The influence of California's IoT equipment network security law on Internet of Things law

Posted by punzalan at 2020-03-01

Summary of current affairs

For the United States, the development of the Internet of Things has become an important part of domestic technological and economic development. Congress has proposed several bills related to the Internet of Things, including the Internet of Things Cybersecurity Improvement Act of 2017 (IoTCIA), which proposed minimum security standards for government procurement of connected devices but excluded general electronic devices; the Internet of Things Consumer TIPS Act of 2017, which instructs the Federal Trade Commission to draft educational resources for consumers on connected devices; and the SMART IoT Act, which requires the Department of Commerce to study the state of the Internet of Things industry.

However, so far no vote has been held on any of the above bills. Instead, an IoT device network security law covering general electronic devices (hereinafter the "California IoT law") was approved by the governor of California on September 28, 2018, and comes into effect on January 1, 2020. The bill mainly stipulates three aspects:

First, manufacturers of connected devices are required to equip their devices (from routers to smart home products) with reasonable security features appropriate to the nature and function of the device and to the information it may collect, contain or transmit. How are reasonable security features achieved? The bill requires either that each device be given a pre-programmed password that is unique to each device manufactured, or that the device contain a security feature requiring the user to generate a new means of authentication before access to the device is granted for the first time.

Secondly, enterprises are required to take reasonable management and control measures to ensure the security of personal information, and, for personal information that no longer needs to be retained, to take corresponding measures so that it is difficult to recover or identify.

Thirdly, enterprises are required to adopt and maintain information security processes and practices to prevent unauthorized access, destruction, use, modification or disclosure of personal information.
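As an added illustration that is not part of the original post, the two compliance paths of the first requirement modelled in Python: a per-device factory password generated from a CSPRNG, or a first-use gate that refuses access until the user sets a credential, together with a manufacturer-side audit that flags shared or default factory passwords across a production run. The Device class, its method names and the WEAK_DEFAULTS list are assumptions of this example.

```python
import hashlib
import secrets
import string
from collections import Counter
from typing import Dict, List, Optional

# Constructed model of a connected device's credential state. The Device class,
# its method names and the WEAK_DEFAULTS list are this example's own assumptions.

PBKDF2_ROUNDS = 100_000
WEAK_DEFAULTS = {"admin", "password", "12345678", "root"}  # constructed sample list


def _hash_password(password: str, salt: bytes) -> bytes:
    # The device stores only a salted PBKDF2 hash, never the plaintext credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def generate_factory_password(length: int = 16) -> str:
    """Path (1): a per-device pre-programmed password drawn from a CSPRNG at manufacture."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Device:
    def __init__(self, serial: str, factory_password: Optional[str] = None) -> None:
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        # Path (2): shipped without a factory credential, so the first access
        # must create one before any service is granted.
        self.setup_required = factory_password is None
        self._hash = None if factory_password is None else _hash_password(factory_password, self._salt)

    def set_credential(self, new_password: str) -> bool:
        """Accepts a user-chosen credential; rejects short values and known defaults."""
        if len(new_password) < 8 or new_password.lower() in WEAK_DEFAULTS:
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(new_password, self._salt)
        self.setup_required = False
        return True

    def authenticate(self, password: str) -> bool:
        """Grants access only once a device-specific credential exists."""
        if self.setup_required or self._hash is None:
            return False
        return secrets.compare_digest(self._hash, _hash_password(password, self._salt))


def audit_factory_passwords(records: Dict[str, str]) -> List[str]:
    """Manufacturer-side check over provisioning records (serial -> factory password):
    returns serials whose password is shared with another device or is a known default."""
    counts = Counter(records.values())
    return sorted(s for s, pw in records.items() if counts[pw] > 1 or pw.lower() in WEAK_DEFAULTS)
```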

Compared with another bill passed in California in June, the California Consumer Privacy Act, which has been widely praised, the California IoT bill has attracted considerable controversy in the United States since its introduction. Supporters see the bill as a good start; opponents argue that it is too ambiguous and contains many vague provisions.

To this end, Ms. M invited three compliance practitioners who have been or are now in charge of privacy and security protection in the IoT field to share their views on the California IoT act from different perspectives and to offer insights on its implications for China's IoT legislation (the commentary represents only the authors' personal views, not those of the institutions they serve).

Comments on current events

Zhu Lingfeng (Xiaomi Technology):

IoT (the Internet of Things) has become an explosive trend after years of development in 5G network technology, artificial intelligence and various subdivided fields. IoT has penetrated almost every corner of our lives, including smart home, smart wearables, smart travel, etc., bringing great convenience. However, precisely because IoT devices go deep into our lives, the security problems they bring have a wider impact on users. The main reason is that the personal data collected and used by IoT devices are sometimes more sensitive; smart speakers, for example, collect users' voices, and if attacked by hackers they can become eavesdropping devices.

As an emerging industry, the IoT industry is in the process of establishing various laws, regulations, industry standards and so on. The security of IoT devices varies from good to bad, and security problems keep multiplying and changing. In this context, SB-327 "Information privacy: connected devices" (hereinafter "SB-327") was introduced, which we should applaud. SB-327 should be the first network security law for IoT devices in the world. It is a bold attempt, and it has caught the most prominent security problem of IoT devices at present: device manufacturers generally set the same password for all devices or do not set up user identity authentication, which lets hackers easily control devices, leading to a wide range of security problems.

However, Section 1(a) of SB-327 describes the basic requirements for security features (suitable for the device and the information collected, and designed to prevent unauthorized access, tampering, disclosure, etc.), while item (b) directly specifies technical requirements (setting a unique password for the device or enabling a user identity authentication method) that are deemed to satisfy item (a). IoT device manufacturers therefore only need to meet the requirements of item (b) to meet the security requirements for the device. However, such a provision is too simple and crude to fit the specific reality:

First, because devices differ in complexity and in the sensitivity of the data they collect, the same security requirements should not be applied to all of them. From a technical point of view, securely storing a device key requires establishing an independent secure area on the device, and establishing a user identity authentication method also requires a corresponding connection link, authentication method, etc.; both place demands on the computing ability of the IoT device's chip, which undoubtedly increases the cost of simple devices. A smart bulb, for example, may be unable to meet the security requirements of SB-327 because of chip size and cost limitations. On the other hand, for complex devices such as smart cameras, it is not enough merely to provide pre-set unique code verification; there are further requirements for the complexity of the unique code, whether the storage space is independent, two-factor authentication and so on.

Secondly, rigidly writing a single technical requirement directly into the legislation will lead to an outbreak of security problems across the whole industry. The author suggests adopting the guidance of the FTC's "Careful Connections: Building Security in the Internet of Things" [1]: "there is no general list to ensure the security of connected devices, and reasonable security depends on the number and type of data collected, the functions of devices and potential security risks." It is better to address this problem from multiple aspects, such as implementing the basic principles of "security by design" and the "defense in depth" approach; referring to industry best practice such as standard encryption technology; strengthening security testing before the product goes online; making the secure option the user's default setting; updating security in a reasonable way, etc.

Xue Ying (Perfect World, formerly of the IoT Business Department of Haier Group):

The network security of IoT devices is one of the core issues attracting more and more attention as the IoT industry develops. The Internet of Things network security act issued by California reflects, in the form of special legislation, the response and innovation of the traditional fields of network security and information security law to the rapid development of the IoT industry. The act applies to "manufacturers of connected devices", which means that enterprises need to pay attention to compliance with the legal provisions on network security in the "end" design and manufacturing of IoT devices sold in the California market. Therefore, this act can also be understood as a proprietary product quality law for IoT devices in the California market.

This bill proposes that the security features of IoT devices should meet three requirements at the same time: they must be appropriate to the specific IoT device, appropriate to the specific information-processing activities, and capable of ensuring information security; it does not exclude other security features. Therefore, if the network security solution provided by an IoT service provider fails to fully cover the fragmented IoT device end, focusing only on the encryption and security measures of the cloud or the transmission channel, or fails to protect the device end from unauthorized access, destruction, use, modification or disclosure of information, it cannot be deemed to meet the requirements of the act.

This act also provides two practical methods for meeting the three requirements for the security features of IoT devices. Enterprises can choose one of them:

(1) Ensure that each IoT device has a unique pre-programmed password. Accordingly, if this pre-programmed password forms a "device identifier" of a consumer IoT device or part of one, it will also constitute a "unique personal identifier" under the California Consumer Privacy Act (CCPA) introduced in June this year (a persistent or probabilistic identifier that can be used to identify a consumer, a family, or a device linked to a consumer or family), and thus "personal information" under the CCPA. At the same time, the amount of IoT device information held by an enterprise also affects whether the enterprise triggers the enterprise-scale threshold for the CCPA to apply.

(2) Provide users with a new authentication method before granting access to the IoT device for the first time, such as allowing users to set a numeric password (as for fingerprint and other biometric authentication methods, the current common situation is that they can only be implemented in consumer IoT devices after activation).

It should be noted that if a Chinese enterprise exports IoT devices for sale in California, it must also ensure that the network security features of its IoT devices meet the requirements of this California IoT network security act after January 1, 2020.

Meng Jie, Ms. M (global law firm, formerly serving IoT companies):

The Internet of Things (IoT) represents the next step in the development of the Internet: the Web 3.0 era. Through the Internet of Things, devices can connect through the Internet and interact with other devices. This enables physical objects and humans to connect to each other through a communication network, reporting their status and/or the status of their surroundings. A few years ago the "Internet of Things" was still a concept; now it has become a reality and is developing rapidly. Substantial growth in smart cities, smart homes, smart enterprises and smart cars is expected in the next few years. However, with the rapid development of the Internet of Things, people will pay more attention to network security, privacy and trustworthiness.

In the Internet of Things environment, the large amount of personal data generated by various interconnected devices brings privacy and data protection risks. Because of the large number of connected devices, it is not always clear who collects, accesses and uses the data collected from IoT devices. However, under the principle of transparency, the controller has the obligation to use clear and concise language so that the data subject understands how their data are used, and the risks, rules, safeguards and rights relating to their personal data. Connected IoT devices may involve multiple processors, and individuals often do not understand the technical functions of such processing, and therefore do not understand the consequences of their consent, which makes the requirement of clear and informed consent for data processing challenging.

Another major problem is security, because connected devices are particularly vulnerable to security risks. Connected devices have different security levels. They run outside the standard IT infrastructure and may lack sufficient processing and storage capacity to host security software or to use encryption, pseudonymization or anonymization technologies to protect users' personal information. Given the possibility of security vulnerabilities, which constantly lead to accidental or illegal destruction, loss, alteration, unauthorized access or disclosure of the personal data processed, the processing of personal data itself brings security risks. Therefore, appropriate technical and organizational measures need to be taken by controllers and processors to prevent any unauthorized access, destruction, use, modification or disclosure. This is stipulated in the second and third points of the California IoT act.

In the first point of the act, the "unique pre-programmed password" means that each IoT device should use a separate password, which may be a long, current password composed of numbers, letters and symbols, rather than a unified, simpler password (a default password) set by the device manufacturer and hard-coded into the device when it is built. Botnets usually rely on default passwords, and users often do not change them for various reasons, so the devices are easily hacked, leading to serious network security problems. In addition to unique pre-programmed passwords, the bill says that users can instead be forced to set their own password before connecting to the network for the first time, to ensure security.

It can be seen that California's rules have focused on the security issues of the Internet of Things. Even though some scholars think that a "subtraction" rather than an "addition" mode should be adopted in dealing with security issues, Ms. M believes that it is undoubtedly advantageous to put forward security feature requirements for Internet of Things devices and raise them to the level of legislation. Although the bill applies only to California, if device manufacturers want to sell products in California they must comply with it, which means that enterprises in other states also need to comply because of where their products are sold. Given California's scale, implementation of the bill in California can effectively influence the standards followed by other American states and even regions outside the United States. That is to say, through California the bill becomes a model which, even if it may not be mature now, can become a standard configuration of Internet of Things security law.

Through the three aspects of the California IoT act, we can see that for Internet of Things enterprises, security, privacy and trustworthiness are the three core elements. At present there are at least ten standards covering the security, privacy and trustworthiness of the Internet of Things and mobile intelligent terminals in different dimensions, but most of them are only recommended. Is it possible for China to follow California's example and formulate a uniform set of rules, in the form of legislation, for special types of emerging industries that have a significant impact on national security?

If feasible, Ms. M suggests that we should still focus on these three core elements:

Security, usually defined in terms of the environment, devices and software under the organization's control, requires security requirements and regular updates for embedded device passwords, such as the password arrangement and personal identity authentication mentioned above. In addition, Internet of Things security measures also include secure configuration and technology integration, device security configuration, software code settings, close integration of software and hardware, fail-safe controls (i.e. the system remains safe when it goes "offline" due to failure), etc.

Privacy requires controllers to automatically apply appropriate privacy and data protection settings in their product design. For example, when a user decides to join a social network, the service provider may not automatically make all of the new user's information available to all users; only after the new user manually changes the default privacy and data protection settings can access be extended to people outside their list. Besides the risk of unauthorized access, sharing personal information on social media also brings additional privacy risks, usually due to a lack of understanding of who can access the information and how those people use it, such as identity theft. In addition, despite the security measures taken, in case of a data breach the service provider must notify the affected users, etc.

Trustworthiness: because the Internet of Things is an ecosystem that closely connects users, partners, suppliers and customers, it is very important to establish an atmosphere of mutual trust and cooperation in this ecosystem, and enterprises can also build a trustworthy brand effect for themselves. As mentioned in SOC 2, there are five "trust service principles": security, availability, processing integrity, confidentiality and privacy. All participants in the Internet of Things ecosystem should be responsible for protecting the security, privacy and trust of the system in order to perform the "protocol handshake" that ensures end users' security. Therefore, suppliers in the Internet of Things ecosystem should also have policies and security measures consistent with their customers', and controllers should use relevant technologies and tools to track and audit suppliers' performance, so as to ensure that the security, privacy and data protection capabilities provided to users are matched and benchmarked consistently.

[1] See:, accessed October 6, 2018.
