|“||With a trillion sensors embedded in the environment — all connected by computing systems, software, and services — it will be possible to hear the heartbeat of the Earth, impacting human interaction with the globe as profoundly as the Internet has revolutionized communication.||”|
- Peter Hartwell
- Senior Researcher, HP Labs
|“||In 2008, the U.S. National Intelligence Council warned that the IoT would be a disruptive technology by 2025; six years later, it is clear that this will happen much sooner, if it has not already.||”|
- 1 Definitions
- 2 Overview
- 3 How it works
- 4 Enablers of IoT
- 5 Technical limitations
- 6 Security risks
- 7 Privacy risks
- 8 Additional risks
- 9 Intellectual property rights
- 10 Government regulation
- 11 Potential impacts of the Internet of Things on U.S. national power
- 12 Future scenarios and potential impacts on the United States
- 13 Signposts to monitor
- 14 References
- 15 Sources
- 16 See also
- 17 External resources
Definitions[edit | edit source]
There are numerous definitions for the Internet of Things (ioT), including:
|“||a technological revolution that represents the future of computing and communications, and its development depends on dynamic technical innovation in a number of important fields, from wireless sensors to nanotechnology.||”|
|“||sensors and actuators embedded in physical objects — from roadways to pacemakers — [that] are linked through wired and wireless networks, often using the same Internet Protocol (IP) that connects the Internet.||”|
|“||the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.||”|
|“||"things" (devices) connected through a network to the cloud (datacenter) from which data can be shared and analyzed to create value (solve problems or enable new capabilities). The IoT enables us to connect "things" like phones, appliances, machinery, and cars to the Internet, share and analyze the data generated by these "things," and extract meaningful insights; those insights create new opportunities, help solve problems, and implement solutions in the physical world.||”|
|“||the ability of devices to communicate with each other using embedded sensors that are linked through wired and wireless networks. These devices could include your thermostat, your car, or a pill you swallow so the doctor can monitor the health of your digestive tract. These connected devices use the Internet to transmit, compile, and analyze data.||”|
|“||the ability of everyday objects to connect to the Internet and to send and receive data. It includes, for example, Internet-connected cameras that allow you to post pictures online with a single click; home automation systems that turn on your front porch light when you leave work; and bracelets that share with your friends how far you have biked or run during the day.||”|
|“||a global network infrastructure, linking physical and virtual objects through the exploitation of data capture and communication capabilities. This infrastructure includes existing and evolving Internet and network developments. It will offer specific object-identification, sensor and connection capability as the basis for the development of independent cooperative services and applications. These will be characterised by a high degree of autonomous data capture, event transfer, network connectivity and interoperability.||”|
|“||[t]hings having identities and virtual personalities operating in smart spaces using intelligent interfaces to connect and communicate within social, environmental, and user contexts.||”|
|“||[n]etworks of low-cost sensors and actuators for data collection, monitoring decision-making, and process optimization.||”|
|“||'things' such as devices or sensors — other than computers, smartphones, or tablets — that connect, communicate or transmit information with or between each other through the Internet.||”|
|“||an expansion of the global infrastructure through existing and evolving interoperable information and communication technologies. It incorporates the interconnection of physical and virtual systems to enable new and autonomous capabilities."||”|
|“||[b]asically, connected sensors that can gather data by conducting physical analysis and (if capable) make changes to that physical environment. The Internet of Things is not just one product or even type of product, but rather a catalogue of technologies that are different than traditional information- and data-focused information technology.||”|
Overview[edit | edit source]
|“||Big data and the growing 'Internet of Things' have made it possible to merge the industrial and information economies.||”|
The term "Internet of Things" ("IoT") appears to have been coined by a member of the RFID development community circa 2000, who referred to the possibility of discovering information about a tagged object by browsing an Internet address or database entry that corresponds to a particular RFID. Since that time, visionaries have seized on the phrase "Internet of Things" to refer to the general idea of things, especially everyday objects, that are readable, recognizable, locatable, addressable, and/or controllable via the Internet — whether via RFID, wireless LAN, wide area network, or other means.
|“||The IoT is expected to greatly integrate leading technologies, such as technologies related to advanced machine-to-machine communication, autonomic networking, data mining and decision-making, security and privacy protection and cloud computing, with technologies for advanced sensing and actuation.||”|
The idea is that physical objects can become part of an information network, whereby they can interact with both humans and with each other (also known as machine-to-machine or M2M communication).
"The IoT includes consumer-facing devices, as well as products and services that are not consumer-facing, such as devices designed for businesses to enable automated communications between machines. For example, the term IoT can include the type of Radio Frequency Identification ("RFID") tags that businesses place on products in stores to monitor inventory; sensor networks to monitor electricity use in hotels; and Internet-connected jet engines and drills on oil rigs. Moreover, the 'things' in the IoT generally do not include desktop or laptop computers and their close analogs, such as smartphones and tablets, although these devices are often employed to control or communicate with other 'things.'"
"In other words, the IoT potentially includes huge numbers and kinds of interconnected objects. It is often considered the next major stage in the evolution of cyberspace. Some observers believe it might even lead to a world where cyberspace and human space would seem to effectively merge, with unpredictable but potentially momentous societal and cultural impacts."
"The fundamental characteristics of the IoT are as follows:
- Interconnectivity: With regard to the IoT, anything can be interconnected with the global information and communication infrastructure.
- Things-related services: The IoT is capable of providing thing-related services within the constraints of things, such as privacy protection and semantic consistency between physical things and their associated virtual things. In order to provide thing-related services within the constraints of things, both the technologies in [the] physical world and information world will change.
- Heterogeneity: The devices in the IoT are heterogeneous as based on different hardware platforms and networks. They can interact with other devices or service platforms through different networks.
- Dynamic changes: The state of devices change dynamically, e.g., sleeping and waking up, connected and/or disconnected as well as the context of devices including location and speed. Moreover, the number of devices can change dynamically.
