'Internet Of Things' Protocols: Past And Future Trends

This article is part of Ice Miller’s Smart Connections | Internet of Things Guide. This guide can serve as a shared resource for your peer group discussions to give everyone the background they need on the business and legal issues behind connected devices.

The world is abuzz with conversations concerning the internet of things (IoT). This interconnected world involves the networking of personal devices, vehicles, appliances, buildings and other everyday objects embedded with electronics, software, sensors and network connectivity to enable them to exchange data with the internet and/or with each other. Just as there is no widely accepted definition of IoT, there currently are no uniformly recognized standards for either communication protocols or security protocols.[1]
The communication protocol standards are an important first step in the development of a true IoT, because there must be a uniform way to communicate with sensors/devices regardless of the manufacturer or transmission method. The major players involved were initially split: some developing an open-source platform and some developing mesh networks.[2] Moreover, it looked as though this would be another Betamax/VHS or HD-DVD/Blu-ray format war, but more recently the major industry leaders have begun to align around a limited number of protocol standards.
CIOs, chief information security officers and information technology heads are voicing their main IoT concern: security.[3] Currently, there are no generally accepted security standards or protocols for IoT device operations.[4] Security experts predict that approximately 66 percent of networks will fall victim to an IoT security breach by 2018.[5] Security standards are being developed by Underwriters Laboratories (UL). With the Smart America Challenge, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) is also getting involved on an even larger scale, focusing on cybersecurity standards. Security standards are very premature as well, but UL has stepped in with its Cybersecurity Assurance Program, which implemented a new 2900 series of standards. Similarly, NIST is working on a publication called 800-160, which will extend Insurance Services Office standards and provide guidance on security engineering.
Technology necessarily changes before the law. At this point in time, IoT-specific legislation could be premature given that IoT operates in a geographically agnostic manner and is international in scope. There are no specific laws applicable to IoT technology in the U.S. or elsewhere in the world.[6] This article discusses the history of the development of communication and security protocols and the trends for where IoT law and technology are heading.
Early Communication Protocol Players and Their Standards
1. AllJoyn & AllSeen Alliance. AllJoyn was the first of the communication standards protocols. It was developed in 2011 by Qualcomm, and in 2013 the source code was sold to the Linux Foundation. Shortly thereafter, Qualcomm and the Linux Foundation formed the AllSeen Alliance, which includes Cisco, Microsoft, LG and HTC (among others).[7] AllSeen sponsors AllJoyn. It is an open-source software connectivity and services framework that allows for interoperability of devices that can discover, connect and interact directly with each other.[8] AllJoyn is a pure open-source framework for peer-to-peer connectivity over the cloud.[9]
A certification program has now been launched, but currently AllJoyn requires Wi-Fi which severely limits the interoperability beyond a household or office space.[10] Microsoft indicated that AllJoyn empowers the IoT by allowing devices to discover and communicate with each other regardless of the transport technology, platform or manufacturer.[11] The AllJoyn framework is currently geared toward software platforms such as Linux, Android, iOS and Windows, not on a global or local (U.S.) scale.[12] Clearly those platforms are global, but in a narrow sense.
2. Thread Group. In July of 2015, Thread Group was announced.[13] It was formed by Google’s Nest, Samsung and Arm Holdings.[14] Its standard is an alternative to Wi-Fi and Bluetooth that is thought to have better low-power and security features. The sensors will communicate through a low-power radio protocol over wireless personal area networks (6LoWPAN), and it supports the new internet protocol version 6 (IPv6). The security feature utilizes a mesh network.[15] Wi-Fi consumes a lot of power and is used for big data. Bluetooth is low-power but cannot accommodate a true mesh network. Mesh networks can run over wireless local networks (WLANs) and are decentralized by connecting nodes (e.g., sensors) directly to each other rather than through routers. This ensures that if one node (or sensor) fails, the others can still communicate.[16] Thread is not an open-source format and is geared more toward household interconnectivity.[17]
3. Open Interconnect Consortium (OIC). Also in July of 2015, OIC announced its formation. Notable members include Atmel Corp., Dell, Intel and Samsung.[18] OIC was formed because of the general distrust in Qualcomm or any other major for-profit vendor as a creator of “allegedly open-sourced protocol.”[19] OIC was developing a specification through its open-source project called IoTivity. The IoTivity project allows member companies, including the Industrial Internet Consortium (IIC), to collaborate and share software and engineering resources.[20] While OIC still exists, it is now subsumed by the Open Connectivity Foundation (see OCF numbered item 7 below) that now includes the IoTivity project.
