Covington Internet of Things Update: The FCC Gets Ready for 5G Spectrum Auctions

As we explained in a prior post, 5G deployment will be a critical component to the ever-evolving Internet of Things (IoT). On April 17, the Federal Communications Commission (FCC) adopted a Public Notice seeking comment on the competitive bidding procedures for auctions involving spectrum in the 28 GHz and 24 GHz bands. The auction of 28 GHz spectrum will begin on November 14, with the 24 GHz auction following after that. But what does this mean, and why is it important?

For those new to the world of FCC Auctions, a Comment Public Notice, such as the one just released, seeks input on the application process for the auctions and the procedures to be used while bidding. It is similar in form to a Notice of Proposed Rulemaking, in which the FCC seeks comments on a proposal and asks a variety of questions. After the comment and reply comment deadlines pass (May 9 and May 23, respectively), the FCC will take into consideration the input on the record. Next, the FCC will release a Procedures Public Notice, akin to an Order, that will lay out the rules that will be in force for the auction. The FCC will also announce the application windows to participate in the auction, and interested parties will apply to participate. This will all take place before the start of bidding in November.

Covington Internet of Things Update: FCC Looks to Bolster the Communications Supply Chain

On April 17, the Federal Communications Commission (“FCC”) broke new ground in the agency’s role in national security policy by voting unanimously to approve a Notice of Proposed Rulemaking captioned “Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs” (the “NPRM”). The deadlines for filing comments and reply comments have not yet been announced, but they likely will be over the summer.

As the title indicates, the NPRM seeks comment on a framework to reduce supply chain risks for telecommunications equipment and services deployed throughout the country. The item acknowledges a specific role for the FCC in this arena: to ban use of Universal Service Fund (“USF”) subsidies in ways that undermine or pose a threat to national security. In short, the FCC proposes to use the power of the purse—in the case of USF, about $9 billion in subsidies per year—to dissuade companies from using equipment sourced from companies or countries that pose a national security concern.

Although the approach is narrow in scope, in practice the NPRM could produce a final rule that would significantly affect the selections of equipment and services by some USF recipients, particularly rural and smaller providers who reportedly are more likely to have purchased equipment from targeted suppliers. Additionally, as explained below, this proposed rule could affect USF recipients that do not use prohibited equipment and service providers, depending on whether some of their subcontractors use them.

The UK Government Seeks Views on the Regulation of Digital Markets for a Post-Brexit Great Britain

The UK Government’s Department for Business, Energy and Industrial Strategy has just released a 75-page Green Paper on Modernising Consumer Markets, setting out the Government’s main priorities for the digital economy in a post-Brexit Britain. The Green Paper reflects on the current state of consumer markets and regulation, and lays down the key challenges and opportunities which will be the focus of the UK’s regulatory and competitive framework going forward. This poses consultation questions to stakeholders on hot topics in digital markets, including questions on: the adequacy of the current competition rules and privacy protections, supporting consumer-friendly innovation, use of and access to big data, whether personalised pricing should be regulated, sufficiently protecting customers without stifling innovation, and alternative dispute resolution solutions.

It also includes various proposals to ensure new technology and data are used to benefit customers, strengthen national enforcement of consumer rights, modernise the approach taken by regulators, and improve consumers’ access to alternative dispute resolution services. In this Covington blog post, we explore some of the key messages and questions posed by the Green Paper.

Covington Internet of Things Update: China Strengthens IPv6 Deployment

At the end of 2017, China’s Communist Party Central Committee and the State Council jointly circulated an Action Plan for Promoting Scale Deployment of Internet Protocol Version 6 (IPv6) (“Plan”), and set detailed targets and steps for the next few years, aiming for a full transition to IPv6 by 2025.

According to the Plan, China is aiming to establish the world’s largest commercial network deploying IPv6, and formulate a next generation internet technical system and industrial ecosystem with independent intellectual property rights, within five to ten years. The target numbers of active users for the proposed IPv6 are 200 million by the end of 2018 and 500 million by the end of 2020, accounting for more than 20% and 50% of internet users in China, respectively. Finally, China is aiming to have the largest IPv6 network in the world by the end of 2025, in terms of network scale, quantity of users, and network traffic scale.

China is in urgent need of a more developed IPv6 network because IP addresses originating from the existing IPv4 network are nearly exhausted, and will be unable to meet the fast development of the internet industry, including mobile internet, IoT, big data, cloud computing, and artificial intelligence. According to publicly available statistics, each Chinese internet user was allocated only 0.45 IPv4 addresses, which is not only insufficient for actual needs, but also leads to cybersecurity problems. Because IPv6 addresses consist of 128 bits (instead of 32 bits under IPv4), the number of available addresses is enormously expanded, allowing an almost unlimited number of appliances in China to be connected to the internet.

