Surge in IoT during COVID-19 pandemic helps pave the way for new IoT laws

The Internet of Things (or IoT) – ie connected 'smart' devices – is not new. But the number of innovative and sometimes unexpected use cases we see IoT being applied to each year is astonishing, and never more so than now, with it being used to help manage the COVID-19 crisis and improve healthcare.

The Vodafone IoT Spotlight Report (2020) identified that 84% of businesses claimed IoT was essential for their survival during the COVID-19 pandemic. In the same year, a DCMS study looking into consumer purchasing habits and attitudes towards IoT devices found that almost half of UK residents had purchased at least one smart device since the start of the outbreak and, perhaps unsurprisingly, over half of UK residents said their use of smart devices increased during this time. Here are just some IoT use cases from the last year.

IoT during the pandemic

Cold chain logistics

To be effective, the Pfizer and Moderna COVID-19 vaccines (along with many other pharmaceuticals) rely on stringent temperature controls during transportation and storage. Reports suggest that a quarter of vaccines are degraded by the time they reach their recipient. To minimise such loss, distributors are placing heat, humidity, motion and location sensors on the pallets (or even vaccines themselves) so stakeholders can monitor the vials of vaccine in real time wherever they are in the world and identify weak links in the supply chain.

Wearables

There are vast possibilities for wearable devices to help with getting the virus under control. Wearable devices such as smart watches, smart bracelets and patches are being used for the detection, monitoring, recovery and management of coronavirus symptoms and effects. Hong Kong, for example, is using consumer wearables to help enforce coronavirus quarantines – while Bump uses a combination of wearable devices and data management to help maintain social distancing in workplaces.

Drones

"Corona-combat" drones equipped with thermal scanning (along with night vision cameras, disinfectant tanks, loudspeakers, spotlights and portable medical boxes) were deployed in New Delhi in an attempt to contain the spread of the virus. The drones are said to have approached people on their balconies to monitor their temperature and provide medical supplies when required.

Robots

As one commentator put it:

"…so far, the robotics and IoT communities have been driven by varying yet highly related objectives. IoT focuses on supporting services for pervasive sensing, monitoring and tracking, while the robotic communities focus on production action, interaction and autonomous behaviour. A strong value would be added by combining the two and creating an Internet of Robotic Things".

This potential has already been realised in a COVID-19 context. A Japanese COVID-19 testing robot was created to independently conduct around 2000 PCR tests per day (using sensors to locate the selected tissue) without the need for a clinician to be present other than for collecting the samples. If successful, this could significantly increase the current global testing capacity. Meanwhile, Tharsus provides robotic horsepower to enable popular online UK supermarket delivery service Ocado to manage its smart platform and help fulfil the explosion in demand for online supermarket shopping and contactless grocery delivery.

Smartphone/speaker applications and functionality

Smartphone applications and functionality meant telemedicine went from being largely underutilised to a mainstream healthcare option during the outbreak. Patients can communicate with their health providers while practising social distancing. A professor of neurosurgery at the University of Oxford noted that "During the pandemic, in-person consultations dropped by 90% or more, with virtual visits at least partially filling the gap". Smartphones were also integral in the roll out of the many contact tracing apps deployed around the world. Smart speakers on the other hand can provide virtual healthcare support, with Amazon Alexa devices searching the official NHS website when asked for health-related advice under a partnership between Amazon and the NHS.

Environment management

Having high levels of cleanliness in areas of likely contamination is a key tactic to help reduce the spread of the virus. In hospital environments non-surgical robots are being used to disinfect re-useable items such as PPE, medical equipment and hospital beds. Other use cases include having heat sensors and thermal detectors in high foot traffic areas to help identify individuals with high temperatures, and placing IoT sensors in office spaces to monitor and report on air-quality and potentially even detect if the air contains COVID-19 particles.

How secure is IoT?

