Blockchain and IoT: secure future or regulatory minefield?

Summary

Blockchain’s main proposition benefit is of a ledger which is distributed rather than centralised. While simple-sounding, this technological innovation has the potential to transform many areas of business activity and transaction, including in the financial service relating to payments and banking (through uses of cryptocurrencies (Bitcoin, Ethereum and the like) and initial coin offerings (ICOs), to smart contracts to digital manufacturing and supply chain logistics and audit, digital certification to combat counterfeiting, smart cities and digital IDs, governance and compliance in various industries. A number of jurisdictions have invested in exploring distributed ledger technology (DLT), the underpinning technology to blockchain, including its application to Internet of Things (IoT). We explore some key considerations and concerns currently encountered by IoT relating to privacy and security, including whether blockchain solutions may overcome some of the privacy and security concerns which may be inhibiting wider IoT adoption, as well as briefly assess how such issues are regulated in some major jurisdictions.

Key points

Security, privacy and IoT

The promise of a highly connected world, where previously inert devices become “smart”, has driven a boom in the uptake in IoT technology over the past decade. From an estimated two billion devices in 2006, it is predicted that IoT numbers worldwide will reach 82 billion by 2025 (source: IDC Worldwide Internet of Things Installed Base by Connectivity Forecast, 2017–2021 (March 2017). Globally, it is projected that businesses  and consumers will contribute a total IoT spend of $745 billion in 2019. This is set to top $215 trillion in aggregate investment by 2025. At its simplest, IoT is the concept of connecting any device powered by electricity to the internet and/or other devices.

Despite the inexorable rise in IoT adoption, business and consumers have voiced broad concerns about the security of using such devices. Research conducted by Cisco in 2017 revealed that 60% of IoT projects stall before being implemented, while less than a third of companies have implemented IoT projects that they considered a commercial success.

A key question that has slowed the rollout of IoT has been its weak security. A primary reason for the implementation of IoT devices by business is the vast quantities of data they can generate. It is estimated that in every minute of 2018, 4756 IoT connections were made, and 3,138,420 GB of information were  processed through those connections. However, the data being generated by these devices is rarely secured effectively. In fact, IoT devices are considered by some to be the greatest threat to individual data security today.

IoT security concerns are twofold. In the first instance, consumers and businesses are aware of the risks to their own networks and data posed by an unsecured network of IoT devices. The security of individual devices is often severely lacking when they come out-of-the-box. IoT developers often prioritise getting their devices to market ahead of ensuring that they are stable and secure (source: D V Posadas Jr “The Internet of Things: The GDPR and the blockchain may be incompatible” (2018) 21(11) Journal of Internet Law 1 at 20). A breach in the network may lead to compromised or stolen data or information, prompting regulatory responsibilities. This issue has become front of mind for many consumers, as concerns around the capacity for conversations to be surreptitiously recorded by devices such as Amazon Echo or Google Home having listening devices that are “always on” are raised and debated.

The second security issue surrounding IoT is the harnessing of IoT devices for their IP addresses to be used in large-scale distributed denial-of-service (DDoS) attacks (source: N Kshetri “Can blockchain strengthen the Internet of Things?” (2017) 19(4) IEEE IT Professional 68). The largest DDoS incident ever recorded was orchestrated by malicious agents hacking into IoT devices and coordinating those devices to target specific websites with enormous amounts of traffic, forcing them down.

Despite no clear improvement in the way that IoT is secured, businesses are continuing to act bullishly in procuring and implementing IoT solutions, with 69% of companies having adopted, or intending to adopt, IoT infrastructure. The coming years are presenting as a tipping point for IoT: with increasing quantities of valuable information being produced by increasing numbers of businesses and consumers alike, how is the IoT going to be secured?

IoT and blockchain from a technical perspective

The IoT is known to be particularly susceptible to malicious cyber attacks. Over the course of 2018 almost every industry was impacted to some degree by such attacks on exposed IoT systems. In 2016, the US-based domain name system provider Dyn was subject to a massive DDoS attack originating from “tens of millions of IP addresses”, many of which were determined to have been IoT devices. These devices, including cameras, baby monitors and home internet routers, were infiltrated and co-opted into flooding Dyn with traffic from their unique IP addresses.

The typically weak out-of-the-box security settings and subsequent reliance of each IoT network on a centralised cloud for storage prompt the concerns for the security of each network, and the data generated.

Blockchain has been presented as a possible solution to at least one aspect of the security issues that affect IoT networks. The centralised nature of cloud storage has meant that once an attacker breaches the initial security of one IoT device, they can gain access to the network, and therefore centralised cloud all devices on the network contribute data too. Given the data produced by these devices is a key reason many commercial enterprises are implementing IoT networks, vulnerabilities relating to the security of the cloud are of particular concern. Breaches of IoT security that lead to compromised data also raise concerns around regulatory compliance with privacy and data security regimes.

