A framework for data security, privacy, and trust in “consumer internet of things” assemblages in South Africa
There are serious problems in the Consumer Internet of Things (CIoT) concerning data security, privacy, and trust. Personal information is valuable to the owner of that information. It is for this reason that relevant stakeholders put measures in place to control it. Private information includes such information as the physical location and movement of the person. In addition, service providers and regulatory bodies need to implement privacy enhancement technologies (PETs) and relevant protection laws. Finally, there is a need for standards, methodologies, and tools to identify consumers and objects.
Concerning security, the developers and service providers of CIoT need to ensure safety from the design stage to the execution stage. Service providers of CIoT need to be proactive in identifying and protecting IoT from arbitrary attacks, such as denial-of-service (DoS) attacks, and from abuse.
In addition, service providers need to ensure that malicious software does not enter the IoT ecosystem. The CIoT service provider is responsible for continuously updating the software and firmware of devices in response to security threats. Consumers need to trust, and be comfortable exchanging personal information with, any CIoT stakeholder. This information exchange is critical to the success of CIoT, and sensitive data must be protected. This trust also applies when smart objects communicate on behalf of consumers with trustworthy services. Trust has to be incorporated from the design stage of CIoT and must be built into the system. Trust also needs to exist among all stakeholders in the CIoT assemblages, such as cloud providers, device manufacturers, connectivity providers, and mobile app developers, to mention just a few.
A Proposed Framework
Studies have sought to propose a framework to address data security, privacy, and trust issues relating to CIoT. As reflected in Figure 1, the framework addresses the security, privacy, and trust issues that consumers experience with respect to the legal and technological aspects of CIoT.
Legislative framework
Concerning legislation, the framework identified key legal frameworks in South Africa as the Consumer Protection Act 68 of 2008 (CPA), and the Protection of Personal Information Act 4 of 2013 (POPI Act).
1. Consumer Protection Act
The protection of consumers is of vital importance in any market. South Africa enacted the CPA to deal with the need to protect consumers. When consumers of IoT suffer financial losses or identity theft because of improper business practices, the laws of the country need to protect them. Improper business practices may include habits like misleading information, advertising, direct marketing, use of inferior products, and unclear instructions on how to use the services. These practices apply to any business venture in the supply chain of delivering the service. In CIoT, the service providers may over-promise regarding what the service is capable of doing or its ability to provide security concerning consumers’ information. The providers may also use consumers’ information for advertising and marketing purposes without the consent of the consumers. Ukwueze [36] states that the goal of the law in consumer protection is to prevent harm or injury to the consumer and to provide redress where he or she has suffered damage or injury in his or her relationship with the producer or supplier of goods and services. In South Africa, the CPA derives from the International
2. Protection of Personal Information Act
The POPI Act exists to guarantee that all South African institutions behave responsibly when collecting, processing, storing, and sharing other people’s information. The Act ensures this by holding the institutions accountable should they abuse or compromise people’s data in any way. The South African government created the POPI Act to promote the constitutional right to privacy by safeguarding personally identifiable information (PII). The Act tries to guarantee that all South African institutions behave responsibly when collecting, processing, storing, and sharing another entity’s personal information by holding them accountable should they abuse or compromise that entity’s personal information in any way. The POPI Act treats personal information as valuable and therefore aims to bestow upon people certain rights concerning their data. The owner of the data should be able to exercise control over their personal information.