IoT – economic opportunities and security challenges. – WS 05 2018


6 June 2018 | 11:00-12:30 | GARDEN HALL | YouTube video
Consolidated programme 2018

Session teaser

This session will look at IoT from 3 different perspectives: end user, policy maker, industry.

Keywords

Until . They will be used as hash tags for easy searching on the wiki.

Session description

After a short presentation participants will be asked to split into 3 groups.

Format

un-conference style

Further reading

Links to relevant websites, declarations, books, documents. Please note we cannot offer web space, so only links to external resources are possible. Example for an external link: Website of EuroDIG

People

Please provide name and institution for all people you list here.

Focal Point

  • Peter Koch

Organising Team (Org Team)

List them here as they sign up. The Org Team is a group of people shaping the session. Org Teams are open and every interested individual can become a member by subscribing to the mailing list.

Key Participants

Until . Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance. Please provide short CV’s of the Key Participants involved in your session at the Wiki or link to another source.

Moderator

Until . The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants. Please make sure the moderator takes a neutral role and can balance between all speakers. Please provide short CV of the moderator of your session at the Wiki or link to another source.

Remote Moderator

The Remote Moderator is in charge of facilitating participation via digital channels such as WebEx and social media (Twitter, Facebook). Remote Moderators monitor and moderate the social media channels and the participants via WebEx and forward questions to the session moderator. Please contact the EuroDIG secretariat if you need help to find a Remote Moderator.

Reporter

  • Su Sonia Herring
  • Claudio Lucena
  • Ilona Stadnik

Current discussion, conference calls, schedules and minutes

See the discussion tab on the upper left side of this page. Please use this page to publish:

  • dates for virtual meetings or coordination calls
  • short summary of calls or email exchange

Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.

Messages

  • Good privacy standards embedded in Internet of Things (IoT) devices render projects expensive, and manufacturers currently lack the incentive to adopt them, often compromising commercial viability.
  • Information about the security and safety of connected devices must be clear, objective and intelligible; an excessive burden on vulnerable users who normally lack the necessary expertise will not improve the overall cybersecurity environment.
  • Whether it is through more informal mechanisms or more formal certification initiatives, users want devices to be tested, collaboratively whenever possible, so as to ensure diversity and the confrontation of views, as well as diversity of independent sources, and officially verified, if viable.
  • The security and safety of products which are designed for use by children are particularly sensitive, and it could be a good point from which to start setting standards, since people tend to raise their concerns and awareness when the interests of children are at stake.
  • The government shall engage with businesses and citizens for IoT research and development so as to meet the demand for public good (healthcare, transportation, smart cities), while proposing commercial incentives for manufacturers.
  • Privacy and security by design should be kept in mind, but we shall work with the industry to set standards at the global level to ensure a cross-border flow of IoT technologies and devices, approaching international organisations that can enforce the regulation of IoT.
  • It is necessary to find reliable metrics to check the progress of IoT deployment and how it really contributes to economic growth.

Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at https://dig.watch/resources/iot-%E2%80%93-economic-opportunities-and-security-challenges

Video record

https://youtu.be/JHZCZqBryBk

Transcript

Provided by: Caption First, Inc. P.O Box 3066. Monument, CO 80132, Phone: +001-877-825-5234, +001-719-481-9835, www.captionfirst.com


This text is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text is not to be distributed or used in any way that may violate copyright law.


>> Okay. So good morning, everyone. I'm -- I think the three facilitators in the front will work through the rows and shake everyone's hand. Not to drive you away, this is going to be a session on IoT and Internet of Things. We thank everyone who found their way in to the room. We are giving people some time to find their way from the garden in to the garden hall. Some people were confused and assembled in the garden and we will make them appear here.

>> I have a presentation about IoT.

>> Let's start.

>> So everybody, you are in a very unique situation when there are almost the same number of facilitators as people in the room and reporters because we have three co-reporters. But I see several excellent people in this room who have IoT experience and whom we expect to get engaged in these discussions. Yes. So Frederike can take it from now. I was going to explain that we are going to have some kind of conference type session.

>> Thank you. Thank you. So hello. My name is Frederike Dunk. I am with the Internet Society. The plan was to have a EuroDIG experiment and that was to split a room of a hundred people into three parts and work the different avenues of Internet of Things. So let me talk to you a little bit about what the plan was and let's together reflect on what it is -- what we are going to do in reality. So talking to so many people is so impressive that I am losing my control. No. IoT, there are different angles that we feel we should investigate with you. Something that we should know is that there are so many aspects and it is so complex because there are so many stakeholders. When we talk about IoT, we should not think of devices only, but of the whole ecosystem. Will be just very limited if to focus on the device which is the top of the iceberg. But you got cloud, storage and web developers, et cetera. This is an ecosystem.