- Enormous scale: The number of devices that need to be managed and that communicate with each other will be at least an order of magnitude larger than the devices connected to the current Internet. The ratio of communication triggered by devices as compared to communication triggered by humans will noticeably shift towards device-triggered communication. Even more critical will be the management of the data generated and their interpretation for application purposes. This relates to semantics of data, as well as efficient data handling."
"The IoT applications include various kinds of applications, e.g., "intelligent transportation systems", "smart grid", "e-health" or "smart home". The applications can be based on proprietary application platforms, but can also be built upon common service/application support platform(s) providing generic enabling capabilities, such as authentication, device management, charging and accounting."
"The IoT is characterized by four main attributes:
- Time Scale: Automated systems that operate in the physical world and engage in analysis and action faster than humans can comprehend, participate in, or supervise.
- Interdependence: Actions and consequences, some unanticipated, that can result from the interactions between systems.
- Prediction/Learning: Systems that are constantly evolving through experiences and additional data.
- System Management and Control: Emerging networked technologies that may not conform to older, established models."
Everyday objects include not only everyday electronic devices, and not only products of higher technological development such as vehicles and equipment, but things not ordinarily thought of as electronic at all — such as food, clothing, and shelter; materials, parts, and subassemblies; commodities and luxury items; landmarks, boundaries, and monuments; and all the miscellany of commerce and culture.
|“||Today and increasingly in the future, computing and communications technologies (collectively, information technologies) are found and will be more likely to be found in places where they are essentially invisible to everyday view: in cars, wallets, clothing, refrigerators, keys, cabinets, watches, doorbells, medicine bottles, walls, paint, structural beams, roads, dishwashers, identification cards, telephones, and medical devices (including some embedded in human beings). These devices will be connected — the so-called Internet of Things. Computing will be embedded in myriad places and objects; even today, computing devices are easily transported in pockets or on wrists. Computing devices will be coupled to multiple sensors and actuators. Computing and communications will be seamless, enabling the tight integration of personal, family, and business systems. Sensors, effectors, and computing will be networked together so that they pass relevant information to one another automatically.
In this emerging era of truly pervasive computing, the ubiquitous integration of computing and communications technologies into common everyday objects enhances their usefulness and makes life easier and more convenient. Understanding context, personal information appliances will make appropriate information available on demand, enabling users to be more productive in both their personal and their professional lives. And, as has been true with previous generations of IT, interconnections among all of these now-smart objects and appliances will multiply their usefulness many times over.
Although analysts define the IoT in terms of connected everyday objects, the nature of the connection remains to be determined. A two-way connection by means of the Internet Protocol constitutes the ideal case, but the originators of the IoT concept appear to have emphasized a simpler model of RFID query and response. The IoT will be inextricable from sensor networks that monitor things but do not control things. Both connected everyday objects and sensor networks will leverage a common set of technological advances toward miniature, power-efficient sensing, processing, and wireless communication. Analysts commonly describe two distinct modes of communication in the Internet of Things: thing-to-person and thing-to-thing communication.
"Two features makes objects part of the IoT — a unique identifier and Internet connectivity. Such "smart" objects each have a unique Internet Protocol (IP) address to identify the object sending and receiving information. Smart objects can form systems that communicate among themselves, usually in concert with computers, allowing automated and remote control of many independent processes and potentially transforming them into integrated systems."
Individuals, businesses, and governments are unprepared for a possible future when Internet nodes reside in such everyday things as food packages, furniture, paper documents, and more. Today's developments point to future opportunities and risks that will arise when people can remotely control, locate, and monitor everyday things. Popular demand combined with technology advances could drive widespread diffusion of an IoT that could, like the present Internet, contribute invaluably to the economy. But to the extent that everyday objects become information security risks, the IoT could distribute those risks far more widely than the Internet has to date.
|“||By 2015, there will be 25 billion autonomous Internet-connected devices with sources estimating 35B-50B such devices by 2020.||”|
"Some estimate that by 2020, 90% of consumer cars will have an Internet connection, up from less than 10 percent in 2013."
The IoT will likely create whole new classes of devices that connect to broadband, and has the potential to generate fundamentally different requirements on the fixed and mobile networks: they will require more IP addresses, will create new traffic patterns possibly demanding changes in Internet routing algorithms, and potentially drive demand for more spectrum for wireless communications.
How it works[edit | edit source]
While IoT devices serve a wide array of purposes, they all consist of three common components: hardware, network connectivity (referred to as "network"), and software. These components, and some examples of each, are shown in figure 2 and discussed below.
The Internet of Things consists of two foundational concepts:
- IoT components are connected by a network providing the potential for a many-to-many relationship between components (this network capability may or may not be TCP/IP based); and
- some of the IoT components have sensors and actuators that allow the components to interact with the physical world.
Hardware[edit | edit source]
The hardware used in IoT devices consists of the embedded components — sensors, actuators, and processors, among others. Sensors collect information about the IoT devices' environment, such as temperatures or changes in motion. Actuators perform physical actions, such as unlocking a door. Processors serve as the "brains" of IoT devices, supporting the computing platform for the network and software components and interfacing with the sensors and actuators.
Network[edit | edit source]
The network component of an IoT device connects it to other devices and to network-accessible computer systems. Different IoT devices can connect via different digital communications methods, including wired or wireless methods. Wired devices typically connect to a network through an Ethernet connection via copper or fiber-optic cable. Wireless devices typically connect via the radio frequency spectrum. Bluetooth and Wi-Fi are commonly used short-range wireless connections, while cellular is used for long range wireless connections. Wireless communications allow devices to remain connected to a network while mobile. Depending on the communication needs — such as transmission range, data transmission rate, and power — one or more network communications technologies can be incorporated into IoT devices.
