IoT Working Group
Thursday, 14 May 2020
4 p.m. (CEST)

SANDOCHE BALAKRICHENAN: Hi everybody. Can you hear me?

STACIE HOFFMAN: I can hear you.

SANDOCHE BALAKRICHENAN: And can you see my slide? Thank you. We'll wait for two more minutes.

So, wait for one more minute and then we'll start. I think let's start.

Hello everybody. Welcome to the RIPE IoT Working Group. I am Sandoche Balakrichenan and with Jim Reid the IoT co‑chairs, we'll be coordinating this session for another 30 minutes. It is an unusual meeting, we have a virtual meeting, so, there are some housekeeping details.

Most of them you might already know. But at least I think for some who don't know, I would like to reiterate.

So, if you are coming here, you are connecting either via Zoom or via standard RIPE live streaming. You have a live transcription, which you can see from the link shown in the slide. You can open that separately.

Then if you are asking questions and answers, if you are using Zoom, use the Q&A window. Always write your name and affiliation. So that it will be useful for others to know, because we have a lot of attendees.

If you are using the IRC channel to put the question and answers. The Zoom chat is only for discussions. Always select panelists and attendees if you want to use the Zoom chat. As you know the Zoom chat will be made public. It is archived.

So, like all RIPE meetings, this session is being recorded and will be published.

And finally, please remember to rate all the presentations. If you go to the RIPE IoT page you have a place where you can rate. Sometimes you can win prices.

So if I see we have a large number of attendees. Currently we have, like, 337 attendees. So it is a huge number. I hope all of you also participate to the IoT mailing list and get registered.

So, this is the agenda.

The first point in the agenda is Working Group co‑chair appointment. Jim Reid, who is my co‑chair, helped to do the Working Group. He has put a lot of effort and now he is stepping down and wants to have new things, so he will be explaining it in the coming slide.

Then we have two presentations, one from Marco Hogewoning, giving us the NCC IoT update. Then we have Stacie Hoffman from Oxford Labs, Information Labs, who will give us a presentation on how to prepare the SMEs for IoT security standards and regulars.

Is there anyone who would like to change or modify or update the agenda?

I see no feedback. We will approve the agenda. Then we have the RIPE 79 minutes. It has been duly returned, and thanks to Marco again, and it has been sent to the mailing list, reviewed and updated in the length that we have seen the slide. So, if there is any ‑‑ can we approve the RIPE 79 minutes? I'll give you just 30 seconds, if you have anything, please use the Q&A window.

Also, I also add that, in RIPE 79, there was a group of volunteers that has been formed to start working on an outline document on RIPE scope for proactively mitigating IoT attacks. The group has started working. There is a draft Google document, which is forming up, and the group is meeting tomorrow to discuss further. We will be updating it in the mailing list, so that is just additional information.

So, Jim, please, about the Working Group co‑chair appointment.

JIM REID: Thank you very much, Sandoche. Good afternoon, morning or evening, wherever you happen to be, everybody.

When I took up the job of helping to get this Working Group started, I immediately declared I wasn't intending to stick around as co‑chair for any length of time, and amongst many things we had to do was figure out an appointment process and last year we ran that process for the first time and that's how Sandoche was chosen to be one of the co‑chairs, and I made it clear again at the meeting last year that I would be standing down this time round to make way for fresh faces and find a new approach to things.

So, the good news is we got two excellent candidates come forward, Constanze Dietrich and Peter Steinhaeuser, who are well known to everybody.

The not so good news is that the Working Group is split down the middle as to who should be the new co‑chair. So, TTL support for both candidates is pretty much equal, depending on how you want to measure it, but the reaction is there is no clear consensus inside the Working Group just now to favour Constanze over Peter, or vice versa. By definition, that means we don't have consensus, which means that Sandoche and myself can't make a consensus determination because of the fact that the Working Group's deliberations so far have not reached a conclusion. Well they have reached a conclusion, but the conclusion is they haven't been able to decide.

So, under the appointed process procedure we have got in place is that in these kind of exceptional circumstances where the appointment process doesn't have a way of solving an issue that may arise, it's down to the RIPE Chairman to make a decision about what happens next.

