Who Owns The Data From The IoT?

Uploaded on 2017-02-15 in NEWS-Cybersecurity News, FREE TO VIEW

With the internet of things becoming critical to many industries and consumers, questions surrounding data ownership are coming with increasing frequency. The answers aren't obvious.

Many organisations are beginning to convey their IoT data to third parties. Often this is motivated by a desire to monetise the data, sometimes for regulatory reporting reasons. These initiatives are bringing the issues of data ownership and licensing to the fore. Interestingly, there is no set schema for determining how ownership is assigned, much less how IoT data can be licensed properly. Here's an overview.

Data Ownership in the Western World

In essence, the owner of machine-generated data (MGD), which covers virtually all of the IoT, is the entity who holds title to the device that recorded the data. In other words, the entity that owns the IoT device also owns the data produced by that device.

However, it's not always clear that whomever has possession of the device and/or its output data actually "owns" it. When real-world constructs such as lease holdings come into play, it indeed gets complex and even murky.

Clinically speaking, data is owned by the titleholder. In this regard, data title is like a deed to real property. MGD may also contain metadata, which is akin to mineral and water rights.

Further, data may be owned by one party and controlled by another. Possession of data does not necessarily equate to title. Possession is control. Title is ownership. Referred to as usage rights, each time data sets are copied, recopied and transmitted, control of the data follows it. Conversely, transfer of ownership requires a legal mechanism to convey title.  

Legal Issues

It turns out that data by itself is not protectable under the American intellectual property regime; however, data title rights are similar to the rights afforded by a copyright.

Data title includes a bundle of usage rights that allow the titleholder to copy, distribute and create derivative works. Data within a database is like the words and images that compose a copyrighted book. The usage rights and title to the book are separable. The author of the novel retains title to the words and pictures that comprise the novel.

The author also owns the ability to authorise a publisher to publish books and distribute them. However, he or she does not control each reader's usage rights of the content once they are accessed by readers.

Similarly, an entity that holds title to data or a database holds the associated data ownership rights. If the data set is copied and transmitted elsewhere, the author relinquishes the usage rights.

The parties to a data transfer contract matter

There are two major classes of parties in this space. The first category includes corporations, data brokers and marketplaces, which exchange data among themselves. This is not typically exposed to tight government regulation.

The second category is composed of consumers who submit data to a vendor in exchange for a product or service. Agreements in the consumer space may be subject to government oversight. The result is that certain industries such as healthcare must comply with a network of statutes and agency rules.

On the other end of the spectrum is the give-and-take approach. Under this approach, the vendor may collect in-depth data from a sensor platform to optimize the user's experience. Here, the contract allows all data to be exchanged in return for incentives such as a curated service or discount. This approach conveys all data usage rights and data title once the end user opts in.

How data rights are being handled in agriculture

The US agriculture industry has embraced the use of sensors and machine-generated data to maximise production, and is also sophisticated in the way it handles data ownership interests.

The bottom line is that the farmer owns the data produced by his or her sensor platforms. Nevertheless, farm equipment manufacturers have developed a system of agreements with a high level of transparency to enable agricultural MGD to flow freely.

The complex world of vehicle-generated Data      

Automobiles are increasingly equipped with connected technologies and sensors that will create an unprecedented explosion in car-generated data. Stakeholders across several sectors from insurance to telecommunications, high tech and beyond, are poised to integrate these new data streams into their business models.

A unique feature of the automotive data market is the importance of consumer trust and sentiment. Consumers perceive all the data flowing from their car to be theirs. The effect is a strong expectation of receiving something in return.

In response to data-conscious users, automobile manufacturers craft their data exchange provisions that use a give-and-take approach. Similar to agribusiness data exchanges, there is an underlying presumption that the MGD captured after a purchase is owned by the entity who bought the car.

Regulators and industry groups agree that the car owner also owns the MGD. Like an insurance policy, the MGD ownership interests follow the car. This means that non-personal machine-generated data is treated differently from personal data, which follow the automobile's occupants.

Energy and the IoT

Consumer smart-grid device deployment is rising. However, there is a cultural barrier to complete data exchange integration. This is because smart grid devices are connected to the home, and users may be hesitant to attach a device that may provide insight into their energy habits and, by way of inference, their lifestyles. It is no accident that firms have implemented data collection practices that take a tiered approach to obtaining a license to data usage rights and then title to end user MGD. As IoT adoption grows, schemas and policies governing data ownership rights and conveyance may become standardised.

No Universal Answer

As evidenced by the preceding, IoT data ownership is a complex issue. As a rule of thumb, whomever holds title to the data producing platform, likely owns the data. 

Different industries and companies take different approaches to regulating the transfer of data control and title. The common denominator is well-crafted contractual language that both protects consumer interests and feeds a growing data ecosystem.

Computerworld:    

The Internet of Things Must Not Be Allowed To Turn Into The Internet of Trouble:

EU General Data Protection: A Milestone Of The Digital Age:

 

 

« Fallout In Russia : One Suspicious Death & Three Cyber Spies Arrested
Fake Microsoft Phishing Scam »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Titania

Titania

Titania provide network security and compliance software. Find your Network Security gaps before hackers do with our security & compliance tools.

SAMATE

SAMATE

The Software Assurance Metrics And Tool Evaluation project is an inter-agency project between the US Department of Homeland Security and NIST.

NextLabs

NextLabs

NextLabs provides data-centric security software to protect business-critical data and applications.

OASIS Open

OASIS Open

OASIS Open is where individuals, organizations, and governments come together to solve some of the world’s biggest technical challenges through the development of open code and open standards.

Applied Risk

Applied Risk

Applied Risk is an established leader in Industrial Control Systems security, focused on critical infrastructure security and combating security breaches that pose a significant threat.

National Center for Manufacturing Sciences (NCMS) - USA

National Center for Manufacturing Sciences (NCMS) - USA

NCMS is a cross-industry technology development consortium, dedicated to improving the competitiveness of the US industrial base. Strategic initiatives include industrial cyber security.

Elliptic

Elliptic

Elliptic solve the crucial problem of identity in cryptocurrencies, with the sole purpose of combating suspicious and criminal activity.

Evanston Technology Partners (ETP)

Evanston Technology Partners (ETP)

ETP provides services and solutions to enable and transform businesses in the areas of cybersecurity, data protection, and efficient operations practices.

American Cybersecurity Institute

American Cybersecurity Institute

American cybersecurity Institute is a newly formed not-for-profit organization dedicated to education, advocacy, study and analysis in the space of cybersecurity law and policy.

Forum Systems

Forum Systems

Forum Systems is a global leader in API Security Management with industry-certified, patented, and proven products deployed in the most rigorous and demanding customer environments.

VLATACOM Institute

VLATACOM Institute

Vlatacom Institute is privately owned accredited research and development institute, system integrator and turn-key solution provider. Areas of expertise include encryption and authentication.

BalkanID

BalkanID

BalkanID is an Identity governance solution that leverages data science to provide visibility into your SaaS & public cloud entitlement sprawl.

WiebeTech

WiebeTech

WiebeTech’s line of digital forensics tools provide innovative and rugged devices for efficient disk imaging and evidence capture.

Otto

Otto

Stop Client-Side Attacks. Plug otto into your application security suite and protect your supply chain.

Siometrix

Siometrix

Siometrix addresses digital identity fraud. It steals your attacker's time and prevents many prevalent attack vectors.

TerraEagle

TerraEagle

Terraeagle is a boutique cyber security services company providing tailor-made solutions. Our core competency is in SOCaaS, MDRaaS & and Incident Response Retainer Services.