Different types of networks operate over different ranges. For example, IoT devices can use a personal area network (PAN) to transmit data over a distance of about 10 meters (e.g., Bluetooth inside a room), a local area network to transmit data over an area of about 100 meters (e.g., Wi-Fi within a house), and a wide area network to transmit data over an even wider area, encompassing buildings or cities (e.g., cellular transmission). In addition to range needed, IoT devices may use different networks based on other factors such as available power.
IoT devices can be uniquely identified on their networks by being assigned "addresses." If an IoT device connects via the Internet, the Internet Protocol Version 4 (IPv4) can be used. IPv4 provides approximately 4.3 billion unique Internet Protocol (IP) addresses, and is currently the most commonly used addressing system for the Internet. However, as the number of devices connecting to the Internet has grown with computer systems and IoT devices, all of the available addresses in the IPv4 scheme have been assigned. Some Internet users are transitioning to Internet Protocol Version 6 (IPv6), which provides approximately 340 trillion trillion trillion (3.4x1038) unique IP addresses. The IPv6 has superior scalability and identifiability features compared to IPv4 and allows each device — wired or wireless — to have a unique IP address independent of its current point of attachment to the Internet. Since the number of IoT devices is projected to continue growing, IPv6 can address the need for more IP addresses to facilitate unique identification. However, challenges associated with several aspects of IPv6 adoption, including security management, implementation in current business applications, interfaces with business partners that are not IPv6 enabled, maintaining dual IPv6 and IPv4 environments, and the adoption of new standards, have delayed the transition from IPv4 to IPv6.
Software[edit | edit source]
Software in IoT devices performs a range of functions, from basic operations to complex analyses of collected data. For example, software of one IoT device may translate data from one format to another. Other software might analyze data to monitor the functionality of complex machines. Software for jet engines, for example, could collect the measurements from an engine's sensors and determine whether the engines require maintenance.
The software component may also include data analytics to find patterns, correlations, or outliers, among other information, in the collected data. Such information can inform users or determine and convey an action the IoT device needs to make. For example, IoT-enabled thermostats can use sensors to collect information about when consumers change the temperature in their homes, and then use software to perform data analytics to automate the temperature change so that it mimics consumer usage patterns.
Although some software can be deployed within the IoT device itself, software performing complex data analysis is typically performed using cloud computing (also known as the cloud). Cloud computing applications are network-based and scalable. The cloud infrastructure may include servers, networks, and software. For the IoT, this means computing power does not have to physically reside on the device, or even at the same location as the device, allowing for devices to be placed in areas too remote or small to power and house a conventional computer.
Data[edit | edit source]
"The power and disruptive promise of the IoT is the exponential scale of its data. As the number of devices capable of internet connectivity increase, and as IoT device manufacturing, connectivity and data costs are reduced, there is an unprecedented scalability of IoT solutions. However, the proliferation of data collection, storage and transmission and use from the IoT also raises increased concern about privacy and security risks, as well as consumer confidence around the IoT design process."
Enablers of IoT[edit | edit source]
"A number of significant technology changes have come together to enable the rise of the IoT. These include the following.
- Cheap sensors — Sensor prices have dropped to an average 60 cents from $1.30 in the past 10 years.
- Cheap bandwidth — The cost of bandwidth has also declined precipitously, by a factor of nearly 40X over the past 10 years.
- Cheap processing — Similarly, processing costs have declined by nearly 60X over the past 10 years, enabling more devices to be not just connected, but smart enough to know what to do with all the new data they are generating or receiving.
- Smartphones — Smartphones are now becoming the personal gateway to the IoT, serving as a remote control or hub for the connected home, connected car, or the health and fitness devices consumers are increasingly starting to wear.
- Ubiquitous wireless coverage — With Wi-Fi coverage now ubiquitous, wireless connectivity is available for free or at a very low cost, given Wi-Fi utilizes unlicensed spectrum and thus does not require monthly access fees to a carrier.
- Big data — As the IoT will by definition generate voluminous amounts of unstructured data, the availability of big data analytics is a key enabler.
- IPv6 — Most networking equipment now supports IPv6, the newest version of the Internet Protocol (IP) standard that is intended to replace IPv4. IP supports 32-bit addresses, which translates to about 4.3 billion addresses — a number that has become largely exhausted by all the connected devices globally. In contrast, IPv6 can support 128-bit addresses, translating to approximately 3.4 x 1038 addresses — an almost limitless number that can amply handle all conceivable IoT devices."
Technical limitations[edit | edit source]
Prominent technical limitations that may affect the growth and use of the IoT include a lack of new Internet addresses under the most widely used protocol, the availability of high-speed access, wireless communications, and lack of consensus on technical standards.
Internet addresses[edit | edit source]
A potential barrier to the development of IoT is the technical limitations of the version of the Internet Protocol (IP) that is used most widely. Internet Protocol Version 4 (IPv4) is currently in widest use. It can accommodate about four billion IP addresses, and it is close to saturation, with few new addresses available in many parts of the world.
Some observers predict that Internet traffic will grow faster for IoT objects than any other kind of device over the next five years, with more than 25 billion IoT objects in use by 2020, and perhaps 50 billion devices altogether.
Internet Protocol version 6 (IPv6) allows for a huge increase in the number IP addresses. IPv6 will accommodate over 1038 addresses — more than a trillion trillion per person. It is highly likely that to accommodate the anticipated growth in the numbers of Internet-connected objects, IPv6 will have to be implemented broadly. It has been available since 1999 but was not formally launched until 2012. In most countries, fewer than 10% of IP addresses were in IPv6 as of September 2015.
High-speed Internet[edit | edit source]
Use and growth of the IoT can also be limited by the availability of access to high-speed Internet and advanced telecommunications services, commonly known as broadband, on which it depends. While many urban and suburban areas have access, that is not the case for many rural areas, for which private-sector iSPs may not find establishment of the required infrastructure profitable, and government programs may be limited.