4. Institute of Electrical and Electronics Engineers (IEEE). IEEE is a leading developer of international standards that underpin many telecommunications, information technology and power-generation products and services and is often the central source for standardization in a broad range of emerging technologies.[21] It has 350 existing standards that are applicable to IoT. In 2014, the IEEE Standards Association (IEEE-SA) created an IoT ecosystem study and published an executive summary.[22] IEEE P2413 is a draft standard that will serve as the umbrella for building an architectural platform that covers integration of multitiered protocols on a global scale. In short, the IEEE sees the individual IoT verticals (e.g., transportation, healthcare, etc.) as their own domains, which create a multitiered protocol architecture. It is working on a reference architecture that integrates the domains.[23] IEEE is currently not a member of any consortium.[24]
5. ITU-T SG20. The SG20 is a study group within the Telecommunication Standardization Sector (ITU-T) focusing on IoT and its applicability to smart cities and communities. Formed in June of 2015, it will develop international “standards to enable the coordinated development of IoT technologies, including machine-to-machine communications and ubiquitous sensor networks.”[25] The purpose is to create standards that “act as an umbrella for IoT standards development worldwide.”[26] The SG20 group has published a couple of standards periodically since November of 2015.[27]
6. Apple HomeKit. Much like Thread, HomeKit is geared toward household interactive devices, not the broader IoT. But it is being marketed as an IoT product, and Apple is of course a major player in the ecosystem.[28] Some say HomeKit is not much of a standard, but more “Apple’s proprietary way of doing things.”[29] Apple does, however, utilize open-source platforms and touts itself as contributing to open-source projects,[30] but Apple is not a member of any consortium.
7. The most recent consortium is OCF. In February of 2016, a new consortium called Open Connectivity Foundation (OCF) was formed as a successor to the OIC. One of the stated purposes of this new group is to “get industry consolidation around a common, interoperable approach.”[31] The new group is working to create a specification and certification for its protocol framework.
OCF has pulled in some of the industry leaders that are also part of AllSeen Alliance,[32] but it is not a merger of the two groups.[33] Founding members include Cisco, Electrolux, GE, Intel, Qualcomm, Microsoft and Samsung.[34] The notable promise of this new industry group is that it includes Intel and Qualcomm which was the primary reason the OIC was formed as a competitor to AllSeen Alliance. The OCF has the same goal as AllSeen Alliance, but the OCF develops “middleware standards for connecting devices, and it sponsors an open-source reference implementation called IoTivity.”[35]
The OCF has not only incorporated the draft specs from the OIC, but also standards from the UPnP+ Initiative (which includes certification).[36] The UPnP develops standards for cloud services, and the code is open-source.[37] The open-source code is still being shared through the IoTivity project. The Linux Foundation (part of the AllSeen Alliance) hosts the IoTivity project that grants access to the code.[38] Similar to the AllJoyn framework, the OCF is currently geared toward software platforms such as Linux, Android, iOS and Windows, not on a global or local (U.S.) scale.[39] Clearly those platforms are global, but in a narrow sense.