So the plan today was to walk you through very rapidly through the three avenues that we felt would be worth discussing. First an important stakeholder here this is industry. Manufacturers and IoT suppliers. And we thought we would try to discuss what it is that we think should happen from their side. Manufacturers produce lots of IoT devices. We are talking about more than 35 billion IoT devices by 2020. Those are the last figures. Yet we don't see many incentives for the time being for manufacturers to include privacy or security. And one of the reasons is, of course, economics. I mean privacy and security embedded into an IoT device is money. Do they have incentives? So this is a first avenue that we wanted to discuss with you what do you think would be the incentive for manufacturers if you take yourself in the shoes of manufacturers what it is that you would like to address and discuss from your perspective. That was the first part we want to investigate. I might give you some avenues later about some of the stuff that we thought of in the Internet Society and refer you to some of the guidelines that we have but that would be for later.

The second stakeholders that is as much important and maybe one of the most important stakeholders is us. You and us. Users. Users, we have this capacity to make our voice heard and say what it is that we want. That would be the user perspective. Again what it is that the users may want in terms of privacy and security and the economic spot. So you believe users are ready to pay a little bit more for security and privacy. This is something we would love to discuss with you. What it is that users may need to really embrace the IoT. What user concerns, can we talk a little bit about that. That would be the second big pillar, and the third pillar is policymaker. Policymakers can create an environment where IoT devices are just see privacy and security being embedded. But what it is that policymakers and our regulators can do. Do we believe that IoT should be a field that should be regulated in the future. I would leave the question open for you to help us answering this. There might be different IPs on whether regulation is a must or not. What are the danger of regulations or what are the good part of regulations. And policymakers they are not just regulators. They might create an environment where they promote. They promote awareness. They promote a framework where the different actors are invited to include security and privacy.

So that was the second big part that we want to discuss with you. So remember the three pillars. The manufacturer's perspective, the why do I see something with blockchain in front of me? We are not in blockchain. I hope that everyone is clear this is not the blockchain. So sorry. This is the IoT conversation. Thank you. But the blockchain is good, too. Unless they compete with us, this is a very good session, trust me. So the three pillars are respectively the manufacturer side, industry, users and policymakers side. I believe I see a critical mass of people in the room. So let me introduce the people who will comment with me and each of them will try to initiate some conversation with you from their own perspective. Peter Koch on my left. Peter is working with DNIG and he accepted to make sure that we can have a conversation on the industry side, what it is that we see, manufacturers and IoT suppliers should do from a privacy and security and economic perspective.

On my right I got Tatiana Tropina. She would take another role, approach on what it is that policymakers should be doing, what are the incentives for them to move in this space. Is regulation something that should come up first and many other questions. And then I have here in the corner, I have Jo Ann Girnina who is working with the Internet Society and she would drive us towards the user's perspective. So we want this session to be really interactive. We are limited. You guys can come closer to us. Let's have a conversation. And maybe if you agree, we could already pick up among people who want to talk from some perspective. What do you think? I'm talking really here because we didn't expect -- we need to manage how we can do this. But I guess we now have a room with role with some critical parts. What do you think?

>> Give me a microphone. So Frederike, I do think that we should split in to groups or can I just pick a couple of people who will have perspectives from the policy making and ask them to say something to initiate the discussion or user perspective or whatever.

So unless there is someone to volunteer themselves to talk about policy making perspective, I know who I am going to volunteer here. So are there any people in the room who are involved in the issues for policy making, regulation, certification. Andre. If you feel more comfortable speaking from here you just take the floor.

>> Okay. Thank you. My name is -- I will speak louder because it is a really strange sound in an auditorium. My name is Andre. I am a director of the Internet of Things Association in Russia. And we do -- I mean we do policy making. We do regulations. At least we draft some kind of basic basics for the people who make decisions for the operators. And also we spend a lot of time over the standards, market research, et cetera, et cetera. So basically the whole scope of the IoT is covered in my daily job. And I would like to make a few important things about the IoT. First of all, about the IoT market, the majority of the IoT is missing I. It is not Internet connected things. This is used in logistics, manufacturing, transportation, environmental monitoring, industries, et cetera, et cetera. Every culture and these applications are not connected to the Internet at all. And it is about 90% of the market.

In America it is a bit less. Because it is end user applications blooming. And in Europe it also has some implementation in terms of end users but again the majority of IoT has nothing to do with end users. There are very important things. The most popular use of the IoT these days is basically metering of their resources in every house in Europe and America, there are smart meters which collect your data about the water, gas, electricity, et cetera, consumption. And we did some research. For instance, the utility companies who hold all this data from these metering devices, they have a lot of patterns and they know everything about you. They know everything what you are doing, when you come home and when your children go to school, et cetera, et cetera. Are you at home, not at home. Just by combining this pattern of day-to-day collected because IoT has a -- I call it the Whole Trinity, Whole Trinity. And it is important for the regulations. First it is census and devices. Second it is a network. And the third part of the Whole Trinity is the data patterns and Artificial Intelligence and everything which processes the data. So when you approach the regulations and influence of the end users you have to consider all the three parts. This is important. Thank you.

