European Parliament pushes on IoT device security and interoperability
European Parliament pushes on IoT device security and interoperability

European Parliament pushes on IoT device security and interoperability

The European Parliament wants to force the IoT industry to give consumers the security and interoperability they expect from the devices they buy. However, it is far from a sure thing that European lawmakers will get their way, as David Meyer reports.

Last week, the European Parliament approved amendments to a relatively obscure piece of legislation known as the Digital Content Contracts Directive, meaning that closed-doors ‘trilogue’ negotiations can now begin with EU member states, as represented by the Council of the European Union.

When the European Commission first proposed the directive at the end of 2015, it had no intention of having the legislation cover IoT devices – it was just trying to provide a way to give consumers straightforward contractual protections when buying digital content and services online, including across borders, and even when they pay with their personal data rather than money.

However, the European Parliament had different ideas. Its legal affairs and consumer protection committees recently added amendments that would extend the law to also cover software that’s embedded in hardware, and Parliament green-lit the amendments last Thursday.

Let battle commence

Now the fight begins with Council, which has previously said it opposes the inclusion of IoT devices in the legislation’s scope.

Julia Reda of the Pirate Party was one of the parliamentarians who worked on the document in committee. She told Internet of Business that the addition of IoT devices to the directive’s scope would give the law “a lot more relevance”.

The proposed point of leverage here is not so much the producers of the devices, but the traders that sell them to the public. The traders have to comply with what they have agreed with their customers in the contract of sale, but on top of that there will also be “objective conformity criteria” – characteristics that consumers would be able to expect from the products they buy.

“If the consumer has a reasonable expectation that a certain level of security is followed in the devices, especially where there are existing technical standards or best practices existing in the sector, then it would be considered a lack of conformity with the contract if doesn’t conform,” Reda said.

If the product doesn’t conform, that would entitle the consumer to go back to the trader and demand that they fix it. Failing that, the consumer would be entitled to return the product for a refund.

Read more: Why the IoT industry needs to pay attention to ePrivacy Regulation

Faulty devices and faulty software

Of course, existing law already allows consumers to demand such things in cases of faulty IoT devices – but only if the hardware is playing up. The key extension here is that they would get the same rights if it’s the embedded software that’s at fault.

“The seller of an IoT device would have to provide the consumer with notifications of any updates that would be necessary to keep the device in conformity,” Reda explained. “So, for example, if a new security flaw is detected and therefore the device would no longer comply with the current expectations of security that a consumer would reasonably have, then the trader has to inform the consumer of any security updates they have to install to fix the problem. But if the consumer decides not to install the updates, there’s no liability on the side of the supplier.”

Does this mean retailers would need to take contact details from their customers every time they sell a home hub or smart lighting? This is where things get fuzzy.

Because this is a directive rather than a regulation, much of the detail would be left to member states to work out in their national implementing legislation. But, Reda said, the answer to the question above is “technically yes. If the content is installed on a device of some sort, then of course the seller would have to make it possible for the consumer to be informed about the existence of those updates.”

Reda added that some parliamentarians had wanted the law to establish this sort of relationship directly between the consumers and the manufacturers, rather than the middlemen, but others pushed back and got their way. Either way, if the problem is the fault of the producer, the retailer would be able to pass on liability to the producer (as long as there was a financial transaction involved – if a consumer were to install free software components on their IoT device and those components were to foul up, there would be no liability at play).

Read more: Uncertainty persists around ownership and value of IoT data

Traders liable?

The amendments would also make the trader liable if they sold the product while promising interoperability with a certain operating system, for example, and the product failed to deliver. “The consumer has to be able to access the digital content without having to use other technologies to convert it in order to be able to use it,” Reda said.

There is a loophole in all this, though it’s a rather uncomfortable one. If the trader clearly tells the consumer at the time of purchase that the product doesn’t follow these security and interoperability criteria, and the consumer agrees, then there would be no potential liability if things go wrong. Reda isn’t happy with this loophole. “It’s not possible for consumers in most situations to negotiate the contractual terms. It’s not really a very good safeguard for consumers,” she said.

Máté Mester, a managing partner at the Budapest-based regulatory consultancy ExplicoTech, said Parliament’s ideas would be “very favourable for consumers”.

“It might be costly for the producers and might be a barrier for many to enter or stay in the market, and it may lead to an increase of the prices, but at the same time it’s a very good example of the European approach, which is rather a cautious one and rather pro-consumer,” Mester said.

“I wouldn’t say it’s a landmark regulation, but a very important one for the IoT market that reflects on one of the key problems of these products. But you also have to balance innovation with security – it depends on the exact product, on the use case of the product… That’s why you have to interpret these rules in a rather flexible and case-by-case basis.”

Read more: No more security through obscurity for IoT device makers

Big questions, tricky negotations

The big question now is how Council will react to Parliament’s ideas in negotiations. When Council set out its general approach to the directive earlier this year, it was minded to leave IoT devices out of the document.

However, the Council’s rotating six-month presidency is currently in the hands of Estonia, which is keen to wrap up as much legislation during its term as it can. Bulgaria, which will take over the presidency at the start of 2018, has a fair amount of political turmoil at the moment, and may find itself unable to achieve much during its term.

Estonia’s haste is evident in the fact that the first of the trilogue negotiation sessions with the other EU institutions will already take place this coming Tuesday, and another is scheduled for later this month. Council is keen on the overall directive, so the question now is how much ground they’re willing to give in order to progress it as far as possible, Reda said.

The Estonian justice ministry told Internet of Business that the council presidency would follow the general approach agreed by the Council earlier this year. “According to the agreement the directive on digital content does not cover hardware with embedded content – as originally envisaged by the Commission,” a spokesperson said.

However, the ministry spokesperson added: “Coming back to the trilogues it is difficult to predict the final outcome as it is highly unlikely that negotiations would be finalised under the Estonian presidency – taking into account the little time left before the end of the presidency.”

Read more: IoT device makers: Tackle security or face legal action