Wireless communications[edit | edit source]
Many observers believe that issues relating to access to the electromagnetic spectrum will need to be resolved to ensure the functionality and interoperability of IoT devices. Access to spectrum, both licensed spectrum and unlicensed spectrum, is essential for devices and objects to communicate wirelessly. IoT devices are being developed and deployed for new purposes and industries, and some argue that the current framework for spectrum allocation may not serve these new industries well.
Standards[edit | edit source]
Currently, there is no single universally recognized set of technical standards for the IoT, especially with respect to communications, or even a commonly accepted definition among the various organizations that have produced IoT standards or related documents. Many observers agree that a common set of standards will be essential for interoperability and scalability of devices and systems. However, others have expressed pessimism that a universal standard is feasible or even desirable, given the diversity of objects that the IoT potentially encompasses. Several different sets of de facto standards have been in development, and some observers do not expect formal standards to appear before 2017. Whether conflicts between standards will affect growth of the sector is not clear.
Other technical issues[edit | edit source]
Several other technical issues might impact the development and adoption of IoT. For example, if an object's software cannot be readily updated in a secure manner, that could affect both function and security.
Energy consumption can also be an issue. IoT objects need energy for sensing, processing, and communicating information. If objects isolated from the electric grid must rely on batteries, replacement can be a problem, even if energy consumption is highly efficient. That is especially the case for applications using large numbers of objects or placements that are difficult to access. Therefore, alternative approaches such as energy harvesting, whether from solar or other sources, are being developed.
"Interoperability between IoT systems is critically important to capturing maximum value. . . ." "On average, interoperability is necessary to create 40 percent of the potential value that can be generated by the Internet of Things in various settings."
Security risks[edit | edit source]
The IoT presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. Companies might use this data to make credit, insurance, and employment decisions. Perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption.
There appeared to be widespread agreement that companies developing IoT products should implement reasonable security. Of course, what constitutes reasonable security for a given device will depend on a number of factors, including the amount and sensitivity of data collected and the costs of remedying the security vulnerabilities.
- First, on IoT devices, as with desktop or laptop computers, a lack of security could enable intruders to access and misuse personal information collected and transmitted to or from the device. For example, new smart televisions enable consumers to surf the Internet, make purchases, and share photos, similar to a laptop or desktop computer. Like a computer, any security vulnerabilities in these televisions could put the information stored on or transmitted through the television at risk. If smart televisions or other devices store sensitive financial account information, passwords, and other types of information, unauthorized persons could exploit vulnerabilities to facilitate identity theft or fraud. Thus, as consumers install more smart devices in their homes, they may increase the number of vulnerabilities an intruder could use to compromise personal information.
- Second, security vulnerabilities in a particular device may facilitate attacks on the consumer's network to which it is connected, or enable attacks on other systems. For example, a compromised IoT device could be used to launch a denial of service attack. Denial of service attacks are more effective the more devices the attacker has under his or her control; as IoT devices proliferate, vulnerabilities could enable these attackers to assemble large numbers of devices to use in such attacks. Another possibility is that a connected device could be used to send malicious emails.
- Third, unauthorized persons might exploit security vulnerabilities to create risks to physical safety in some cases. Unauthorized access to Internet-connected cameras or baby monitors also raises potential physical safety concerns. Likewise, unauthorized access to data collected by fitness and other devices that track consumers' location over time could endanger consumers' physical safety. Another possibility is that a thief could remotely access data about energy usage from smart meters to determine whether a homeowner is away from home.
These potential risks are exacerbated by the fact that securing connected IoT devices may be more challenging than securing a home computer, for two main reasons. First, companies entering the IoT market may not have experience in dealing with security issues. Second, although some IoT devices are highly sophisticated, many others may be inexpensive and essentially disposable. In those cases, if a vulnerability were discovered after manufacture, it may be difficult or impossible to update the software or apply a patch.
And if an update is available, many consumers may never hear about it. Relatedly, many companies — particularly those developing low-end devices — may lack economic incentives to provide ongoing support or software security updates at all, leaving consumers with unsupported or vulnerable devices shortly after purchase.
So what should companies do?
- First, companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider: (1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and retain; and (3) testing their security measures before launching their products.
- Second, with respect to personnel practices, companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.
- Third, companies should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers.
- Fourth, when companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels.
- Fifth, companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer's device, data, or even the consumer's network.
- Finally, companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.
Privacy risks[edit | edit source]
There are many types of privacy risks flowing from the Internet of Things. Some of these risks involve the direct collection of sensitive personal information, such as precise geolocation, financial account numbers, or health information — risks already presented by traditional Internet and mobile commerce. Others arise from the collection of personal information, habits, locations, and physical conditions over time, which may allow an entity that has not directly collected sensitive information to infer it.
The sheer volume of data that even a small number of devices can generate is stunning. "[R]esearchers are beginning to show that existing smartphone sensors can be used to infer a user's mood; stress levels; personality type; bipolar disorder; demographics (e.g., gender, marital status, job status, age); smoking habits; overall well-being; progression of Parkinson's disease; sleep patterns; happiness; levels of exercise; and types of physical activity or movement.” Such inferences could be used to provide beneficial services to consumers, but also could be misused. Relatedly, IoT enables the collection of "sensitive behavior patterns, which could be used in unauthorized ways or by unauthorized individuals.”
There are also general privacy risks associated with these granular information-collection practices, including the concern that the trend towards abundant collection of data creates a "non-targeted dragnet collection from devices in the environment." Others noted that companies might use this data to make credit, insurance, and employment decisions. For example, customers of some insurance companies currently may opt into programs that enable the insurer to collect data on aspects of their driving habits — such as the number of "hard brakes," the number of miles driven, and the amount of time spent driving between midnight and 4 a.m. — to help set the insurance rate. Use of data for credit, insurance, and employment decisions could bring benefits — e.g., enabling safer drivers to reduce their rates for car insurance or expanding consumers' access to credit — but such uses could be problematic if they occurred without consumers' knowledge or consent, or without ensuring accuracy of the data.
