The rapid growth of the Internet brings with it new technology and applications. Of these, the most significant is the Internet of Things (IoT), which is bound to transform the Internet and move it from a virtual platform into the real world. The IoT will interconnect many devices via the Internet and, in the process, collect, process, store and transfer a large volume of information gathered by these devices' sensors. This data includes personal data which, if misused, can lead to personal harm or financial loss. To prevent this from happening, the IoT device end user might need to be protected by legislation from unwarranted misuse of their private data. If the current state of Kenya's data protection is anything to go by, the IoT will dig us deeper into the privacy issues that arise from the sheer amount of data collected. There is a need to have laws in place that will protect the IoT end user's private data from misuse. Upon my analysis of existing laws, the level of preparedness of the national regulator towards the privacy issues arising from IoT use and adoption is wanting. Also, end users and would-be end users are not aware of the privacy concerns surrounding IoT adoption.
The IoT stands to benefit Kenyans in many ways. The connection of previously unconnected items such as furniture, cars, manufacturing plants and many more will have a huge positive impact on the quality of life for many. An example closer to home of the effect that connecting previously unconnected physical things has on our lives is the advent of taxi-hailing apps such as Uber and Taxify. A cab on any of these platforms is essentially a car that is connected to the Internet (not to be confused with a car that has Internet). Connecting cars to the Internet has lowered travel costs for many and increased convenience because of the improved economies of scale and efficiencies introduced. Now imagine this at a grand scale, where everything we use in our daily lives is connected. The benefits will be immense. Take, for example, the health sector: IoT sensors connected to patients will collect vital patient statistics in real time and share them with medical personnel as soon as a threshold is reached, enabling them to take action and save a life.
In January 2018, the Communication Authority of Kenya (CA) said that Kenya's Internet penetration stood at 112.7%, meaning that there are more Internet-connected devices in Kenya than there are people. In other words, people own more than one device that is connected to the Internet. Between 2009 and 2010, the number of Internet-connected devices in the world outnumbered the world's human population (Ammar and Samer, 2016). Kenya is therefore a late entrant to the list of countries whose number of Internet-connected devices outnumbers the human population.
At the moment, most of these are personal computing and communication devices such as mobile tablets, mobile phones and personal computers. However, there is an increasing number of sensors and everyday objects that were previously unconnected and are now connected to the Internet. It is these new entrants into the connected space that will be the focus of this article. The IoT is what we get when we connect Things which are not operated by humans to the Internet (Waher, 2015). These things will not be general-purpose devices such as smartphones and personal computers but dedicated-function objects such as furniture, vending machines, jet engines, connected cars and a myriad of other devices (Hung, 2017). The International Telecommunications Union defines IoT as “A global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication”. According to Gartner, it is estimated that there will be over 30 billion connected devices by 2020; this is projected to rise to 75 billion devices by 2025. These devices will initially be adopted in commercial and industrial settings before eventual adoption for personal use. One characteristic of IoT devices is the presence of sensors that can electronically detect the environment and generate data. According to Kenny (2015), the data collected by sensors will exceed 1.6 Zettabytes by 2020. This data will include data of a personal nature that will have been collected with or without the consent of the IoT direct users or bystanders. Six in ten IoT devices don't properly tell end users how their personal information is being used or even when it is being collected. This leaves the end user in the dark as far as what happens to this data. The privacy risk posed to the end users whose personal data has been collected by IoT sensors.
According to Renaud and Aleisa (2015), the percentage level of concerns identified by most scholars on IoT privacy is as below:
- Location and tracking: the threat of determining and recording a person's location through time and space, at 31.5%
- Identification threats, which arise from the sharing of un-anonymised data where a person's identifier such as a pseudonym or an address is used to identify and locate the person in real life, at 25.9%
- Analysis of individuals' data by use of data mining techniques for the purpose of profiling them, at 21.3%
- Inventory attacks, where the IoT device is hit by a Denial of Service attack to render it incapable of normal function at 8.3%
- Interaction and presentation threats, which occur when a user's private data is transmitted through a public medium such as the Internet, disclosing it in the process to unintended audiences, at 6.5%
- Life cycle transitions, where an end-of-life IoT device is discarded with it still holding private data at 3.7%
- Linkage, where previously autonomous systems are interconnected such that the combination of data sources creates new information that would have been impossible to create before. This threat is at 3%
It is emerging that users do not have the power to control what data is collected about them and how this data can be used or stored; privacy concerns have been on the rise in recent times.
The government and the Communication Authority need to empower users through primary and secondary legislation to enable them to control the quantity and types of data collected about them. A starting point would be putting in place IoT device manufacturing best practices that give the individual control over what data is collected and how it is stored or transmitted. Devices that do not meet these criteria shouldn't be imported into the country. The empowered user should be in a position to:
- Know when and what type of data about them is recorded and transmitted by an IoT device before purchasing or using it
- Be adequately informed about how the IoT device protects any collected data on the device and also during transmission of this data.
- Carry out the configuration and customization of privacy preferences on IoT devices to their level of comfort as concerns their security.
There is a push in the industry that manufacturers of IoT devices that collect personal data should be able to self-regulate and not wait for external and forced compliance with the above-mentioned privacy best practices. However, history shows that self-regulation has rarely worked. A good example was the need to have all mobile phone handsets charge using a common micro USB charger; it took the European Parliament passing laws that forced all European handset manufacturers to have their devices charge through a micro USB port for this to happen. Several countries are proposing regulations around IoT privacy and security. Australia and the United States of America are working towards laws to regulate IoT devices so that at the minimum all the IoT devices:
- Have non-default passwords. This is because many devices today usually contain a default password to enable initial login for device configuration purposes
- Run software that is patchable for discovered vulnerabilities and based on standardized protocols
- Are backed by well-laid-down vulnerability handling and disclosure policies from manufacturers to ensure transparency and proper threat assessment of possible privacy and security weaknesses
One of the key roles of the Communication Authority of Kenya is the safeguarding and protection of consumer interests in relation to the provision of ICT services (CA, 2015). This is achieved through the use of various regulatory instruments that are guided by laws. The current consumer protection regulations are as below:
- The Kenya Information and Communications (Consumer Protection) Regulations, 2010
- The Kenya Information and Communications (Dispute Resolution) Regulations, 2010
- The Kenya Information and Communications (Registration of subscribers of Telecommunication services) Regulations, 2012
None of the above regulations addresses the privacy concerns that IoT users have when using the IoT. It is worth noting that the Kenya Information and Communications (Registration of subscribers of Telecommunication services) Regulations were passed in 2012. This was after it was realized that the lack of mandatory, legislation-backed mobile subscriber registration hampered the fight against mobile phone-based fraud. Criminals had laid their hands on subscriber details from M-pesa outlet booklets and have been using them to carry out fraud and identity theft.
The lack of a legal and regulatory framework for the protection of the consumer's right to privacy on the IoT can lead to negative consequences such as those witnessed in the mobile telephony space, where criminals perform fraud and identity theft.