The DIGIT Act, paved with good intentions, needs a firm hand

As threatening as malware can be, forget about it for a moment. Most applications installed today harvest data from a variety of devices, unbeknownst to their users, and that information often finds its way into the hands of criminals after a hack.

No law forces app makers to tell their users what they collect, let alone gives them a chance to opt out of that collection. But what if there were?

The Developing Innovation and Growing the Internet of Things Act, under consideration in the U.S. Senate, could help the United States better establish itself as a global leader of the fast-growing Internet of Things marketplace. It would require the Commerce Department to create a working group made up of federal stakeholders, advised by organizations outside the government, to analyze and report on what the IoT industry needs—especially from the Federal Communications Commission—to continue to grow.

If the working group is created, it could go beyond recommending IoT’s spectrum bandwidth needs. It could advise putting an end to business practices that allow software programs to essentially spy on their users. It could define what is allowed to be taken from computers, and how it is permitted to be uploaded and encrypted.

Lacking regulation, many vendors don’t disclose the information they are taking. They misuse the Domain Name System to relay confidential information from companies. And they use encryption methods that prevent consumers from seeing what they are taking.

If the DIGIT Act led to legislation that regulated the good companies, it would become much easier to uncover the bad guys with network traffic analytics.

Let’s assume that DIGIT becomes law. The stakeholders are supposed to discuss:

  • federal laws and regulations that currently impact IoT
  • federal laws and regulations that will be needed
  • budgetary or jurisdictional challenges
  • how to improve coordination among federal agencies involved with IoT
  • how to implement the recommendations
  • how federal agencies can benefit from and prepare for IoT technologies
  • individual privacy and security concerns
  • small-business challenges
  • international proceedings or negotiations that could impact IoT

As proposed, DIGIT sounds like it could lead to the kind of comprehensive legislation that could protect consumers while allowing enterprise businesses and startups alike to thrive. And on the surface, the act certainly has good intentions. But it could become just a rubber stamp for industry, if not properly implemented.

As the senators involved with DIGIT meet and discuss the bullets above, it would be beneficial if they established some very specific rules and laws in several areas.

Internet service providers

ISPs, ranging from home Wi-Fi providers to mobile-phone providers, need to play a larger role in protecting and policing their customers. For example, they need to implement better security by configuring their equipment to comply with the Internet Engineering Task Force Best Current Practice 38, which prevents ISPs from forwarding traffic that did not originate from their network.

ISPs should also keep records on the violations per customer and report repeat offenders to a government agency. Ultimately, businesses and consumers alike must also invest resources to clean up the malware on their internal networks, but ISPs need to make them aware of their traffic-producing problems.
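The BCP 38 check and the per-customer record keeping described above can be sketched as follows; this is an added example, not part of the original article. The customer names, prefixes, packets and the repeat-offender threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data: customer ports and the prefixes assigned to them
# (documentation address ranges only).
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}
REPEAT_THRESHOLD = 3  # hypothetical cut-off for a "repeat offender"

# Constructed packets: (ingress customer port, source address, destination).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),           # inside the /25
    ("cust-a", "192.0.2.200", "203.0.113.5"),          # outside the /25
    ("cust-a", "2001:db8:a:1::5", "2001:db8:ffff::1"),  # inside the /48
    ("cust-a", "not-an-ip", "203.0.113.5"),            # malformed source
    ("cust-b", "198.51.100.7", "203.0.113.9"),         # inside the /24
    ("cust-b", "203.0.113.9", "192.0.2.10"),           # spoofed third party
    ("cust-b", "10.0.0.1", "192.0.2.10"),              # private source
    ("cust-b", "192.0.2.10", "203.0.113.9"),           # another customer's address
]

def build_table(assigned):
    """Parse prefix strings once so each packet check is a cheap lookup."""
    return {cust: [ipaddress.ip_network(p) for p in prefixes]
            for cust, prefixes in assigned.items()}

def source_is_valid(table, customer, src):
    """Ingress check: the source must lie in a prefix assigned to that port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source is never forwarded
    return any(addr.version == net.version and addr in net
               for net in table.get(customer, []))

def filter_packets(table, packets):
    """Return (forwarded packets, per-customer violation counts)."""
    forwarded, violations = [], Counter()
    for customer, src, dst in packets:
        if source_is_valid(table, customer, src):
            forwarded.append((customer, src, dst))
        else:
            violations[customer] += 1  # the record an ISP would keep
    return forwarded, violations

def repeat_offenders(violations, threshold=REPEAT_THRESHOLD):
    """Customers whose violation count reaches the reporting threshold."""
    return sorted(c for c, n in violations.items() if n >= threshold)
```
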

‘Smart dust’

Smart dust is a term used to describe very small chips containing a system of tiny microelectromechanical systems such as sensors, robots, or other devices that can transmit temperature, vibration, GPS coordinates and more.

Imagine attaching a small sticker of smart dust to every package shipped by UPS, FedEx, and U.S. mail. These devices allow the consumer or the shipping company to track everywhere the package goes, measure the temperature, and know if it has been opened or dropped on the floor. Just add the smart-dust chip to the shipping label, scan it with a smartphone app, and track it online.

One problem with these devices is that they could be engineered to run forever—even if they end up in a landfill. This industry needs to be regulated, and manufacturers should be fined or forced to pay for cleanup services, if and when the end-of-life programming doesn’t expire the unit. Otherwise, the Internet of Things could become an Internet of Zombies, with devices that live forever, eventually become compromised, and are used to launch attacks on the Internet.

The DIGIT Act is certainly a step in the right direction. However, the technologies surrounding big data are moving fast, and government action needs to catch up. With tighter regulation on acceptable Internet traffic behaviors, detecting abnormal traffic patterns becomes much easier, making the Internet safer for businesses, users and government agencies. The Internet needs to evolve from the Wild West, the same way transportation did with much-needed regulations, laws, and policing.