Although a consumer may today use a fitness tracker solely for wellness-related purposes, the data gathered by the device could be used in the future to price health or life insurance or to infer the user's suitability for credit or employment (e.g., a conscientious exerciser is a good credit risk or will make a good employee). It would be of particular concern if this type of decision-making were to systematically bias companies against certain groups that do not or cannot engage in the favorable conduct as much as others or lead to discriminatory practices against protected classes.
The Fair Credit Reporting Act ("FCRA") imposes certain limits on the use of consumer data to make determinations about credit, insurance, or employment, or for similar purposes. The FCRA imposes an array of obligations on entities that qualify as consumer reporting agencies, such as employing reasonable procedures to ensure maximum possible accuracy of data and giving consumers access to their information. However, the FCRA excludes most "first parties" that collect consumer information; thus, it would not generally cover IoT device manufacturers that do their own in-house analytics. Nor would the FCRA cover companies that collect data directly from consumers' connected devices and use the data to make in-house credit, insurance, or other eligibility decisions — something that could become increasingly common as the IoT develops. For example, an insurance company may offer consumers the option to submit data from a wearable fitness tracker, in exchange for the prospect of lowering their health insurance premium. The FCRA's provisions, such as those requiring the ability to access the information and correct errors, may not apply in such circumstances.
Yet another privacy risk is that a manufacturer or an intruder could "eavesdrop" remotely, intruding into an otherwise private space. Companies are already examining how IoT data can provide a window into the previously private home. Indeed, by intercepting and analyzing unencrypted data transmitted from a smart meter device, researchers in Germany were able to determine what television show an individual was watching. Security vulnerabilities in camera-equipped devices have also raised the specter of spying in the home.
Finally, some participants pointed out that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential and may result in less widespread adoption.
With respect to government data collection, the U.S. Supreme Court has been reticent about making broad pronouncements concerning society's expectations of privacy under the Fourth Amendment of the U.S. Constitution while new technologies are in flux, as reflected in opinions over the last five years. Congress may also update certain laws, such as the Electronic Communications Privacy Act of 1986, given the ways that privacy expectations of the public are evolving in response to IoT and other new technologies. IoT applications may also create challenges for interpretation of other laws relating to privacy, such as the Health Insurance Portability and Accountability Act of 1996 and various state laws, as well as established practices such as those arising from norms such as the Fair Information Practice Principles.
Additional risks[edit | edit source]
- the lack of consensus standards for the IoT, especially with respect to connectivity;
- the transition to a new Internet Protocol (IPv6) that can handle the exponential increase in the number of IP addresses that the IoT will require;
- methods for updating the software used by IoT objects in response to security and other needs;
- energy management for IoT objects, especially those not connected to the electric grid; and
- the role of the federal government, including investment, regulation of applications, access to wireless communications, and the impact of federal rules regarding "net neutrality."
Intellectual property rights[edit | edit source]
"A common understanding of ownership rights to data produced by various connected devices will be required to unlock the full potential of IoT. Who has what rights to the data from a sensor manufactured by one company and part of a solution deployed by another in a setting owned by a third party will have to be clarified."
Government regulation[edit | edit source]
"There is no single federal agency that has overall responsibility for the IoT. Agencies may find IoT applications useful in helping them fulfill their missions. Each is responsible for the functioning and security of its own IoT, although some technologies, such as drones, may fall under the jurisdiction of other agencies as well."
"There is no single federal agency that has overall responsibility for the IoT. Agencies may find IoT applications useful in helping them fulfill their missions. Each is responsible for the functioning and security of its own IoT, although some technologies, such as drones, may fall under the jurisdiction of other agencies as well."
- The Federal Communications Commission (FCC) allocates and assigns spectrum for nonfederal entities.
- In the Department of Commerce, the National Telecommunications and Information Administration (NTIA) fulfills that function for federal entities, and the National Institute of Standards and Technology (NIST) creates standards, develops new technologies, and provides best practices for the Internet and Internet-enabled devices.
- The Federal Trade Commission (FTC) regulates and enforces consumer protection policies, including for privacy and security of consumer IoT devices.
- The Department of Homeland Security (DHS) is responsible for coordinating security for the 16 critical infrastructure sectors. Many of those sectors use industrial control systems (ICS), which are often connected to the Internet, and the DHS National Cybersecurity and Communications Integration Center (NCCIC) has an ICS Cyber Emergency Response Team (ICS-CERT) to help critical-infrastructure entities address ICS cybersecurity issues.
- The Food and Drug Administration (FDA) also has responsibilities with respect to the cybersecurity of Internet-connected medical devices.
- The Department of Justice (DOJ) addresses law-enforcement aspects of IoT, including cyberattacks, unlawful exfiltration of data from devices and/or networks, and investigation and prosecution of other computer and intellectual property crimes.
- Relevant activities at the Department of Energy (DOE) include those associated with developing high-performance and green buildings, and other energy-related programs, including those related to smart electrical grids.
- The Department of Transportation (DOT) has established an Intelligent Transportation Systems Joint Program Office (ITS JPO) to coordinate various programs and activities throughout DOT relating to the development and deployment of connected vehicles and systems, involving all modes of surface transportation. DOT mode-specific agencies also engage in ITS activities.The Federal Aviation Administration (FAA) is involved in regulation and other activities relating to unmanned aerial vehicles (UAVs)68 and commercial systems (UAS).
- The Department of Defense was a pioneer in the development of much of the foundational technology for the IoT. Most of its IoT deployment has related to its combat mission, both directly and for logistical and other support.
