Legal Challenges for a Privacy Framework- an IoT

perspective
SUBTITLE GOES HERE
Introduction
New innovation has managed clients with the capacity to check
the status of their home security from their cell phones, to start
their vehicles with a cell phone app, to turn on your preferred
espresso machine to get coffee without really making it and to
remotely open and close their entrance door from anywhere on
the planet. These advancements are turning out to be a part of
what is known as the Internet of Things (IoT).

Internet of Things (IoT), an environment of

data-collecting sensors and devices with unique
identifiers that have the ability to transfer data over the
internet without requiring human-to-human or
human-to-computer interaction.
 Data privacy and data protection
With the Internet of Things interfacing more things and individuals to the web, it will
significantly change lives particularly in the areas of wellbeing, home robotization, retail,
and transport. The correspondence between various gadgets, and huge information or data
transfer between their clients, would bring about sharing of personal data, in this manner
raising security and data protection concerns

Protection of sensitive personal information is secured under the Information Technology Act
2000 and The Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules 2011. As per Section 43A of the Information
Technology Act 2000, a body corporate not executing and keeping up sensible security
practices and strategies in regard of sensitive personal information or data possessed,
managed or dealt by it in a PC resource owned, controlled or operated by it, is subject to
pay damages to the individual so affected for unfair misfortune to any individual.

The ITA additionally imposes harsh punishments of confinement maximum of two years or
fine maximum to 100,000 rupees or even both, on any individual who ties down access to
any electronic record, data, etc., and who, without the assent of the individual concerned,
unveils such record, data, etc, to some other individual.
 Data ownership
The building scene of IoT brings its own arrangement of data ownership issues. As gadgets
will be flawlessly associated and speaking with one another, a lot of information will be
generated. Taking an example of Google Nest to comprehend the potential data ownership
issues that may emerge later on.

Google Nest thermostat is a gadget that learns an individual’s timetable, programs itself and
can be controlled from the smartphone. It is guaranteed that this gadget can bring down
heating and cooling bills up to 20%.

Google Nest is as of now working with organizations, for example, Mercedes to develop cars
that can constantly interact with Google Nest indoor regulator and realize what time an
individual will show up home and in like manner the gadget will adjust itself so the second
you show up you will have your ideal temperature.Presently this correspondence between
the car and Google Nest indoor regulator will include numerous sensors including
geolocation sensors that will generate information. This information will give bits of
knowledge into an individual’s propensity, for example, preferred routes, arrival timings,
fueling propensities, and much more. This information could act as a gold mine for
promoters which might take targeted publicizing to another level.
So now the question which arises in relation to the ownership of data is that who actually
owns the data in the above scenario?
 Product liability and consumer protection
In the event that IoT gadget breakdowns, or if information or programming is undermined
or lost, people and organizations may endure devastating losses. Such gadget
disappointments may result from a gadget deformity as well as from a system failure to give
correspondences as required. Hence, it is significant for IoT gadget makers to buy and guard
themselves with product liability insurance.

Initially, the claims related to product liability had to be proved under the principle of
negligence. But as the law developed the courts across different jurisdictions began applying
the rule of strict liability in the case of product liability as the rule of strict liability is, even
more, consumer-friendly. Under this standard, the manufacturer of the item is at risk if the
item is found to be defective, regardless of whether the maker was not careless in making
that item flawed.

It will be significant for IoT gadget makers to buy and guard themselves with product
liability protection and contemplate this while working.

Notwithstanding strict liability and related torts, India has various enactments including
the Consumer Protection Act, 1986, the Legal Metrology Act, 2009, that secure buyer
against defective items, lacking administrations, anti-competitive practices, and costs,
deceptive advertising on account of perilous products, in addition to other things.
 Formation & validity of e-contracts

Data ownership, security, and privacy problems with IoT gadgets can be addressed to a
degree by the method of contracts between the gadget makers and the consumers and in
numerous situations, the contract will be between the clients and the makers by the method
of e-contracts, for example, clickwrap and shrink-wrap contracts. In the event of
shrink-wrap contracts, the party contracting can peruse the terms and conditions only after
it opens the item which is newly packed. Accordingly, it gets critical to look at the validity of
these agreements.

