ITU IoT Standards: Gateway to Government Control?
September 20, 2016
A new chapter is unfolding in the ongoing battle for the soul of the Internet. It takes place in the basement rooms of the United Nation’s International Telecommunication Union (ITU), an obscure technical organization that deals mostly with radio spectrum, satellites, and telecommunications. There, authoritarian governments—some with troubling histories of protecting human rights online—are seeking to internationalize how the Internet is governed and to overtake the policy-making power of non-state actors. While press headlines and Congressional hearings continue to focus on the potential changes to ICANN and its impact on the Internet, the real action by these governments has shifted to capturing technical standards development for next-generation networks, including the Internet of Things (IoT). If left unchecked, this new chapter could end with a dramatic change in how the IoT develops, moving further from a free, open, and secure Internet for all.
Today, governments mostly have been sidelined on the issue of Internet standards, which are developed in voluntary, consensus-driven, and open participation forums like the Internet Engineering Task Force (IETF). As the Internet’s global importance has grown over the past decade, however, so too has the interest of some governments for a larger role in the “nuts and bolts” of the Internet. The reason for this is straightforward: decisions about technical standards can have far-reaching economic and social consequences, altering the pace of innovation, constraining the freedom of uses, and even the affecting balance of power between competing businesses or countries.
Governments like Russia, China, and Saudi Arabia that are seeking greater influence in Internet public policy-related issues missed their opportunity with Internet standards. They do not intend to make the same mistake again with next-generation networks such as IoT.
Working through the ITU, some countries are seeking to ensure that a proposal called Digital Object Architecture (DOA) is adopted as the global standard for IoT devices, and that the ITU is the entity authorized to administer the DOA’s Global Handle Registry. DOA provides basic infrastructure for information management that can facilitate interoperability between or among different systems, processes, and other information resources. By assigning a permanent, trackable unique identifier (called a “Handle”) to both data and devices, DOA allows for improved authentication, rights management, and access controls. The ITU is one entity with rights to that intellectual property.
There is nothing nefarious about DOA itself—indeed, it is used in many contexts, such as libraries, and was created by Bob Kahn, the co-inventor of the TCP/IP protocol. Yet, citing concerns about privacy and security, some governments are seeking a “Recommendation” within the ITU’s Standardization Sector (ITU-T) making DOA not just an IoT addressing system, but the sole global IoT addressing system. This squarely would violate long-held principles of technology neutrality in ITU-T Recommendations.
Even more troubling, if adopted, the proposal could give governments a path for restricting the free flow of information across borders. DOA could allow governments to track all devices with a DO identifier communicating within their borders and to deny access to content. As such, the proposal creates geographical boundaries on a previously borderless Internet. And if DO identifiers are used to supersede current identifiers in mobile handsets (IMEIs) as some have suggested, or if device registration is required, such tracking could extend to people as well.
Because the ITU has free access to DOA intellectual property and could become the central registrar for DO identifiers, “universal DO addressing” may give the ITU a path toward controlling naming, numbering and addressing of the new digital communications world. Authoritarian governments that failed to capture ICANN through the IANA transition could attempt an end run around the existing distributed network-of-networks, in favor of DOA addressing centrally controlled at the ITU. Given that only governments can vote at the ITU, this would extinguish the role of the technical community, standards development organizations (“SDOs”), business, and civil society in the future operation, decisions, and direction of the global Internet and put the pace of innovation squarely in the hands of governments.
Currently, DOA proposals are being discussed in the ITU-T’s Study Group 20, which was created in 2015 over the objections of the United States and others to focus on the development of international standards for IoT. However, on October 25 – November 3, the ITU-T will hold its quadrennial meeting, the World Telecommunication Standardization Assembly (WTSA), to define its work program for the next four years. DOA likely will be high on the agenda for countries seeking to expand the ITU’s standardization activities beyond its core telecommunications responsibility into IoT, Internet governance, security, and privacy.
The preparatory process for WTSA already is underway. Over the next few weeks, regional groups including the APT, the Arab States, CEPT, CIS, and CITEL, along with ITU Member States, will submit their proposals for new areas of ITU-T work as well as specific recommendations for approval, modification, or deletion. A number of proposals on IoT already are being discussed. Although formal decision-making at WTSA-16 will be limited to governments, the private sector and others can have a material impact both directly and through their national delegations. U.S. businesses and others also may find it worthwhile to monitor the activities of ITU-T study groups such as SG20—they may effectively set the international regulatory environment for many aspects of the IoT.