Potential impacts of the Internet of Things on U.S. national power[edit | edit source]
If the United States executes wisely, the IoT could work to the long-term advantage of the domestic economy and to the U.S. military. Streamlining — or revolutionizing — supply chains and logistics could slash costs, increase efficiencies, and reduce dependence on human labor. Ability to fuse sensor data from many distributed objects could deter crime and asymmetric warfare. Ubiquitous positioning technology could locate missing and stolen goods.
On the other hand, the U.S. may be unable to deny access to networks of sensors and remotely-controlled objects by enemies of the United States, criminals, and mischief makers. Foreign manufacturers could become both the single-source and single-point-of-failure for mission-critical Internet-enabled things. Manufacturers could also become vectors for delivering everyday objects containing malicious software that causes havoc in everyday life. An open market for aggregated sensor data could serve the interests of commerce and security no less than it helps criminals and spies identify vulnerable targets. Thus, massively parallel sensor fusion may undermine social cohesion if it proves to be fundamentally incompatible with Fourth Amendment guarantees against unreasonable search. By 2025, social critics may even charge that Asia's dominance of the manufacturing of things — and the objects that make up the Internet of Things — has funded the remilitarization of Asia, fueled simmering intra-Asian rivalries, and reduced U.S. influence over the course of geopolitical events.
Future scenarios and potential impacts on the United States[edit | edit source]
When considering the spectrum of possibilities for the state of the IoT in 2025, the key uncertainties span a number of unresolved issues that fall along two major axes:
- The timing of developments (slow versus fast)
- The depth of penetration (niches versus ubiquity).
In terms of timing, just as the Internet and mobile telephony grew rapidly after their incubation periods, the IoT could emerge relatively rapidly if, on balance, the preponderance of conditions yields favorable policies, technological progress, and business collaboration. Or the IoT could arise more slowly if, on balance, conditions are less favorable in these dimensions.
In terms of depth of penetration, just as the Internet and mobile telephony penetrated deeply into the fabric of developed nations, the IoT could pervade everyday life if, on balance, the preponderance of conditions yields an enthusiastic public that uses its pocketbook to express strong market demand. Alternatively, if those demand signals do not materialize — for example if the public perceives costs, disadvantages, and risks that outweigh perceived benefits — then the IoT may remain limited to industrial, commercial, and government niches. Yet even those niches could include benefits and harms that would significantly affect the United States.
On the basis of these two axes of uncertainty, four scenarios highlight the spectrum of possibilities for how the future could play out until 2025. Whether fast and widespread, or slow and niche-driven, the emergence of the IoT has the potential to affect U.S. interests. We focus on the opportunities and threats that the two extreme scenarios present to the United States: Important risks and advantages will arise even in the "Connected Niches" scenario, which represents moderately-paced opportunistic developments of IoT technology. At the other extreme, "Ambient Interaction" highlights the implications of a rapid and deep penetration of information-communications technology into everyday objects — a scenario that is sufficiently plausible that its dramatic risks and advantages deserve consideration. We also describe briefly "Fast Burn" and "Slowly But Surely," which represent the middle ground among the four scenarios.
Scenario 1: Fast burn[edit | edit source]
In "Fast Burn" the IoT develops rapidly but in a limited fashion, and fails to sustain its momentum. Although impacts become quite significant in particular application areas (industrial automation, health care, and security), the IoT doesn't fulfill the promise of becoming pervasive (and thus is of limited importance to everyday lifestyles, business operations, and the conduct of government). Ubiquitous positioning technology never materializes as military concerns about the risks of terrorists gaining access to improved geopositioning combine with inadequate local government funding for emergency service positioning. In this scenario, IoT technology confers similar risks and benefits to U.S. interests to those experienced in "Connected Niches," but neither the risks nor the benefits to U.S. interests inherent in "Ambient Interaction."
Scenario 2: Slowly but surely[edit | edit source]
In "Slowly But Surely" the IoT becomes pervasive, but not until 2035 or so. Outcomes are somewhat similar to those of "Ambient Interaction," but there are substantial differences. The relatively slow development of the technology gives businesses and governments time to assimilate developments, allaying the most disruptive risks. Many risks remain, but the sheer complexity of technology in 2035 makes the IoT less accessible to hacking by mischief makers. Nevertheless, the most motivated malefactors and enemies of the United States can exploit the IoT in ways that are similar to those experienced in "Ambient Interaction," and benefits to U.S. interests do not materialize as dramatically as they do in "Ambient Interaction."
Scenario 3: Connected niches[edit | edit source]
In "Connected Niches" the IoT evolves along application pathways that promise rapid payback and that can overcome resistance and indifference. Demand is commensurate with evolutionary but not revolutionary cost reductions, moderate technology progress that leaves some problems largely unsolved. Industries show reluctance to fully collaborate. Policies express at best a benign neglect for the potential advantages and, at worst, discriminate against innovation in favor of grandfathered interests. Even in 2025, positioning technology remains limited to outdoor use and many individual items lack RFID tags. Nevertheless, innovations encourage adoption of connected everyday objects and sensor networks in security, logistics, healthcare, document management, inventory management, fleet management, industrial automation, and robotics. In short, connected everyday devices are common in workplaces and military operations but not in households. Similarly, sensor networks mainly reside in workplaces and public places. Connected everyday objects and sensor networks deliver significant value to the economy and significant efficiencies to military organizations but also introduce significant vulnerabilities as new pathways for exploitation become available to mischief makers, criminals, and enemies of the United States. As niches grow, some interconnect, introducing unexpected interactions — some synergistic, others counterproductive.
