On 3 July 2019, the ICO published its updated guidance on the use of cookies and similar technologies. This came shortly after it updated the cookie consent collection mechanism on its own website. Much of the guidance is unsurprising and reflects what companies already do in practice. However, other parts of the guidance are likely to require many organisations to make changes to their current cookie practices.

Slightly over one year ago, several major distributed denial-of-service (“DDoS”) attacks took place, including a major event affecting the domain name service provider Dyn, which caused outages and slowness for a number of popular sites, including Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter.

Now, a new Internet of Things (IoT) botnet, called IoT Reaper, or IoTroop, has been discovered by researchers and presents a threat that could dwarf the 2016 attacks and create a major disruption to internet activity around the world.

On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure.

The draft bill, introduced by a bipartisan coalition of Senators, proposes implementation of basic security requirements for interconnected devices purchased by the federal government. Under the proposed law, federal suppliers would be required to monitor and patch cybersecurity vulnerabilities.

Late last year, the National Institute of Standards and Technology (“NIST”) released Special Publication 800-160 (the “Guidance”) on implementing security in Internet-of-Things (“IoT”) devices. The Guidance was released following several highly publicized distributed denial-of-service (“DDoS”) attacks in 2016 and is intended to provide a framework for software engineers to better address security issues and to develop more defensible and survivable systems in a sustainable manner throughout the life cycle of these devices.

Several significant distributed denial-of-service (“DDoS”) attacks have taken place in the last few weeks, including a major event involving a domain name service provider (Dyn), which caused outages and slowness for many popular sites like Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter. This significant attack came on the heels of two major DDoS attacks against KrebsonSecurity and France-based hosting provider, OVH, in late September—each of which set records as the largest of these attacks in history. Most recently, nearly 900,000 Deutsche Telekom routers in Germany were attacked, causing significant internet and television outages across the country. While DDoS attacks have been around for some time, what stands out in these cases is the attackers’ exploitation of security weaknesses in tens of thousands of Internet-of-Things (“IoT”) devices to launch the attacks. Unfortunately, these types of widespread outages may be more common in the future if these weaknesses are not addressed.

On Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks were launched against the servers of Dyn, a major DNS host. DNS hosts operate in a manner akin to a switchboard for the Internet, helping to route domain names (e.g., dataprotectionreport.com) to underlying IP addresses (e.g., 104.28.6.115). By attacking Dyn, hackers were able to prevent end-users from reaching the websites and online services that relied on Dyn, including Netflix, Twitter, Spotify, SoundCloud, Amazon, AirBnB, Reddit, PayPal, Pinterest, CNN, Fox News, the Guardian, the New York Times, and the Wall Street Journal. In a statement, Dyn described the attack as “a sophisticated, highly distributed attack involving 10s of millions of IP addresses.”

On Thursday, January 28, Boris Segalis and David Navetta, who co-chair Norton Rose Fulbright’s Data Protection, Privacy and Cybersecurity practice in the US, invite you to join Chris Valasek, security lead at Uber Advanced Technology Center and recognized “Jeep Hacker,” along with a panel of our cybersecurity professionals, for an intimate discussion on the revolutionary possibilities of the IoT, among other hot topics. Darren Lubetzky, who is with the Federal Trade Commission’s New York Regional Office, and Ffion Flockhart, a cyber insurance partner with Norton Rose Fulbright’s London office, will also be serving on the panel.

Disrupted, yet again. The world is fast preparing for the invasion of objects connected to the Internet, otherwise known as the Internet of Things (“IoT”).

IoT is here, and it will revolutionize how both individuals and corporations interact with the world. In this multi-part series we will explore this quickly evolving revolution and the privacy and security legal issues and risks that corporations will have to address in order to leverage IoT and move the world into a new reality. Part One of this series provides background and context surrounding IoT and highlights the legal issues organizations seeking to leverage IoT will face. Subsequent parts will dive much deeper into IoT.

To start, consider the following portrayal of a day in the life of IoT:

By the time Lazlo Hollyfeld’s smartwatch detected the proper biorhythms to roust him out of sleep, his coffee was brewing and his curtains were drawn back. “It is cold this morning, Mr. Hollyfeld, but no rain today in the forecast,” stated his computer assistant over the Bluetooth speaker by his bed. Lazlo haphazardly waved his watch at the T.V., which automatically began streaming his morning news program. He fumbled for the slippers by the bed, and reached for his morning smart pills, which were remotely dosed according to a physician’s review of Lazlo’s wearable health monitoring devices. Health readings taken by the pills after they were ingested would later be sent to Lazlo’s physicians.

As he arose, motion detectors relayed to his home automation system to bring the lights up to 30%. Stumbling into the bathroom, both the lights and his television stream followed him. The shower was running at a comfortable temperature and Lazlo’s favorite album started to play on the shower stereo as he walked in.

Running late, Lazlo quickly dressed and dashed downstairs to grab his coffee. Tracking his motion and triangulating the Bluetooth signal from his watch, the home automation system brought up Lazlo’s schedule and to-do list on the refrigerator screen, shut down the heating system in the house, turned off the lights in the living quarters, and signaled to his car to start the engine and turn on the seat warmers. Lazlo scanned his email on the fridge screen, and swiped a few emails to the car icon. As he ran to the garage, he grabbed the last of the orange juice in the fridge, triggering a reorder to be delivered by drone later that evening. By the time he pulled out of the driveway, his television stream was already playing in the car. Meanwhile, his home automation system locked the doors, set the alarm system, and turned on the sprinklers.

Lazlo entered the highway, where his watch, reading his skin surface temperature, signaled the car to remove power from the seat warmers. As he comfortably locked in cruise control, his car began reading the emails he had swiped to the car icon on the fridge. Lazlo took his hands off the controls because his car was communicating with the other vehicles on the highway to maintain the proper speed and lane position. Lazlo dimmed the car windows and settled into his traffic-free, relaxing morning commute.

Does this sound like the distant future to you? Think again. Much of the technology discussed in this article already exists in the marketplace (or soon will). For businesses, IoT will present enormous competitive advantages and financial opportunities, and also pose challenging legal, security and privacy risks. To fully enable IoT, organizations will have to consider privacy and security legal issues at the outset, and design IoT technologies and devices in a way that addresses these issues and limits risk to both the users and companies. Let’s begin exploring.