Is the world ready for California’s new IoT laws?

Two laws that deal with data privacy and IoT device security will go into effect on Jan. 1, 2020. Fortunately, most people building connected devices are ready for the transition, especially companies with big names and budgets. Also at an advantage are businesses that have had to adapt to the EU’s General Data Protection Regulation (GPDR), which went into effect in May 2018.

The California Consumer Privacy Act (CCPA) is probably the law with the most impact on businesses. Like GDPR, it aims to protect Californian’s consumer data and privacy by demanding that companies inform consumers about the data they, delete an individual’s data upon request, allow Californians to opt out of the sale of their data to third parties, and prohibit companies from charging more for features that protect privacy.

Lesser known is SB-327, which is the IoT Device Security Act (most people simply call it SB-327). This law demands that companies building connected products implement “reasonable security features” on said products. The definition of reasonable is vague, but the law does take into account the device’s function and the type of data it collects when determining how reasonable those security features actually are. The law also calls for devices that connect to the internet to have a unique password and to require that a user generate a new password or method of authentication when they fire up the device for the first time.

Together, the laws are forcing companies that want to sell products in California to assess  — and in some cases — revamp their security policies. Craig Payne, security and privacy officer with IoT platform provider Ayla, says that most of the requirements of the CCPA are already in place thanks to Ayla’s preparations for GDPR.

The biggest challenges when it comes to both CCPA and GDPR compliance originate with the service providers associated with Ayla. For example, text notifications about a product are sent using Twilio, which also has to comply with data privacy rules. With dozens of consumer brands serving Californians on Ayla’s platform, it has a good understanding of how prepared companies are for the law.

Determining if suppliers are compliant and getting everyone involved in building an IoT product to agree on what the rules mean would take time, and may not even be possible. A partner might interpret the law one way while Ayla interprets it a different way. And if the end consumer thinks the company isn’t obeying the laws pertaining to how the data needs to be handled, they could sue and get the court’s interpretation. In other words, it’s fair to say that many companies are going to view compliance as an ongoing process as case law around the laws matures.

Payne isn’t as worried about SB-327 because it’s something Ayla’s customers have to handle on the device side (although he says Ayla is prepared to handle anything needed in the cloud.) However, Jack Ogawa, senior director of embedded security products at Cypress Semiconductor, is less sanguine. He says it’s really unclear how California plans to test for compliance.

At issue is how unique the device password has to be as well as how it needs to be stored on the device. A security purist could argue that the password should be unique to each chip and should be implemented as the chip rolls off the manufacturing line. Additionally, the purist would argue that the device identifier should be stored in a secure enclave on the chip.

But if devices will require a secure enclave on the chip to store password data, that will be a significant change for device makers. “The vast majority of things don’t have a hardware root of trust,” Ogawa says. He adds that an even stricter interpretation of the law might require the device to store its identification in memory on the device as is done on chips destined for credit cards or devices that process payments. That would change the device requirements even more.

If the company must implement a secure password on the secure enclave early on in the manufacturing process, doing so will add even more cost and complexity. “At that point, you’re talking about custom silicon for each device,” he says. That’s an incredibly rigid interpretation, however, and he estimates the best practice would involve flashing a custom-device identifier on each product along with the device firmware right before it leaves the factory. Otherwise, it’s just too expensive.

Most companies making a connected light bulb or similar devices that don’t have access to a lot of sensitive consumer data are betting that a secure enclave would be overkill. But for companies building activity trackers, medical devices, or even smart displays, the data they have access to might push them into a category that needs a more secure password storage plan.

Unfortunately for those who want to know how this turns out, we’ll have to wait until the New Year when we start seeing decisions by California’s attorney general and California judges.