#CSE17: ICO Warns on IoT Data Collection

The upcoming General Data Protection Regulation (GDPR) will have serious ramifications on data collection and processing by Internet of Things (IoT) devices.

Speaking at Cloud Security Expo in London, Peter Brown, senior technology officer at the Information Commissioner’s Office, said that even though GDPR is set to come into force on May 25, 2018, the 1998 Data Protection Act (DPA) still applies, and that its principle that data be “processed fairly and lawfully” is the one most apparent to IoT devices.

Brown said that this covers both what data is being processed and what processing is going to take place: organizations should not ‘hoover everything up’ but should collect only what they need at the time.

“Under the GDPR, the principles are very similar, they expand on the current set [of principles] - it is an evolution rather than a revolution,” he argued. He added that DPA principles six (the rights of individuals) and eight (sending personal data outside the European Economic Area) are expanded into full chapters in the GDPR.

Brown also said that identifying what counts as personal data is a key factor of the GDPR, as it is defined as “anything relating to a living individual - any information relating to an identifiable natural person” such as a name, identification number, location data or an identifier tied to a person’s social identity. In the case of IoT, devices carry unique device identifiers and MAC addresses. While some IoT deployments do not collect personal data, industrial machinery sometimes does, and in that case the owner of the device becomes a data controller.

“Another thing that is a surprise is the number of data controllers in a device or application that is now a data controller, and that subject may be a data processor somewhere,” he said. “It may determine what it is doing and enable the subject to share data and therefore they become a data controller. It may be a third party who is also a data controller. Any data aggregated could be a data controller.”

Brown commented that the challenge lies in personal data and security, and in transparency and security, as we “still see a number of crucial errors and basic mistakes being made.”

He said: “IoT is not fundamentally flawed, but it has the same common mistakes – default passwords, inappropriate hashing algorithms, and not MD5 please! Also inappropriate encryption. These are all issues in play.”

He went on to say that under GDPR, consent should be as easy to withdraw as to give, but an issue will be about how to convey data processing and consent advice on a device, particularly where there is no screen. He recommended using pop-up notices or including details in the set-up guide on what is processed and how it works.

Asked by Infosecurity on whether there needs to be better advice on building IoT securely, Brown said: “It is more of an industry thing in that you have to select what it is that is going to be appropriate to a particular circumstance where you are processing data. Now the GDPR does have articles on certification so there could be a standard that is chosen that lets data processors choose a particular one, so there is an ability within GDPR to have standards.

“If you think about standards generally, these are widely-known and it is about choosing what works as some that were used 20 years ago like MD5 or SHA-1.