Despite the enormous potential for IoT to help accelerate an end to the pandemic, there are still a number of obstacles to navigate for it to be a success.

Privacy issues and the lack of rigor around cybersecurity are often cited as key factors holding back the growth of IoT. Experts predict that "in 2021 we will see a dramatic increase in cybersecurity attacks on IoT devices. As consumers embrace wearable tech, smart homes and other connected devices, the number of devices for hackers to target will grow exponentially".

Whether intentionally or not, many IoT devices are designed and manufactured without security in mind. When those devices make their way into homes and onto wider networks, sensitive information can be left exposed and those connected networks vulnerable to cyberattacks. As a result, governments around the world are turning their attention to smart device regulation.

Plans for new UK IoT laws

The UK government recently published an updated policy in response to its call for views regarding new legislation to help mitigate the cybersecurity risks associated with consumer IoT devices.

What?

The UK government intends to introduce new legislation that imposes security obligations on manufacturers and distributors of IoT devices. It will do so "when parliamentary time allows". Business will have an "appropriate grace period" to adjust their practices before the laws kick in.

Key drivers

The key objectives are to protect citizens, networks and infrastructure from harm; enable emerging technology to grow and flourish by improving security and increasing consumer confidence; and to adopt a proportionate approach to placing obligations on relevant economic actors without compromising effectiveness of innovation.

Scope

In-scope: Any network-connectable devices and their associated services that are made available primarily to consumers are in scope. This includes all consumer connected products such as smart speakers, smartphones, smart doorbells, fitness trackers and connected appliances such as washing machines and fridges.
Exemptions: Certain categories of products will be exempt, namely products that the government deems inappropriate to include, until additional engagement and analysis is conducted to further assess business impact (eg laptops and desktop computers); products for which security is already covered by existing regulation or planned future regulation (eg smart meters); and products where inclusion would impose impractical obligations on businesses (eg second hand products).

Obligations

Manufacturers will be unable to put their consumer connected products on the UK market unless they comply with specific security standards. This includes, for example, tightening up the rules on default and easily guessable passwords within IoT devices (both in the network and on a per device basis), giving third parties (such as consumers) a route to report vulnerabilities in a device so the manufacturer can resolve security issues, and notifying consumers of the minimum time periods for which a product is supported by security updates.
Manufacturers must publish a declaration of conformity with those security measures and take action (and work with authorities) if they place a non-conforming product on the market. Retailers, wholesalers, and any other party involved in the distribution of in-scope products must verify that the manufacturers of the consumer connected products they are involved in the transmission of have published a declaration of conformity.
Consumer connected products made in and imported to the UK are to be captured.
Conformity will be achieved through compliance with legislative security standards (derived from the top three guidelines in the existing Code of Practice for Consumer IoT Security and key provisions in the ETSI European Standard (EN) 303 645) or designated (but largely similar) alternative standards (to help facilitate alignment across jurisdictions).
Ministers will have powers to update the security requirements and designated standards (for example using secondary legislation) over time to ensure the laws remains relevant. They may also mandate product assurance for certain categories of consumer connected products where the risk to consumers is considered high (although this is likely to be exercised infrequently, at least in the early stages of the legislation).

Enforcement

An enforcement body will be set up with powers to investigate allegations; take action against non-compliance, including through exercising appropriate corrective measures, sanctions (civil and potentially criminal); and support the relevant stakeholders.

Connecting the dots (and the devices)

The new IoT laws will help ensure consumer connected devices are more secure, but the plans only go part of the way with cybersecurity still largely unregulated for non-consumer devices. Legal issues such as product liability, IP issues, risk allocation and competition/antitrust concerns, compatibility challenges (in terms of devices talking to each other), the energy and bandwidth intensive nature of many IoT devices, and difficulties in securing the materials required to build IoT technologies, are all issues to work through. But if we can connect the dots on these things – or at least some of them – huge potential is on the horizon for the IoT ecosystem.