Earlier this year, following its public consultation, the European Data Protection Board (EDPB) approved its guidelines on the processing of personal data in the context of connected vehicles and mobility-related applications.

Why are these guidelines needed?

In the guidelines, the EDPB notes that “vehicles are becoming massive data hubs” and “connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers or passengers”. Interestingly, the EDPB is also of the opinion that “[e]ven if the data collected by a connected car are not directly linked to a name, but to technical aspects and features of the vehicle, it will concern the driver or the passengers of the car.” To illustrate this latter point, the EDPB lists the following types of data that would fall within this category: speed, distance travelled, engine coolant temperature, engine RPM and tyre pressure. This is a broad interpretation of what constitutes ‘personal data’ under the General Data Protection Regulation (GDPR).

Some of the risks of processing personal data in the context of connected vehicles include:

  1. Not adequately informing all data subjects that their personal data is being processed. Often it is only the driver or owner who is provided with the required transparency information;
  2. Ensuring that a data subject’s consent qualifies as valid consent under the GDPR – consent needs to be considered in the context of personal data processing under the GDPR and in relation to the ePrivacy Regulations as it is likely that information will be stored or accessed in terminal equipment;
  3. Legitimately handling any additional processing of personal data not contemplated by the initial collection e.g. for the purposes of law enforcement;
  4. Collecting excessive amounts of personal data due to the vehicle manufacturer’s desire to use such data to develop new functionality; and
  5. The increased security risks due to the number of different types of technology used in connected vehicles (e.g. wi-fi, USB, RFID).


The European Union Blockchain Observatory and Forum, on 21 April, published a report examining how blockchain can be combined with two other important emerging technologies – the Internet of Things (IoT) and artificial intelligence (AI) – to complement each other and build new kinds of platforms, products, and services.

The report first looks at the interplay of blockchain with the IoT, addressing how blockchain can aid its functioning by providing a decentralised platform to the otherwise centralised approach of the IoT. This centralisation poses a number of challenges while monitoring, controlling, and facilitating communication between the millions of heterogeneous devices. The report highlights how blockchain can provide a more robust, more scalable, and more direct platform to overcome these challenges.

The report similarly delves into the potential relationship between blockchain and AI. It explains some concerns surrounding AI, like how it is currently concentrated in the hands of a few large companies due to the high cost of gathering, storing, and processing the large amounts of data, as well as engaging AI experts. It then illustrates how blockchain can mitigate such concerns so that access to AI models is more readily available to individuals and small companies.

On 19 November 2019, the European Union Agency for Network and Information Security (ENISA) released its report ‘Good practices for security of Internet of Things (IoT)’ (Report), providing a comprehensive analysis of security concerns surrounding IoT and secure Software Development Life Cycle (sSDLC) principles, and setting out best practices. Below, we highlight some of the key points.

Background

IoT refers to a network of internet-connected devices, ranging from microwaves to phones to smart homes. ENISA is tasked with improving the resilience of Europe’s critical information infrastructure and networks, and the Report focuses on establishing good practices for securing the IoT software development process. As a precursor to the Report, in 2017, ENISA released its study ‘Baseline Security Recommendations for IoT’.

Singapore has set up a new Telecom Cybersecurity Strategic Committee (TCSC) to develop a plan to tackle ‘next-generation cyber threats’ in the telecommunications sector.

The committee is expected to publish a strategy report and outline a roadmap for telecommunications operators to develop cybersecurity capabilities later in 2019. The report and roadmap will include recommendations for new initiatives such as capability development, technology innovation, regulation and international partnerships.

In his opening address at the inaugural Infocomm Media Cybersecurity Conference on 25 January 2018, Dr Janil Puthucheary, senior minister of state for the Ministry of Communications and Information, highlighted the following points.

As “Singapore aims to be a Smart Nation and a leading digital economy”, there is a vital need for cybersecurity. He added that the telecom industry is key to securing Singapore’s connectivity infrastructure and services.

