The Internet as we know it today consists of two quintessential elements, i.e. the global wide-area network and the Internet Protocol Suite (also known as “TCP/IP”). These are required to browse, communicate, store data, share files, stream media services, and do other activities.
The Internet of Things (hereinafter referred to as “IoT”) is a network of interconnected computing devices, mechanical and digital equipment, objects, animals, or people that can transport data via a network (using TCP/IP) without needing to interact with other people or computers. These devices carry unique identifiers (hereinafter referred to as “UIDs”).
It is a network of small, intelligent hosting devices that are always, anywhere, and anytime connected and sending data or information that can then be processed over the cloud to produce useful analytical results that can be extremely helpful or to start an automatic action based on the analysis.
The niche environment of IoT is made up of three components as follows:
Collectively, these are popularly called the “DNA of the Internet of Things”. IoT has increased the ubiquity of the internet by integrating every object for interaction via embedded systems.
INTERPLAY BETWEEN LAW AND TECHNOLOGY
Technology has brought, and continues to bring, many changes in society at a rapid rate. In no time, it seems, we are making the transition to the world of artificial intelligence and 5G technology. The green shoots of the future are already visible if we know where to look.
The field of law is not adrift from this highly technologically dominated and globalized world. It is extremely easy to surf for a particular provision of law on the internet. Thus, technology has become an integral part of the legal field.
Law and technology are interlinked and complement each other brilliantly. Technology is used to apply, execute, or study law, and law to regulate the use of technology.
CYBERSECURITY AND COMPLIANCE LEGISLATIONS IN INDIA
Cybersecurity is the practice of protecting computers, servers, mobile devices, electronic systems, networks, and data from malicious cyber-attacks. The National Cyber Security Policy, 2013 also lays down that protection of information infrastructure and preservation of confidentiality, integrity, and availability of information in cyberspace is the essence of secure cyberspace.
The Indian legislators recognized the need for cyber-security and passed some laws, rules, and regulations that need to be followed by everyone who works on networks, computers, or the internet.
THE INFORMATION TECHNOLOGY ACT, 2000
The Information Technology Act, 2000 (hereinafter referred to as the “IT Act”) is the complete code regulating and governing the use of Information Technology and cyber-based devices.
Section 43 of the IT Act lays down the penalty and compensation for damage caused to a computer, computer system, or computer network. This section is equipped to deal with the following instances, incidents, or situations:
- unauthorized accessing or securing of access to a computer, computer system, or computer network;
- damaging or causing damage to any computer, computer system or computer network, data, computer database, or any other programs residing in the computer, computer system or computer network;
- disrupting or causing disruption of any computer, computer system, or computer network;
- denying or causing the denial of access to any person authorized to access any computer system or computer network by any means;
- assisting any person to facilitate access to a computer, computer system, or computer network;
- charging the services availed of by a person to the account of another person by tampering with or manipulating any computer;
- destroying, deleting, or altering any information residing in a computer resource or diminishing its value or utility or affecting it injuriously by any means; or
- stealing, concealing, destroying, altering or causing any person to steal, conceal, destroy or alter any computer source code used for a computer resource to cause damage.
Section 43A of the IT Act makes a corporate body liable to pay compensation for failure to protect its data. Section 70B(7) lays down that if an intermediary fails to report to the Indian Computer Emergency Response Team (hereinafter referred to as “CERT-In”), it may be punished with imprisonment or a fine. These are important rules that aim to deal with cyber-attacks and lay down mechanisms to ensure cyber-security.
Information Technology (Intermediaries Guidelines) Rules, 2011
The government amended the Information Technology (Intermediaries Guidelines) Rules, 2011 (hereinafter referred to as the “IT Rules”) in 2018 with the aim of making internet security more stringent. The IT Rules also require companies having more than 5 lakh users to have an office in India duly registered under the Companies Act, 2013 and to appoint a nodal officer who will be able to work with law enforcement.
Though these rules don’t have a direct connection with IoT, they make companies more accountable and responsible for their content.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
The Computer Emergency Response Team - India, a functional organization of the Ministry of Electronics and Information Technology, Government of India, lays down cyber-security as its key objective. The IT Act, 2000 designated CERT-In to serve as the national agency to perform the following functions in the area of cybersecurity:
- collection, analysis, and dissemination of information on cyber incidents;
- forecast and alerts of cybersecurity incidents;
- emergency measures for handling cybersecurity incidents;
- coordination of cyber incident response activities; and
- issue guidelines, advisories, vulnerability notes, and whitepapers relating to information security practices, procedures, prevention, response, and reporting of cyber incidents.
IoT and Intellectual Property Laws
IoT manufacturers are increasingly inclined towards licensing and protecting their innovation rights to safeguard their designs and developments. There have been discussions over the patentability, copyright, and infringement of IoT for quite a while now. At present, to offer better IoT products, manufacturers need to interoperate with the numerous gadgets that are in use, with the help of existing standard technologies.
The number of IoT patents filed in India has increased from 74 in 2009 to 1,820 in 2017. In the landmark judgment by the Delhi High Court in the case of Ferid Allani v. Union of India [W.P.(C) 7/2014 & CM APPL. 40736/2019], the Intellectual Property Appellate Board relied on Section 3(k) of the Indian Patents Act, 1970.