So, in this case, our beloved leader Hans Petter Holen has to make a decision between choosing between Constanze and Peter.

Now we have had discussion around this because we could potentially allow the appointment process to run on a little bit longer. But I doubt that's going to change the current view of the Working Group. We have asked people to submit expresses of support, we reminded people about that. It's not had any impact so I don't think by extending things we're going to see more people stepping up saying why they prefer one candidate over the other.

Another consideration that I think with he would like to get a new appointment, a new co‑chair in place as soon as possible, and it would be appropriate to announce it here and then also confirm that appointment in the Closing Plenary of the RIPE meeting tomorrow as well.

Another consideration that if we were to try and extend things, which I think another reason why we won't do that, as you know Hans Petter is going to be stepping down as the RIPE Chairman fairly soon, it would not be nice to have the new incumbent RIPE Chairman, whoever he or she may be, be left with this decision to make. It's probably better that someone is familiar with the personalities and the dynamics and the history of the situation, makes that decision.

And the fact I think it would have put Hans Petter on the spot because I think he is in the chat, and I wonder does he want to say anything about it now? Okay, I have just read in the chat, he will review the candidates and the discussion on the mailing list and he will announce his decision in the Closing Plenary. So the decision will not be made now but tomorrow in that Plenary.

Thank you very much to Hans Petter and obviously thank you very much to Constanze and Peter for standing and I'm sure either of them will do a great job once they are in post.

Are there any other questions on this topic.

With that, I think we can move on to the next item of business. And I will put myself on mute.

SANDOCHE BALAKRICHENAN: Thank you, Jim. Maybe now it is Marco. Marco will give the NCC IoT update, so, Marco, you can share the ‑‑

JIM REID: Sorry, can I just interrupt. There is just been a question from Benedikt Stockebrand saying other Working Groups have three chairs, why can't IoT?

There was a lot of discussion on mailing list in the last week or so and both the view of Sandoche and myself is the workload is not great enough to justify adding a third co‑chair. But, of course, if the Working Group decides to do that, we can change the appointment process and then extend it. The way it's written now, it's two chairs, two co‑chairs serving staggered two‑year terms. So if you want to exchange that, we can change the process but that will be the mechanism that we need to follow. Update the appointment process, but at the moment, my judgement is it's not necessary. I think Sandoche will agree with that. If the Working Group feels it's appropriate or the new co‑chair feels it's appropriate we can certainly consider that. Have two back‑ups rather than one, it's just an idea.

SANDOCHE BALAKRICHENAN: I do agree with Jim here, yeah.

JIM REID: I don't think anyone has got any more to say at this point. So back to what we were supposed to be doing.


MARCO HOGEWONING: Okay. I share my screen then. Thank you, Jim, for boot‑strapping. The IoT Working Group people might still remember that I was part of the cabal that started this IoT Working Group in the first place so I very much thank you for stepping up originally and helping to get this Working Group off the ground.

So, yes, thank you, welcome everybody. My name is Marco, I work for the RIPE NCC as external relations department. As I said, I have been involved with the IoT Working Group from the early days on, and meanwhile ‑‑ well, do other things, and as part of my job I also try to keep track of what's happening in the policy space, so Jim asked me to give a brief update, I reached out for some of the policy topics that we have been tracking and selected one or two that I think are important for the IoT Working Group to take note of and probably track and consider whether they have impact on what you're doing.

As I said, I only have a little time. My colleague Suzanne, yesterday published a large article on RIPE Labs about all kinds of EU legislation and one of the things she mentioned there was the ePrivacy directive, which is currently under review. The process is taking much longer than the commission originally anticipated. But it's still being discussed, so we don't know where it's going to end up in, still people say like, hopefully, by the end of the year there is some agreement on a new thing.

EPrivacy directive itself is not new. It's been existing. You might not have heard of it but its most, sort of, well‑known outcome was this was the directive that introduced the cookie consent. So whenever you get one of those pop‑ups, this was the EU privacy directive.

