The U.S. Federal Trade Commission has just issued a seasonal (and chilling) reminder about the dangers of internet-connected children's toys: they may be recording your children's voices and sharing their locations when they play. The FTC encourages grownups buying smart toys to investigate what kind of information the toys store, how and where the data is stored and shared, and whether parents have the ability to see and delete the data collected. It also flags U.S. privacy law requirements around consent and disclosure with which toy manufacturers must comply (Canada has similar privacy law requirements).
The warning is timely for Canadians as well, and not just because it's gift-giving season. Smart toys make up a growing part of the Internet of Things (the "IoT"), the universe of network-connected devices, ranging from smartphones to connected cars to pacemakers to Christmas lights, that brings greater convenience to daily life but that often contains little or no protection from cyber attacks. Cisco estimates that the IoT "will comprise more than 30 billion connected devices" by 2020.
Ensuring consumers understand the cybersecurity and privacy risks associated with connected consumer products is a key aspect of cybersecurity, but governments are also increasingly (if belatedly) recognizing that safeguards must be implemented at the manufacturing stage to effectively insulate end-users from cyber-attacks and unauthorized intrusions.
The Canadian Senate has expressed similar concerns to the FTC over the proliferation of the IoT. The Senate Standing Committee on Banking, Trade and Commerce recently published a report about the growth of cybersecurity threats in Canada, noting that "over half of Canadian households have four or more Internet-connected devices, and each of these devices could potentially serve as a target for cyber criminals," and recommending that "[t]he federal government develop standards to protect consumers, businesses and governments from threats related to the Internet of Things devices."
Canada would not be the first jurisdiction to consider imposing cybersecurity standards on manufacturers of connected devices.
Japan has had an IoT strategy in place for some time now. Its National Center for Incident Readiness and Strategy for Cybersecurity ("NISC") released a draft General Framework for Secured IoT Systems in 2016 as part of a 2015 national strategy driven in part by the security imperatives arising from Japan's hosting of the 2020 Olympic Games. The General Framework adopts the privacy principle of "privacy by design" and recognizes the need to develop "safety assurance standards, including statutory and customary requirements" for the IoT.
Japan updated its strategy in July 2018, emphasizing the necessity of creating guidelines for industry and of promoting "efforts for international standardization of the basic elements of cybersecurity required for realizing secure IoT systems in order to develop value creation systems for IoT systems and deploy it on a global scale while utilizing Japan's strengths of safety and security in order to contribute to the development of the global economy through spreading such secure IoT systems."
It is clear that Japan recognizes its leverage as a technological hub that can strongly influence global standard-setting, and is actively working to build up cybersecurity through policy.
Other jurisdictions have similarly recognized the importance of enforcing standards. A new California law coming into force in 2020 broadly defines "connected devices" to mean "any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address." The incoming law requires the manufacturer of any "connected device" to:
[E]quip the device with a reasonable security feature or features that are all of the following:
- Appropriate to the nature and function of the device.
- Appropriate to the information it may collect, contain, or transmit.
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
Meanwhile, a U.S. Senate bill, not yet passed into law but endorsed by a number of cybersecurity experts, would require that IoT devices be patchable, contain no known vulnerabilities, rely on standardized protocols, and not use hard-coded passwords.
There is no doubt that influential jurisdictions are recognizing the risk of allowing rapid IoT growth without corresponding regulatory authority. A Canadian approach to regulating the IoT raises interesting questions. Would jurisdiction be federal or provincial (likely both)? What existing or new regulators would take jurisdiction? What changes to existing privacy and other laws would be needed to implement a successful scheme of regulation and standards?
A robust and clear technical and legal framework is critical for end-users to appreciate their rights, and for the producers of these devices to understand their responsibilities. The jurisdictions that act first and go farthest will largely shape the approach taken by other jurisdictions. It will be interesting to see whether Canada becomes a leader or a follower in this process.
In the meantime, happy holidays, and play safe.