Issue #29: Internet Of Things

On The Need Of Regulation In The IoT Industry

Reading this magazine is a political act. When choosing between Pravda or the Financial Times; Fox News or PBS; Daring Fireball or Paul Thurrott’s SuperSite for Windows, a reader should know what those publications stand for. Every newspaper, every magazine, every blog, every podcast has a point of view, a flag, a position, to be defended and to be upheld. Paraphrasing the words of the “Think Different” campaign, one can disagree with them, vilify them, but one must be sure that each of these publications tries hard not to be ignored. Choosing whichever option is, simply put, a political act.

This monthly publication you are currently reading is no different; particularly when the whole point of these lines is to highlight the conflicts in the crossing paths of technology and humanities. We uphold object-oriented programming and other stable, boring technologies. We encourage, promote, and defend the formation of worker unions in the technology field. We demand that hype and novelty be subjected to closer scrutiny and, if all else fails, we consider them mere reinventions. We think that online (and offline) privacy and security are basic human rights. But above all, we condemn and abhor both the growing technological analphabetism of ruling elites in the highest political circles, and the lack of political education, involvement, and interest of so-called “technology enthusiasts.”

The previous two paragraphs should have set the tone for the subject of this month: “Internet of Things.” TL;DR: it is not pretty, and we need global state intervention in this industry, fast.

The author types these words precisely when the Raspberry Pi Pico hits the newsstands (literally) at 4 USD. The specs are impressive, and they will get better in the following years. From the myopic point of view of cost management in a First World country, it seems as if any and every thing sold in the market could come bundled with a CPU and some on-board Flash memory. Now you can even embed a JavaScript engine inside of those “smart” things, because Atwood’s Law applies here as well.

Add to the mix a smartphone app, and now you can turn on and off your car parking doors from the comfort of your Tesla (something you could already do in the 1970s with an infrared remote control, no Bluetooth needed), or even fancier, whoop whoop! Via an Alexa “Routine”. How about that. Poor Jeff Bezos needs to know more about you, he’s short on cash.

Light bulbs? Check. Thermostats? Check. Headphones? Check. Cars? Check. TV sets? Check. Security cameras? Check. Home weather stations? Check. Bicycle locks? Check. Smoke detectors? Check. Pet trackers? Check. Sex toys? Check.

Of course, after decades of growth, it would be disingenuous to look away or pretend that this industry does not exist. At a time when there are already industry alliances ready to lobby for more “innovation” in the sector (read: less government intervention), what the IoT market needs (and fast) is, precisely, more and better regulation (or, as is the case in many countries, any regulation at all).

Following the tracks of the GDPR and the CCPA I expect either the European Union or California to come up with a set of rules, including both suitable quality standards for IoT devices, as well as the creation of ruling bodies to uphold them. Standards which, in the opinion of this writer, should cover the following tenets (at the very least):

  • Openness: Source code of all approved IoT devices must be made available to the public (not necessarily with open source licenses, but openly available for download and inspection) and cryptographically signed. This is needed to verify the integrity of the binaries installed after each update, and to prevent the inevitable decay of closed-source code.
  • Security: Changing the default password on devices must be mandatory upon installation; data encryption standards must be provably used in all storage and communication; et caetera.
  • Privacy: The absolute and total disclosure of the use of personal data gathered by these devices is a conditio sine qua non for the marketing, distribution, and sale of these devices. This point should already be mostly covered by the aforementioned regulatory rules, GDPR, CCPA, and others similar, but should include extensions and provisions specific to IoT devices.
  • Traceability: Software updates must be submitted to a regulatory body for archival, so as to guarantee the perennity and accessibility of hardware devices using them in the future. IoT devices must have a longer life than what we have seen so far.
  • Compatibility: Existing standards (operating systems, networking protocols, hardware ports, power outlets, and others) must be preferred and prioritised above “innovations” at all times. Users must be able to access their devices using any major commercial operating system of their choice, plus Linux or any other free software option. This includes mobile operating systems.
  • Accessibility: All users, regardless of their disabilities, must be able to configure, operate, and dispose of these systems freely and independently, at any time.
  • Environmental issues: companies producing IoT devices must be held responsible for the collection, disposal, and recycling of all IoT devices they have produced, including the components thereof.

The actual list of tasks of such a regulatory body would be much larger, of course; but this should provide a starting point for its activities. Plus, of course, the requirement for inspections and sanctions, if needed (hint: it will be needed. It is already the case.)

In these pages we have talked about similar issues many times: Graham mentioned the need to “…move from a situation in which we expect people to buy (or lease) a new handheld computer every 1-2 years, even if their existing one works fine.” This author talked about “…the idea that making a better world with software means being sincere to one another. Avoid the lies. Do not be a hypocrite. Be upfront about the shortcomings of your software” and even proposed a “Hippocratic Oath” for the software industry.

As funny and as entertaining as the “Internet of Shit” Twitter account might be, a foreseeable solution to the current broken state of the IoT industry will not come from the industry itself. It is the sincere hope of this author that governments around the world will regulate this space to mold (if needed, by brute force) this brute mess of unconscious VC-fueled “innovation” startups, into a responsible industry.

Cover photo by Tina Rataj-Berard on Unsplash.

Adrian Kosmaczewski is a software consultant and evangelist. He is a published writer, trainer and speaker. He holds a Master's degree from the University of Liverpool.