- Potential opportunities. The United States gains short-term economic advantages by adopting technologies that streamline commercial logistics and industrial automation, the combined effect of which lowers costs and boosts corporate profits. When retailers choose to keep RFID at the pallet level, technology suppliers aggressively seek and find alternative growth pathways via vertical-market opportunities. Airports and other public-transit hubs become venues for large-scale sensor networks that support the missions of private-security and public-safety agencies. For recognizing patterns of behavior indicating ill intent, software helps but does not reduce the need for human observers and analysts. Similarly, the IoT deters theft and helps locate missing goods, albeit indoor location is limited to perimeter-secured environments. Many hospitals and long-term care facilities become high-tech havens, resulting in significantly improved qualities of care. Two key niches — fleet management and document management — provide growth pathways for the IoT that confer decisive advantages over traditional approaches. Government and commercial operators of vehicle fleets find substantial value in advanced vehicle diagnostics and prognostics, enabling maintenance as-needed rather than on a schedule, concurrently yielding both reduced costs and increased reliability. Also, as solution prices fall, by 2020 paper documents and publications as well as electronic substitutes for paper e-books, smartcards, and other devices — commonly contain RFID tags, enabling automation of many formerly tedious and time-consuming processes.
- Potential risks. The IoT's advantages to the U.S. economy are moderated by trade imbalances that favor the adding of value to everyday things by overseas manufacturers. First responders have poorer geolocation capability than terrorists (who use real-time kinematic and/or satellite-based augmentation solutions that are far less expensive to a small cell of individuals than to large public safety agencies). The IoT's contributions to physical security come at the cost of a high rate of false positive and false negative detections, so that while people consider that the cost-benefit balance is favorable, it is only marginally so; thus, depth of support is shallow. Similarly, while the IoT proves to be a boon for healthcare overall, some hospitals and long-term care facilities reduce costs by trading away the "care" in healthcare in favor of surveillance and restrictive, access control policies. While the IoT is decisively beneficial for vehicle maintenance and document management, serious risks and unavoidable annoyances accompany even these applications. A host of risks accompany people's overconfidence in technical solutions, often at the neglect of common sense.
Scenario 4: Ambient interaction[edit | edit source]
In "Ambient Interaction" the IoT arises rapidly and pervasively, favored by technology progress, business collaboration, and innovation-friendly policies. Strong demand arises across several major sectors of the economy, as technological wizardry combined with creative business developments stimulate people's appetites for killer applications that reduce labor and tedium, confer peace of mind, and blur the lines between work, play, and commerce. Connected everyday objects and sensor networks are common in workplaces, public places, and households. By 2017, walk-through checkout procedures are the norm for retailing, and nationwide positioning technology is in place, including indoors. Strategic initiatives have ensured that the United States enjoys long-term economic and military advantages. Nevertheless, great risks accompany great benefits as pervasive computing introduces equally pervasive vulnerabilities. Just as the Internet aggravated the risks of cyberwarfare, spam, identity theft, and denial-of-service attacks, connected everyday objects become targets for malicious software that causes everyday devices to fail or spy. Sensor networks become channels for unauthorized surveillance by mischief makers, criminals, and enemies of the United States.
- Potential opportunities. Geopolitical advantages arise as the United States uses sensor networks to foil terrorists and asymmetrical warriors. The U.S. military gains long-term advantage by quickly streamlining operations and adopting strategic initiatives for continuous innovation, specifically for the purpose of sustaining that advantage. The United States also gains long-term economic advantages by embracing technologies (notably, item-level RFID and indoor location) that concurrently streamline commercial logistics and add value to physical products, the combined effect of which stimulates GDP. In fact, the pervasive IoT enables logistics to undergo a revolution rather than merely streamlining. By 2025, robotic supply chains are common and considered more secure and less prone to human tampering than traditional shipping and receiving. At ports, containers report their contents to heavy equipment, which routes goods to trucks automatically; at distribution points, pallets and forklifts similarly communicate and route goods which arrive in stores largely untouched by human hands. RFIDs in individual food packages drive popular adoption of RFID readers in cell phones that provide an indication of food origins and provenance. Makers of other packaged goods leverage the universality of RFID readers in cell phones. A combination of useful advice and marketing gimmicks yields a remarkable mix of "advertainment" and social benefits, such as cell phones that double as displays for multilingual user manuals and recycling instructions. Individuals enthusiastically adopt objects having embedded positioning capability, dramatically reducing the incidence of misplaced and stolen goods.
- Potential risks. The incidental risks mentioned in the "Connected Niches" scenario (above) threaten to multiply by an order of magnitude. As the United States increases its reliance on the IoT, supply disruptions will yield operational disruptions. Asia's role as single-source manufacturing center establishes a single point of failure for mission-critical materiel when new vehicles arrive on U.S. shores "contaminated" by malware. Terrorists can exploit sensor networks, whose encryption technology threatens to lag far behind the cracking capabilities of East- and North-European teenagers equipped with massively-multicore laptop computers. The same corporate and government misunderstanding of security issues that yielded email-propagated viruses and spam-generating "zombie" computers could end up providing the means for criminals and mischief makers to exploit connected everyday objects through lax security systems.
Signposts to monitor[edit | edit source]
Scenarios exist because of the uncertainty that is inherent with any view of the future. Determining which scenario best mirrors reality at any one time depends on careful assessment of reliable information and knowledge and monitoring various signposts that would indicate the direction and pace with which any field of uncertainty (in this case, relative to enabling the disruptive potential of a technology to U.S. interests) is advancing. Key variables, which, if positive, would indicate environments that are supportive toward development of the Internet of Things, include:
- The size and nature of demand for expedited logistics in commerce and military organizations,
- The effectiveness of initial waves of IoT technology in reducing costs, thereby creating conditions for diffusion into vertical application areas including civilian government operations, law enforcement, healthcare, and document management,
- The ability of devices located indoors to receive geolocation signals, possibly, distributing such signals by leveraging available infrastructures (cell towers, broadcasters, and other means),
- Closely related technological advances in miniaturization and energy-efficient electronics, including reduced-power microcomputers and communications methods, energy-harvesting transducers, and improved microbatteries,
- Efficient use of spectrum, including cost-effective solutions for wide-area communications at duty cycles that are much smaller (e.g., the equivalent of a few minutes per month) than those of cell phones (averaging many minutes per day), and
- Advances in software that act on behalf of people, and software that effectively fuses ("makes sense of") sensor information from disparate sources.