Talking about India, e-contracts like every single other contract are administered by the
fundamental standards overseeing contracts in India, which is the Indian Contract Act,
1872 which among other things mandate certain pre-necessities for a valid contract, for
example, free assent and lawful consideration.
In this relation, it is necessary to note that the Information Technology Act, 2000 gives
strongholds to the legitimacy of e-contracts. There is no necessity under the Indian Contract
Act to have a written agreement that had to be physically signed. However, explicit statutes
do include signature necessities.
In any case, if there is an immoral contract, the courts can place a weight on the individual
who is in the dominant position to prove that the contract was not instigated by the undue
impact. With regards to IoT, there is a minimal or no chance degree for negotiations to be held
between the gadget maker and the clients in regards to the conditions of e-contracts. With
that, in maximum cases there is no privity of contract between different gadget makers, thus
what keeps on staying as a challenge is that what terms would administer the in-between
relations between the various gadget makers whole-process with one another while offering
types of assistance to the consumer.
 Privacy and security issues
Billions of gadgets gather, collect, store, and convey an abundance of information related
to the subject. The more the number of gadgets, the huger will be the generation and
gathering of information over the web. This pushes up information volume and
multifaceted nature and results in inconceivably less control, which places protection in a
rather sorry state. The collection of information relies upon the recurrence of the utilization
of gadgets.

In the year 2017, it was noted that a bug in the Google Home Mini made whole
conversations get recorded and radiated back to Google, regardless of the fact that the ”
OK Google” wasn’t spoken. However, Google accepted and resolved the issue, but still
despite everything it causes a feeling of dread inside the users concerning whether these
gadgets are really tuning in nonstop.

The smartphones which are available to sneak around to the sort of sites we use, followed
by our online search patterns with the assistance of cookies and gadget fingerprinting, are
tracked all over. With the utilization of data analytics and trend-setting innovations,
information gathered can be utilized to comprehend the patterns of behaviour, variations in
a person’s daily regime, and indications of bizarre conduct by the users. Moreover, clients
may think that it’s hard to control the measure of data they consented to share. The
correspondence between gadgets might be activated naturally just as a matter of course,
without the buyer monitoring it.
The security issues unfurl because of the absence of defensive measures for IoT gadgets. The
connecting of these gadgets with individuals, property, plants, animals, etc is highly at risk of
getting in contact with hackers. Due to these exposures to hackers, individual data gathered
can be severely abused. The level of reality increments especially if the programmer holds the
ownership of money related or medical information bringing about ‘fraud’.

With the expansion of IoT gadgets more advanced and latest types of attacks are likely to be
expected because of the absence of basic framework. As indicated by the Internet Organised
Crime Threat Assessment (IOCTA) 2018 by Europol, it can bring about new types of coercion
and blackmail plans. It also manages culprits an opportunity to bargain IoT gadgets by
propelling Denial of Service (DoS) attack or by spreading malware, and so forth.
 Conclusion
The future of IoT turns into value but a huge amount of information increases its
unpredictability in discovery, correspondences, and in delivering awareness yet its
development will be expanded step by step. The current and changing signs of vulnerability
are present with the use of IoT and its inescapability in the public eye. The protection of IoT
gadgets is a multifaceted and process filled with complexity. The current danger of an
inadequate legal system requires earnest action in legal analysis and may require new
methodologies in the enactment. To viably manage existing IoT vulnerabilities, an intensive
analysis of the currently applicable legal system should be embraced, and wherever it is
necessary new components should be developed to address the risks and dangers identified
with IoT deployment.
Privacy Enhancing Technologies for Iot
• Providers of IoT-based services are confronted with the problem of collecting the necessary
amount and quality of data, while at the same time protecting persons’ privacy using privacy
enhancing technologies (PETs).

• Selecting appropriate PETs is neither trivial, nor is it uncritical since applying an unsuitable
PET can result in a violation of privacy rights.

• The process takes into account two perspectives on the selection of PETs which both narrow
down the number of potentially applicable PETs:

• First, a data-driven perspective which is based on the data’s properties, e.g. its
longevity and sequentiality;
• Second, a service-driven perspective which takes into account service requirements,
e.g. the precision required to provide a particular service.
Some common privacy-enhancing technology examples are:

• Homomorphic Encryption: When I don’t trust the service provider in between when I send
data from my source to cloud. The use can encrypt himself and send.

• Secure multi-party computation (SMPC): A function applied jointly on inputs from various
people, but not revealing individual details. EG: Millionaire Problem

• Differential privacy: On the Dataset as a whole and not revealing individual data details

• Data minimisation: Adequecy, Relevance, Limited data

• Communication anonymizers: An anonymizer is a proxy server that makes Internet activity

untraceable.
1. https://medium.com/privacy-preserving-natural-language-processing/homomorp
hic-encryption-for-beginners-a-practical-guide-part-1-b8f26d03a98a
2. 2.
https://www.coursera.org/lecture/security-privacy-big-data-protection/secure-mu
ltiparty-computation-yxXMJ
3. 3.
https://tortoiseandharesoftware.com/blog/gdpr-principles-data-minimization/#:~:
text=%20Data%20Minimization%20%201%20Adequacy.%20Concerns%20about,th
e%20most%20important%20aspect%20of%20the...%20More%20