networks is developing on the technical basis of the present Domain Name System; drivers are private actors. Learning from the experiences with the “traditional” Internet governance it is important to tackle the relevant issues of a regulatory framework from the beginning; in particular, the implementation of an independently managed decentralized multiple-root system and the establishment of basic governance principles (such as transparency and accountability, legitimacy of institutional bodies, inclusion of civil society) are to be envisaged.     

EU GDPR or APEC CBPR? A comparative analysis of the approach of the EU and APEC to cross border data transfers and protection of personal data in the IoT era

This article examines the two major international data transfer schemes in existence today – the European Union (EU) model which at present is effectively the General Data Protection Regulation (GDPR), and the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules system (CBPR), in the context of the Internet of Things (IoT).While IoT data ostensibly relates to things i.e. products and services, it impacts individuals and their data protection and privacy rights, and raises compliance issues for corporations especially in relation to international data flows. The GDPR regulates the processing of personal data of individuals who are EU data subjects including cross border data transfers. As an EU Regulation, the GDPR applies directly as law to EU member nations. The GDPR also has extensive extraterritorial provisions that apply to processing of personal data outside the EU regardless of place of incorporation and geographical area of operation of the data controller/ processor. There are a number of ways that the GDPR enables lawful international transfer of personal data including schemes that are broadly similar to APEC CBPR.APEC CBPR is the other major regional framework regulating transfer of personal data between APEC member nations. It is essentially a voluntary accountability scheme that initially requires acceptance at country level, followed by independent certification by an accountability agent of the organization wishing to join the scheme. APEC CBPR is viewed by many in the United States of America (US) as preferable to the EU approach because CBPR is considered more conducive to business than its counterpart schemes under the GDPR, and therefore is regarded as the scheme most likely to prevail.While there are broad areas of similarity between the EU and APEC approaches to data protection in the context of cross border data transfer, there are also substantial differences. This paper considers the similarities and major differences, and the overall suitability of the two models for the era of the Internet of Things (IoT) in which large amounts of personal data are processed on an on-going basis from connected devices around the world. This is the first time the APEC and GDPR cross-border data schemes have been compared in this way. The paper concludes with the author expressing a view as to which scheme is likely to set the global standard.     

IoT forensics: Exploiting unexplored log records from the HIKVISION file system

CCTV surveillance systems are IoT products that can be found almost everywhere. Their digital forensic analysis often plays a key role in solving crimes. However, it is common for these devices to use proprietary file systems, which frequently hinders a complete examination. HIKVISION is a well-known manufacturer of such devices that typically ships its products with its proprietary file system. The HIKVISION file system has been analyzed before but that research has focused on the recovery of video footage. In this paper, the HIKVISION file system is being revisited regarding the log records it stores. More specifically, these log records are thoroughly examined to uncover both their structure and meaning. These unexplored pieces of evidence remain unexploited by major commercial forensic software, yet they can contain critical information for an investigation. To further assist digital forensic examiners with their analysis, a Python utility, namely the Hikvision Log Analyzer, was developed as part of this study that can automate part of the process.     

Avoiding the internet of insecure industrial things

Security incidents such as targeted distributed denial of service (DDoS) attacks on power grids and hacking of factory industrial control systems (ICS) are on the increase. This paper unpacks where emerging security risks lie for the industrial internet of things, drawing on both technical and regulatory perspectives. Legal changes are being ushered by the European Union (EU) Network and Information Security (NIS) Directive 2016 and the General Data Protection Regulation 2016 (GDPR) (both to be enforced from May 2018). We use the case study of the emergent smart energy supply chain to frame, scope out and consolidate the breadth of security concerns at play, and the regulatory responses. We argue the industrial IoT brings four security concerns to the fore, namely: appreciating the shift from offline to online infrastructure; managing temporal dimensions of security; addressing the implementation gap for best practice; and engaging with infrastructural complexity. Our goal is to surface risks and foster dialogue to avoid the emergence of an Internet of Insecure Industrial Things.     

Data integration in IoT ecosystem: Information linkage as a privacy threat

Internet of things (IoT) is changing the way data is collected and processed. The scale and variety of devices, communication networks, and protocols involved in data collection present critical challenges for data processing and analyses. Newer and more sophisticated methods for data integration and aggregation are required to enhance the value of real-time and historical IoT data. Moreover, the pervasive nature of IoT data presents a number of privacy threats because of intermediate data processing steps, including data acquisition, data aggregation, fusion and integration. User profiling and record linkage are well studied topics in online social networks (OSNs); however, these have become more critical in IoT applications where different systems share and integrate data and information. The proposed study aims to discuss the privacy threat of information linkage, technical and legal approaches to address it in a heterogeneous IoT ecosystem. The paper illustrates and explains information linkage during the process of data integration in a smart neighbourhood scenario. Through this work, the authors aim to enable a technical and legal framework to ensure stakeholders awareness and protection of subjects about privacy breaches due to information linkage.     

IoT forensics: Exploiting log records from the DAHUA technology CCTV systems

CCTV surveillance systems are ubiquitous IoT appliances. Their forensic examination has proven critical for investigating crimes. DAHUA Technology is a well-known manufacturer of such products. Despite its global market share, research regarding digital forensics of DAHUA Technology CCTV systems is scarce and currently limited to extracting their video footage, overlooking the potential presence of valuable artifacts within their log records. These pieces of evidence remain unexploited by major commercial forensic software, yet they can hide vital information for an investigation. For instance, these log records document user actions, such as formatting the CCTV system's hard drive or disabling camera recording. This information can assist in attributing nefarious actions to specific users and hence can be invaluable for understanding the sequence of events related to incidents. Therefore, in this paper, several DAHUA Technology CCTV systems are thoroughly analyzed for these unexplored pieces of evidence, and their forensic value is presented.