The government and telecommunication industry players should collaborate on cybersecurity matters. To date, some examples of such collaborative efforts include:

  • The Infocomm Media Development Authority of Singapore (IMDA)’s launch of the Infocomm Singapore Computer Emergency Response Team in 2015 to respond to cybersecurity threats within the telecommunications and media sectors; and
  • IMDA’s revision in 2018 of the Telecommunications Cybersecurity Code of Practice to ensure that best practices from the industry can be applied to the telecom space.

The TCSC will identify challenges, key telecommunication technologies and market developments that will shape the cyber threat landscape. This is to ensure that Singapore keeps up to date on global, technological and industry trends.


The UK government has launched a Code of Practice (CoP) for Internet of Things (IoT) security. This is aimed at improving baseline security and ensuring that devices that process personal data are General Data Protection Regulation (GDPR) compliant, as well as advancing an industry-wide ‘security by design’ approach.

The CoP provides outcome-focused practical steps for IoT manufacturers and industry stakeholders to improve the security of their products. To achieve this, it has specifically identified thirteen guidelines that it considers essential to the safeguarding of IoT devices:

  1. No default passwords – all IoT device passwords should be unique and not resettable to a universal factory default value.
  2. Implement a vulnerability disclosure policy – companies that provide IoT devices and services are to provide a public point of contact as part of a vulnerability disclosure policy, to enable issues to be reported. A disclosed vulnerability should be acted on in a “timely manner”.
  3. Keep software updated – updates should be timely and should not impact the functioning of the device, and the need for them should be made clear to consumers.
  4. Securely store credentials and security-sensitive data – credentials must be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.
  5. Communicate securely – security-sensitive data should be encrypted and all keys managed securely.
  6. Minimise exposed attack surfaces – devices and services should operate on the principle of “least privilege”.
  7. Ensure software integrity – software should be verified using secure boot mechanisms.
  8. Ensure that personal data is protected – personal data should be protected in accordance with the GDPR and Data Protection Act 2018.
  9. Make systems resilient to outages – resilience should be built into IoT devices.
  10. Monitor system telemetry data – telemetry data should be monitored for security anomalies.
  11. Make devices easy for consumers to delete personal data – devices should be configured so that an individual can easily delete their personal data from it.
  12. Make installation and maintenance for devices easy – this should employ minimal steps and should follow security best practice. Consumers should be given guidance on how to set up their device securely.
  13. Validate input data – data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices must be validated.


California enacted Internet of Things (IoT) legislation intended to help protect consumer privacy and safety from potential hacking of connected devices. Under the state legislation that may apply to any connected devices sold in California, manufacturers of connected devices are required to equip the devices with security options suitable to the nature of the device

The European Union Agency for Network and Information Security (ENISA) has published a paper on the security challenges that arise from the convergence of Internet of Things (IoT) and Cloud computing. The paper is directed at IoT developers, IoT integrators and Cloud service providers, and concludes with a number of suggested steps to achieve secure solutions.

ENISA defines IoT as “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making”. This would include, for example, smart homes, Fitbits and Apple Watches. ENISA divides the IoT ecosystem into three components: (i) devices, (ii) communications and (iii) Cloud platform, backend and services.

The growth of IoT in recent years has put pressure on Cloud computing to evolve in order to accommodate IoT’s needs, including aggregating, storing and processing the data that it generates. This resulted in a new model, the “IoT Cloud”.

The emergence of the IoT Cloud poses potential security risks, and ENISA is primarily concerned about the fact that IoT devices provide access to Cloud systems, and therefore any attack on an IoT device can potentially lead to a more widespread attack.

On February 28, 2018, the Federal Trade Commission (FTC) released a report about security update practices for businesses providing mobile phones and other connected devices. The report recommends that manufacturers and carriers provide security updates that are consistent with consumer expectations, provide better information regarding their security practices and educate consumers on their role in

Last year, we reported on Ofcom’s Statement on ‘Promoting investment and innovation in the Internet of Things (IoT)’ (Statement). IoT refers to the exponentially growing network of products that are capable of communicating with each other, such as smart watches and smart thermostats. The Statement identified four priority areas to support the growth of IoT