DC-IoT & IS3C: Global Best Practices for a Resilient and Secure IoT by Design

19 Dec 2024 08:15h - 09:15h

Session at a Glance

Summary

This discussion focused on secure IoT practices, data governance, and emerging technologies in the Internet of Things (IoT) ecosystem. The session began with an overview of current IoT security developments, highlighting the U.S. Cyber Trustmark program and efforts towards international harmonization of IoT labeling schemes. Participants emphasized the importance of consumer awareness and education regarding IoT security.

The conversation then shifted to IoT data governance and privacy concerns. Experts stressed the need for robust policies balancing innovation with privacy protection, acknowledging the challenges of managing vast amounts of data generated by IoT devices. The discussion touched on the complexities of data categorization, cross-border data flows, and the potential risks of data colonialism.

Emerging technologies, particularly quantum computing and artificial intelligence (AI), were identified as critical factors shaping the future of IoT governance. The importance of implementing post-quantum cryptography (PQC) solutions to future-proof IoT systems against potential quantum threats was highlighted. Participants also explored the interconnected nature of AI and IoT, noting the need for a holistic approach to their development and regulation.

Throughout the session, speakers emphasized the importance of international cooperation, standardization, and multistakeholder engagement in addressing IoT challenges. The discussion concluded by acknowledging the rapid pace of technological advancement and the need for flexible, forward-thinking approaches to IoT governance that can adapt to future developments.

Key points

Major discussion points:

– IoT security labeling and certification programs being developed in different countries

– Data governance and privacy challenges related to IoT devices and systems

– Impact of emerging technologies like quantum computing and AI on IoT security and governance

– Need for international cooperation and harmonization of IoT standards and regulations

– Importance of considering societal impacts and ethical implications of IoT technologies

The overall purpose of the discussion was to explore current developments and future challenges in IoT security, data governance, and emerging technologies. The speakers aimed to share insights on global efforts to improve IoT security through labeling programs, address data privacy concerns, and prepare for impacts of quantum computing and AI.

The tone of the discussion was largely informative and collaborative, with speakers sharing updates on initiatives in their respective areas. There was a sense of urgency around the need to address IoT security and privacy issues, balanced with optimism about ongoing efforts. The tone became more speculative and forward-looking when discussing future impacts of quantum computing and AI on IoT governance.

Speakers

– Maarten Botterman: Moderator

– Jonathan Cave: Alan Turing Institute and Warwick University

– Wout de Natris: Coordinator of the Internet Standards Security and Safety Coalition (IS3C)

– Renee Roland: Special Counsel at the Federal Communications Commission (FCC)

– Nicolas Fiumarelli: Chair of IS3C Working Group 1 on IoT security by design, Co-founder of IoT CyberSEC Latin American and Caribbean

– Jimson Olufuye: Chair of the Advisory Council of the Africa ICT Alliance

– Wisdom Donkor: Director for Africa Open Data and Internet Research Foundation

– Martin Koyabe: GFC Africa

– Elif Kiesow Cortez: Chair of IS3C Working Group 9 on emerging technologies

Additional speakers:

– Audience

Full session report

IoT Security, Data Governance, and Emerging Technologies: A Comprehensive Discussion

This summary provides an overview of a discussion on secure IoT practices, data governance, and emerging technologies in the Internet of Things (IoT) ecosystem. The session brought together experts from various fields to explore current developments, challenges, and future implications of IoT governance.

US Cyber Trust Mark and IoT Security Initiatives

The discussion began with Renee Roland, Special Counsel at the Federal Communications Commission (FCC), introducing the US Cyber Trust Mark program for IoT devices. This voluntary initiative aims to provide consumers with clear information about the security features of IoT products. Roland explained that UL Solutions and other Cybersecurity Label Administrators (CLAs) will be responsible for testing and certifying devices under this program.

Nicolas Fiumarelli, Chair of IS3C Working Group 1 on IoT security by design, discussed the work being done by IS3C on IoT security. He emphasized the importance of security by design principles and the need for consumer education regarding IoT security labels. Fiumarelli also mentioned an upcoming workshop focusing on IoT security, RPKI, and post-quantum encryption.

Data Governance and Privacy Challenges in IoT

Jonathan Cave from the Alan Turing Institute and Warwick University highlighted the complexity of IoT data governance. He emphasized that IoT devices generate various types of data beyond personal information, including environmental and operational data. Cave pointed out that IoT systems are often self-documenting, creating metadata about their own operation and environment. This characteristic poses unique challenges for data governance and privacy frameworks.

Cave also raised concerns about the difficulties of obtaining meaningful consent for data collection in IoT environments, given the pervasive and often invisible nature of these devices. He noted that data generated by IoT devices frequently crosses categories, blurring the lines between personal, environmental, and other types of information.

In the chat, Cave further elaborated on the risks of “data colonialism” in developing countries, where data generated by IoT devices might be exploited by external entities without adequate local control or benefit. He also highlighted the challenges of mutual recognition in regulations across different jurisdictions.

IS3C and AFNIC Collaboration on IoT and Post-Quantum Cryptography

Elif Kiesow Cortez, Chair of IS3C Working Group 9 on emerging technologies, discussed a collaboration project between IS3C and AFNIC focusing on IoT and post-quantum cryptography. This initiative aims to address the potential vulnerabilities of current encryption methods in the face of future quantum computing capabilities.

Emerging Technologies and Their Impact on IoT

The discussion then turned to the impact of emerging technologies, particularly quantum computing and artificial intelligence (AI), on IoT security and governance. Kiesow Cortez emphasized the importance of implementing post-quantum cryptography (PQC) solutions to future-proof IoT systems against potential quantum threats. She explained that current classical encryption algorithms, such as RSA, are vulnerable to attacks from powerful quantum computers, which, while not yet existent, pose a credible future threat.

Jonathan Cave introduced an intriguing perspective on the relationship between AI and IoT, noting that the lines between these technologies are increasingly blurring. He pointed out that smart devices not only make decisions but also learn from their environment and users, meaning that the device and its algorithms may be significantly different in use than when they left the factory. This observation led to a discussion about the challenges of regulating rapidly evolving technologies and the need for flexible, adaptive governance frameworks.

Regulatory Challenges in IoT

Renee Roland concluded the discussion by highlighting the challenges of regulating medical devices and other equipment in the IoT space. She emphasized the need for a balanced approach that ensures security without stifling innovation or impeding the benefits that IoT technologies can bring to various sectors.

Throughout the session, speakers emphasized the importance of international cooperation, standardization, and multistakeholder engagement in addressing IoT challenges. The discussion revealed the complexity of creating unified global standards for IoT governance and security, highlighting the need for continued dialogue, research, and collaboration to address the evolving landscape of IoT technologies and their societal impacts.

Session Transcript

Maarten Botterman: Hello. Do you hear me? Five. I hear myself.

Jonathan Cave: I hear you.