UK House of Lords Inquiry on ‘The Regulation of the Internet’

The UK House of Lords Select Committee on Communications has recently opened a Public Consultation on ‘The Regulation of the Internet’, with submissions being accepted until Friday 11 May. The Call for Evidence can be accessed here.

The nine questions posed are relatively broad in scope, including: whether there is a need to introduce specific regulation for the Internet, the legal liability of online platforms, responsibility for online community standards, measures for online safety, information on the use of personal data, and the transparency of business practices – such as the use of algorithms. The last question posed asks stakeholders for their views on what effect the UK leaving the European Union will have on the regulation of the Internet in the UK.

The aim of this Inquiry is to examine how the regulation of the Internet in the UK should be improved, including options of self-regulation and governance – and whether a new regulatory framework for the Internet is necessary – or general UK law is adequate. It follows on from the UK Government’s October 2017 Internet Safety Strategy green paper, which was underpinned by the principle ‘what is unacceptable off-line should be unacceptable online’. It also follows the Government’s Digital Charter introduced in January 2018.

In response to the current Inquiry, stakeholders are encouraged to focus on their areas of expertise and therefore do not have to answer every question. They are also permitted to address any additional relevant issues of their choosing not covered by the set questions, provided that they explain the significance of such issues, widening the potential ambit of this Inquiry. As with the standard House of Lords Inquiry process, stakeholders who submit written evidence may be invited to give oral evidence at Westminster – currently tabled between April and September 2018. Any stakeholder wishing to make a submission on this important debate should submit their written evidence online here by 11 May. The Covington Inside Tech Media blog team will post further updates on related developments of significance, in the UK, and across Europe, Asia and the US.

Covington Internet of Things Update: BEREC Confirms European 5G Strategy Priority and Opens Public Consultation on the European Net Neutrality Rules

BEREC, the Body of European Regulators for Electronic Communications, recently held its 34th public debriefing in Brussels. It confirmed, among other developments, that it has made 5G a strategic European priority for the next 3 years, and has opened a public consultation on the European Net Neutrality Rules – which will run until April 25 2018.

Covington Artificial Intelligence Update: Industry Leaders Discuss the Future of Artificial Intelligence at Washington Post Transformers Series

In its latest installment of the Transformers series, The Washington Post hosted key industry and thought leaders to discuss the current and future implications of artificial intelligence (“AI”).

A number of themes emerged from the two-hour discussion.

First, all panelists agreed that AI will be a useful tool to amplify and extend human skills, but most also noted that humans are still a necessary part of the equation.

Second, panelists acknowledged the need to combat bias in AI and some explained their current work to continually improve against biases. Many stated their goal was ensuring individuals with diverse experiences and backgrounds are infused at all stages of AI development; others similarly emphasized the need to test and validate not only in laboratory settings, but in the environments and communities in which the AI will be implemented.

Third, the question of whether and how to regulate this field remains open, as some panelists favor self-regulation while others favor government-imposed transparency and oversight.

Covington Artificial Intelligence Update: The Technology Bank

Artificial intelligence and big data are some of the new technologies dominating discourse in 2018.  These technologies are expected to change the way that we travel, learn, and transact.  However, this forecast is less clear for the least developed countries (LDCs).

According to a United Nations study, science and technology and resource and development remain limited in LDCs—several of which are in Africa. Though Africa contains various tech hubs such as Kenya’s Silicon Savannah and Rwanda’s Innovation City, the concern is that without the infrastructure to adapt and absorb existing technologies, it will be difficult for these LDCs to upgrade industries, effectively partner with high tech businesses, and contribute to sustainable development.

So, the question is: how do we overcome the technological divide?

Covington Internet of Things Update: U.S., U.K., and E.U. Regulators Turn Focus to IoT

The “Internet of Things” (IoT)—the network of consumer devices connected to the Internet through digital connections and sensors—has dramatically grown over the past five years. A McKinsey analysis estimated that the potential annual economic impact of IoT in 2025 could be between $4 trillion and $11 trillion, with value accruing in manufacturing, urban spaces, human wellness, retail, autonomous vehicles, homes, and other sectors. An analysis by Gartner, Inc. estimated that in 2018, nearly 11.2 billion connected things will be in use globally, and that this figure will surpass 20 billion by 2020.