References[edit | edit source]
- Quoted in Dave Evans, The Internet of Things: How the Next Evolution of the Internet Is Changing Everything, at 4 (Cisco Internet Business Solutions Group (IBSG)) (Apr. 2011) (full-text).
- NSTAC Report to the President on the Internet of Things, at ES-2.
- International Telecommunication Union, The Internet of Things, Executive Summary, at 3 (Nov. 2005) (full-text).
- Transforming the Nation's Electricity System: The Second Installment of the Quadrennial Energy Review, at S-3.
- Gartner, IT Glossary (full-text)
- National IOT Strategy Dialogue, at 4.
- Big Data: Seizing Opportunities, Preserving Values, at 2.
- Internet of Things: Privacy & Security in a Connected World, at i.
- Security of Things: An Implementers' Guide to Cyber-Security for Internet of Things Devices and Beyond, at 4.
- Internet of Things in 2020: A Roadmap for the Future, Executive Summary.
- Risk and Responsibility in a Hyperconnected World, at 28.
- Internet of Things: Privacy & Security in a Connected World, at 6.
- Industrial Internet Scoping Report, at 1.
- Report on Securing and Growing the Digital Economy, at 90.
- Big Data: Seizing Opportunities, Preserving Values, at 5.
- The term was initially coined by Kevin Ashton in 1999 in a presentation at Proctor and Gamble in reference to radio-frequency identification tags (RFIDs). See Kevin Ashton, "That ‘Internet of Things’ Thing," RFID J. (June 22, 2009) (full-text).
- Overview of the Internet of Things, at 2.
- "Although the IoT implies the Internet is the mode of communication, local networks can also transmit information collected by sensors." Internet of Things: Status and Implications of an Increasingly Connected World, at 1 n.1.
- Internet of Things: Privacy & Security in a Connected World, at 5.
- The Internet of Things: Frequently Asked Questions, Summary.
- Overview of the Internet of Things, at 5.
- Id. at 4.
- Industrial Internet Scoping Report, at 1.
- At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, at 8.
- The Internet of Things: Frequently Asked Questions, Summary.
- The Internet of Things. How the Next Evolution of the Internet Is Changing Everything, at 3.
- Securing the Internet of Things: A Global Overview of a Global Challenge, at 3.
- The Internet Of Things: Mapping The Value Beyond The Hype.
- In the 2010 case City of Ontario v. Quon, the Court sidestepped the question whether individuals have a reasonable expectation of privacy in their electronic communications by resolving the case on other grounds (City of Ontario v. Quon, 560 U.S. 746 (2010) ("The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear."). Similarly, in the 2012 GPS tracking case United States v. Jones, the majority avoided the question of whether people should expect privacy in their public movements over a long period of time by instead relying on a hundreds-year-old trespass theory of the Fourth Amendment (United States v. Jones, 132 S. Ct. 945, 954 ). More recently, in the 2015 case California v. Riley, the Court held that the government must obtain a warrant before accessing the data on a cellphone confiscated upon an arrest; however, the ruling did not separately opine on the level of protections for data stored in the cloud, on which IoT applications will undoubtedly rely (California v. Riley, 134 S. Ct. 2473, 2495 (2015)).
- Internet of Things: Privacy and Security in a Connected World.
- The Internet Of Things: Mapping The Value Beyond The Hype, at 11.
- The Internet of Things: Frequently Asked Questions, Summary.
- The Internet of Things: Frequently Asked Questions, Summary.
- The Federal Communications Commission: Current Structure and Its Role in the Changing Telecommunications Landscape.
- See, for example, Internet of Things: Privacy and Security in a Connected World.
- For descriptions of these sectors, see Presidential Policy Directive 21: Critical Infrastructure Security and Resilience.
- About the National Cybersecurity and Communications Integration Center.
- Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication.
- About ITS.
- Pilotless Drones: Background and Considerations for Congress Regarding Unmanned Aircraft Operations in the National Airspace System.
- Unmanned Aircraft Systems (UAS): Commercial Outlook for a New Industry.
Sources[edit | edit source]
- The Internet of Things: Frequently Asked Questions.
- National Intelligence Council, Disruptive Civil Technologies: Six Technologies with Potential Impacts on US Interests Out to 2025: Conference Report (Apr. 2008) (full-text).
- Enablers of IoT section: The Internet of Things: Making Sense of the Next Mega-trend, at 4.
- How it works section: Technology Assessment: Internet of Things: Status and Implications of an Increasingly Connected World, at 7-9.
- Security risk section: Internet of Things: Privacy & Security in a Connected World, at iii, 10-13 (footnotes omitted).
- Privacy risk section: Id. at 14-18 (footnotes omitted).
See also[edit | edit source]
- Ambient intelligence
- Consumer Internet of Things
- Demystifying the Internet of Things
- European Research Cluster on the Internet of Things
- European Commission, Internet of Things: 14-point Strategic Action Plan
- Fostering the Advancement of the Internet of Things
- Human Internet of Things
- Internet of Everything
- Internet of Medical Things
- Internet of Things botnet
- Internet of Things device
- Internet of Things Global Standards Initiative
- Internet of Things middleware
- Internet of Things privacy
- Internet of Things: Privacy & Security in a Connected World
- Internet of Things security
- Internet of Toys
- IoT platform
- Machine-to-machine communication
- Minimally securable IoT device
- Overview of the Internet of Things
- Pervasive computing
- Securing Small Business and Home Internet of Things Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description
- Smart thing
- Technology Assessment: Internet of Things: Status and Implications of an Increasingly Connected World
- The Internet of Things
- The Internet of Things: Frequently Asked Questions
- The Internet of Things: Making Sense of the Next Mega-trend
- Ubiquitous computing
- Web of Things