Maarten Botterman: I can hear you. Good. Good morning, everybody. Welcome to the joint session by the Dynamic Coalition on IoT and IS3C. This morning, we’re going to focus on secure IoT practices for resilient and secure IoT by design. IoT has been on the agenda of the IGF since 2008, and more and more work is done. At that time, there were more people online than devices. This is definitely the other way around today, and increased importance to also the use of IoT devices and networks and services in our environments has become true. Hence, also, the criticality of making sure it’s more secure than before because we rely on it more than before. So, very short introduction because we only have an hour. Global good practice for IoT, so finding a multi-stakeholder view on what that means, what that entails. In very short, it comes down to Internet of Things good practice principle that we believe that Internet of Things good practice aims at developing IoT systems, products, and services, taking ethical considerations into account from the outset. Legal is obvious. Ethical hasn’t always been that obvious. Both in the development, deployment, and use phases of the life cycle, thus to find the ethical, sustainable way ahead, using IoT to create a free, secure, and enabling rights-based environment with a minimal future we want for us and our future generations. So, this is where we’re working towards, and we’re very happy to work with IS3C who has also done some work in the past, and we’ve done some work together before. I’m asking Wout de Natris, coordinator from IS3C, to shortly introduce the IoT activities of IS3C.

Wout de Natris: Thank you, Maarten. My name is Wout de Natris, and I’m, as I said, the coordinator of the Internet Standards Security and Safety Coalition. We work in a few fields, and I’m not going to go into them, but I will mention that you understand how broad our work is. We do security by design on IoT. We do education and skills in the tertiary cybersecurity sector, procurement for governments, data governance. We created tools, and we’re going to do things on post-quantum encryption in combination with IoT, and that is what Nicolas Fiumarelli, our working group one chair, and hopefully Elif Iso-Cortes, our working group nine chair, will be talking about. And we do that all with one specific goal, is making the Internet more secure by design to make sure that security-related, second-generation Internet standards are adopted by the industry to make us all more secure and safer. Thank you for the opportunity to introduce, Maarten.

Maarten Botterman: Thank you, Wout, and thank you for assisting also with online moderation. Online questions are very welcome. We will only have an hour, so what we decided to do is to have three topics that we’re going to talk about. The first topic is, so what are the current IoT security developments? A mini-panel focused on that. A second one on data governance related to IoT. IoT is creating an enormous wealth of data, and they’re dealt with in different ways how to do it well, also in context to privacy. And then, last but not least, we also talk about emerging technologies and the impact on IoT governance. Without further ado, I’d love to introduce to you a lady who’s at the core of these activities in the U.S., Renee Roland from the FCC, who’s been overseeing this work there and has been seeing that the U.S. has created some standards, and now also has the pleasure and honor of starting to exchange experiences with countries other than the U.S. on mutual recognition and things like that. Renee, very welcome. After you, Nicolas Fiumarelli will speak, and then we’ll have space for some questions. Renee, thank you for getting up at this amazingly early hour for you.

Renée Roland: Excellent. Thank you. Thank you for having me. And please let me know if my volume is high enough.

Maarten Botterman: It’s high enough.

Renée Roland: Okay, good. Renee Roland, Special Counsel at the Federal Communications Commission here in the United States. And as you said, I am leading the implementation of the Internet of Things Cyber Labeling Program, the U.S. Cyber Trustmark. The Federal Communications Commission has established rules laying out the foundation and the framework for a voluntary cybersecurity program for wireless consumer IoT products. That happened in March of this year, and then in September, those rules became effective. Under this, qualifying consumer smart IoT products will have a cyber label that’s going to include the new U.S. Cyber Trustmark that indicates to consumers that the product meets critical minimum cybersecurity standards. Now, the IoT products for our program include an IoT device and any additional product components, for example, a backend or gateway or mobile app, that are necessary to use the IoT device beyond basic operational features. The device is a product that is also capable of intentionally emitting radio frequency energy, as that is under our jurisdiction, and also capable of having at least one transducer for interacting directly with the physical world, so a sensor, for example, or an actuator, and at least one network interface for interfacing with the digital world, so Ethernet or Wi-Fi or Bluetooth. So smartwatches, for example, smart light bulbs, baby monitors, et cetera, are included under our program. Now, while the product is defined as including data communication links to external components, it does not include external components or any external third-party components that are outside of the manufacturer’s control. Under our program, the commission is the program owner and will be supported by a lead administrator, who we recently announced a couple weeks ago as UL Solutions. They will be responsible for collaborating with stakeholders and with making a number of recommendations, most notably regarding standards and testing. We will also have cybersecurity label administrators that we call CLAs, responsible for the day-to-day management of the program, including accepting and reviewing and approving or denying the use of the trademark. We also just recently announced the selection of 10 CLAs for the program. And finally, we have as part of the program our cyber labs, that are going to be responsible for testing products to ensure manufacturers meet the program’s requirements to use the label. Now, the products will display the U.S. Cyber Trust mark and a QR code, and that QR code will direct the consumer to a decentralized, publicly available registry. That registry will link to additional information that’s consumer-friendly about the securability of the product, such as how to change the default password, how to configure the device securely, et cetera. Excluded from our program are medical devices, motor vehicles, and there are a number of provisions that we have that address national security threats. NIST’s core baseline, NISTIR 8425, serves as the basis of our IoT program, along with the NIST 8259 series of reports that provide guidance for designing securable IoT products. Finally, the program recognizes that international harmonization of cybersecurity standards really brings an immense value to manufacturers. In that regard, we really have been meeting with a number of different countries over the past several months, learning about their respective labeling programs. We do have an arrangement with the EU to commit to achieving mutual recognition of our plans, and we’re in the process of doing comparative analysis of our plans. We’ve been working closely with NIST in that respect on comparisons. Singapore has also been very eager to begin comparative analysis of our plans once our standards and scope are in place. As you may know, we have a cybersecurity labeling scheme for smart consumer products and have already stood up. They’re benchmarked up against the European Standards Organization and have some mutual recognition agreements with Finland and Germany. We have also met with a number of other countries, including Australia, Canada, Israel, India, Japan, Korea, New Zealand, and the U.K. And we expect, once our standards are in place, to move as expeditiously as we can on developing a mutual recognition of the FCC’s IoT label, a recognition of international labels, and we look forward to continuing that dialogue. I’m happy to answer questions with respect to next steps, but I’ll mention that we have kicked off a 90-day stakeholder engagement period that will begin in earnest after the holidays, during which time the lead administrator, in collaboration with the CLAs and other stakeholders, will submit recommendations to us, most notably the recommendations on developing technical standards and procedures for our program. Thank you.

Maarten Botterman: Thank you, Renee. Thanks for that excellent layout. Two quick questions. One, is the public comment period, is that the public one, or is that restricted to certain bodies?

Renée Roland: The 90-day stakeholder engagement process has not yet had sort of an official, official start because of the holidays. We expect it to start in January, and we are working with the lead administrator right now on how we will ensure that there is a diversity of stakeholders engaged, but we will also be putting out the recommendations from the lead administrator to the public so the public has an opportunity to comment on them.

Maarten Botterman: Thank you very much. And the other one is, you mentioned a lot of multilateral contacts. Is there also harmonization, or how do you call it, looking at the IEEE work on this area, et cetera, the global standards models?

Renée Roland: Yeah, I think part of our coordination with NIST is to sort of start off the process with the EU, understanding that they’re going to be working with the CRA, and then coming up with a process so that we can develop a mutual recognition with the other countries as well. So I think we’re trying to be as flexible as possible, keeping in mind.

Maarten Botterman: Thank you very much for this. For now, let’s move on to Nicolas. Nicolas, you have been overseeing a lot of work on this for IS3C. What is your latest view and your input? Where are we and what’s next?