IoT already has global reach. Nearly one-third of the overall installed IoT base is located outside China, North America, and Western Europe. And although IoT use will continue to grow in commerce and industry, more than 63% of IoT-connected units are already available on the consumer market. Some “smart” consumer products—such as fitness monitors, wearable devices, smart thermostats, and smart TVs—are well-established. In the coming years, connected devices will continue to expand in other categories, including kitchen appliances, toys, and medical devices, among many others.

With the tremendous economic and social impact of connected products, systems, and devices comes a more intensive focus on the legal risks of misuse, defects, and malfunctions. IoT has the potential to make products and services safer (in such diverse areas as consumer products, railroads and food), to reduce workplace hazards, and to improve patient safety and reduce preventable errors in hospitals. Connections to the internet, however, also can introduce new vulnerabilities in the consumer market and in infrastructure, if not properly secured. Manufacturers, retailers, consumers, and regulators are increasingly focused on the consumer safety, security, and privacy implications of connected products.

Three recent events further propelled IoT safety, security, and privacy into the regulatory spotlight, all occurring in the first three months of 2018:

  • Cybersecurity firm Avast demonstrated that vulnerable Internet-connected devices could be commandeered by hackers and used to “mine” (generate) cryptocurrency. The firm estimated that 15,000 connected devices, if commandeered, could yield $1,000 every four days.
  • Cybersecurity firm ZingBox released a report shedding light on vulnerabilities in the healthcare context, particularly in hospitals. Among security issues, the company estimated that “user practice issues” (poor security practices) made up 41% of security threats; outdated operating systems and other software made up 33% of threats, with other vulnerabilities (including weak passwords) also playing a significant role. The report estimated that imaging systems and patient monitors were most vulnerable. The good news is that vulnerabilities in connected medical devices can be mitigated; the report advises healthcare providers to focus on “real-time visibility into device deployment and inventory” and enforce appropriate-use policies to “greatly reduce the exposure to rogue applications and lateral movement of infection.”
  •  In January, VTech Electronics Ltd.—which makes “electronic learning products” aimed at children between zero and nine years old—settled a complaint brought by the Federal Trade Commission. The FTC alleged, among other things, that the company violated the Children’s Online Privacy Protection Act (COPPA) by “collecting personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected,” which led to a November 2015 hack in which the hacker penetrated the company’s computer network “by exploiting commonly known and reasonably foreseeable vulnerabilities” and stole personal information about children and parents.

How have regulators reacted to these new issues? In the first few months of 2018, comments from authorities in the U.S. and Europe show more attention being paid to IoT than ever before:

  • In her keynote address at the annual meeting of the International Consumer Product Health and Safety Organization (ICPHSO) in February, Consumer Product Safety Commission Acting Chairman Ann Marie Buerkle said that the CPSC has jurisdictional authority over IoT vulnerabilities that create a risk of physical harm, but not IoT vulnerabilities that are limited to privacy or information security alone. The CPSC also plans to hold a public meeting on IoT in May.
  •  As reported last week in another Covington Internet of Things Update, the U.K. government in March released a white-paper report, Secure by Design, Improving the Cyber Security of Consumer Internet of Things Report, on consumer IoT.  The report proposes an industry “Code of Practice for Security in Consumer IoT Products and Associated Services,” which the U.K. government aims to finalize by summer 2018.  The report identifies 13 specific points of guidance for industry, and names the top three priorities as (1) requiring all IoT devices to have unique passwords that are “not resettable to any universal factory default value”; (2) requiring companies to “provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues” and to timely respond to known vulnerabilities; and (3) promoting timely security software updates and publishing clear “end-of-life” policies informing consumers of the time when security support for a given device will end.
  • Last September, the European Commission proposed a Regulation on Cybersecurity that would introduce a voluntary cybersecurity certification framework to be overseen by the E.U.’s Agency for Network and Information Security (ENISA). The proposed Regulation establishes the primacy of European cybersecurity certification schemes over E.U. Member State schemes. Under the proposal, adopted European cybersecurity certification schemes would supersede all existing parallel EU Member State schemes for the same information and communication technology products or services at a given level of assurance. This would bring further clarity, reducing the current proliferation of overlapping and possibly conflicting national cybersecurity certification schemes. The proposal provides that the E.U. schemes would be voluntary (once a product voluntarily complies with a scheme, Member States would accept it as compliant). However, in practice the schemes could become mandatory E.U. standards. The European Parliament and Council must now consider the proposed Regulation for adoption and may introduce significant amendments. The proposed Regulation could enter into force by late 2019.
  • Connected devices have been on the radar of the U.S. Federal Trade Commission since at least 2013, when it held an IoT workshop, but the FTC has shown little appetite for regulation to date. FTC Acting Chairman Maureen Ohlhausen said last year that the IoT industry should adopt voluntary best practices, with the FTC taking a more reactive, rather than proactive role, intervening only if a “harm manifests.” This approach echoes the software industry’s pushback against regulation. The head of a major software trade association recently argued that the industry should be left to develop autonomously, with “enforcement actions only in cases where there is actual, concrete harm.” Consumer advocates, meanwhile, have pushed the FTC for greater action on IoT privacy.

