As the Internet of Things (IoT) becomes more and more prevalent, the big question local governments should ask themselves is “Are we prepared to steward the public’s data in the context of IoT?” While there are exceptions, we suspect that in many cases, the answer to that question is “no.” As technology continues to evolve faster than organizations, there is a gap between IoT products and services and the public policies and government practices designed to effectively manage them. All governments considering the IoT should acknowledge this capability gap and carefully consider the following three issues in order to design policies and practices that allow government to maximize the benefits and minimize the risks of IoT investments.
IoT data ownership is complicated by the mix of vendors needed to deploy and support a network. Several models exist to finance, maintain and support an IoT network, and the IoT can be purchased or paid for as a service. It’s in this type of IoT-as-a-service model that data ownership can become less clear, similar to how information in cloud computing services raises concerns about data ownership and appropriate access. Different components of the IoT network may be operated by different partners, each with their own interests.
When IoT devices, communication networks, analytical tools and storage systems run as a service, the terms of service agreements may state that the system vendors have both ownership and use of the data. And when data from multiple sources and devices are combined and aggregated, new data is created, making it difficult to identify the original owner of data sets. Therefore, effective data stewardship relies on the government’s ability to address data ownership from the perspectives of all stakeholders involved (e.g., citizen, government, vendor). Once ownership is established and agreements are struck about how to manage changes to the existing stakeholder mix, effective stewardship practices can be put in place.
An IoT device has three major components: hardware, operating system software, and the data it creates or senses. All three of these components are vulnerable to attack, perhaps even more so than other IT innovations due to the fact that IoT devices typically live outside an organization’s normal IT boundaries (both in a network firewall and physical location sense). This limits IT managers’ ability to use existing security infrastructure to provide security and management for IoT devices. And the security of the data is dependent on the security of the hardware and software generating it; hardware and software vulnerabilities contribute to data vulnerability.
Furthermore, some IoT products are simply not equipped with high-level computing capability, restricting the ability to encrypt and secure the devices and the data they generate. An additional challenge lies in the fact that these low-powered devices are remotely connected, and software-related security updates and configuration changes are generally harder to maintain. Therefore, governments should develop a comprehensive approach to IoT security and start by asking themselves: What are the risks if the IoT gets hacked? What are the dangers in loss of control of the IoT? Has a formal security assessment been performed on the IoT devices being purchased?
Sensors have the ability to collect many different types of data from a wide range of sources including people, environment, buildings and machines. With the large range of capabilities of sensors, and the networking capabilities to combine the data, sensors used in public spaces need a new set of rules to meet expectations of privacy.
For example, traffic light cameras capture images of cars running red lights, which are then quickly processed by computers trained to track changes in the street light and placement of cars. This generates different types of data, including pictures of people in their cars, license plate information and whether a car ran a light. Therefore, government needs to ask data management questions when considering IoT options. For example: What portion of this data should be kept and for how long? What is the data classification for each type of data? Can some (or all) of the data be sold or published?
As local governments consider deploying cyberphysical systems, whether in the form of new sensor networks on light poles and cameras on parking spaces or others, they must invest in new understanding of the accompanying policy and management infrastructure required to ensure that they continue to meet their obligations as stewards of the public’s data. Put simply, local governments need to think holistically and in terms of capability when considering the IoT.
Derek Werthmuller is the director of technology innovation and services at the Center for Technology in Government at the University at Albany.