Nicolas Fiumarelli: Thank you so much, Maarten. Good morning and afternoon, everyone. For the ones on site and online, my name is Nicolas Fiumarelli, chair of the IS3C working group one on IoT security by design, and also the co-founder of IoT CyberSEC, Latin American and Caribbean. As mentioned by Wout, at IS3C, our mission is to ensure security becomes integrated into every IoT device design and lifecycle. In 2022, our report from the Dynamic Coalition, Saving the World from an Insecure IoT, analyzed policies from 18 countries, identifying 442 best practices across four key areas that were data privacy, secure updates, user empowerment, and operational resilience, all about IoT, right? Despite this, some gaps remain, particularly in regions lacking enforceable policies, you know, and global standards are somewhat fragmented. On the topic of… These are gaining global recognition as a key mechanism for addressing IoT security challenges. These schemes by design aim to inform consumers about the security features of IoT products, thereby empowering them in some manner to make more informed decisions while driving manufacturers to prioritize secure-by-design principles. In our research at IS3C, we have underscored this critical role of labeling schemes in bridging the gap between consumers and manufacturers. However, the implementation of the schemes remains uneven globally, right? While regions like Europe, Asia Pacific, and the USA have made significant strides, other regions, particularly in the global South, in Latin America and the Caribbean, still face challenges in adopting and enforcing such mechanisms. In our report, we have analyzed some of the global labeling initiatives. One of them is the Singapore Cybersecurity Labeling Scheme, or CLS, as mentioned by Renee. Singapore has pioneered, we think, one of the most comprehensive labeling schemes available globally. They use a tiered approach, rating devices on a four-level scale based on the security features. Devices must meet rigorous benchmarks as well, such as secure software updates and unique authentication protocols. Another one is the Finland Cybersecurity Labeling Initiative. …transparency and trust by mandating independent, third-party testing for these IoT devices, ensuring in some manner that the manufacturers provide clear and more verifiable security claims, thereby fostering maybe a culture of accountability and trust. Another one is the United States Cyber Trust Mark, as mentioned by Renee. The FCC recently launched this labeling program, highlighting operational resilience. Also, aligning with the update in NIST, under NIST IR 8425A, the initiative represents a mature step towards standardizing these minimum IoT standards in the North American market. Just to mention another one, because in our report we analyzed several regulatory documents and policy documents talking about IoT security specifically. So the other one is the Korea Regulatory Framework that takes a multi-layered approach. It’s a technical perspective offering detailed requirements on how to address diverse stakeholder needs. Also, this provides examples such as protocols and device illustrations that other standards do not provide; they are more high-level. This is more practical. We found this not only clarifies the complex regulatory language, but also accelerates compliance and implementation. So despite these advancements, we think that challenges remain. It was very great to hear Renee on advancing harmonization issues, as you mentioned, because in our report in 2022, we were recognizing that the lack of this harmonized global standard sometimes creates inconsistencies. And this limits the reach and impact of the labeling programs. Additionally, consumer awareness about labeling schemes remains low in many regions, as I have mentioned. So this is why this cyber labs approach that Renee mentioned is so desired in the industry. So from our report, we have a number of IS3C recommendations, specifically on labeling. One is that these voluntary frameworks, while valuable, sometimes fail to achieve widespread adoption, as I already said. So the IS3C recommends that governments introduce mandatory labeling policies to ensure more consistent implementation. Then on the labels, they should not only reflect a device’s current security state, but also think of the future, like they need commitments. That is very important for us, such as ongoing updates and details on end-of-life considerations, because IoT devices and the state of the art of security, also in the light of the quantum advancement, are always changing. And finally, robust consumer education campaigns. We think that that was one of our recommendations from the report that we identified, and this is a future work that IS3C is focusing on, that the labeling schemes can only succeed if consumers understand and value them. So how will the consumers understand this? So governments and industry stakeholders, we think, must invest in public awareness, right? The initiatives to reach this knowledge gap. So adopting these measures, we think that we can transform the labeling into something more powerful, fostering trust, accountability, security in all the IoT ecosystem. Thank you.

Maarten Botterman: Thank you very much, Nico. And having witnessed the work of IS3C from very close, one of the things that strikes me is that when this work was done, much of it a year ago, how much has happened since. And Renee’s presence here is a very clear testimony of that. And the collaboration in particular from individual initiatives, so individual country initiatives coming to what is beginning to be harmonized today. So Renee, also very much thanks for your work in there. And as you pointed out, up and beyond the labeling, which is useful to inform consumers, they still need to know how to deal with it. And very much appreciate that input. Any questions in the room? Please. Please introduce yourself, Jimson.

Jimson Olufuye: Thank you very much. My name is Jimson Olufuye, Chair of the Advisory Council of the Africa ICT Alliance. I run a company, a cyber security focused organization. So this is a very, very important panel, and I really appreciate the presentations. You raise concern about harmonization and about relating with the stakeholders, the customers, the users. And so my question is, why are we not going through, say, ISO, the International Standards Organization? We know that encompasses all standards. Well, why can’t we get into them at first so that we can streamline the process going forward? Thank you.

Maarten Botterman: Thank you for that. And I’ll ask Renee to come with an answer on that, while saying that one of the reasons why we try to come to a common understanding of global good practice is that it would inspire around the world and provide a common line. And in the ideal world, there’s interaction between the understanding that we develop here at IGF and the initiatives that are rapidly developing around the world, both in the international standard institutions as in the countries. A few words on this, please.

Renée Roland: Yeah, I think that’s right. I mean, I think that, you know, you have countries like Singapore that had started obviously before the United States have started and they have, you know, the four-tier system. And then in terms of our system, we determined the best system for us was to have a system that is not a tiered system. You either get the label or you do not get the label. There is no tiering. And there are some other obvious differences between out there in the scheme that the United States has determined to come up with. So I think that that’s part of the problem is just the difference in timing in terms of when these programs have initiated. But I think the goal is ultimately to be able to have some sort of either mutual recognition or otherwise harmonization of the programs going forward. And I think that’s the intent of the countries, at least that we have spoken with.

Maarten Botterman: Yes, thank you very much. Last remark from Wout.

Wout de Natris: Wout de Natris, IS3C, to come back to your question on the harmonization of the sort of the official. But my experience from the past three years that I’m working, the four years in IS3C, is that internet standards are made by people who represent the internet. So in the IETF, the Internet Engineering Task Force. And that is totally separate from the institutions like ISO or NEN that you have. And they don’t do these internet standards. But the internet standards are what makes the internet work. And I have one example where it failed. I understand that the European Commission had a group of people that had to decide to officially recognize IP version six or DNSSEC or something like that. After King, they just decided to stop because they couldn’t agree whether that was the right standard or not. But it’s what made the internet work. It’s not about recognizing it officially. It is about making sure that you understand that it’s just there, it’s not going to change. So you have to start working with it and not recognize it, because there’s no need to recognize it anymore. It is the standard. And with IoT it’s more or less the same, is my opinion. Thank you.

Maarten Botterman: So I think the natural evolution of this has standards that are not only available to the countries who have to be front runners, like Singapore, US, EU, but that this would be shared with the world. And as Renee expressed clearly, it’s the intent. So for the sake of time, I’d like to move on to the next part. We’re exactly on time. So thank you to the speakers and for the questions. This is a first step into the work of the way of the work to come, but I think we’re on track and your question was right on. So with that, we move on to IoT data governance and privacy. I would like to invite Jonathan Cave from the Alan Turing Institute and Warwick University to address the data governance issues that relate to IoT, acknowledging that many live data related to persons are collected 24/7 and through analysis may be even relatable to people, and AI will strengthen that process as well. But Jonathan, please, your opening remarks here.

