[iot-discussion] European Commission Report: Workshop on Security & Privacy in IoT

Gergana and all,

[ Feeling a bit ranty. Must be the coming Easter holidays? ]

At 2017-04-13 12:57:02 +0200
Gergana Petrova <gpetrova at ripe.net> wrote:

> On 13/04/17 12:10, Bastiaan Goslings wrote:
> > On 13 January the European Commission organised and hosted a workshop in Brussels, the main purpose of which was ‘to discuss minimum baseline security and privacy requirements along the entire networked architecture and value chain similar in various sectors.’
> >
> > It took them a while for them to publish a report, but it’s an interesting read for this group nonetheless, I imagine.
> >
> > ‘Participants were asked to come with, reflect and comment on concrete minimum IoT privacy and security principles to create a trusted IoT environment’
> >
> > The results of the workshop can be found at https://ec.europa.eu/digital-single-market/en/news/internet-things-privacy-security-workshops-report
> >
> > (Was anyone on the list there btw?)  
> Yes, I was there. The report you linked is a very good summary. 
> Impression in the room was that the main goal (and challenge) is to 
> create trust in the IoT market, which is lacking at the moment. However, 
> trust takes time, while it takes only one incident to bring the IoT 
> market back to square one.

Thanks for your in-person observations!

I had a quick look at the PDF (all the way through page 10 of 9). ;)

While understandable, the goal of creating trust does point to slightly
misplaced motivations. Surely we want products that are worthy of
trust, rather than products that are trusted. (Consider how many people
believe that homeopathic remedies have any value; these products are
not worthy of trust, but marketing has made people trust them.)

For an example in the IoT space, one could establish a non-transparent
system where industry deals with security incidents. This could result
in more trust, because people might never find out about
vulnerabilities. However, it would possibly also be less secure than a
system relying on full disclosure.

To put it yet another way... for industry the problem is how to get
people to buy their gear, and making it high-quality is only one
possible way of achieving that end. :)

> There was also a lot of talk about data ownership, not just control. 
> Concerns were voiced that consumers might lose ownership of data they 
> are generating. And also concerns that manifacturers don't provide 
> consumers with enough choice, for example taking out the location 
> tracking device in some car models is a hassle and for someone buying 
> second hand - even more difficult.

This is great to hear! The model of throwing all data into the cloud
and hoping for the best will probably have to be challenged because of
this. :)

It does seem like a pity that nothing was mentioned as far as open
source or standards-based platforms (if we had something like EFI to
boot up WiFi routers then we might have a lot more 3rd party operating
systems and applications, which might have helped avoid a number of
vulnerabilities).

Oh well, thanks again for your personal observations. :)

Cheers,

--
Shane
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digitale handtekening
URL: </ripe/mail/archives/iot-wg/attachments/20170413/4514e651/attachment.sig>