2018 is shaping up to be a pivotal year in IoT regulation. Interested stakeholders—whether manufacturer, supplier, or end-user—should keep a close eye on new legal and regulatory developments. Covington’s Internet of Things Blog posts will continue to monitor developments and report on future key consultations, analysis and insights here.

Covington Internet of Things Update: “Secure by Design” – UK Government’s Proposed Code of Practice

The UK government has published a Proposed Code of Practice for Security in Consumer IoT Products and Associated Services promoting a “secure by design” approach to designing, manufacturing and delivering internet-connected products and services. The Proposed Code forms part of the government’s National Cyber Security Strategy (2016-2021) and complements the government’s focus on making the UK a center of excellence for technological innovation through, amongst other things, its IoT UK Programme, funding research and innovation in IoT. While the Code was developed in consultation with industry, the UK government intends to make some of the guidelines enforceable through regulation. The government is seeking public comment on the Proposed Code through April 25.

The rapid proliferation of internet-connected products and services is providing exciting opportunities for business innovation and economic growth. However, it also brings concerns for governments and consumers about the potential cybersecurity risks. The UK government therefore is taking a close look at IoT devices and their associated security risks, including microphones or cameras recording individuals within their homes, compromised connected home-heating or appliances threatening physical safety, and hacked access control systems allowing burglars easy access to your home. It is against this backdrop that the government is encouraging industry to assist in combatting cybersecurity threats through the design and support of products and services.

The Proposed Code contains thirteen guidelines aimed at device manufacturers, IoT service providers, mobile application developers and retailers. In particular, these stakeholders are being asked to prioritize three guidelines:

  • Unique passwords. All IoT device passwords must be unique and not be possible to reset to any universal factory default value. Consumers’ reliance on default passwords makes them vulnerable to cyberattacks and, as highlighted by the government, has been at the root of a number of recent high-profile cybersecurity incidents (e.g., the use of default passwords was exploited by the Mirai malware, which ultimately disrupted the service of many news and media websites).
  • Vulnerability disclosure policy. All companies that provide IoT devices and services must provide a public point of contact as part of a vulnerability disclosure policy to facilitate reporting issues. The policy should ensure continual monitoring, identification and rectification of security vulnerabilities in IoT products and services. There is also a procedure for reporting security vulnerabilities to the National Cyber Security Centre.
  • Securely updateable software. All software components in IoT devices should be securely updateable for a period appropriate to the device. Such a period should be made known to the consumer at the point of purchase.

The remaining ten guidelines urge stakeholders to: secure storage of credentials and security-sensitive data; secure communications through appropriate encryption; minimize exposed attack surfaces; ensure software integrity; ensure the protection of personal data; make systems resilient to outages; monitor system telemetry data; make it easy for consumers to delete personal data; make installation and maintenance of devices easy; and validate input data.

The UK government also spells out a number of proposed parallel actions to support the Proposed Code. Of note is a proposed voluntary labelling scheme to aid consumer purchasing decisions and facilitate consumer trust. The government suggests that an IoT product label should include a statement that the product is internet connected and provide information on the product’s minimum support period, as well as consistent and transparent privacy-related information.

The report accompanying the Proposed Code specifically references the European Commission’s regulatory proposal for a pan-European cyber security certification framework, but only to say that, whilst the UK remains part of the EU, the UK government will continue to engage in negotiations relating to the regulatory proposals, alongside other Member States. We summarized the European Commission’s proposal last fall (see our post here and a more detailed summary here).

Finally, the government sounds a word of warning: it is expecting industry to take the lead in developing and implementing the Proposed Code. Should rapid progress not be realized, legislation will be on the cards.

The Proposed Code is open for comments until April 25, 2018. Details on how to respond are at paragraph 7.4. The Covington Internet of Things team will keep readers up to date with further posts on this initiative in the UK, and other IoT technology, regulation, law and policy developments from our specialists across the globe.