Jonathan Cave: Thank you very much, Maarten. And thank you everyone for attending this in whatever time zone you happen to be in. Just to begin, I wanted to note that both the resilience and the security and indeed the functionality of the Internet of Things depend on how the Internet of Things is used and the awareness that people have of them. They also depend on a range of different participants, obviously designers, but all intermediates that link them in between. And one of the things that flows between them and enables them to decide who does what, or one of the attributes, are the data that are collected. The Internet of Things, like many other things on the internet, is self-documenting. It collects data as it goes along, and these data can be retained and processed and used to provide and protect all the things we want from the Internet of Things, which include privacy and security. But it’s worth noting that privacy as we normally understand it nowadays is data privacy referring to personal data. That is really only the tip of the iceberg. However, that tip of the iceberg has been used to create legal and regulatory structures that may get in the way of some of the ways we come to understand and use data. One obvious example is proprietary data or data that can be shared. They’re not private to the individual, but they’re useful in sharing in smaller groups and they link people together through networks of trust, what lawyers might call privity. And so it’s important to governance not simply to project into the Internet of Things things that came from a world of individuals whose individual privacy was being protected. The second point relating to that is that data privacy is only a part of the privacy we want individuals to have. If we want individuals and indeed devices to be able to act on the basis of the information that they receive, they have to have a certain responsibility attached to them. Now with individuals, we do that through mechanisms like consent and awareness. So in other words, we ask people to consent to the collection and processing of their data. But as Maarten mentioned, many of the data on which the Internet depends are not data that are asked for, to which people can give informed consent; they are simply collected in the process of people going about their normal interactions. And that applies not just to the people, but to the different devices in the Internet of Things that receive data and take actions. And these things are only imperfectly observed and their implications may not be fully understood. Now, another thing that happens in this world is that when people interact with the Internet of Things, they receive data from devices as well as supplying data to them. The data they receive from them, the prompts, for example, and query responses and so on, change the understanding and change the behavior of those people. So it’s not necessarily correct to say that all people in all parts of the world have the same degree of sovereignty and understanding or should be made responsible in the same way as the others. So the final point about this is that many of these devices are becoming smart devices. Smart devices, among other things, not only take decisions, but they learn, and learn from the people around them. And that change means that the device itself, and certainly the algorithms within the device, are different when they are in use than they were when they left the factory. So putting the responsibility on designers and saying we must correct these things by design may miss the most essential element, which is that you may have an algorithm that is perfectly innocuous, but based on what it learns, it can wind up making decisions about which people might have concerns and which they might want to be able to monitor, if not exactly control. This is algorithmic collusion in the case of pricing algorithms, although that’s a slightly different issue. But it is true that some of the players here, the manufacturers, the platforms, and so on, have special responsibilities. The final thing I want to mention is that these data that are collected will be retained and used. And through the longitudinal study of these data, the repositories that are created, we can come to understand many of these complex phenomena that the law at present and regulation are inadequate to deal with. But part of that generations will come forward. And one of the kind of meat and potatoes data governance issues is the fact that new generations of devices are entering the Internet of Things all the time. And with these new generations come new protocols for storing those data. So they may not be understandable or accessible by later generations. And they may not function properly when fed with data collected by later generations of devices. So the formats, the level at which these things are retained, and access to long-term repositories may be very important. And the conclusion of that is that many of the rules that we have on the privacy and proprietary nature of these state way of having an Internet of Things that is capable of retaining enough data to be able to understand the problems that it may create, or to be able to back away from or modify the standards and methods that it uses when things cease to be a problem. Okay, those are my remarks.

Renée Roland: Jim, I can’t hear you.

Jonathan Cave: No, no sound from the room here either.

Maarten Botterman: In the room they’re waiting, working on it. In the room we can hear me, but can you hear me online now?

Jonathan Cave: Yes, we can, although you’re slightly reduced.

Maarten Botterman: Slightly what?

Jonathan Cave: Quieter than you were before.

Maarten Botterman: Quieter than I was before, oh, that’s exceptional for me. The technical team has been doing wonders over the week and learning every step how to interact with this setup and the room. Thank you for that. So, and yesterday in this room we also talked about the consciousness of equipment that can be on the ability of the users that they’re serving. So to adapt to, for instance, kids or elderly in the way they interact. So I think that relates to the point you just made too.

Jonathan Cave: I think just one small comment on that, and that awareness also includes what their devices are collecting from them. And it is quite possible that the population of users may fragment into people who basically don’t trust having data collected in ways and used in ways that they know they don’t understand and people who become unaware of the collection that’s taking place, so that, as with smart speakers and so on, they sort of fade into the background and you take them for granted the same way as you do any of the other things that we use normally. So I think that splitting in the population may raise concerns, particularly in terms of privacy.

Maarten Botterman: Thank you very much. I appreciate it. On this, Nicolas, the work of IS3C on IoT as it relates to privacy, please.

Nicolas Fiumarelli: Yes, as well. Because you know IoT ecosystems generate these vast amounts of data, often personal and sensitive, that can be managed responsibly. So this requires more robust policies, as mentioned, that balance the innovation with the privacy. And as Jonathan emphasized, in data governance and categories of data, it’s not appropriate to treat them all the same. Each category requires tailored security measures to address a specific characteristic and risk. I would also like to highlight something that Jonathan raised, that it’s not only about the user using devices, right? But also there are thing-to-thing. It means devices communicating and actuators interoperating between them. So different areas as well. Some of the recent developments in IoT data governance: the EU CRA, that emphasizes the lifecycle security, mandating that manufacturers as well address vulnerabilities throughout the device operational life. We also have seen the NIST providing a specific recommendation for secure consumer-grade routers, a critical component of these IoT ecosystems. And also, why not to highlight the work of the thing-to-thing research group of the IRTF, the Internet Research Task Force, that is focusing more on exploring these advanced technologies as also raised by Jonathan. Because for new generations of devices, there are protocols and architectures for this seamless communication and this interoperation among the IoT devices, as stated in their website; the mission of the thing-to-thing research group is to identify and address these challenges and opportunities related to device-to-device communication and related ecosystems. So it’s really about the user. This is very important for policymakers. We also need to mention that this cannot be left behind. The Global Digital Compact is fostering international cooperation to harmonize these data governance standards, particularly for the IoT devices that operate across borders in the Internet. 
In our reports in 2022 and 2023 on the IS3C, we revealed significant gaps in IoT data governance, particularly in regions, again, in the South, lacking these enforceable privacy laws. Many countries relied on voluntary guidelines. What are our recommendations, the IS3C recommendations? We want the government to adopt holistic privacy laws that address IoT-specific challenges, such as data encryption, access controls, minimization of data exposures, different things that are also about lifecycle data protection, about user empowerment mechanisms, and finally, this global standardization, right, because we have different working groups and protocols. At the IETF, I can mention, you can explore the IETF website, and harmonizing these data governance standards is essential for us to have consistent protection across these jurisdictions. This may require, as I mentioned, the Global Digital Compact, multilateral cooperation and alignment more with the frameworks like the GDPR, right, but now with more advanced technology. So, to translate these recommendations into action, the IS3C is always emphasizing the role of the multistakeholder collaboration: government, industry leaders, the civil society must all work together to create these policies that are both enforceable in some manner and adaptable to emerging technologies. So, it’s not just about connectivity, it’s maybe about trust. We need to deal with that, and by embedding these strong governance and privacy measures into the IoT landscape, we can create this future where the technology serves humanity without compromising our security, and I’m looking forward to questions on critical issues here.

Maarten Botterman: Thank you on this. I don’t see questions in the room still, right? So, Jimmy, very quickly.