Meanwhile, GDPR has come along and one of the aims for the commission was to review this directive in light of GDPR, bring them better into line. What we expect and information that we have is part of the ePrivacy directive it will probably also take a bit more definitions on what is considered privacy data and that might not end with just sort of what we normally consider PII. So, in that sense, if you are collecting data for your IoT application or you are processing data, this might be relevant to you.

The other big pillar that I sort of said like this should take into account is what's known as trustworthy communications, which is a bit of a big umbrella. But it looks at encryption, but also takes a step into, like, okay where is data going? What's happening with it, sort of, when it is in transit? So, in that sense, maybe see it a bit in light of GDPR defining processors, etc., that sort of take a bit of a view of what's the journey of the data across the network. And again, this is probably, if you are working on IoT solutions, something you have to take into account.

As I said, it's still being negotiated. So we don't have a lot of detail yet, but it's probably well worth having a look at what's currently out there in legislative text and also have a chat with your compliance people in your company to see what they think and how that might affect what you're building and what you're doing.

Jumping ahead a bit on sort of same topic and that's something that we see in a lot of fora. The OECD has been talking about it. We have heard it in commission, we have seen it always, for instance, in the Council of Europe, is kind of the data mobility and ownership. Who owns the data? If your IoT device uploads data, if an AI starts learning from the data, who is the owner of those additions? But also what happens if you change server providers? Can you take your data with it or, ultimately, can you actually take the behaviour that an AI has determined and sort of upload that into a new service provider or does it have to learn everything it knows about you from scratch again?

Of course, this is a main policy item, is having consumer choices and have an open market. So you can quickly see that this is really important thing for a lot of politicians to have that, and, of course, if we, as an industry, fail, then likely it's something that the politicians will step up their game.

JIM REID: Sorry, there is a question in the Q&A from Luna, no affiliation, asking:

"Would your voice use for Google Assistant, Syria and Alexa be searched and be considered as personally identifying information in the future?"

MARCO HOGEWONING: I don't know. That's a good question. Yeah, as I said, this directive aims to look a bit deeper into detail, come up with definitions, I must say I'm not very deep into the specific details, I have to look up the text as well to see what's going on, so maybe there is something we can take back to the mailing list and see what other people think and what they make of the text. I'm not a lawyer either, so in that sense I also sometimes rely on our legal team to figure out what's what.

JIM REID: Just another thing. I remember from a previous conversation that involved one or two lawyers, is that the term PII, personal identifying information, is an American legal term and the preferred expression inside TTL European region is personal data. So just bear that in mind for the future for everybody.

MARCO HOGEWONING: Yeah, true. Like I said, a lot of people think like GDPR stops with your name and your birthday, and that kind of thing and it is much broader and the European view is much broader, because even your electricity usage says something about your behaviour and what you are doing and not doing and when you are doing that. So, yes, that's why ePrivacy is such a big thing. It will probably cover all aspects of our digital life.

So, and.I am reaching the end of my allotted time. So, in terms of data mobility, as I said, it's a big policy topic. From what we see a lot of the policy level is currently a bit held back and say okay, let's wait and see where the industry stakes us, but that means is also flows over into a lot of standardisation work, even if IETF where you see young data models POP up, but we have seen it, we know it's a topic in ITU. So this again is something, pay attention to but also consider that you actually have to do this, because again, as I said, this is something that is cause for concern, and sooner or later somebody will probably step up and move in and say well like okay, sorry, if you as an industry, can't agree on this, then let us make the decision for you.

So again, something ‑‑ take it back home, look at what you are doing and consider how open your model really is and whether you can sort of use existing standards to make sure that the consumer has a bit of freedom and can move his or her data around amongst us as service providers.

That's it. You only gave me five minutes. I know this is a short session, but as I said, happy to take further things on the mailing list and you can, of course, always mail me or ping me online and we can find time to have a chat. Are there any more questions?

JIM REID: It's not in the Q&A but I have one, taking off my Working Group Chair hat is what's been happening at the ITU? You were very active there and it was very good at giving us updates on various bits of ITU activity with IoT. Has there been anything happening recently or since the last time the Working Group met or has it gone quiet there?

