The Internet of Things (IoT) is a broad term for the billions of connected physical devices, including vehicles, appliances, and other electronics that can communicate and exchange data with each other. These devices are everywhere; by 2020, there are likely to be anywhere from 3 to 7 connected devices for every living person!
IoT devices are not restricted to personal use; the category also includes infrastructure services such as power plants, railways, streetlights, and even some military vehicles. This makes the IoT perhaps both the most useful and the most vulnerable asset of modern civilization. Increasingly, this vulnerability is being exploited by state actors and criminal groups for their own benefit.
What makes the IoT threat especially serious is that an attack can affect the physical world rather than only digital data or records. A bad actor can hack into a car and cause it to lose control, or hack into a power grid and cause an outage. All of this has put a new emphasis on closing loopholes and erecting barriers against potential breaches.
The need to bring “trust” to the Internet of Things
The vulnerabilities of the IoT, and how critical the affected systems are, mean that certain improvements need to happen immediately. The eIDAS regulation provides trust in digital services, and the same kind of trust is also required for IoT platforms.
The primary way in which a standardized regulatory framework can make the IoT ecosystem more secure is by providing “Proof of Identity”. This is the first and most important step in securing access to the dozens of connected devices we use daily. As our dependence on such devices increases, so does the need for a common framework like eIDAS, which can provide a minimum guaranteed level of security based on standard procedures and protocols across jurisdictions. There is a pressing need for secure and trustworthy electronic identification, authentication, and authorization for IoT devices. Without this, the system will remain vulnerable, and the potential for abuse will keep rising over time.
Another way in which regulations like eIDAS can help is through a legal and liability framework. eIDAS ensures the legal compliance of services that are provided under its framework. Something similar is needed for the Internet of Things: a universally accepted framework that defines the legal requirements for compliance and then ensures compliance with them. It needs to address cross-jurisdiction disputes and set the standard for regulatory and legal compliance in the IoT world.
eIDAS and other such regulations will go a long way toward ensuring that digital transactions are secure and users are protected. However, this same level of security and trust needs to be extended to the other network, the Internet of Things. The IoT requires a strong framework that verifies the user’s identity, provides privacy and strong authentication, and is backed by a rock-solid legal and liability framework to protect users.