>> Thank you. Thank you very much. You know what, please have a seat because we will -- we just decide we will do this experiment with you. So again forgive us to do something we never done in EuroDIG, but we believe it is worth it. We will try to have something that is really participative from this room. So we just decide to stay where you are. To that left part would be Peter, driving this less part of people sitting there and talking more about manufacturers.

>> PETER KOCH: We should repeat for the people had arrived late.

>> This is an experiment. We want the room to participate. Wait a second. We got this middle row here that will be people you will work with us on consumers. So we will just make sure that you guys can contribute and give you your feelings from a user perspective and this side of the room where Tatiana is the guy working on policymakers. We would like to have a conversation with you, coming from this room where you can express your concerns and then we will discuss all together what it is that each group will be reporting. So we will ask each of our animators to find someone reporting. So I repeat, we want this part of the room to work on something from a manufacturers or industry perspective.

>> PETER KOCH: Say it is -- it doesn't matter what perspective you have in real life. This is kind of a role play. So you are assuming a perspective and everyone on this side is invited to have the manufacturer's perspective. And same for the others.

>> You are manufacturers, what should you be driven because this is important for you. Peter, if you could just take care of this side.

>> PETER KOCH: It would be easier if people moved their bodies and their brains over there. And so we can convene and don't need the mics anymore. 30 minutes.

>> 30 minutes. Privacy, security, economics. This side of the room -- I see people trying to escape now. This side of the room is consumers. And this side of the room is policymakers. Guys --

>> (Off microphone).

>> Let's do that and then let's report and have the conversation that we wish we have with you. And all of this under the ambience of Susanna who will try to summarize at the end.

(Pause)

(Individual groups).

>> So we need --

>> PETER KOCH: We need to be close to the remote moderator and away from the others. Let's go here and then we try to don't make too much noise. So how many -- we seem to be a small group. Are you joining us? Great. That's good. Hold on. Yeah. Fine.

Okay. Yeah. So the idea is to -- first of all, I'm Peter. I do work -- okay. Fine.

So I'm not a manufacturer. I work for DNIG which is a Top-Level Domain registry and most everyone knows everyone else. We will do a short introduction. And the idea of the role play is that we all assume the perspective of the manufacturer and while assuming this role we work on three questions. And then in the end we will have some general assembly again and we go through the topics with any perspective of every one of these three groups and the three topics with privacy, security, and economics. It could mean that the vendor wants cheap chips and the user wants longevity of the product. But we take the perspective of the manufacturer. So we have about 30 minutes and we have a reporter, yes. That is the reporting for the -- yeah.

>> (Off microphone).

>> PETER KOCH: Okay. Fine. So this is overall the general reporting but we also like to have one volunteer and it won't be me, one volunteer to report the results of what we are doing here to the overall -- are you doing that? Okay. Fine. That's great. So can we do a quick round of introductions so we understand who we are? 30 seconds. And yeah. Could anyone start?

>> I don't really know what's happening.

>> No, no. (Off microphone).

>> One of these sessions reports after -- actually right now -- hello.

>> So we can start.

>> I will pass for the first time.

>> So my name is (inaudible). I'm mostly technical person. (Off microphone).

>> Justin. (Off microphone). I am technical person. (Off microphone).

>> Yeah. My name is Jack. I am working with APB Industries. And now I'm in the business association watch with companies where we tackle (Off microphone).

>> I'm (Off microphone). I'm reporting on the session and also on the executive Committee of Eastern dialogue on Internet Governance and IGF Turkey.

>> Head of (inaudible).

>> I'm Mark (Off microphone).

>> (Off microphone).

>> My name is Andre.

>> I don't have any transmission. That's okay. We have 30 minutes. From the manufacturer's perspective (Off microphone).

(Individual groups).

>> It survives.

>> This whole regulation, this is -- the regulators are stopping and still developing. This is bad. You know what's important.

>> (Off microphone).

>> If things go wrong make sure you can point to the other guy or the end the user. It is the user who pushed the wrong button.

>> (Off microphone).

>> Who are the users?

>> (Off microphone).

>> What kind of customers? Don't know anything about the light bulb. Customers make the light bulb.

>> (Off microphone).

>> Industrial. Right? And they --

>> That's a different thing. We -- I have a feeling we are talking about the end user devices.

>> Everything.

>> But (Off microphone).

>> All the customers?

>> On the customer side. And they know those. So they have certain requirements but to do the whole thing. Crystal (Off microphone).

>> Okay. We have a list of components. (Off microphone).

>> Just think about it. I mean in the -- I don't know. The production stage, you remember the (inaudible). I don't know.

>> You really think that?

>> No, I know how it is done. In working with the big guys, the companies.

>> (Off microphone).

>> (Off microphone).

>> Yes. (Off microphone).

>> I think that's an important distinction for this discussion. (Off microphone).

>> Nice start.

>> (Off microphone). To which extent has already been a very broad --

>> (Off microphone).

>> Jumping back to the original three pillars. I need to create with as little cost as I can. This kind of ability works. Need to spend on product cycles but in the end if the customer -- okay. Either the price for the customer goes up or I try to satisfy these amounts. So every corner I -- I will cut because that increases the margin. It is not the ethical thing to do but that's where my shareholder can push me.

>> (Off microphone). Really we need to --

>> I probably prefer the cheap cost.

>> Which is the case.

>> (Off microphone).

>> Interesting (Off microphone). So is it (Off microphone). End game like the integrator area. Somebody else in the chain is responsible?

>> No, no. How it is sold up.

>> But what do we say?

>> We are manufacturers.

>> Yeah.

>> Somebody else's problem.

>> No, no.

>> For each step of the chain it is always -- is it good enough for the ones to find it. So that the chips or so -- the next value chain, is it good enough.

>> If it is both, obviously good enough. So the consumer decides what -- this is the (inaudible). And I am aware of development security in all aspects of common is always good enough to be bought.

>> Okay.

>> (Off microphone).

>> To a certain extent.

>> Are you saying that the (inaudible) indirectly?

>> (Off microphone).

>> (Off microphone).

>> Again that's what we said. But it is Phil's argument. They are all going to say look at how secure I am until it is no longer secured and that's the hard reality. Security is not the (inaudible). We all thought the Internet was secure and all of a sudden oh, yeah, good bye. Thank you.

>> We have two more topics. Economics and economics play together with the (Off microphone).

>> 30 seconds. For example, Amazon the system is very -- (Off microphone).

>> Maybe we can have two more on the security part.

>> As a -- privacy is also an economic decision. Privacy, putting privacy at risk is a business risk. Advice on privacy, I am bleeding money. But that's basically forced by the regulatory environment. That is privacy in to the economic business risk.

>> (Off microphone).

>> (Off microphone).

>> There is one assumption in what you are saying and that -- still a lot of things -- why are you making money? Selling chips or selling something else? Different stakeholders. Yeah. Okay. So that's the service. Yeah.

>> I'm sorry, the basic pyramid of value. (Off microphone).

>> It is good enough. I am settling to the customer that what he is buying is the best value. I am going to be the best and the cheapest. When selling something, I'm basically trying to convince the customer that I am the best he can get for the money he is willing to spend. So I'm -- essentially is what I am selling is appealing.

>> So hello?

>> Want to lock in. I lock in.

>> Hello.

>> (Off microphone).

>> Hello. So one minute. If each group can wrap up and prepare your report. One minute.

>> (Off microphone).

>> I have one signal short. You have multiple buildings or elevators are manufactured by ABB. I get one invoice for all my properties. I get one invoice for the whole plant. That makes it easier.

>> One-stop shop service.

>> Full service. One-stop shop. (Off microphone).

>> Okay. Ladies and Gentlemen, if you could wrap up please. Come back. Thank you very much. Peter, if you can come back. Thank you very much. So...okay. Yes. Please.

>> PETER KOCH: Thank you. Thank you for participating.

>> Good. So thank you very much. Let's reconvene the broad session if everyone can jump back. I know it is difficult to break the conversation. But let's do that. And I want Peter back actually. Peter. Herding cats here. Herding cats. So thank you very much for having played the games. I mean I know for some of you it might be a challenge to represent a group that you were not supposed to be in because of your actual capacity but there was a little bit the objective of the game and a reflection.

So what's the plan now? We will ask each of the groups to report from their perspective, manufacturers, users and policymakers, each of them will give us their thoughts about what it is that they think in the three metrics of issues that we present to you, privacy, security, economics. And then we will have a broader conversation and it will be interesting to see what one group is asking the others and have this conversation from here. Who wants to start? Who is the group who wants to report first before I decide? You are the users?

>> The manufacturers were there first. So we need to start.

>> Okay. Please report. Thank you. Introduce yourself and report.

>> I'm Susanna Herring. Main goal and there is to push most products regardless of security aspects, economics triumphant over security. After GDPR privacy and security is an economic consideration. Security is a feeling to be sold to customers. Security is mainly the consumer's responsibility. Security has many layers starting from the micro chip to the software. Manufacturers need to produce every layer. So security and economics are very intertwined in our discussions.

>> Wonderful. Thanks a million. It is already a very good start. So listen, users, you have heard security is your own responsibility. We will have very interesting conversations. Who come next? Mark. Please. Who do you represent? I guess Government. Am I right?

>> Yes. Thank you. Good morning, everyone. Yes, I am Mark Cavell. I am from the UK Government. So we lead on the whole digital strategy for the UK. And we have -- we support an IoT research and development program with a lot of projects that are going on in the health care sector, transport sector and so on. So now we have had a quick brainstorm. So we have assembled a few points. First of all, we talked about the importance of Governments engaging with business, with standards bodies, with users and also the public authorities. I mentioned just now in the UK case the health authorities. And also city planners, Smart City projects and so on. IoT is going to play an important role in that. So some Governments we heard do not do that. They pursue their own track without that kind of outreach which other Governments feel is vitally important to ensure that we understand how the technology is developing and the kind of challenges that policymakers feel the developers of these technologies should take into account. And these include security, data management, transparency, ensuring that people have the skills to be able to use these technologies. And also the importance of the broadband network infrastructure being able to sustain the growth of these technologies which they are disruptive technologies. They are going to create a whole new approach to the Digital Economy that provides growth opportunities for the business and enhancing the welfare of citizens. We talked about that.