MARCO HOGEWONING: How much time do you have? We are currently mainly focused on, which is less of an IoT thing, of course, that's the new IP proposal and the work going forward on like what does the future network like look, which has a large IoT component.

As far as study group 20 is concerned, is that your question, yes, we do still track the work. There are some interesting things happening there, like I said also in terms of data portability. I just read a draft about, for instance, how sort of incident and accident reporting that's still something that ITU is trying to standardise, despite the US and the EU and even some Asian countries already having their own standards, so there is a bit of duplication.

There is also some work started that might be worth looking into is a couple of Chinese telecom providers and service providers looking into a massive block chain based authorisation and authentication schema that they also propose is something the IoT needs where we, in earlier conversations, questioned whether it is really a solution and whether there is a problem that needs a solution in the first place. So, yes, lots of stuff still happening. Also, a lot of stuff where ‑‑ maybe others can speak to that as well ‑‑ where we see like it's a nice solution but consider the privacy aspects here, because we have seen several solutions that just say like, yeah, just toss everything in a big database and then we're sorted and that might not be the best way forward if you take legislative things into consideration.

JIM REID: Thank you, Marco.

SANDOCHE BALAKRICHENAN: If we don't have any questions, next is Stacie Hoffman. She will be presenting about how to prepare the SMEs for the IoT standards.

STACIE HOFFMAN: Thank you so much for having me. I see some friendly faces here. Hi, Marco and Jim.

I am here to talk about a project that I am working with on ‑‑ I'm working with the IoT security foundation, and I am going to talk for just a few minutes, not in the whole five minutes, because I do want to take questions, if there are any at the end. Basically this project has two components. One is called step for security training and education programme. And then the other is called vulnerable things, which is focused on vulnerability disclosure and this project came out of the ‑‑ an idea we had about the UK code of practice for consumer IoT security, which is why it's up here on the board. We really want to help people adopt these good practices that are being developed and published by governments that are being included in new standards and that are going to inform regulation in the very near future.

So, really, what we want to do is, we are developing guidance documents to aid adoption of these best practices and we're looking at the top three best practices that are included in the UK code of practice, which are secure updates, no universal passwords, and then the coordinated vulnerability disclosure, and what we want to do is, we are specifically looking at resource‑constrained companies, so SMEs or start‑up companies that don't traditionally work in the connected spaces who might need some help in the security area and we want to help them, not only implement the guidance, but then comply with future regulation and point them to standards that will help them do that.

So, although this came out of what's happening in the UK, it is intended to be globally applicable. So we have looked at things like the new ETSI, well soon to be an EN standard on cyber security for IoT. And this is focused in the consumer space because this is where most of these standards and guidance are being elaborated first, so consumer IoT specifically. But looking at what's happening in Europe, what's happened in California with the Senate bill, Australia has also put out guidance, so we really would like it to be broadly applicable across the world for people to use this in some good ways forward.

In terms of what we're actually developing, we are making some info graphics and we're going to have an interactive webinar as well. The info graphics are in the very end stages of their design stage at the moment. I was hoping I could share is some with you but they are not quite ready yet. And those will be free at the point of access. We are not charging for these materials. They are meant to be really accessible.

The interactive webinars are going to start in the summer and they'll go probably through the autumn, we'll have a series on each of the three top code of practices, and so in those are intended to be free as well, and again, aimed at that international audience.

Then we have what we call vulnerable things. And this is an online service that we have developed and it is a lightweight coordinator for vulnerability disclosure and recording. What that means is, it's a platform that's free for anyone to come and report a vulnerability. It's intended to be really accessible. So, you know, if myself or if my mother would like to report something that's gone wrong with their IoT device, they can go on and they know how to use a platform, they can follow a bouncing ball. It's not something that's directed just at, you know, somebody that has a computer science degree or is a white hacker.

So, we really are just helping the companies who are the customers of the services, shows SMEs that can buy into our platform and can basically have somewhere that somebody can report the vulnerabilities directly to them and some help in terms of managing how to respond to that vulnerability and then eventually ending up in a coordinating disclosure also available through the platform itself.

