13th Internet Governance Forum, Paris

IGF 2018 Dynamic Coalition on the Internet of Things, Report

Global Good Practice in IoT: A Call for Commitment


Tuesday, 13 November 2018, 10:40 – 11:40


Theme: Cybersecurity, Trust and Privacy
Developing a global, multistakeholder understanding of "good practice" in relation to the Internet of Things
Subtheme: Internet of Things
Global good practice can only thrive if it includes a mature approach towards security of IoT devices and the data generated by those devices. In addition, global good practice only matters when it is actively pursued. The question that we need to consider is how do we get organisations and individuals to be aware and take action from a good practice perspective.

Key Messages:

  1. The DC IoT’s global good practice principle (“… taking ethical considerations into account from the outset…”) is a valuable and worthwhile pursuit since there is no way to account for the risks presented by IoT technology at this point. We call for all actors to consider, strategize and implement this principle and its main building blocks (e.g. meaningful transparency; user choice and control; adequate security; privacy by default) throughout the process of further developing and deploying IoT. We further call for all actors to ensure a level of flexibility and adaptability in their approach as this process will need to be evolving in nature, accounting for developments both in the technology and its application.
  2. There has been significant work on developing a better understanding of what “taking ethical considerations into account” means in a global context as these considerations may vary depending on the economic, philosophical and cultural norms and assumptions underpinning the position of any given party. We call for the organization of and participation in a working group to consider and make recommendations on what this means in the context of IoT technology innovation. This working group will foster an “open forum” for discussion to examine the nature of these differing norms and assumptions and, ideally, identify baseline considerations that run consistently through them. The World Economic Forum will facilitate this working group.
  3. There has been significant attention given to IoT security around the world due to the growth of the technology, its increasingly consumer-facing applications, and the corresponding use of highly confidential and personal data. We call for the organization of and participation in a DC working group to understand the security implications to ensure the use of IoT in the long term. This working group will examine current and future security implications of IoT by analysing instances of security breaches (i.e. their causes, the response, and impacts of the breach on consumers, the business and long-range market), successfully identified and circumvented attempted hacks, and long-term consumer confidence and faith in IoT technology. The Internet Society will facilitate this working group.

From the outset of the discussion, all of the presenting speakers agreed that the development of IoT global “good practices” is a shared responsibility between all potential stakeholders, public and private sector alike, including all service providers in the value chain (i.e. device developers and manufacturers, network access providers, service/app providers, and end-users). As the discussion Chair Maarten Botterman noted, the interest in developing these practices is “ours, not yours or theirs” given potential positive and negative applications of the technology, and “dumping all responsibility on the end user is a no go.” Security of IoT is a prerequisite to any agreements that are to be made, and much is done on that. The suggestion to set up a DC working group to understand what activities are currently undertaken to address security implications relating to the use of IoT in the long term was well received.

Given that IoT global “good practices” are established both in the area of policy generally and technology specifically, it is important to understand the old structures and concepts that form the basis of these practices, incorporating what has historically worked and what needs to be addressed for the future. As Eddan Katz of the World Economic Forum noted, we have to observe how “agile government” has worked to date in order to understand how to shape policy going forward, ensuring that all stakeholders have a voice and are involved. Although there are examples of countries moving forward with national policies that address IoT technologies (e.g. Canada, The Netherlands and the United Kingdom, all with representatives in the room), these have taken a relatively light regulatory approach to date. This has been, as Taylor Bentley of Innovation, Science, and Economic Development Canada noted, to allow for a relatively fluid process at this time to gain greater understanding of not only the potentially favorable and unfavorable uses of the technology but how policy will impact it.

One area that presented some disagreement amongst presenting speakers and discussion participants is fundamental to the establishment of global “good practices” principles and policy: the handling of data or, to be more specific, how long data can be used (e.g. whether there should be an ‘expiration date’ on personal data). Views were generally split between business interests (focused on the need for data to improve the consumer experience) and civil group interests (focused on how such “warehouses” of data could be abused, especially in cases of security breach). While there was little discussion, let alone agreement, on the question of ‘whose ethics,’ an open discussion is imperative to reaching an agreement that balances these differing interests. It was agreed that it made sense to set up a working group to consider and make recommendations on what this means in the context of IoT technology innovation.

Policy Recommendations and Potential Next Steps:

  • Global IoT “good practice” principles need to be voluntary in nature, and thus need to make sense to those that are considering developing more specific principles or functional requirements based on those. Given the inherently long process that is creating policy, businesses need to ensure that there are systems in place to adapt and address evolving security questions. Such adoption can be an indicator of whether any established mechanism to ensure the adoption of “good practices” is functioning properly.
  • Global IoT “good practice” principles cannot be created in the vacuum of a single type of technology. They will both impact and be impacted by the evolution of other disruptive technologies (e.g. artificial intelligence, big data). That said, these principles, the process to establish them, and how well they function can help guide “good practice” recommendations and principles for these other technologies.
  • Establishing global IoT “good practice” principles will need to account for the cultural norms / biases of different stakeholders. Discussions on these norms / biases should be without judgment or predisposition. Rather, they need to be open in nature and with the purpose of finding consistencies instead of disparities in views that can foster the adoption of any such agreed to “good practice” principles internationally.

Key Ideas and Takeaways for IGF Ecosystem:

  • IoT “good practice” principles must factor in (at least) four primary goals: security (of data and in their own person), consumer trust (including privacy / ability to control their own data), meaningful transparency (no hidden consequences), and affordability (both to produce the technology and to access it). Much like the process of reaching “good practice” principles, the achievement of their goals is fluid in nature. These goals will be impacted by a range of factors, both currently known and unknown. As such, it will be important to revisit established and emerging principles in the future to ensure they both effectively reflect the current environment and continue to achieve their intended goals.
  • It is the responsibility of the larger IGF stakeholder ecosystem to educate and engage with public / government sector stakeholders on the progress of these discussions. The purpose of these discussions is to represent a larger set of interests (i.e. national governments, business and consumers). As such, it is important not only to educate these interests on the nature of these discussions but also to receive feedback on key points made / agreed to in them, reduce that feedback to understandable messages, and relay those messages back into the IGF stakeholder ecosystem.
  • More needs to be done, based on the outcome of the working groups’ results regarding better formulation of ethics and better understanding of activities underway towards longer-term sustainability of IoT application in society.