Provisions of Law of Contracts
With the evolution of IoT devices, customers can enter into contracts for the sale of goods in a Machine-to-Machine mode (also known as “M2M”). This form of contract is referred to as a Smart Contract. There are no provisions in the Indian Contracts Act, 1872 to govern IoT.
Data ownership, security, and privacy in an IoT environment can be reasonably addressed by contracts between device manufacturers and/or IoT service providers and IoT users. These contracts may be entered into by way of End User Licensing Agreements (hereinafter referred to as “EULA”) governing the terms and conditions of use of the software or device.
EMERGING TRENDS FOR IoT DEVICES IN INDIA
5G-driven IoT
5G will expand the possibilities for IoT-powered tools and technology. Low latency and hyper-connectivity are essential for a successful IoT application, and consequentially a useful 5G connection. With such connectivity the user can experience increased flexibility, mobility, dependability, and security.
Artificial Intelligence-Driven IoT (“AIoT”)
IoT devices will be more proactive than reactive because they are built on intelligence, ensuring quicker and more efficient processing. IoT operations are made more efficient and data analytics are boosted thanks to Artificial Intelligence (hereinafter referred to as “AI”) of things (hereinafter abbreviated as “AIoT”). This combines the capabilities of AI technologies with IoT devices and sensors.
Enhanced Integration Of IoT With Wearables
Smartwatches, fitness trackers, VR headsets, etc. work well with IoT devices to improve data collection and analytics. Remote monitoring of health metrics and other warning indications is where IoT wearable medical devices work best. There is better visibility, connection, and enhanced service quality for the public.
Blockchain technology has been getting enormous attention due to its impact in areas of cyber-security, crypto-currency, and IoT, among others. This technology allows us to keep track of records of property rights, identities, money balances, or medical records, without them being tampered with.
Blockchain enables the fast processing of transactions and coordination among billions of connected devices. As the number of interconnected devices grows, distributed ledger technology (DLT) provides a viable solution. This way blockchain technology can improve not only compliance in the IoT but also features and cost-efficiency.
Blockchains have the potential to alleviate all major security concerns with IoT devices. In India, at the moment, there is no law or policy specifically addressing blockchain technology. The combination of IoTs and block-chains in the future, if not the present.
Data Protection Laws
India did not have any laws governing data protection and ensuring data privacy. In June 2017, a committee was set up to study issues related to data protection. The committee formulated a Draft Personal Data Protection Bill, 2018 and, after various deliberations and amendments, the Cabinet approved the bill on 4th December 2019 as the Personal Data Protection Bill, 2019 (hereinafter referred to as the “PDP Bill”).
The framework of the PDP Bill lays down the requirement of taking the informed consent of the data subject before collecting or sharing data. It lays down explicit purposes for which the personal data collected will be used, destruction of data after the purpose has been fulfilled, etc.
The Bill seeks to address the core concern of data privacy but does not take into account the practical enforceability of it in IoT-enabled environments. It is very difficult to determine the exact purpose of data collection beforehand in an environment where the uses for the same datasets are constantly evolving.
The PDP Bill 2019, though well-intentioned and a step in the right direction to protect data privacy and give data subjects control of their own data, might not be best suited for IoT devices. However, it still plays a key role in addressing one of the core concerns of privacy.
CHALLENGES IN INDIAN IoT SECURITY STANDARDS
The whole security of an IoT network depends on a single device in the chain. If one of the devices gets breached, it compromises the entire security of every other device connected to the chain. Data Security Council of India (hereinafter referred to as “DSCI”) identifies the following issues in securing IoT.
Privacy has been declared a Fundamental Right by the Supreme Court of India. Sensors can collect a treasure trove of sensitive information about people, directly or indirectly.
The data networks are delicate and their operation of storage in data clouds is still developing in India. India’s Draft IoT Policy fails to address this crucial issue and warrants immediate attention.
Data that is stored in a cloud service and not protected properly may result in unauthorized third-party access. For example, data collected by a smart fridge can be used by insurance companies to detect food habits and health conditions.
Risks and Security on IoT Devices
There are risks of data theft, cyber-attacks, and hacking of personal information. Each IoT device represents a point of vulnerability for intruders to access information. A connected device can be an entry point for an attacker on an entire network or other connected systems.
Ensuring effective security practices is essential in the development and design stage of IoT devices. With an increase in the demand for IoT devices, developers and manufacturers have shifted their focus to increasing the number of devices. This has resulted in the mass manufacture of cheap devices designed to a low standard.
The use of blockchain technology in IoT will be risky as it is currently completely unregulated. The Government’s Data Protection Bill has its own set of problems, and currently it is unrealistic that all IoT manufacturers and devices can adhere to it.
Given below are some of the recommendations for securing the Internet of Things for IoT Manufacturers, service providers, and mobile application developers:
- Device manufacturers, service providers, and mobile application developers should ensure that credentials of any type are stored securely.
- Passwords should not be embedded in device software or hardware so they are not discoverable via reverse engineering.
- Devices and services should make it easy for consumers to delete their data. The IoT would create a modern contracting environment where electronic agents are commonly used for interface-free automated shopping and consumer use.
- The service provider must strike the perfect balance regarding “allocation of risk”.
- Risk allocation may be handled by adding the applicable requirements into the terms and conditions for the utilization of the service. The issue of who controls the details would be focused solely on the arrangement between the two agencies. Courts should consider whether one claimant to a transaction has much more useful information than others, as well as information asymmetry.
-Team AMLEGALS, assisted by Mr. Saksham Trivedi (Intern)