So, we are looking in vulnerable things to really kind of help not only give ‑‑ the guidance gives information on vulnerability disclosure, but the platform is actually meant to work as a way for people to comply with that requirement and to actually take action on that area.

So, that is my few minutes' spiel about what we're doing. I'm really happy for any questions at this point or clarifications on what we're doing.

SANDOCHE BALAKRICHENAN: Thank you, Stacie. We do have one or two minutes for questions. If you have any, please put them in the Q&A.

STACIE HOFFMAN: In the meantime ‑‑ oh, go ahead.

JIM REID: Question from Paul Rendek:

"How will you actually reach these SMEs, the small and medium enterprises?"

STACIE HOFFMAN: We're going to have a marketing campaign. The materials should be ready to roll out both the platform and the guidance materials, ready to roll out by July of this year, so we're in the very final stages. We're going to have a marketing strategy that's going to do this. We're working with a marketing company. We have also got our network members at the IoT security foundation, some of which work specifically with SMEs, and we also have some connections with innovation centres and things like that that we'll be reaching out to and trying to push this information their way.

If you have any ideas or any, you know, networks that we could maybe kind of plug into when this comes time to roll this out and let them know that there is resources there, we're definitely open to that.

JIM REID: Thank you, Stacie. Another question here from Blake Willis from iBrowse:

"Have you any thoughts about having any well known "conformed to" logos, like those CE symbols and stamps that go on various bits and pieces of electronic equipment? You might remember the good old days when we had digital‑ready TVs as part of the digital TV transition. Have you anything like that as part of the this project?

STACIE HOFFMAN: That's not part of this project in particular, although the IoT security foundation does have another work stream that it's developed an IoT security compliance framework that builds off of its best practice guidance, and I know that there is a stream of work that's looking at how that can feed into the discussions around some kind of a marker that goes on products and what that would look like and using that in the kind of the compliance process. So, unfortunately I'm not working on that in particular. This is really just about getting information to the SMEs and the startups, that they can use, you know, right now before they have to comply with something.

JIM REID: Okay. Just another comment here ‑‑ two more comments.

Paul Rendek: It's a question ‑‑ "Could you send some linking about this to the IoT Working Group once these materials are available?"

STACIE HOFFMAN: Yes, very happy to share it.

JIM REID: Peter Steinhaeuser: "How will the vulnerability information be used?" What's your plans for that?

STACIE HOFFMAN: So, the report itself? How will that information be used.

JIM REID: The vulnerability information that you get reports on or that you find out about. Given that we're up against the half‑hour deadline now.

STACIE HOFFMAN: The platform is really meant to be a way to report a vulnerability to a company and then for them to communicate with the reporter. So that they can resolve that vulnerability. So, in the beginning, we don't have any plans on using that information outside the platform with the exception of getting some you know raw data of we have had X number of vulnerabilities reported and then X number of coordinated vulnerabilities disclosures published. Those types of data. So we are not planning monetising this data in any way. That's not the point of the platform and we're trying to keep everything very ‑‑ trying to keep the mechanism going so that people can actually engage in a vulnerability disclosure in a more positive manner.

JIM REID: There is another comment here from Vesna about cooperation with RIPE Atlas, but I think I have to park that now because we're out of time and Martin is agitating to get his Working Group session started so I think it's time for the IoT Working Group to shut up and get out of the way. Back to Sandoche.

SANDOCHE BALAKRICHENAN: Thank you, Jim. So we have completed the 30 minutes time. So I would like to thank RIPE for giving us the platform, for the meeting. I would like to give a big thanks to Gerardo Viviers to be the chat monitor and the scribe.

So, I would like to have a big thanks to Jim who has helped us to boot‑strap the IoT Working Group and who has guided me for the last one year. So, without him, it would have been impossible, so I would like to thank him very much and the Working Group would also like to ‑‑ be sure to thank him.

So, if we don't have any other thing, I hope to see you live at Milan in RIPE 81. Thank you all.