Blockchain allows data management in IoT networks to become decentralised. As a distributed ledger, a blockchain relies upon network participants to verify data transactions whereupon they are recorded into immutable blocks as links in a chain. This function allows the data history of an IoT network to be tracked and provides certainty that once data is entered into the blockchain, it cannot be removed or edited. Access to the blockchain is also safeguarded by more stringent security systems than typically are available in IoT devices, typically requiring users to present a private key to gain access to a block containing data. Blockchain may hold significant potential in bridging a number of the security gaps currently evident in IoT implementation, however there are a number of technical shortcomings that need to be considered.

Technical shortcomings

It is not universally agreed that blockchain will provide the silver bullet to solve security issues in the IoT. There are several technical stumbling blocks which need to be overcome by each IoT network before blockchain is a viable security solution.

Blockchains are traditionally authenticated by asking specific members of a network (known as miners) to confirm, independently, that a transaction has occurred and that the details of the transaction are correct. This requires miners to solve a cryptographic algorithm to produce a “hash” which then locks the block, and its list of transactions, in place. The hash can then be easily verified by the other members of the network, providing the certainty that underpins blockchain as a value proposition. The process involves significant amounts of energy and computational power to process the authentication, access to a network of independent actors, and delays as each block in the chain is authenticated by those decentralised actors (source: ADorri, S S Kanhere, R Jurdak and P Gauravaram “Blockchain for IoT Security and Privacy: The Case Study of a Smart Home” (Paper presented at IEEE PerCom Workshop on Security Privacy and Trust in the Internet of Things, March 2017). Given most IoT networks consist of lightweight, low-power devices, the potential to generate the levels of energy and processing power required are often limited or expensive. This presents a major drawback to the use of blockchain in IoT.

Researchers from the School of Computer Science and Engineering at the University of New South Wales have proposed a workaround by introducing an online device with high levels of processing power known as a “miner” to manage and authenticate a private blockchain used for controlling and auditing communications between devices in the context of a “smart home”. The research group developed a slimline version of the traditional blockchain which, they argue, is more suited to the IoT setting.

Progress in the space of IoT-optimised blockchain solutions demonstrates the clear potential for blockchain to help secure the IoT, however there is still work to be done.

Regulation: will blockchain help or hinder?

Australia
The regulatory environment surrounding IoT security in Australia is currently limited to the obligations placed upon data controllers by the Privacy Act 1988 (Cth), in particular the Australian Privacy Principles (APPs). These principles are technologically neutral, principles-based legal obligations that apply to:

• most Australian Government agencies
• private sector and not-for-profit organisations with an annual turnover of more than $3 million
• all private sector health service providers
• some small businesses such as businesses trading in personal information

IoT networks built and operated for personal use by consumers will not be subject to these privacy principles. However, for businesses, many of the APPs will be relevant in the context of operating an IoT network. While the use and management of data gathered using IoT networks will be subject to the governance of the APPs and the Privacy Act, these principles do not represent a dedicated or nuanced approach to managing the unique security issues associated with IoT, rather they dictate the repercussions of failing to adequately secure data.

Agencies and government groups, such as the Australian Communications and Media Authority (ACMA) and IoT Alliance Australia (IoTAA), are collaborating to resolve the cybersecurity issues that the IoT industry presents. Still, a coordinated strategy is still lacking.

In the absence of current applicable regulation in Australia, it is helpful to look to other jurisdictions for guidance as to how the management of IoT security risks
may be achieved.

Hong Kong
We won’t be discussing the potential regulation of blockchain/DLT as it relates to ICOs, which in Hong Kong could be regarded as “regulated activities” under the Securities and Futures Ordinance, Cap 571 (HK) (SFO) and peer-to-peer lending may also (depending on scale and nature) be subject to the requirement of a licence under the Money Lenders Ordinance, Cap 163 (HK) as well as the SFO.

For data protection and privacy issues as they relate to IoT, organisations have an obligation under Data Privacy Principle (DPP) 4 (Data Security) under the Personal Data (Privacy) Ordinance, Cap 486 (HK) (Ordinance) to take all practicable steps to ensure that personal data under their control are protected against unauthorised or accidental access, use or loss. Security measures should be proportionate to the risk of harm of any potential breach.

In early 2017, the Office of the Privacy Commissioner for Personal Data (PCPD) released findings from a study and made recommendations on privacy protections amid rapid developments in IoT. The PCPD noted in its study that there was a general lack of awareness amongst IoT device manufacturers of communicating privacy and security protection measures to consumers, and the PCPD urged manufacturers engaged in the development of IoT devices to improve their privacy communications so that consumers could assess the privacy impact and take necessary steps to protect their personal data. To tackle the security problem at source, the PCPD encouraged IoT device manufacturers to adopt the practice of “Privacy by Design”, and that consumers only deploy those IoT devices which have incorporated such design. The PCPD provided non-binding, persuasive guidance and recommendations, including in connection with updates to reader-friendly privacy policies, adopting “Privacy by Design” frameworks from the outset, adopting “Privacy by Default” approaches (namely adopting default settings which are least privacy-intrusive) and allowing data subjects to exercise their rights to delete data as well as access and correction rights.

In more recent times, the PCPD has also stressed the importance additionally of an “Ethics by Design” approach to IoT development, arguing that ethical use of personal data makes good business sense. Respectful, beneficial and fair use of customers’ personal data is recommended for development of IoT solutions by business.

United States
IoT specific regulation in the US is limited, however California recently introduced legislation that works to address the issue of IoT security.

The California Consumer PrivacyAct of 2018 (CCPA) is the first attempt by any state within the US to impose security requirements on IoT devices. This new law requires manufacturers of IoT devices to install minimum reasonable security features in internet-connected devices in a manner that is appropriate for the nature and function of the particular device.

The CCPA is currently scheduled to come into force on 1 January 2020, and in effect requires manufacturers to provide authentication credentials that are unique to each device or install prompts for users to change the password before they can make use of the device. Despite being a clear move in the right direction, the details of the CCPA have drawn mixed reactions from security experts.

Bruce Schneier, a security technologist at the Harvard Kennedy School, claims that the Act doesn’t go far enough in protecting IoT devices and networks, but insists that it can lay the groundwork for stronger legislation at both the state and federal levels moving forward.

The US has demonstrated a regulatory focus on the specific threats to IoT, and the use of blockchain has the potential to align closely with these goals. Should Australia move to join with the US in specifically requiring improved security features from IoT manufacturers, then the proliferation of blockchain-based technologies in the IoT space would also be consistent with any new regulation as well as the existing privacy obligations. Blockchain has the potential to further these regulatory goals.

GDPR
The General Data Protection Regulation 2016/679 (GDPR) represents the global high-water mark for individual privacy and data security regulation. The framework is incredibly far-reaching, applying to “the processing of personal data of data subjects who are in the [European Union (EU)] by a controller or processor not established in the [EU]”. This extraterritorial function puts all entities that control data collected from members of the EU on notice that they must comply with the standards of the GDPR.

Given IoT networks often function to collect vast quantities of data from customers and consumers, the implications of using blockchain to secure an IoT network on compliance with the GDPR is a live issue for many Australian businesses.

The fundamental contradiction between blockchain technology and the GDPR is summarised by John Mathews, the CFO of Bitnation, when he stated, “the GDPR was written on the assumption that you have centralized services controlling access rights to the user’s data, which is the opposite of what a permission-less blockchain does.”. The GDPR is seen as having been developed for a cloud-based services model which breaks down with the introduction of decentralised authentication.

Further, since the immutable nature of blockchain represents one of the fundamental value offerings of the technology, it is problematic that the GDPR is predicated on handing control of data back to the data subject. The right to rectification and erasure is an example of this regulatory goal.

These rights provide each EU data subject with the opportunity to have “incomplete personal data completed, including by means of providing a supplementary statement”, as well as the right to require data controllers to completely remove information about an individual from their records when requested. To edit or remove the contents of a block within a chain that has already been authorised would be to undermine the trust that is placed in the security of that blockchain. In effect, the right to rectification and erasure is directly counter to the security proposition that blockchain offers.

Australia has demonstrated an inclination to align privacy and data security policy with the principles of the GDPR — the APPs are a clear example of this. It is
entirely possible that, for example, concepts of data rectification and erasure will become a feature of Australian privacy legislation which would compromise any existing blockchain-based IoT security systems. A movement further towards the GDPR would make the implementation of current blockchain systems with IoT a difficult proposition.

Osborne Clarke comment:

The IoT is becoming relevant to many aspects of our society, with most people connected to an IoT network through their phones or other smart devices. It is evident that security is a major concern for these networks, and the security of individual personal information is a paramount issue

Blockchain technology represents an effective solution to those security concerns. It is considered to be effective in protecting the individual devices as well as the data that is produced and stored through the use of a permanent record of data transactions that is incapable of being edited. While there are several technical drawbacks to the use of blockchain with IoT networks, developments are constantly being made which work to solve or minimise those issues.

Regulatory principles in Australia, Hong Kong and other key jurisdictions will be fundamental to businesses that are beginning to roll out IoT security programs founded on the principles of blockchain. As it stands, generally speaking, the privacy and data protection principles of major jurisdictions do not directly conflict with these blockchain principles, however as discussed there are several directions that the regulatory landscape could travel in.

Following a similar pathway to the US by focusing on the security of IoT specifically will allow for blockchain implementation to be consistent with national regulation. Blockchain, if implemented effectively, solves fundamental security problems faced by IoT networks. Conversely, should a broader approach to privacy regulation be taken and adopt a regime that looks to prioritise the rights of data subjects over their data, the immutable nature of the blockchain may fundamentally contradict that goal.

This article from Albert Yuen of Osborne Clarke and Matthew Hargreaves of Gilbert + Tobin originally appeared in the September 2019 (Vol 22 No 4) issue of Internet Law Bulletin