13 July 2018

Easing the regulatory burden on the Internet of Things

Rahul Matthan
They say that by 2020, there will be 50 billion connected things on the planet. This already includes your refrigerator, weighing scale, coffee machine, household lighting systems and intelligent assistants, and will very soon (if not already) extend to the cars you use to commute, the restaurants and pubs you visit and even the locomotives and aeroplanes in which you travel. As good as they are on their own, it is only when smart devices connect to each other that their utility undergoes a phase transformation. Smart cars that speak to our home automation systems can provide our smart homes with advance information of our exact location on our commute back from work, initiating a series of workflows that will ensure that the lights come on and the air conditioning has cooled the house to the correct temperature so that our home welcomes us properly when we arrive. This is the power of the Internet of Things (IoT). And as much as we might marvel at all it has to offer us, the true promise of the connected world is still ahead of us.


Critical to the future of connected devices is the communications layer that underpins it—what the International Telecommunications Union calls the “global infrastructure for the information society”. This is the means by which physical and virtual things connect with each other. It is essential that this communications layer operates using standardized and interoperable protocols so as to ensure deep integration between as wide a range of devices as possible.

The connected devices we encounter most frequently use the Wi-Fi or bluetooth spectrum to connect to the cloud so that the data and inputs they collect can be uploaded and accessed by services that choose to connect to their public APIs (application program interfaces). However, larger applications of IoT—connected cars, heavy machinery, remote weather stations—have to function independently and need their own dedicated access to the cloud.

Most of these applications use built-in SIM cards to connect to the cellular network, and through that to the internet. In the transportation sector, for instance, where live telemetry data of vehicles in the field has to be processed by network operating centres (NOC) for optimal fleet management, this approach is commonplace. I can see how a similar architecture could be deployed in locomotives, heavy industrial facilities and construction machinery where telemetry data is necessary to prevent accidents and extend the life cycle of the machinery.

The trouble is that this approach runs contrary to current Indian telecom regulations. Telecom access services providers are currently obliged to verify each customer before issuing them a SIM. However, if cars must already have cellular connectivity to their NOC when they roll off the assembly line, it is impossible for telecom service providers to complete a customer verification of the future owner of the car before activating the SIM.

The department of telecommunications issued M2M (machine-to-machine) guidelines in May this year. I was hoping that they would address this issue by offering some form of dispensation to telecom service providers that would allow them to issue SIMs for use in M2M communications without customer verification. Instead, the new regulations seem to have imposed obligations that are likely to be more onerous.

It is now mandatory for M2M service providers to maintain a log of all customers who own devices in which these M2M SIMs have been installed—including details of their names and addresses. All of this must be made available to the telecom service provider through an interactive online interface. If the device is transferred to someone else, the M2M service provider has to provide details of the new owner to the telecom service provider. The guidelines have also imposed a limit of nine M2M SIMs per person, all of a sudden requiring us to keep track of the SIM connected devices we own to stay within this limit. These are burdensome obligations that will impose the sort of constraints that the nascent M2M industry just does not need right now.

I have to assume that these regulations were introduced to accurately attribute misuse of SIMs to the person responsible. Since M2M SIMs are embedded in devices, it seems that the government is concerned that enterprising criminals will be able to extract the SIM and use it for illegal activities.

Surely there are simpler ways to achieve this objective. For instance, M2M SIMs could be hobbled so that they can only connect to the data network, making it impossible for them to be used for making voice calls. This would allow law enforcement agencies to trace the calls made using these SIMs if required. Additionally, M2M SIMs could be designed to deactivate the moment they are extracted from the device in which they were intended to work, foiling any attempts to extract them from the machine. Finally, M2M service providers could be asked to maintain a log of all data communication with the connected device, including location information, so that they can produce this on request for law enforcement agencies.

These measures would allow law enforcement agencies to track misuse without imposing aggressively onerous obligations on the M2M industry. To my mind, this would be a far more progressive approach that would allow a nascent industry adequate opportunity to flourish while also addressing security concerns.

Rahul Matthan is a partner at Trilegal. Ex Machina is a column on technology, law and everything in between. His Twitter handle is @matthan.

Comments are welcome at views@livemint.com

No comments: