LIVE FROM GSMA MOBILE 360 SERIES – PRIVACY & SECURITY: Nikolaos Isaris, deputy head of unit – future networks, IoT at the European Commission (EC), split opinions in a panel session at the M360 Privacy and Security event, when he outlined commission plans to create a security and privacy certification framework for the Internet of Things (IoT) system.

Isaris explained the EC is currently assessing the ramifications of establishing a certification framework, which may be accompanied by a labelling programme covering not just IoT, but all ICT services and products. Results of the assessment will be revealed by the end of 2017.

Tony Anscombe, global security evangelist at ESET, said the EC’s approach could stifle innovation and instead proposed the “industry as a whole should come together to do this” because, while regulations are needed, they cannot come at the cost of innovation.

He cited a US company which certifies the safety of children’s IoT toys as an example, claiming the technology it uses may not fit the standards the EC proposes.

Building confidence
However, Isaris said “we are not killing IoT”, explaining the EC instead wants to establish trust in the ecosystem by creating more transparency so consumers are more open to using IoT products and services.

“We need to ensure that when there is a market failure we intervene and currently there is a market failure of information asymmetry”, he said, arguing consumers don’t have the necessary privacy and security information for the products and services they use every day.

Meanwhile, Robert MacDougall, head of enterprise public policy at Vodafone, said the operator takes IoT security “very seriously” and, without knowing the details of what the EC will propose, believes a framework can be beneficial in terms of identifying a minimum set of best practices, ensuring market compliance with those practices and driving consumer confidence.

He hoped the best practices would complement existing policies such as those recommended by the GSMA, and said the framework will need to differentiate between high-risk use cases such as heart monitors and low-risk scenarios.

“The regulation needs to be proportionate to the risk”, he said, adding that a one-size-fits-all approach will not work.