Internet of Things – New security and privacy challenges
Article in Computer Law & Security Report · January 2010
DOI: 10.1016/j.clsr.2009.11.008
Author: Rolf H. Weber, University of Zurich
computer law & security review 26 (2010) 23–30

available at www.sciencedirect.com

www.compseconline.com/publications/prodclaw.htm

Internet of Things – New security and privacy challenges

Rolf H. Weber
University of Zurich, Zurich, Switzerland, and University of Hong Kong, Hong Kong

Abstract

Keywords: Data protection; Internet of Things; Privacy; RFID; Security

The Internet of Things, an emerging global Internet-based technical architecture facilitating the exchange of goods and services in global supply chain networks, has an impact on the security and privacy of the involved stakeholders. Measures ensuring the architecture's resilience to attacks, data authentication, access control and client privacy need to be established. An adequate legal framework must take the underlying technology into account and would best be established by an international legislator, which is supplemented by the private sector according to specific needs and thereby becomes easily adjustable. The contents of the respective legislation must encompass the right to information, provisions prohibiting or restricting the use of mechanisms of the Internet of Things, rules on IT-security-legislation, provisions supporting the use of mechanisms of the Internet of Things and the establishment of a task force doing research on the legal challenges of the IoT.

© 2010 Prof Rolf H. Weber. Published by Elsevier Ltd. All rights reserved.

1. Internet of Things: notion and technical background

The Internet of Things (IoT) is an emerging global Internet-based information architecture facilitating the exchange of goods and services in global supply chain networks.1 For example, the lack of certain goods would automatically be reported to the provider which in turn immediately causes electronic or physical delivery. From a technical point of view, the architecture is based on data communication tools, primarily RFID-tagged items (Radio-Frequency Identification).2 The IoT3 has the purpose of providing an IT-infrastructure facilitating the exchanges of "things" in a secure and reliable manner.4

The most popular industry proposal for the new IT-infrastructure of the IoT is based on an Electronic Product Code (EPC), introduced by EPCglobal and GS1.5 The "things" are physical objects carrying RFID tags with a unique EPC; the infrastructure can offer and query EPC Information Services (EPCIS) both locally and remotely to subscribers.6

1 For a general overview see Rolf H. Weber, Internet of Things – Need for a New Legal Environment? [2009] 25 Computer Law & Security Review 521.
2 RFID is a technology used to identify, track and locate assets; the universal, unique identification of individual items through the EPC is encoded in an inexpensive RFID tag.
3 The term "IoT" has been "invented" by Kevin Ashton in a presentation in 1998 (see Gerald Santucci, Paper for the International Conference on Future Trends of the Internet, From Internet of Data to Internet of Things, at p. 2, available at: ftp://ftp.cordis.europa.eu/pub/fp7/ict/docs/enet/20090128-speech-iot-conference-lux_en.pdf).
4 For general overviews of the technical background of the IoT see Christian Floerkemeier/Marc Langheinrich/Elgar Fleisch/Friedemann Mattern/Sanjay E. Sarma (eds), The Internet of Things, Berlin/Heidelberg 2008; Lu Yan/Yan Zhang/Laurence T. Yang/Huansheng Ning (eds), The Internet of Things, New York/London 2008.
5 See http://www.epcglobalinc.org.
6 See Benjamin Fabian, Secure Name Services for the Internet of Things, Thesis, Berlin 2008, 30/31; to the details of the service orientation and the context-aware computing see Davy Preuveneers/Yolande Berbers, Internet of Things: A Context-Awareness Perspective, in: Yan/Zhang/Yang/Ning, supra note 4, 288, at 296 ss.

The information is not fully saved on an RFID tag, but a supply of the information by distributed servers on the Internet is made available through linking and cross-linking with the help of an Object Naming Service (ONS).7

The ONS is authoritative (linking metadata and services) in the sense that the entity having – centralized – change control over the information about the EPC is the same entity that assigned the EPC to the concerned item.8 Thereby, the architecture can also serve as backbone for ubiquitous computing, enabling smart environments to recognize and identify objects, and receive information from the Internet to facilitate their adaptive functionality.9 The central ONS root is operated by the (private) company VeriSign, a provider of Internet infrastructure services.

The ONS is based on the well-known Domain Name System (DNS). Technically, in order to use the DNS to find information about an item, the item's EPC must be converted into a format that the DNS can understand, which is the typical, "dot" delimited, left to right form of all domain names.10 Since the EPC is encoded into a syntactically correct domain name and then used within the existing DNS infrastructure, the ONS can be considered a subset of the DNS. For this reason, however, the ONS will also inherit all of the well-documented DNS weaknesses, such as the limited redundancy in practical implementations and the creation of single points of failure.11
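As an added example (not code from the paper), the EPC-to-domain-name conversion cited in footnote 10 is carried out on the SGTIN example from the ONS specification, followed by a constructed model of what any party on the DNS resolution path can read from such a query; the observer view and all function names are this example's own assumptions, not part of the standard.

```python
"""Added example (not code from the paper): how an EPC becomes an ONS/DNS query name.

Implements the EPC-to-domain-name conversion of EPCglobal ONS 1.0.1, para 5.2
(the paper's footnote 10), and then models what a passive observer of the resulting
DNS query can read. The SGTIN below is the example EPC used in that specification;
the observer view is a constructed illustration of the paper's "client privacy"
requirement, not part of the standard.
"""
import re

ONS_ROOT = "onsepc.com"  # root domain under which ONS 1.0.1 delegates company prefixes


def epc_to_ons_fqdn(epc_urn: str, root: str = ONS_ROOT) -> str:
    """Convert an EPC pure-identity URN into the name an ONS client asks the DNS for.

    Worked on the specification's example:
      urn:epc:id:sgtin:0614141.112345.400
      1. strip 'urn:epc:'        -> id:sgtin:0614141.112345.400
      2. drop the serial number  -> id:sgtin:0614141.112345
      3. invert the field order  -> 112345.0614141:sgtin:id
      4. replace ':' with '.'    -> 112345.0614141.sgtin.id
      5. append the ONS root     -> 112345.0614141.sgtin.id.onsepc.com
    Assumes, as the SGTIN case does, that the serial number is the last field.
    """
    if not epc_urn.startswith("urn:epc:id:"):
        raise ValueError("not an EPC pure-identity URN: %r" % (epc_urn,))
    # step 1, tokenised on both separators: ['id', 'sgtin', '0614141', '112345', '400']
    fields = re.split(r"[:.]", epc_urn[len("urn:epc:"):])
    # id, scheme, company prefix, item reference, serial: at least five non-empty tokens
    if len(fields) < 5 or not all(fields):
        raise ValueError("malformed EPC: %r" % (epc_urn,))
    labels = fields[:-1][::-1]  # steps 2 and 3
    for label in labels:  # each token must be a legal DNS label (RFC 1035 limits)
        if len(label) > 63 or not re.fullmatch(r"[A-Za-z0-9-]+", label):
            raise ValueError("field %r is not usable as a DNS label" % (label,))
    fqdn = ".".join(labels) + "." + root  # steps 4 and 5
    if len(fqdn) > 253:
        raise ValueError("resulting name exceeds the DNS length limit")
    return fqdn


def query_observer_view(fqdn: str, root: str = ONS_ROOT) -> dict:
    """What an on-path observer of the ONS lookup (recursive resolver, network tap)
    can read from the query name alone, before any EPCIS connection is opened.

    Because the ONS is a subset of the DNS, the lookup travels as an ordinary
    cleartext DNS query: the manufacturer (company prefix) and product type (item
    reference) of the scanned object are visible to every party on the resolution
    path. That is the inference the paper's 'client privacy' requirement wants
    restricted to the information provider; TLS on the later EPCIS connection
    does not cover the DNS query itself.
    """
    if not fqdn.endswith("." + root):
        raise ValueError("not an ONS name under %s: %r" % (root, fqdn))
    labels = fqdn[: -(len(root) + 1)].split(".")  # ['112345', '0614141', 'sgtin', 'id']
    if len(labels) < 4 or labels[-1] != "id":
        raise ValueError("unexpected ONS name layout: %r" % (fqdn,))
    return {
        "scheme": labels[-2],
        "company_prefix": labels[-3],
        "item_reference": ".".join(labels[:-3][::-1]),
        "serial_visible": False,  # dropped in step 2, so not exposed by the lookup
    }


if __name__ == "__main__":
    name = epc_to_ons_fqdn("urn:epc:id:sgtin:0614141.112345.400")
    print(name)  # 112345.0614141.sgtin.id.onsepc.com
    print(query_observer_view(name))
```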
2. Security and privacy needs

2.1. Requirements related to IoT technology

The described technical architecture of the IoT has an impact on the security and privacy of the involved stakeholders. Privacy includes the concealment of personal information as well as the ability to control what happens with this information.12 The right to privacy can be considered as either a basic and inalienable human right, or as a personal right or possession.13

The attribution of tags to objects may not be known to users, and there may not be an acoustic or visual signal to draw the attention of the object's user. Thereby, individuals can be followed without them even knowing about it and would leave their data or at least traces thereof in cyberspace.14 Further aggravating the problem, it is not anymore only the state that is interested in collecting the respective data, but also private actors such as marketing enterprises.15

Since business processes are concerned, a high degree of reliability is needed. In the literature, the following security and privacy requirements are described:16

• Resilience to attacks: The system has to avoid single points of failure and should adjust itself to node failures.
• Data authentication: As a principle, retrieved address and object information must be authenticated.17
• Access control: Information providers must be able to implement access control on the data provided.18
• Client privacy: Measures need to be taken that only the information provider is able to infer from observing the use of the lookup system related to a specific customer; at least, inference should be very hard to conduct.

Private enterprises using IoT technology will have to include these requirements into their risk management concept governing the business activities in general.

2.2. Privacy enhancing technologies (PET)

The fulfilment of customer privacy requirements is quite difficult. A number of technologies have been developed in order to achieve information privacy goals. These Privacy Enhancing Technologies (PET) can be described in short as follows:19

• Virtual Private Networks (VPN) are extranets established by close groups of business partners. As only partners have access, they promise to be confidential and have integrity. However, this solution does not allow for a dynamic global information exchange and is impractical with regard to third parties beyond the borders of the extranet.
• Transport Layer Security (TLS), based on an appropriate global trust structure, could also improve confidentiality and integrity of the IoT. However, as each ONS delegation step

7 Fabian, supra note 6, at 33.
8 EPCglobal, Object Naming Service (ONS) Version 1.0.1, at para 4.2, available at: http://www.epcglobalinc.org/standards/ons/ons_1_0_1-standard-20080529.pdf.
9 Fabian, supra note 6, at 1.
10 EPCglobal, Object Naming Service (ONS) Version 1.0.1, supra note 8, at para 5.2.
11 For more details see Weber, supra note 1.
12 Seda F. Gürses/Bettina Berendt/Thomas Santen, Multilateral Security Requirements Analysis for Preserving Privacy in Ubiquitous Environments, in: Bettina Berendt/Ernestina Menasalvas (eds), Workshop on Ubiquitous Knowledge Discovery for Users (UKDU '06), at 51–64; for privacy as freedom see Gus Hosein, Privacy as Freedom, in: Rikke Frank Jørgensen (ed.), Human Rights in the Global Information Society, Cambridge/Massachusetts 2006, at 121–147.
13 Gürses/Berendt/Santen, supra note 12, at 54.
14 See also Ari Juels, RFID Security and Privacy: A Research Survey, IEEE Journal on Selected Areas in Communications, Vol. 24, 2006, 381–394, at 383; Marc Langheinrich/Friedemann Mattern, Wenn der Computer verschwindet, digma 2002, 138–142, at 139; Friedemann Mattern, Ubiquitous Computing: Eine Einführung mit Anmerkungen zu den sozialen und rechtlichen Folgen, in: Jürgen Taeger/Andreas Wiebe (eds), Mobilität. Telematik, Recht, Köln 2005, 1–34, at 18 s.
15 Mattern, supra note 14, at 24.
16 See Benjamin Fabian/Oliver Günther, Distributed ONS and its Impact on Privacy, 1223, 1225, available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=04288878.
17 For RFID authentication see Juels, supra note 14, at 384 s; Rolf H. Weber/Annette Willi, IT-Sicherheit und Recht, Zurich 2006, at 284.
18 See also Eberhard Grummt/Markus Müller, Fine-Grained Access Control for EPC Information Services, in: Floerkemeier/Langheinrich/Fleisch/Mattern/Sarma, supra note 4, at 35–49.
19 Fabian, supra note 6, 61 s; Benjamin Fabian/Oliver Günther, Security Challenges of the EPCglobal Network, Communications of the ACM, Vol. 52, July 2009, 121–125, at 124 s.

requires a new TLS connection, the search of information would be negatively affected by many additional layers.
• DNS Security Extensions (DNSSEC) make use of public-key cryptography to sign resource records in order to guarantee origin authenticity and integrity of delivered information. However, DNSSEC could only assure global ONS information authenticity if the entire Internet community adopts it.
• Onion Routing encrypts and mixes Internet traffic from many different sources, i.e. data is wrapped into multiple encryption layers, using the public keys of the onion routers on the transmission path. This process would impede matching a particular Internet Protocol packet to a particular source. However, onion routing increases waiting times and thereby results in performance issues.
• Private Information Retrieval (PIR) systems conceal which customer is interested in which information, once the EPCIS have been located. However, problems of scalability and key management, as well as performance issues, would arise in a globally accessible system such as the ONS, which makes this method impractical.

A further method to increase security and privacy is Peer-to-Peer (P2P) systems, which generally show good scalability and performance in the applications. These P2P systems could be based on Distributed Hash Tables (DHT). Access control, however, must be implemented at the actual EPCIS itself, not on the data stored in the DHT, as there is no encryption offered by either of these two designs.20 Insofar, the assumption is reasonable that encryption of the EPCIS connection and authentication of the customer could be implemented without major difficulties, using common Internet and web service security frameworks.21 In particular, the authentication of the customer can be done by issuing shared secrets or using public-key cryptography.22

It is important that an RFID tag having been attached to an object can – at a later stage – be disabled in order to allow for customers to decide whether they want to make use of the tag. RFID tags may either be disabled by putting them in a protective mesh of foil known as a "Faraday Cage" which is impenetrable by radio signals of certain frequencies or by "killing" them, i.e. removing and destroying them.23 However, both options have certain disadvantages. While putting tags in a special cage is relatively safe, it requires that every tag from every single product is put in that cage if a customer desires so. Chances are that certain tags will be overlooked and left with the client and that he/she could still be traced. Sending a "kill" command to a tag leaves room to the possibility of reactivation or that some identifying information could be left on the tag. Furthermore, businesses may be inclined to offer clients incentives for not destroying tags or secretly give them tags.24 Instead of killing tags, the dissolution of the connection between the tag and the identifiable object could be envisaged. The information on ONS is deleted to protect the privacy of the owner of the tagged object. While the tag can still be read, further information with potential information concerning the respective person, however, is not retrievable.25

Moreover, transparency is also needed for non-personally identifiable information retrieved by RFID. An active RFID can for example trace movements of visitors of an event in real time without identifying the persons as such, who remain anonymous; nevertheless, the question remains whether such information not covered by traditional privacy laws might be collected without any restriction.26

2.3. Legal course of action

The European Commission is aware of the security and privacy issues related to the RFID and the IoT. In a Recommendation of May 12, 2009 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification27 the European Commission invites the Member States to provide for guidance on the design and operation of RFID applications in a lawful, ethical and socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal data (No. 1). In particular, the Recommendation outlines measures to be taken for the deployment of RFID application to ensure that national legislation is complying with the EU Data Protection Directives 95/46, 99/5 and 2002/58 (No. 2). Member States should ensure that industry in collaboration with relevant civil society stakeholders develops a framework for privacy and data protection impact assessments (PIA; No. 4); this framework should be submitted to the Article 29 Data Protection Working Party within 12 months. Industry and civil society stakeholders are in the process of establishing the requested framework PIA until late 2009. The objectives of the PIA are designed to identify the implications of the application on privacy and data protection, to determine whether the operator has taken appropriate technical and organizational measures to ensure respective protection, to document the measures implemented with respect to the appropriate protection, and to serve as a basis for a PIA report that can be submitted to the competent authorities before deployment of the application. Presumably, the framework should serve to determine a common structure and content of reports. In particular, RFID application description and scope, RFID application governing practices, accountability and analysis and resolution seem to be of importance. Furthermore, operators are asked to conduct an assessment of the implications of the application implementation for the protection of

20 Benjamin Fabian/Oliver Günther, Distributed ONS and its Impact on Privacy, 1225, available at http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=04288878.
21 Fabian/Günther, supra note 19, at 123.
22 Fabian/Günther, supra note 20, at 1227.
23 Gal Eschet, Protecting Privacy in the web of Radio Frequency Identification, Jurimetrics, Vol. 45, 2005, 301–332, at 317 s.
24 Eschet, supra note 23, at 137 ss.
25 Jürgen Müller/Matthias Handy, RFID als Technik des Ubiquitous Computing – Eine Gefahr für die Privatsphäre?, at 17, available at: http://www.imd.uni-rostock.de/veroeff/handy_bamberg05.pdf.
26 See Weber/Willi, supra note 17, at 245 ss; Viola Schmid, Radio Frequency Identification Law Beyond 2007, in: Floerkemeier/Langheinrich/Fleisch/Mattern/Sarma, supra note 4, 196–213, at 196; Benjamin Fabian/Oliver Günther/Sarah Spiekermann, Security Analysis of the Object Name Service, at 1 ss, available at http://lasecwww.epfl.ch/wgavoine/download/papers/FabianGS-2005-sptpuc.pdf.
27 COM (2009) 3200 final.

personal data and privacy and take appropriate technical and organizational measures to ensure the protection of personal data and privacy (No. 5), and a person within a business needs to be designated for the review of the assessments and the continued appropriateness of the technical and organizational measures. In addition, Member States are invited to support the EU Commission in identifying those applications that might raise information security threats with implications for the general public (No. 6). Additional provisions of the Recommendation concern the information and transparency on RFID use, the RFID applications used in the retail trade, the awareness raising actions, research and development as well as follow-up actions (Nos. 7–18).

In its specific Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on the Internet of Things (an Action Plan for Europe), the EU Commission again points to the importance of security and privacy in the IoT framework.28 The particular Line of Action 2 encompasses the continuous monitoring of the privacy and the protection of personal data questions; as part of Line of Action 3 the EU Commission is envisaging to launch a debate on the technical and the legal aspects of the "right to silence of the chips" and expresses the idea that individuals should be able to disconnect from their networked environment at any time.

3. Milestones of an adequate legal framework

The implementation of the IoT architecture and the use of RFID pose a number of legal challenges; the basic questions of the agenda can be phrased as follows29:
Is there a need for (international or national) state law or are market regulations of the concerned businesses sufficient?
If legislation is envisaged: Would existing/traditional legislation be sufficient or is there a need for new laws?
If new laws are to be released: Which kind of laws are required and what is the time frame for their implementation?

These legal challenges need to be embedded into the human rights and constitutional framework. Insofar, the decision of the German Supreme Court of 27 February 2008 constituting an independent fundamental right of confidentiality and integrity related to info-technical systems merits attention.30

3.1. Systematic approach

The establishment and implementation of an appropriate legal framework31 calls for a systematic approach32 in relation to the legislative process. Thereby, the following aspects should be taken into account:33

• Facts about RFID using scenarios are to be systematically developed; only under the condition that the facts are sufficiently known, adequate legal provisions can be drafted.
• A systematization of the legal problems potentially occurring can be done by coordination along the below discussed four technical axes, namely globality, verticality, ubiquity and technicity.
• The legal challenges of security and privacy issues related to the IoT and RFID are to be qualitatively classified.

In particular, the question must be addressed how much privacy the civil society is prepared to surrender in order to increase security. Solutions should be looked for allowing considering privacy and security not as opposites, but as principles affecting each other.34

In light of the manifold factual scenarios, it appears to be hardly possible to come to a homogenous legal framework governing all facets of the IoT and RFID. Moreover, a heterogeneous and differentiated approach will have to be taken into account. Thereby, the technical environment can be crystallized along the four axes, representing the most important challenges to the establishment of regulation:35

• Globality is based on the fact that goods and services in the IoT context will be globally marketed and distributed. The RFID technology is also "global" in the sense that the same technical processes are applied all over the world. Consequently, business and trade would be heavily complicated if differing national laws would be in place. If the RFID-tagged products are available on a global level, the legal systems need to be synchronized.
• Verticality means the potential durability of the technical environment. In particular, it is important for the life of the IoT that RFID-tagged products are lasting long enough to not only use them in the supply chain until the final customer, but also for example in the waste management. For the time being, this requirement is not sufficiently met in the EPC traffic.
• Ubiquity refers to the extent of the RFID-tagged environment; technically, RFID could indeed be used ubiquitously encompassing persons, things, plants, and animals.

28 COM (2009) 278 final.
29 Schmid, supra note 26, at 200.
30 See Decision 1 BvR 370/07 and 1 BvR 595/07; to this decision see Rolf H. Weber, Grundrecht auf Gewährleistung der Vertraulichkeit und Integrität, digma 2008, 94–97; Thomas Stögmüller, Vertraulichkeit und Integrität informationstechnischer Systeme in Unternehmen, CR 2008, 435–439; Bernd Holznagel/Pascal Schumacher, Auswirkungen des Grundrechts auf Vertraulichkeit und Integrität informationstechnischer Systeme auf RFID-Chips, MMR 2009, 3–8.
31 A general overview in respect of the globalization developments which confront privacy issues is given by Herbert Burkert, Globalization – Strategies for Data Protection, Weblaw-Jusletter, 3 October 2005, at nos. 11–25.
32 See also Pieter Kleve/Richard De Mulder, Privacy protection and the right to information: in search of a new symbiosis in the information age, in: Sylvia Kierkegaard Mercado (ed.), Cyberlaw, Security and Privacy, Beijing 2007, 201, at 205/06.
33 Schmid, supra note 26, at 201 s.
34 Kleve/De Mulder, supra note 32, at 207.
35 For more details see Schmid, supra note 26, at 204 ss.

• Technicity is an important basis for the development of rules protecting privacy objectives. Several differentiations can be taken into account, namely (i) the complexity of the tag (active and passive, rewritable, processing and sensor provided products), (ii) the complexity of background devices (reader or other linked media) and the maximum reading range which is particularly designed to cover transparency demands.36

These four requirements have to be taken into account when establishing a legal framework binding all participants of the IoT. Resulting from these four requirements, the framework to be established has to be global, i.e. established by an international legislator, and applicable to every object on earth from its becoming until its destruction. The ubiquity needs to be addressed in particular if various objects are put together to form a new "thing". This new "thing" can either be attributed with a new tag, or the creation can carry multiple tags. While the first scenario is more practical, this solution may leave businesses with the problem that individual parts cannot be traced back to their origin. A solution may be that the one tag attached to the object makes reference to the different sources of all individual parts. A global consensus needs to be found, which is then generally applied. The question raised is also connected to the fourth requirement, technicity. If composed objects keep all the tags of integrated parts, tracing all relevant information concerning that object becomes extremely complex and difficult. As this discussion demonstrates, determining an appropriate legal framework raises various technical questions. Therefore, the inclusion of technical experts in the process-making seems inevitable. Furthermore, the discussion also shows that the framework needs to be established at an international level and address all fundamental issues. Otherwise, the IoT becomes impractical and cannot be used efficiently.

The following conclusion for a potential legislation can be drawn from the mentioned systematic approach37: A unique strategy will not be suitable to satisfactorily cope with the privacy challenges of the IoT. Inevitably, legislators have to make good use of several of them. In particular, due consideration of technicity seems to be of major importance. Furthermore, data protection and privacy need communication strategies establishing an effective platform for dialogue between state legislators, non-governmental organizations, public interest groups and the international private sector.

3.2. State law or self-regulation

The establishment of an adequate legal framework for the protection of security and privacy in the IoT is a phenomenon giving rise to the question of the appropriate legal source. Various regulatory models are available in theory: Apart from the possibility of no regulation at all, which cannot be considered as a real "solution", the choice is principally between traditional national regulation, international agreements and self-regulation.38 As mentioned, national regulation has the disadvantage of not meeting the globalization needs of an adequate legal framework in view of the fact that transactions through the IoT are usually of a cross-border nature.

(i) So far, the regulatory model in the IoT is based on self-regulation through manifold business standards, starting from technical guidelines and leading to fair information practices. In particular, the EPC-Guidelines39 rely on components like "Consumer Notice", "Consumer Education" and "Retention and IT-Security Policy". Consequently, the compliance with the EPC-Guidelines is driven by a self-control strategy.40 This self-regulatory model follows the well-known principle of subsidiarity, meaning that the participants of a specific community try to find suitable solutions (structures, behaviors) themselves as long as government intervention has not taken place.41 The legitimacy of self-regulation is based on the fact that private incentives lead to a need-driven rule-setting process. Furthermore, self-regulation is less costly and more flexible than State law.42 In principle, self-regulation is justified if it is more efficient than state law and if compliance with rules of the community is less likely than compliance with self-regulation.43

The theoretical approaches to the self-regulatory model show a multi-faceted picture44: In many cases, self-regulation is not more than a concept of a private group, namely a concept occurring within a framework that is set by the government (directed self-regulation or audited self-regulation). This approach has gained importance during the last decade: if the government provides for a general framework which can be substantiated by the private sector often the term "co-regulation" is used. The state legislator does not only set the legal yardsticks or some general pillars of the legal framework, but eventually the government remains involved in the self-regulatory initiatives at least in a monitoring function supervising the progress and the effectiveness of the initiatives in meeting the perceived objectives.

In this context, the legal doctrine has developed the notion "soft law" for private commitments expressing more than just policy statements, but less than law in its strict sense, also possessing a certain proximity to law and a certain legal relevance.45 Nevertheless, the term "soft law" does not yet have a clear scope or reliable content. Particularly in respect to the enforceability of rules, law is either in force ("hard law") or not in force ("no law"), meaning that it is difficult to distinguish between various degrees of legal force. Generally, it can only be said that soft law is a social notion close to law and that it usually covers certain forms of expected and acceptable

36 Schmid, supra note 26, at 205 s.
37 See also Burkert, supra note 31, at nos. 21–23.
38 Rolf H. Weber, Shaping Internet Governance: Regulatory Challenges, Zurich 2009, at 10 s.
39 See http://www.epcglobalinc.org/public/ppsc_guide.
40 Schmid, supra note 26, at 199.
41 Weber, supra note 38, at 18.
42 Eschet, supra note 23, at 322 s.
43 Weber, supra note 38, at 18.
44 For further detail see Weber, supra note 38, at 18 s with further references.
45 Weber, supra note 38, at 20.

codes of conduct.46 This concept of self-regulation cannot overcome the lack of an enforcement strategy if compliance is not done voluntarily.47 Therefore, the involvement of the legislator seems to be inevitable.

While self-regulation has gained importance during the last years, there are still critics thereof, pointing out that self-regulatory mechanisms only regulate those motivated or principled enough to take part in them as market pressure is not yet strong enough to oblige everyone to adopt the respective rules. Furthermore, it is argued that self-regulation is only adopted by stakeholders to satisfy their own interests and is therefore not effective in the protection of privacy.48

(ii) Therefore, even if the manifold merits of self-regulation are to be honoured, some pillars of the legal framework in the context of security and privacy need to be set by the legislator. Such law would have to be introduced on an international level. Contemporary theories addressing international law aspects tend to acknowledge a wide definition of international law, according to which this field is no longer limited merely to relations between nation states but generally accepts the increasing role of other international players such as individual human beings, international organizations and juridical entities.49 Since customary rules can hardly develop in a fast moving field such as the IoT, the main legal source is to be seen in the general principles of law, such as good will, equal treatment, fairness in business activities, legal validity of agreements etc.50 These general principles can be illustrated as "abstractions from a mass of rules" which have been "so long and so generally accepted as to be no longer directly connected with state practice".51 To some extent, basic legal principles are considered to be an expression of "natural law"; practically, general legal principles may be so fundamental that they can be found in virtually every legal system.52

The specific problem in view of security and privacy, however, consists in the appreciation that privacy concerns

The alternative to the creation of a new body is to integrate the task of international legislator for the IoT in an existing organization. Bearing in mind the globality of the IoT, this organization has to have a certain scope of territorial application. Furthermore, the organization should have a structure that allows for the inclusion of a body only responsible for the IoT. Finally, legislation and governing of the IoT should be encompassed by the overhead responsibilities of the organization to be appointed. When considering these requirements, the World Trade Organization (WTO) and the Organization for Economic Co-Operation and Development (OECD) come to mind. A special Committee responsible for rule-setting and supervision in the IoT could be established as an answer to the question of an international legislator. This Committee would be made up of representatives of WTO or OECD member States, thereby assuring an international approach. The Committee could, after deliberations, issue formal agreements, standards and models, recommendations or guidelines on various issues of the IoT.

This evaluation coincides with the experiences made in the field of Internet governance in general. An internationally binding agreement covering privacy and data protection does not yet exist. Even if international human rights instruments usually embody the essence of privacy, at least to a certain extent, the protection cannot be considered as being sufficient; only "extreme" warranties are legally guaranteed, such as the respect for private life or the avoidance of exposure to arbitrary or unlawful interference.53 Therefore, it is widely accepted that co-regulation is needed to secure the implementation of effective principles of privacy in the online world. Possible elements of a self-regulatory scheme may include codes of conduct containing rules for best practices worked out in accordance with substantive data protection principles, the establishment of internal control procedures (compliance rules), the setting-up of hotlines to handle complaints from the public, and transparent data protection policies.54 Many international instruments, such as the Guidelines of the OECD and Art. 27 of the EC Directive on the
are not identical in the different regions of the world which Protection of Personal Data (1995),55 mention self-regulation
makes the application of general principles difficult in cross- as an appropriate tool.56
border business activities. Therefore, a basic legal framework Nevertheless, security and the protection of privacy is not
should be introduced by an international legislator; however, a matter to be addressed exclusively by a legislator. Research
the details of the legal rules for the protection of security and and development in the field of information technology
privacy needs are to be developed by the private sector. should also consider ethical consequences of new
The IoT being a new system itself, the idea of entrusting inventions.57
a body with its legislation and governing that is new, too, is
not far-fetched. A new body would be in the position to take
into account all the characteristics of the IoT. Furthermore, 3.3. Legal categories and scenarios
considering the complexity of the IoT, this body could be
construed in a way to dispose of the necessary capacities. Future legislation encompassing privacy and data protection
issues of the IoT and RFID could have five different goals58:
46
Weber, supra note 38, at 20, with further references.
47 53
Schmid, supra note 26, at 199. Weber, supra note 38, at 239.
48 54
Michael Froomkin, The Death of Privacy?, Stanford Law Weber, supra note 38, at 240.
55
Review, Vol. 52, 2000, 1461–1543, at 1524 ss. For an evaluation see Yves Poullet, The Directive 95/46/EC: Ten
49
Weber, supra note 38, at 12. years after, Computer Law and Security Report, 2006, 206–217.
50 56
Weber, supra note 38, at 15. For further detail see Rolf H. Weber, Regulatory Models for the
51
Ian Brownlie, Principles of Public International Law, 7th Online World, Zurich 2002 at 165 ss.
57
edition Oxford/New York 2008, at 19. Langheinrich/Mattern, supra note 14, at 142.
52 58
Weber, supra note 38, at 15. Schmid, supra note 26, at 207.
• Right-to-know-legislation;
• Prohibition-legislation;
• IT-security-legislation;
• Utilization-legislation;
• Task-force-legislation.

The different categories of future legislation should be evaluated in the light of the objectives of privacy and personal data protection depending upon the use of RFID, which can concern the following aspects, namely59:

• Monitoring products (EPC),
• Monitoring animals (real-time authentication and monitoring of animals),
• Monitoring persons (real-time authentication and monitoring of persons),
• Collecting data for profiling purposes (aggregation).

In the context of the IoT, the EPC scenario concerning products is practically the most important application. Theoretically, EPC does not directly trace relational personal data; however, a person carrying an RFID-tagged item discloses to the organization using the RFID system certain data or gives at least the opportunity to collect information.

A specific legislative aspect concerns the term “person”. The EU Directives as well as many national laws only consider individuals (“natural persons”) as objects of privacy laws. In particular, in the context of the IoT, this understanding is too narrow. Legal persons (e.g. corporations) do also have privacy interests; as for example in the Swiss legislation, the scope of application of data protection law needs to be extended to legal persons.60

(i) The right-to-know-legislation has the purpose to keep the customer informed about the applied RFID scenarios. In other words, the customer should know which data are collected and should also have the possibility to deactivate the tags after a purchase. In the United States, several attempts have been taken to realize such kind of legislation.61

(ii) The prohibition-legislation introduces provisions which envisage to forbid or at least to restrict the use of RFID in certain scenarios.62 Such an approach is traditional in state legislation if the public community dislikes a certain behavior; enforcement of prohibition is possible (at least in the books). Self-regulatory mechanisms rather tend to introduce incentives (if at all) instead of prohibition.

(iii) IT-security-legislation encompasses initiatives that demand the establishment of certain IT-security standards which should protect the application of RFID from unauthorized reading and rewriting.63 Such kind of provisions can be introduced by the state legislator, but also by self-regulatory mechanisms; typically, industry standards are developed by the concerned market participants, having therefore the chance to be observed by the respective developers. Technologically, a new “fourth generation” framework of data protection protocols should be developed allowing the setting-up of stringent safeguards as to reporting and frequent audits of the measures.64

(iv) Utilization-legislation intends to support the use of RFID in certain scenarios.65 Insofar, this approach stands contrary to the prohibition-legislation; it envisages making the RFID available in the relevant identification documents. Therefore, the legislative approach has to fine-tune an appropriate balance between prohibited and utilizable approaches.

(v) The task-force-legislation covers legal provisions supporting the technical community to invest into the research of the legal challenges of RFID66; the purpose of this approach consists in a better understanding of the relevant problems.

3.4. Evaluation of the European legislative approach

The Recommendation of May 12, 2009, of the European Commission is a framework approach to legislate in the field of Internet security. The Recommendation provides guidance to Member States which then have to enact specific rules. While the Recommendation makes reference to EU Data Protection Directives, it does not stipulate any specific provisions itself. The European Commission furthermore introduces a framework privacy and impact assessment, established by the industry and the relevant civil society stakeholders, and the publication of an information policy for the applications should also be ensured by Member States.

EPCglobal and industry are currently establishing the requested framework (Private Impact Assessment, PIA). Even if its details are not known as of early November 2009, it can be said that the objectives of the PIA are designed to identify the implications on privacy and data protection, to determine whether the operator has taken appropriate technical and organizational measures to ensure respective protection, to document the implemented measures, and to serve as a basis for a PIA report to the competent authorities. Important aspects concern the RFID application description and scope, the RFID application governing practices, the accountability challenges, as well as analysis and resolution aspects. Finally, while the European Commission provides for this framework, Member States are strongly encouraged to support the Commission in identifying threats to information security.

The regulatory approach of the European Commission consists in vague framework guidelines which address many aspects without considering the merits of the self-regulatory models and industry standardization. The framework is formulated in an open way and thereby ensures that technical principles such as verticality, ubiquity and technicity can be

59 Schmid, supra note 26, at 206.
60 Art. 2 para. 1 of the Federal Act of 19 June 1992 on Data Protection, SR 235.1.
61 Schmid, supra note 26, at 208, with further references.
62 See also Schmid, supra note 26, at 208.
63 Schmid, supra note 26, at 208.
64 See Gehan Gunasekara, The “Final” Privacy Frontier? Regulating Trans-Border Data Flows, International Journal of Law and Information Technology, Vol. 17, 2009, 147–179.
65 Schmid, supra note 26, at 209.
66 Ibid.
taken into account. However, being established by the European Commission, it is only applicable for Member States in Europe and not globally. Moreover, the fact that it is up to Member States to establish more detailed regulation is even more prejudicial to the principle of globality.

Nevertheless, the recent Recommendation and Communication by the European Commission attest that privacy and data protection problems in the field of the Internet of Things are taken seriously and that there is a strong will to establish mechanisms to ensure that those do not become acute once the Internet of Things operates large-scale.

4. Outlook

With the emergence of an Internet of Things, new regulatory approaches to ensure its privacy and security become necessary. In particular, attacks have to be intercepted, data authenticated, access controlled and the privacy of customers (natural and legal persons) guaranteed. The nature of the IoT asks for a heterogeneous and differentiated legal framework that adequately takes into account the globality, verticality, ubiquity and technicity of the IoT.

Geographically limited national legislation does not seem appropriate in this context. However, self-regulation as it has been applied up to now may not be sufficient to ensure effective privacy and security, either. Therefore, a framework of substantive key principles set by a legislator at the international level, complemented by the private sector with more detailed regulation, seems to be the best solution. Through such a framework, general pillars of regulation could be set for everyone, which are then suitable to be supplemented by the individuals concerned in a way that suits their current needs. Furthermore, the inclusion of an international legislator in the process also ensures the continued involvement of the public sector, contributing at least by monitoring the process.

The approach chosen by the European Commission goes in that direction. However, it would be preferable to have an international (not European) legislator setting the framework; such an approach would better adapt to the needs stemming from the globality of the IoT. Furthermore, if a more detailed regulation should be established by the private sector, lessons can be drawn from Internet governance in general, where the private sector has already marked its presence in the rule-setting.67

The content of the respective legislation has to cover the right to information, provisions prohibiting or restricting the use of mechanisms of the Internet of Things, rules on IT-security-legislation, provisions supporting the use of mechanisms of the Internet of Things and the establishment of a task force doing research on the legal challenges of the IoT.

While corresponding mechanisms still need to be developed, the early recognition of eventual problems and suggestions for addressing them leaves hope that effective regulation can be established before the Internet of Things is in full operation.

Prof. Dr. Rolf H. Weber (rolf.weber@rwi.uzh.ch) is professor at the University of Zurich and a visiting professor at the University of Hong Kong.

Rolf H. Weber studied at the University of Zurich and at the Harvard Law School. Since 1995 he has been chair professor at the University of Zurich and since 2006 a visiting professor at the University of Hong Kong, teaching and publishing in civil, commercial and European law with special topics in Internet, media and competition law, international finance and trade regulation. He is director of the European Law Institute and the Center for Information and Communication Law at the University of Zurich; in addition he is a member of the directory of the Postgraduate Studies in International Business Law and the MBA-Program at the University of Zurich. Since 2008 Prof. Dr. Rolf H. Weber has been a member of the Steering Committee of the Global Internet Governance Academic Network (GigaNet) and since 2009 he has been a member of the High-level Panel of Advisers of the Global Alliance for Information and Communication Technologies and Development (GAID). Besides, he is engaged as an attorney-at-law and as a member of the editorial board of several Swiss and international legal periodicals. A first version of this contribution has been published in Sylvia M. Kierkegaard (ed.), Legal Discourse in Cyberlaw and Trade, 2009, 1–14. The author expresses his gratitude to lic. iur. Romana Weber for her valuable research support.

67 Weber, supra note 38, at 17 ss.