Jimson Olufuye: You know, you’re talking about smart regulation. The data is going to be huge, so what do you recommend? What’s the period for data to be stored, two years, three years, five years for ISPs and all those in charge of data storage, and then secondly, will you consider the NetMundial guidelines for multistakeholder engagement, because you mentioned in…

Maarten Botterman: Please introduce yourself.

Wisdom Donkor: Yeah, my name is Wisdom Donkor, the director for Africa Open Data and Internet Research Foundation. I just want to understand the difference between AI and IoT. Now, we realize that, let me say, in Africa, governments are beginning to regulate or initiate that process to regulate AI, so I want to know the difference, is IoT AI or AI IoT?

Maarten Botterman: I appreciate that question, but for the sake of time, we’ll discuss that outside of the meeting, but a quick response on Jimmy’s question, and Wisdom, very happy to talk further.

Nicolas Fiumarelli: Yes, I will address your question about the digital cooperation mechanisms, NetMundial, for promoting this digital inclusion. IoT is mostly related to AI, but not the same, because we are talking about constrained devices. For me, the most important part here is that, as different from the ICT technologies, where you have more computational power, these IoT devices are restricted, are constrained in terms of energy, in terms of batteries, so they are a different approach. That is why we differentiate from the ICTs. But advancing global cooperation, this is something that is important for the nations to have on these global challenges, as well as what we do with cybersecurity for the ICT, or misinformation, or digital fragmentation. These huge numbers of IoT devices, that will be millions and millions of devices, need to be addressed, so this also aligns with the digital transformation we are seeing at the United Nations Sustainable Development Goals. So at the end, it’s all about harmonization, digital cooperation, and also, you know, these devices are promoting, we have other problems that are addressed globally, such as the climate change, we are talking about health and education with these devices, so at the end, we need to have a more holistic approach to understand how to have a global picture of all of this.

Maarten Botterman: So, I’m sorry, Martin, but we have 15 minutes left, so very quickly, but then we move on. Tapping doesn’t help, switching on does.

Martin Koyabe: Martin Koyabe, GFC Africa. The question that I wanted to raise is not actually a question, it’s something that we need to emphasize. There are two areas that are very difficult. One is the way IoTs operate, especially when you look at the ecosystem, which is isolated, so for example, the decentralization of the IoT ecosystem brings with it some challenges, especially when it comes to manufacturing, the equipment, and also the geopolitics of equipment as we know it very well, so there will be some specific parts of the world that will develop very many tools and very many equipment that are not allowed to be in some specific parts of the world as well. The other thing also is that we need to emphasize on regulation, because regulation is one of the most difficult. IoTs are in isolation, they are in specific jurisdictions across borders, and how do we make sure that we harmonize that regulation, because it’s different, and even if we do anything as far as global settings are concerned, regulation will always have a different impact. And that is something that we really need to look at, because if we don’t look at regulation, then how do we actually have users using it, monitoring and so forth. Thank you.

Maarten Botterman: Okay, I’ll park that. It’s very true. It’s true for IoT governance, it’s true for AI governance, and these are essential issues. Renée touched upon it a little bit. What drives the positive there is that there is an international recognition that mutual recognition will help, because things come across borders all the time, whether it’s data or even devices. So that is the positive stimulus. And yes, we have different actors with different incentives in the world. Very much recognized. I just wanted to really also open the floor for the next one, which is IoT governance and emerging technologies, with a focus on quantum, the impact of quantum and AI. It’s about the thinking ahead of the issues that we’ll be facing tomorrow or a couple of years from now. And for that, very happy to have Elif Kiesow Cortez online, who is also with the IS3C as chair of the working group. Elif, please, the floor is yours.

Elif Kiesow Cortez: Thank you, Martin. And I will just jump right into the subject. So today we know that the security community highlights that post-quantum cryptography, or PQC, is very important for maintaining data security and data privacy as quantum computing capabilities advance. Research shows that our current classical encryption algorithms, like RSA, are vulnerable to attacks from powerful quantum computers, which do not yet exist, but remain a credible threat for the future. PQC provides a set of cryptographic techniques and algorithms that are designed specifically to ensure long-term protection of sensitive information and also secure communication channels. And implementing PQC solutions now allows organizations to future-proof their security measures against potential quantum threats over the coming decade, preventing possible data breaches and national security risks. Governments and standards bodies like NIST are actively promoting PQC standards, emphasizing… Sorry?

Maarten Botterman: Excellent, you were gone for 10 seconds, but you’re back because you were cracking before. You’re clearly speaking now. Thank you. Please continue.

Elif Kiesow Cortez: Okay, so I would not know where it broke. So I was explaining the importance of implementing PQC solutions so that organizations can future-proof their security. This is both for data breaches and also for national security risks. And governments and important organizations like NIST, they are actively promoting PQC standards to be adopted and emphasizing the urgent need for this widespread adoption across the industries, also to safeguard against the emerging quantum computing threat. And today, of course, we are also very happy to announce a new project of our dynamic coalition. This will be for the DC-IS3C. We will be collaborating with AFNIC from France on a new project that is very relevant to this session. We will work on a collaboration between the Working Group 1, that is on IoT security, as well as Working Group 9 on emerging technologies. Our research will have two different areas to focus on, one dedicated to the societal impacts of IoT, and the second one on those of post-quantum cryptography. And we will be providing a brief combined analysis of these domains as well. In this research, we will make sure to include a multidimensional look for this. And we will be looking at impact on societal, legal, economic and environmental levels. And we will be also including policy recommendations both at the state level and organization level. Next year in IGF 2025, we will be also enabling stakeholder engagement on these issues through a common workshop that will be promoting dialogue on societal implications as well as future directions. And we will be finalizing the combined report that will be looking at both IoT security and PQC, where we will be also exploring some cross-cutting themes like digital transformation and future-proofing against emerging threats. And we will include references to international cooperation and economic competitiveness aspects within the broader context of global cybersecurity efforts. 
This project will be conducted and concluded within the next six months. So please reach out to Wout, who is in the room, if you would like to hear more on this, or if you would like to work with us on similar projects in the future too. Thank you, Martijn.

Maarten Botterman: Thank you, Elif, for that. I think this is also capacity building, and awareness raising around the world is important. So everybody gets involved, or at least all cultures are understood when moving ahead in this area. So the global dialogue is crucial in these areas, I think. There’s a broad recognition of that, and we talked about the data from different generations, Jonathan raised that, that they may also have different levels of encryption that may be affected by quantum computing, the power of those. So standing ready for that is, as Elif raised, something we need to look to moving forward. The other element is very much related also to AI. AI is not a global concept. AI is very much about how you apply it in your region for your purpose. And that can only happen if you know how to do it. So even if the device measures temperature or whatever, what you want to do with that may be different whether you’re in Africa or in the North Pole, for instance. Just one of the examples. So really looking at how you ensure that you can adopt what we learn on AI, what we develop in IoT, and help with what in the end matters, impact on the people in your region, is something that clearly needs to be considered moving forward. Therefore, also, I think at all stakeholder levels: governments, how to stimulate the development; industry, how to see the opportunities, how to be able to grasp the opportunities; the technical community to support this, whether it’s focused on the internet or on the car industry; and the users in the end, what do we really want to be involved in, how this progresses. Jonathan, anything to add?