On standards, many governments support them being industry led in the development of standards. So it is important to engage with the standards organizations internationally to ensure that the global standards prevail in the development of these technologies. So you build in security. Security by design is the term and we in the UK, for example, we have a team looking at this. And we will have a workshop by the way at the IGF to talk about this security by design in the IGF in Paris. So the importance of we are developing policy approaches that connect with what businesses are looking for, what citizens are looking for is vitally important.

We also talked about the risk of counterfeit devices, getting into the market and what are the means of preventing that, cheap imports of counterfeit devices which will not have those standards built into them. That's a big risk. Issue for the Government and private sector. How do we deal with that problem. We also heard that some Governments in -- I think I understand correctly in this region in particular are focusing too narrowly on eGovernment services, on e-skills and not looking at wider impact and commercial opportunities that IoT technologies are going to create as I said earlier. The emergence of any of the new Digital Economy. Some Governments are not approaching this with that broader perspective.

Our final point, metrics on takeup of IoT devices. How they are being used and getting a better understanding of how these technologies are evolving for the benefit of businesses, of city planners, of transport authorities and health authorities and so on. Getting the metrics is a vital issue so that we understand better how these transformative technologies are actually going to help. I think those are the main points. If I missed anything, please chip in colleagues from the group. Thank you.

>> That's helpful. Nice move from the Government. I don't want to hijack the conversation that you will have in a few minutes. I haven't heard the word regulation or certification or trust mark. It was a clever move from the Government. Let's see what our users might talk about. Please users. Please introduce yourself.

>> I am Claude from the Foundation of Science and Technology in Portugal and reporting for the session for Geneva Internet platform. From users, I got three bullet points that are worth mentioning and then the group can discuss. First one is that contrary to what you mentioned in the first intervention here, information about the security and safety of connected devices must be a clear objective and intelligible and vulnerable users who normally lack the necessary expertise.

Secondly it is whether it is to be more informal mechanisms or a more formal accreditation initiatives, users want devices to be tested. As to ensure diversity and computational views and diversity of independent sources and officially verified. And the third is that security and safety of products which are designed for use is particularly sensitive. And it may also be a good point from which to start in setting standards since people tend to raise their concerns and awareness when this interest are at stake. I think this is a summary of what I have got. Anyone from the users group want to add?

>> Thank you very much. So let's start from here and again thank you for playing the game and putting in your shoes that might not be yours, especially manufacturers and I think that -- so at least in this room. So users and policymakers, I have heard you engaging in a very wide way with some clear request of engaging the different stakeholders. And in the same times I believe I understood that security might just be an affair of some of you but not all of you. Does someone need to comment on this? Do you believe security is just a user's affair or it is just a responsibility of Government to do this? What do you think? Who wants to take it?

>> I would really like to listen to like second this question and there was some statement that security is users' responsibility, right? So the group somehow came to this conclusion? Could someone possibly comment because it is interesting development.

>> Yes, I think the press person just misrepresented our position in a way that is not acceptable.

>> Go for it.

>> PETER KOCH: What we said was that the user or the consumer actually decides by their decision about buying this or that product what security level they are willing to accept and we -- are we going to build products that are of utmost security grade if people are willing to help us getting our investments back. They need to buy our products. We present them to the market and we have super secure things but nobody buys them. Then afterwards complains that they are not secure. They need to make sure that they have an environment that is secure where these systems can be run well. We can't run the user's devices and the users and the consumers. It is also other business customers. They have responsibilities for their industrial networks where we can -- we can't take that. Our ports are secure.

>> I will give you one example, just about the trends in my homeland. Yeah, there is an issue with security and IoT and regulators are highly aware of it. And the way they think they can manage the security risk is to imply certain regulations to the vendors of the IoT devices, services and applications. So what they think is that okay, the device might be identifiable. It must be clear who is the manufacturer, must be clear who is the network provider, and it must be clear what is the application the user uses. In general the Russian traditional approach like all the citizens are little babies and the big boss decides what's best for them. But it is not only for Russia. I mean you can see it on the trends in the certain European countries and elsewhere.

So this is a role of the Government to, you know, make sure that vendors who are pushing stuff on the market kind of certify and traceable and, you know, clear who the guys are. So that's one of the approaches to the security from the regulator point of view.

>> (Off microphone).

>> Very quick question to maybe -- you said that you have secure products. Nobody is buying. And -- I mean whose responsibility should that be to make sure that they know that it is actually secure and it is good for them? Because we were having a discussion as users and the biggest problem is still awareness. They think the information given is too complicated. They cannot understand them. And the vast majority of the people who represented users they said that they are willing to pay more for security devices. They don't know. So there is this -- some sort of lack of information on the consumer side. Who is to provide that information? Just a question.

>> (Off microphone).