Security Protocol Standards
The Department of Commerce NIST notes that the reality is that the “IoT leaves private and public computer systems indefensible, and no amount of security guidance can provide salvation.”[40] NIST 800-160 is a draft publication which provides security engineering process extensions for International Standard ISO/IEC/IEEE 15288 in furtherance of the Federal Information Security Modernization Act of 2014.[41] This is a nonbinding document that provides guidance on adapting a set of widely used international standards for systems and software engineering to the specific needs of security engineering. The final version was originally slated to be published in December 2014, but the second and most recent draft was published in May 2016.[42]
The White House published a press release on February 9, 2016 outlining the President’s concern about cybersecurity and announcing the Cybersecurity National Action Plan (CNAP). In the press release, it was noted that the “Department of Homeland Security is collaborating with UL and other industry partners to develop a Cybersecurity Assurance Program to test and certify networked devices within the ‘Internet of Things,’ ... so that when you buy a product, you can be sure that it has been certified to meet security standards.”[43]
Underwriters Laboratories Cybersecurity Assurance Program
In April of 2016, UL launched a new UL 2900 series of standards that offers cybersecurity test criteria for network-linked products and systems as part of its UL Cyber Security Assurance Program (CAP).[44]
The UL CAP standards will certify products and help “thwart attempts to change a product’s functionality; access the data that a product collects, processes or stores; or utilize a flaw in the product to gain entry into any network or system to which the product is connected.”[45]
A product’s software protocol may be technically secure, “but without the correct implementation of applicable security controls, the product is still vulnerable to cyberattacks.” The controls may include “role-based access control, secure data storage, cryptography, key management, authentication, integrity, and confidentiality of all data received and transmitted.” The UL 2900 standard contains minimum requirements for the security controls. The standards also describe testing and verification requirements.[46]
A stated flaw in the UL CAP is that it lacks a post-certification audit process. Such a process would allow certification to be removed if there is a problem with the software or firmware so that the owner of the product knows that it is not safe to use.[47]
Regulatory Authorities
The Federal Trade Commission has remarkably broad authority to address violations of data privacy and security standards through section 5 of the Federal Trade Commission Act that prohibits unfair and deceptive trade practices. However, the commission announced a limitation on its enforcement powers: “Through these settlements, the Commission has made clear that reasonable and appropriate security is a continuous process of assessing and addressing risks; that there is no one-size-fits-all data security program; that the Commission does not require perfect security; and that the mere fact that a breach occurred does not mean that a company has violated a law.”[48]
The Federal Communications Commission could also get involved if the transmission protocol is broadcast (e.g., Wi-Fi).[49]
Antitrust issues may arise if the protocol standards are not open-source, because an open-source framework promotes competition.[50]
Although the IoT communication and security standards development are in their infancy, it is reassuring that many industry partners are collaborating and appear to be working toward consensus. Such industry collaboration appears to be the logical direction to obtain uniformity and an efficient solution for consumers and business. And there appears to be general consensus on an open-source software format.
At this point, only time will tell whether the IoT will take OCF’s standards approach or whether Qualcomm will de-emphasize the push for standards so it can just upgrade software in the billions of devices it has in use and on the market. Qualcomm is now a member of the OCF, so things could turn toward the direction of uniform standards. Once the standards work themselves out, the law will follow suit.
There could be significant overlap in regulatory authority once the IoT takes off. The devices/sensors will surely communicate through many different transmission protocols triggering authority by both the FTC and FCC (just to name two).
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.
[1] Antigone Peyton, The Connected State of Things: A Lawyer’s Survival Guide in an Internet of Things World, 24 Cath. U. J. L. & Tech. 369, 386 (2016); Kathleen Aguilar, Getting up to Speed on the Internet of Things, 33 No. 8 ACC Docket 26, 27-28 (2015).
[2] Technically there still is a split, but as you will see below, there is now overlapping support from industry group leaders on both sides. And the mesh network seems to be a system that will be confined to household devices, not true IoT involving free interoperability of sensors/devices in the public.
[3] Joachim Scherer, Regulating Machine-to-Machine Applications and Services in the Internet of Things, 2 Eur. Networks L. & Reg. Q. 141, 153-54 (2014) (“The need for standardization in order to ensure interoperability and security has been identified as one of the key areas of concern regarding the development of [machine-to-machine] services and the IoT”);
[4] Peyton, supra note 1, at 386.
[6] Adam D. Thierer, The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns Without Derailing Innovation, 21 RICH. J.L. & TECH. 6, 106 (2015).
[41] 44 U.S.C § 3541 et seq.;
[44] and
[48] Thierer, supra note 44, at 110-11.
[49] Gregory G. Wrobel, Connecting Antitrust Standards to the Internet of Things, 29 Antitrust 62, 66-67 (Fall, 2014). This article provides good insight into the antitrust issues that may arise through the IoT if the proprietary business models are utilized. Open source standards and business models tend to promote competition among rivals by assuring interoperability.
[50] Wrobel, supra note 49, at 64-65.