Jonathan Cave: A couple of very tiny points. Thank you very much, Elif. That’s really provocative. Among the things that may be of concern, and you’re probably already thinking about them, but they have implications beyond that specific initiative, are the proliferation aspect, that is, quantum computing becomes cheaper and more ubiquitously available. The nature of the problems and the nature of the solutions themselves may change. For example, with a decentralization, as opposed to a concentration on platforms that can see what’s going on and respond to it. And that movement of intelligence from the edge to the center or from the center to the edge should probably change a lot of the ways we think about these things from a regulatory point of view. Another one is the domino thing, because that is a killer application at the moment, which is strong cryptography and very smart ways of breaking cryptography. But the use of quantum computing probably goes beyond that to a greater complexity of how the IoT will function. And with that complexity come types of behavior, emergent types of behavior, that we’ll need to think about not just from a security, but from a safety perspective. And even to be able to detect these things may require a different kind of thinking than thinking about how systems operate to do by the people who use them. And the last part of that is that in the security world, we tend to think about things in terms of attackers and defenders. Obviously, the multistakeholderism of the implications of quantum computing goes far beyond that. And a lot of the things that we worry about or place our hope in don’t come from a kind of zero-sum perspective, but involve the interaction of many, many people. So the game theorists should get a look in. But thank you. That was really provocative.

Maarten Botterman: Thank you for that. So thinking of the future, any questions in the room? Nicolas, please. Your microphone is gone.

Nicolas Fiumarelli: No, just to highlight that comment with the subject of the quantum, because you know, as IoT becomes more foundational to smart cities, we are seeing healthcare devices, critical infrastructure, having IoT sensors. So implementing quantum-resistant standards is like future-proofing these systems against emerging threats. So for those interested, just one hour from now in workshop room nine, we will be hosting an interesting workshop on the critically important topic of secure routing, internet resilience; it’s called advancing IoT security, RPKI, and post-quantum encryption. So we’ll dive into this intersection of post-quantum encryption, IoT, and routing security in that session as well.

Maarten Botterman: Thank you very much. Wout, please.

Wout de Natris: Yes, there are some interesting comments that Jonathan made in the chat, so do we want to read them, Martin, or do we leave it there as it is?

Maarten Botterman: Please summarize.

Wout de Natris: It’s a lot, so I will try.

Maarten Botterman: Shall we ask Jonathan, because he’s online, otherwise.

Wout de Natris: There is another option: that Jonathan, please, make a few of the points that you’ve made in the chat; we have one or two minutes left that you can use for that.

Jonathan Cave: Thank you, Wout. I’ll just summarize them. If people want to come back to me on the mic. Hello?

Maarten Botterman: They can be here, corrects only.

Jonathan Cave: All right, well, I’m hearing you.

Maarten Botterman: Technical support. Please give me your thumbs up if it should work.

Jonathan Cave: Is that any better?

Maarten Botterman: Yes, it’s better. Thank you.

Jonathan Cave: So the first one was the data may cross categories. One of the things here is that, for example, automobile sensors have nothing to do with the operation of the car. They can reveal the driver’s political preferences, their gender, etc., etc., etc., and this crosses regulatory boundaries and therefore is a separate thing that we may need to think about. In relation to the supply of technologies, particularly to developing countries, the issue of data colonialism should be mentioned, where people from developed countries give devices to developing countries which help them, but also siphon data out of them, and they can use those developing countries almost as labyrinths to harvest their data, and an equitable sharing of those data and equitable control of how those data are used will be very important. The trust network is obviously very important, but also the trustworthiness of the data. When it’s human data, we worry a lot about disinformation, misinformation, malinformation. The same thing is true with devices, but may be much harder to detect. Devices can spoofer off, they do. To the devices and the people behind them, or the IoT and AI element of it: if the AI is the brain, the IoT are the eyes, the ears, and the hands. And just as it’s hard to think about a mind without thinking about the senses and capabilities of the person, the distinction between AI and IoT, particularly when the devices themselves may have some degree of what we used to call ambient intelligence, but where the intelligence of the system comes through the interaction of all of these devices, we may want to be careful about whether we retain that distinction. Oh, and a final thing on mutual recognition: it is a good thing. We have it in free trade agreements and things like that. It can be very helpful, but it can also be very harmful. 
Mutual recognition can be a backdoor for bypassing the regulations of countries and for denying the people in those countries access to information that they may need. And this is particularly true between high-tech and low-tech countries. And we’re seeing it already in the world, that if you accept devices and services on the grounds of mutual recognition, there has to be some degree of verification before the trust that lies behind that mutual recognition can be fully implemented. Great, thanks.

Maarten Botterman: Thank you. Thank you again for being here with me in this ugly hour. Your final takeaways.

Renée Roland: I did want to talk a little bit about regulations and some of the challenges that we have. Certainly, as I mentioned, at the commission and under our program, medical devices are not included. So I think that’s something that we should consider in terms of flexibility in the future. Other than that, I think that part of the issue is there are already regulations by other agencies, right, for equipment: automobile equipment and then medical devices. So there’s a whole other stream of work that is going on with the regulations and some of the inconsistencies that there may be or overlap that there may be. So I think that’s a different stream of work that we’re also doing. And part of it, the commission.

Maarten Botterman: Thank you so much.

Elif Kiesow Cortez: I will just echo, I think, Renée’s comments in saying that all of those issues that we are seeing about standardization will now also be applicable to the PQC space. So I think we will be seeing a lot of movement there too. Thank you.

Maarten Botterman: Yes. Thank you. And it’s time. So we run off this session. Even if you talk to them, we started with labeling and certification. We can also see that that evolves throughout the international process of mutual recognition, throughout the multi-stakeholder input. That emerges over time and adoption across the world. If we keep it sharp. It’s a kind of reflection on what’s happening. There’s many things moving and let’s try to keep that clear for all of us so we can move together. One of the other evolutions that may be is that in the labeling, so it’s likely to evolve as well. And overall, I think I’m really happy with the understanding that we got all the systems, but we also got the data, and let’s not forget that. And last but not least, so let’s think ahead, because what we’ve seen over the last year, how quickly things move. We will see towards the future. My expectation: it will be maybe not what we expect, but we will move very fast. So let’s stay on the ball, stay on the ball together and move this together. So thank you all very much for your inputs, your thoughtful comments and questions. And we look forward to publishing the report and, from there, this is for us a step in the process and a good step. Thanks to all of you. Sorry. This is the end of the session. Thank you, technical section, for all your help.

Renée Roland: Thank you.

Jonathan Cave: Thanks.