>> Hi. So anyone else? Okay. So my name is Andre from Portugal. I want to give an example to explain this. So everyone has Internet at home. And you buy Internet from a service provider. It is a service you pay every month and you have customer premises equipment which you have no idea who the manufacturer is. The service provider provides you with equipment, provides you with the cables, provides you with everything. And you just assume it is safe because if it isn't safe, it is the service provider's fault entirely. So the full stack of the problem is that the service provider, that's who you pay money to. With IoT the trend is exactly the same. So nowadays you have a lot of cloud services from Google, Amazon, Microsoft, a lot of other providers and they are aiming at full stack as well. They don't actually sell you the devices yet. They might do that in the future. But they do supply all the firmware and all the software that goes in to those devices. So in the future they will be the ones that receive money from you. They might be the ones that are actually responsible for the full stack of security that you have in these devices. Anyone else?

>> We have the intervention from Marco.

>> I'm hiding. Maybe in this room because we kind of know what we are doing. But the guy on the street's really only buying decision is going for the bottom line. You can try. You might get niche of the market, but the biggest market share is still just deciding on price. And I don't think that -- unless you create a level playing field by regulation, there will always be somebody that's going to be cheaper and less secure but that's the one that people will buy.

>> Do you want to react on this? This is a fair point. Do you believe consumers are driven by economics? Do you really represent users in this room as per Marco's comment? I mean do you believe users are willing to pay a little bit more because they care about the security or they just want to buy the lower cheaper cost? Olivier.

>> Thank you. It works. It is Olivier speaking. I think that unfortunately Marco is correct. There is certainly a lot of price pressure on having cheap IoT devices. They are -- because often these devices themselves are consumer devices that might be worth 20 Euros or 30 Euros and bringing for security to them might add another 5, 10, 20% on the price. And when other devices are next to each other in the shop or on your favorite e-commerce website, that 5 or 10 dollars or Euros difference makes a difference and people tend to go for the other thing. So unfortunately I think that there is -- there is certainly an education that needs to be undertaken on the end user. And using very simple messages such as campaigns which show a house with a door open and say would you leave your house like this during the day. The door is left open or there is no lock on the door.

>> I had a question. So your point about education, who do you think should be responsible for this education? Manufacturers who want to sell more expensive but secure devices to Governments, education is a very good word but who is going to educate? EuroDIG is certainly here to educate.

>> I think, and that was something we were also deciding, there is a bit of a gap between sort of B to C but a lot of people think that IoT for sort of consumer devices, your smart television as you rightly pointed out there is a large chunk of IoT that is institutional players but the institutional players are pressing you for price and not for quality. If you are buying smart meters and you buy 10 million of them you want them cheap. It should be easier to reach out to those institutional barriers and tell them what they should do. The guy on the street in the end you are going to have a hard time doing that.

>> Mark, I didn't want to jump on but you are volunteering. So happy you raised your hand. There is a vicious circle here obviously. There is a security issue. Manufacturers say we are selling secure devices. Users say we won't buy this at the lower price possible. So should the Government be the one who cut the vicious circle and protect consumers even against their will?

>> Well, I come back to what I was saying about security by design. This is a key response to this problem that the UK and other Governments, the Dutch as another example of making sure that the devices that are going to reach the market are inherently secure. So you don't have this sort of variation in what is available in the market. And that -- if the manufacturers play their role and say this is a reliable device that has embedded security protocols in it and is a device that can actually adapt to enhancing those security protocol, that's -- that's what the market should be delivering. So I think that -- that is the approach from the policymakers to deal with this issue. The problem is, you know, bad stuff getting in to the market. As I said earlier before about counterfeit products coming from other sources. I won't say obviously where that might be. But I think that's our approach rather than, you know, regulating the market top-down. If that's the inference as an alternative approach that's certainly not what we would do.

>> So precisely about that one. I see you, Marco, and I want the room to respond to this. We have those who will invade the market coming from some Asian country but the biggest producer in the world will soon come with millions of easy toys for kids with the chips that will make it connected to the Internet. How could a Government, for example, UK, I don't want to pick UK, and by the way, Mark, you cannot say it is yourself but I will say it for you, the UK Government released a wonderful paper that I would invite you to read about IoT and security and really it is worth it. How could you think of a European Government and any other Government in starting some environment, when they cross our borders become safe or secure by design, what is the solution? Is it certification? Something that we need to address? How would we do that? Andre and then Marco.

>> Yeah. The quick. We can see a trend, first of all, of data localization, which are like where you don't know where it is. Somewhere in China. And -- you have no control over what's going on, what kind of data is sent from your device. Why it is going to the cloud somewhere, et cetera. So there is a new trend called the data localization. Actually for the critical applications. It is one of the trends. Maybe with a little help maybe we will help it a little bit in terms of security where your data is going and how it is being managed. So it is just a little trend. You can see it in many places now.

>> Marco again. Actually a question for Mark because we -- yes. We can try and ensure that the device that is -- that is sold is secure. But security is not a state. Security is continuously evolving, especially with longevity devices that are going to be there for 10, 20 years. What are you going to do ten years down the road? I see a security instability and the manufacturer is long gone because then I will be looking at the Government.

>> Wait a second, Mark. Maybe you want to say something?

>> Actually Marco already said most of it. But let me just remind you what happened in January. We had Meltdown and Spectre. These were two very problematic security issues that actually existed for over 20 years. These were not new. All the manufacturers over 20 years build chips that have these kind of problem and no one knew it was a problem. It was obvious it was a problem. How do you solve in terms of regulation, how do you solve problems that are ongoing? You have the basic security flaws which is it is inherently insecure. Everyone looks and sees it is obvious it is insecure and then you have other stuff that's industry standards. And you don't assume that's a problem until someone gives you a proof of concept that saying Meltdown and Spectre. So the two levels are very different. The obvious ones are easy to regulate. The not obvious ones need two different approaches.

>> Yeah. So Spectre, Meltdown, the one in a billion clashes and we have multiple others. Back to my role as the manufacturer, as a manufacturer, of course, we are on a level playing field within our economy. We are building these devices and if some other manufacturer from some other regulatory environment comes in and then destroys all our efforts of security, we can't stand that. We need to protect our investments. At the same time though we want to be able to innovate and we also have lots of startups. And they cannot afford expensive certification for small volume series of innovative products and much of the IoT is small products and small lines of products. So what we also don't want, we enjoy the telecoms liberalization that was done in the '90s and we don't want to go back to the plain old postal certified telephone even though if you think about it you already have one of those already because who controls the app store does that. But rant aside. As a manufacturer I want to be able to innovate. And that certification thing that scares the hell out of me because it would not only be the physics, the product, but all the software and we couldn't deploy security fixes unless and until we get the sort of software recertified. We see that the fire is burning and we can't deliver the water because the pipe isn't certified and that can -- that must not work. We need to be able to innovate.

>> Just before, Olivier, before you get the microphone, I think the group of policymakers, they have discussed regulation standards that are set by the industry and then getting them cross-border by standards setting bodies which actually can enforce them instead of the Government. So how much of the contribution to answer to your question, this is -- there was some cause for regulation as well. Mostly within the standards. I don't know if this problem security was pressed by such standards. Olivier is next in the queue.

>> Thank you. Just mentioning standards. I think that every single product and taking a Euro centric view since this is EuroDIG after all, every single product that is sold in Europe whether it is food, whether it is electrical goods, whether it is clothing, anything, housewares, all of that, always goes through specific standards. One common standard for all of these goods is the CE mark which makes it possible to sell in Europe. There are other marks such as the TUV and the different standards by different European agencies when it comes down to electrical goods so you don't get electrocuted by these goods. They have a fuse in case you decide to put your toaster in the baths. There are other standards by paints so you don't get intoxicated to lead. And so that children don't end up eating bits of their toys and choking to death. Great stuff, isn't it, choking to death. Security of devices such as those is equally as important because it is to do with privacy, to do with your own personal life. And intrusion in to your own -- in to your own home. Should there be a standard also developed that or standards developed that would actually test out devices that would also be a trust mark or something that would be required in order to be able to sell those devices in Europe.

There is always this thing of well, yes, you can have some devices that will come in, I think that Mark had mentioned the fake devices or sort of counterfeit goods and so on. Counterfeit goods are already somehow blocked at the border as much as they can. At the moment what we are dealing with here are legitimate devices that are sold legitimately in the region and that have no security whatsoever.

>> Thank you. Can I leave this question open because I would like in the remaining ten minutes that we have to switch to the privacy part of this conversation. Security might have the public interest. I might understand that some stakeholders might be willing to evolve at any cost the fact that there are massive attacks through billion IoT device. Do you believe they should be informed, your daughter who is connected who is recording what she says. When you go on holidays with your little doll someone can track where you go because she is in your car with this tracking device. We have many examples for privacy issues. Should there be notification of privacies, trusts mark of privacy? What's the user perspective on this? What did you guys want in terms of privacy? Did you discuss this from a user perspective? Please.

>> So from what I see and not only IoT, let's compare with the apps that you have on the phones.

>> Speak louder.

>> Okay. So let's compare this with the apps you have on your own phones. When you install an app you assume you have lists of all the things that they are going to use with your information and you have to accept that. With IoT you usually don't have that kind of situation. But they do have some of the disclaimers on paper that usually include that information. So let's imagine if you have one of those cloud services have a doll, the doll connects somewhere to the Internet and that tracks your location. I'm assuming at the very least that doll must have a piece of paper that says this is going to happen as well. If they don't that becomes a legal issue. If not the people are accepting what's in the paper and that's one of the major issues. Even if that is on a piece of paper, many people do not understand the full consequences of giving that information to someone else.

>> Thank you very much. Someone else on privacy? Does this matter for you? Should the Governments do something? Andre.