Renée Roland
Speech speed: 132 words per minute
Speech length: 1222 words
Speech time: 554 seconds

US Cyber Trust Mark program for IoT devices
Explanation: The Federal Communications Commission has established rules for a voluntary cybersecurity program for wireless consumer IoT products. Qualifying products will display a US Cyber Trust mark indicating they meet critical minimum cybersecurity standards.
Evidence: The program includes IoT devices and additional components necessary for use, such as backend systems or mobile apps. Devices must be capable of emitting radio frequency energy and have at least one transducer and network interface.
Major Discussion Point: IoT Security Labeling and Certification
Agreed with: Nicolas Fiumarelli, Maarten Botterman
Agreed on: Importance of IoT security labeling and certification
Differed with: Nicolas Fiumarelli
Differed on: Voluntary vs. Mandatory Labeling Schemes

Nicolas Fiumarelli
Speech speed: 135 words per minute
Speech length: 1682 words
Speech time: 746 seconds

Global labeling initiatives like Singapore’s CLS
Explanation: Singapore has pioneered one of the most comprehensive labeling schemes available globally. They use a tiered approach, rating devices on a four-level scale based on security features.
Evidence: Devices must meet rigorous benchmarks such as secure software updates and unique authentication protocols.
Major Discussion Point: IoT Security Labeling and Certification
Agreed with: Renée Roland, Maarten Botterman
Agreed on: Importance of IoT security labeling and certification
Differed with: Renée Roland
Differed on: Voluntary vs. Mandatory Labeling Schemes

Importance of consumer education on labels
Explanation: Consumer awareness about labeling schemes remains low in many regions. Robust consumer education campaigns are necessary for labeling schemes to succeed.
Evidence: IS3C recommends that governments and industry stakeholders invest in public awareness initiatives to bridge the knowledge gap.
Major Discussion Point: IoT Security Labeling and Certification

Need for holistic privacy laws addressing IoT challenges
Explanation: Governments should adopt comprehensive privacy laws that address IoT-specific challenges. This is particularly important for regions lacking enforceable privacy laws.
Evidence: IS3C recommendations include data encryption, access controls, minimization of data exposures, lifecycle data protection, and user empowerment mechanisms.
Major Discussion Point: IoT Data Governance and Privacy
Agreed with: Jonathan Cave
Agreed on: Need for comprehensive IoT data governance

Importance of data minimization and user empowerment
Explanation: IoT data governance should focus on minimizing data exposure and empowering users. This is crucial for maintaining privacy and security in IoT ecosystems.
Evidence: IS3C recommendations include implementing data minimization techniques and providing user empowerment mechanisms in IoT devices and services.
Major Discussion Point: IoT Data Governance and Privacy

Need to future-proof IoT systems against quantum threats
Explanation: Implementing quantum-resistant standards is crucial for future-proofing IoT systems against emerging threats. This is particularly important as IoT becomes more foundational to smart cities, healthcare devices, and critical infrastructure.
Evidence: An upcoming workshop on advancing IoT security, RPKI, and post-quantum encryption will explore the intersection of these topics.
Major Discussion Point: Emerging Technologies and IoT Governance
Agreed with: Elif Kiesow Cortez, Jonathan Cave
Agreed on: Importance of addressing emerging technologies in IoT governance

Maarten Botterman
Speech speed: 134 words per minute
Speech length: 2025 words
Speech time: 905 seconds

Need for harmonization of labeling standards
Explanation: There is a growing recognition of the need for harmonization of IoT labeling standards across countries. This is driven by the international nature of IoT devices and data flows.
Evidence: Renée Roland mentioned ongoing efforts for mutual recognition of labeling schemes between the US and EU, as well as discussions with other countries.
Major Discussion Point: IoT Security Labeling and Certification
Agreed with: Renée Roland, Nicolas Fiumarelli
Agreed on: Importance of IoT security labeling and certification

Challenges of regulating rapidly evolving technologies
Explanation: Regulating IoT and related technologies is challenging due to their rapid evolution. There is a need for flexible and adaptable regulatory approaches that can keep pace with technological advancements.
Major Discussion Point: Emerging Technologies and IoT Governance

Jonathan Cave
Speech speed: 154 words per minute
Speech length: 1820 words
Speech time: 707 seconds

Challenges with voluntary vs. mandatory labeling
Explanation: There are trade-offs between voluntary and mandatory labeling schemes for IoT devices. Voluntary schemes may not achieve widespread adoption, while mandatory schemes could face implementation challenges.
Major Discussion Point: IoT Security Labeling and Certification

Complexity of IoT data types beyond personal data
Explanation: IoT devices collect various types of data beyond personal information, including proprietary and shared data. This complexity challenges traditional data privacy frameworks focused on personal data protection.
Evidence: Examples include data shared within smaller groups or networks of trust, which may not fall under typical personal data protection regulations.
Major Discussion Point: IoT Data Governance and Privacy
Agreed with: Nicolas Fiumarelli
Agreed on: Need for comprehensive IoT data governance

Risks of data colonialism in developing countries
Explanation: There is a risk of data colonialism where developed countries provide IoT devices to developing countries, potentially siphoning data out of these regions. This raises concerns about equitable data sharing and control.
Evidence: The speaker suggests that developing countries could be used as ‘labyrinths’ to harvest data, emphasizing the need for equitable control and use of collected data.
Major Discussion Point: IoT Data Governance and Privacy

Blurring lines between AI and IoT technologies
Explanation: The distinction between AI and IoT is becoming less clear as devices incorporate more intelligent features. This integration challenges traditional regulatory approaches that treat AI and IoT separately.
Evidence: The speaker uses the analogy of AI as the brain and IoT as the senses and hands, suggesting that it’s difficult to think about one without the other in advanced systems.
Major Discussion Point: Emerging Technologies and IoT Governance
Agreed with: Nicolas Fiumarelli, Elif Kiesow Cortez
Agreed on: Importance of addressing emerging technologies in IoT governance

Martin Koyabe

Speech speed

191 words per minute

Speech length

215 words

Speech time

67 seconds

Challenges with cross-border data flows and jurisdictions

Explanation

The decentralized nature of IoT ecosystems creates challenges for regulation, especially concerning cross-border data flows. Different jurisdictions may have conflicting regulations, complicating IoT governance.

Evidence

The speaker mentions the difficulty of harmonizing regulations across borders and the impact of geopolitics on equipment manufacturing and distribution.

Major Discussion Point

IoT Data Governance and Privacy

Elif Kiesow Cortez

Speech speed

141 words per minute

Speech length

550 words

Speech time

233 seconds

Importance of post-quantum cryptography for IoT security

Explanation

Post-quantum cryptography (PQC) is crucial for maintaining data security and privacy in IoT as quantum computing capabilities advance. Current classical encryption algorithms are vulnerable to attacks from powerful quantum computers.

Evidence

The speaker mentions that NIST and other standards bodies are actively promoting PQC standards, emphasizing the urgent need for widespread adoption across industries.

Major Discussion Point

Emerging Technologies and IoT Governance

Agreed with

Nicolas Fiumarelli

Jonathan Cave

Agreed on

Importance of addressing emerging technologies in IoT governance

Wout de Natris

Speech speed

164 words per minute

Speech length

440 words

Speech time

160 seconds

Importance of multistakeholder collaboration on emerging tech

Explanation

Addressing challenges in IoT governance and emerging technologies requires collaboration among various stakeholders. This includes governments, industry leaders, and civil society working together to create enforceable and adaptable policies.

Evidence

The speaker mentions the IS3C’s emphasis on multistakeholder collaboration in creating policies that are both enforceable and adaptable to emerging technologies.

Major Discussion Point

Emerging Technologies and IoT Governance

Agreements

Agreement Points

Importance of IoT security labeling and certification

Renee Roland

Nicolas Fiumarelli

Maarten Botterman

US Cyber Trust Mark program for IoT devices

Global labeling initiatives like Singapore’s CLS

Need for harmonization of labeling standards

Speakers agreed on the importance of implementing IoT security labeling schemes and the need for international harmonization of these standards.

Need for comprehensive IoT data governance

Nicolas Fiumarelli

Jonathan Cave

Need for holistic privacy laws addressing IoT challenges

Complexity of IoT data types beyond personal data

Speakers emphasized the need for comprehensive data governance frameworks that address the unique challenges posed by IoT devices and data types.

Importance of addressing emerging technologies in IoT governance

Nicolas Fiumarelli

Elif Kiesow Cortez

Jonathan Cave

Need to future-proof IoT systems against quantum threats

Importance of post-quantum cryptography for IoT security

Blurring lines between AI and IoT technologies

Speakers agreed on the importance of considering emerging technologies, particularly quantum computing and AI, in IoT governance frameworks.

Similar Viewpoints

Both speakers emphasized the need for a more nuanced understanding of IoT data and the importance of educating users about the complexities of IoT ecosystems.

Nicolas Fiumarelli

Jonathan Cave

Importance of consumer education on labels

Complexity of IoT data types beyond personal data

Both speakers highlighted the challenges associated with cross-border data flows and the potential for inequitable data practices, particularly affecting developing countries.

Martin Koyabe

Jonathan Cave

Challenges with cross-border data flows and jurisdictions

Risks of data colonialism in developing countries

Unexpected Consensus

Integration of AI and IoT in regulatory frameworks

Jonathan Cave

Nicolas Fiumarelli

Blurring lines between AI and IoT technologies

Need to future-proof IoT systems against quantum threats

While coming from different perspectives, both speakers unexpectedly converged on the need to consider the integration of AI and IoT in future regulatory frameworks, highlighting the interconnected nature of emerging technologies.

Overall Assessment

Summary

The main areas of agreement included the importance of IoT security labeling, comprehensive data governance, and addressing emerging technologies in IoT governance. Speakers also shared concerns about cross-border data flows and the need for user education.

Consensus level

There was a moderate to high level of consensus among the speakers on key issues. This consensus suggests a growing recognition of the complex challenges in IoT governance and the need for collaborative, multistakeholder approaches to address them effectively. The implications of this consensus point towards potential international cooperation on IoT standards and governance frameworks, but also highlight the need for flexible approaches that can adapt to rapidly evolving technologies and diverse regional contexts.

Differences

Different Viewpoints

Voluntary vs. Mandatory Labeling Schemes

Renee Roland

Nicolas Fiumarelli

US Cyber Trust Mark program for IoT devices

Global labeling initiatives like Singapore’s CLS

Renee Roland presented the US Cyber Trust Mark as a voluntary program, while Nicolas Fiumarelli emphasized the need for mandatory labeling policies to ensure consistent implementation.

Unexpected Differences

Approach to International Standardization

Renee Roland

Jonathan Cave

US Cyber Trust Mark program for IoT devices

Risks of data colonialism in developing countries

While Roland focused on mutual recognition of labeling schemes between countries, Cave unexpectedly raised concerns about data colonialism and the need for equitable data sharing, highlighting potential conflicts in international standardization efforts.

Overall Assessment

Summary

The main areas of disagreement centered around the implementation of labeling schemes (voluntary vs. mandatory), the scope of data governance (personal data vs. broader data types), and the approach to international standardization.

Difference level

The level of disagreement was moderate. While speakers generally agreed on the importance of IoT security and data governance, they differed in their approaches and emphasis on specific issues. These differences highlight the complexity of creating unified global standards for IoT governance and security, potentially leading to challenges in implementing consistent international policies.

Partial Agreements

Both speakers agreed on the need for comprehensive data governance, but differed in their approach. Fiumarelli advocated for holistic privacy laws, while Cave emphasized the need to consider various data types beyond personal data.

Nicolas Fiumarelli

Jonathan Cave

Need for holistic privacy laws addressing IoT challenges

Complexity of IoT data types beyond personal data

Takeaways

Key Takeaways

Resolutions and Action Items

Unresolved Issues

Suggested Compromises

Thought Provoking Comments

The Internet of Things, like many other things on the internet, is self-documenting. It collects data as it goes along, and these data can be retained and processed and used to provide and protect all the things we want from the Internet of Things, which include privacy and security.

speaker

Jonathan Cave

reason

This comment introduces the important idea that IoT devices inherently generate data, which can be used both for functionality and security purposes. It challenges the typical view of data collection as solely a privacy concern.

impact

This shifted the discussion to consider the dual nature of IoT data – as both a potential privacy risk and a security asset. It led to further exploration of data governance issues.

Smart devices, among other things, not only take decisions, but they learn, and learn from the people around them. And that change means that the device itself, and certainly the algorithms within the device, are different when they are in use than they were when they left the factory.

speaker

Jonathan Cave

reason

This insight highlights the evolving nature of IoT devices and their algorithms, challenging the notion that security can be fully addressed at the design stage.

impact

This comment deepened the conversation by introducing the complexity of securing devices that change over time. It led to discussion of lifecycle security and the need for ongoing updates and monitoring.

The FCC recently launched this labeling program, highlighting operational resilience. Also, aligning with the update in NIST, under layer 8.425a, the initiative represents a mature step towards standardizing these minimum IoT standards in the North American market.

speaker

Nicolas Fiumarelli

reason

This comment provides concrete information about regulatory developments, showing how standards are being implemented in practice.

impact

This shifted the discussion towards more practical considerations of how IoT security standards are being implemented and harmonized across different regions.

Research shows that our current classical encryption algorithms, like RSA, are vulnerable to attacks from powerful quantum computers, which do not yet exist but remain a credible threat for the future. PQC provides a set of cryptographic techniques and algorithms that are designed specifically to ensure long-term protection of sensitive information and also secure communication channels.

speaker

Elif Kiesow Cortez

reason

This comment introduces the critical issue of quantum computing threats to current encryption methods, highlighting a future challenge for IoT security.

impact

This comment shifted the discussion towards future challenges and the need for proactive measures in IoT security. It led to further discussion about post-quantum cryptography and its implications for IoT.

Overall Assessment

These key comments shaped the discussion by broadening its scope from current IoT security practices to future challenges and complexities. They highlighted the multifaceted nature of IoT security, encompassing data governance, evolving device capabilities, standardization efforts, and emerging technological threats. The discussion evolved from addressing immediate security concerns to considering long-term, proactive approaches to IoT security in a rapidly changing technological landscape.

Follow-up Questions

How can we achieve harmonization of IoT security standards globally?

speaker

Jimson Olufuye

explanation

Harmonization is crucial for ensuring consistent IoT security across different jurisdictions and reducing fragmentation of standards.

What is the appropriate retention period for IoT-generated data?

speaker

Jimson Olufuye

explanation

Determining an appropriate data retention period is important for balancing data utility with privacy and security concerns.

How can we effectively implement the NetMundial guidelines for multistakeholder engagement in IoT governance?

speaker

Jimson Olufuye

explanation

Ensuring inclusive multistakeholder participation is crucial for developing fair and effective IoT governance frameworks.

What are the key differences between AI and IoT, particularly in the context of regulation?

speaker

Wisdom Donkor

explanation

Understanding the distinctions and overlaps between AI and IoT is important for developing appropriate regulatory frameworks.

How can we address the challenges of regulating IoT devices that operate across borders?

speaker

Martin Koyabe

explanation

The decentralized nature of IoT ecosystems poses unique challenges for regulation and governance across different jurisdictions.

How can we ensure equitable sharing and control of data collected from IoT devices in developing countries?

speaker

Jonathan Cave

explanation

Addressing potential ‘data colonialism’ is crucial for ensuring fair benefits and control over IoT-generated data in developing nations.

How can we verify the trustworthiness of data generated by IoT devices?

speaker

Jonathan Cave

explanation

Ensuring data integrity and detecting potential misinformation or manipulation in IoT-generated data is crucial for the reliability of IoT systems.

How should regulations adapt to include medical IoT devices?

speaker

Renee Roland

explanation

Medical IoT devices present unique challenges and risks that may require specific regulatory approaches.

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.