>> I'll just repeat what I said in the beginning, there are not necessarily devices which are like IoT of your own. There are things like meters, video cameras, door locks for the big houses, et cetera, and this is very important that, for example, the European directive on the privacy says that it is not necessary, the personal data. It might be data which derives through the platforms collected by other things. In terms of legal protection of the privacy, it is already there. Yes. It is in the European directive number whatever. I forgot. It is important to say that -- it is not in using. But I don't know if companies buy in to this directive and do the things appropriately. I'm not sure about it.

>> Do you guys feel protected already from the privacy side? Do you feel it is okay? Anybody? Policy? Industry? Users? Are you happy with what we have for legislation? Mark.

>> We shouldn't be complacent from the policymakers' perspective. We have to look at -- I mean I mentioned health care sector, for example. There is a project under IoT UK relating to devices which monitor dementia patients and that data is relayed to the movement of the patient how the person is behaving, living at home with that condition. It is relayed back to the clinic. How is that data protected? And, you know, there are -- we now have the GDPR. And so that's going to be very applicable. But we -- this is an issue which IoT brings in to sharp focus. And the point made about children's toys and so on is a very valid point. We in Government are very mindful of this and we will be -- we are examining the implications, whether existing regulation is sufficient or needs to be adjusted in some way.

>> So Mark, I'm sorry, a question from me. So there might be a point where policymakers realize that privacy regulation is not actually technology neutral or layers of technology neutral. And there might be a need for additional regulation just because there is IoT. Am I right? So -- the existing regulation will not be enough? Hypothetically?

>> I don't know. We have to examine that. Whether the existing regulations are going to be sufficient, I don't know. I mean we would not like to see, you know, a nontechnology neutral approach be taken but we have to look at it.

>> Yeah, that sounds sensible and this is why I was going to ask of you if you would recommend anyone to do this. But you already took it.

>> Nigel.

>> Nigel.

>> Yes. Thank you very much. Nigel Hicks at ICANN. I think this question was answered, previous question to an extent and in years to come I mean my -- I thank the European Commission for the GDPR. We might not be on our feet cheering at the moment but we might well thank them for the GDPR because surely what will happen in the future is that product manufacturers will have to take this in to account. Otherwise these products will simply become sensors or whatever that don't have some sort of mechanisms built in when they are used in a particular way and medical ways that Mark was talking about or other ways in which personal data is being protected. These devices will not be allowed in the marketplace. I mean Governments will stop them being used in the marketplace because they, you know, they will not be compliant with the law. And I think that will have to be addressed. Thank you.

>> I agree. Thank you, Nigel. Marta, you will be the last one to speak because we already closed.

>> I will try to be very short. Thank you so. So I will skip that part. Just to mention that the commission proposal that is now being discussed by the Parliament and by the Member States on certification for cybersecurity products, it is still open how it is going to turn out to be. It is a process of certification for cybersecurity. That may actually deliver part of the answer. The point as was being discussed now, all the certifications are becoming much more complex. So as Olivier said we have many certifications for many products but now we have issues that are of the competence of sectorial regulations, regulators like the e-Health because there is a very hard procedure currently for the certification of medical devices, for instance. And this has to be taken in to account in the certification of the whole product because you don't only have the connectivity issue and you have the product itself, so the whole process are very complex. I think that the procedures that we had before need to be revised and you need to have much more industry and experts involved in this to make sure that we actually manage to come up with something that really responds to the user's rights and ensure that people trust the products. If people cannot trust the products they will not take up and they cannot reap the benefits of the new IoT services.

>> Thank you very much. Actually it is very sad that we have to wrap up just when we came to a proposal on certification, but I think you summed up in a very nice way and brought it together, industry consumers and Government regulatory and certification and trust. Yeah.

>> Thank you very much. I mean what you see, what we discuss here and thank you again for playing this with us. It is what is happening in the real life. We don't know everything but I believe we have strong feelings and principles that we want to bring. So please be the ambassadors of this whenever you go out in your capacity and also in your user capacity. So Sonia, I feel a little bit for you now because you will have to sum up this conversation and propose some bullets. Sonia will suggest some broad lines that we might agree as a conclusion.

>> I am going to sit down, yes. Some of them are longer and I -- as a disclaimer these will be edited. But one second, please. I'm sorry.

Good privacy standards embedded in IoT devices render projects expensive and manufacturers currently lack incentive to adopt them, compromising commercial viability. If anyone opposes please raise your hand. The security and safety for products which are designed for children's use are particularly sensitive. And it may be a good point to start in setting standards. They raise their concerns when these interests are at stake.

The Government shall engage with business and citizens for IoT research and development, meet the demand for public good, health care, transportation, but propose some commercial incentives for manufacturers as well.

Privacy and security by design must be kept in mind but we will work with industry to -- and that's it.

>> Brilliant.

>> Thanks a million. You can clap for her because those are very, very good. Thank you.

>> TATIANA TROPINA: Thank you, Claudio and Yama.

>> The three moderators I would like to thank you because you have a wonderful audience. So thank you.

>> Thank you so much.

(Applause.)


This text is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text is not to be distributed or used in any way that may violate copyright law.