The IT Law Wiki
With a trillion sensors embedded in the environment — all connected by computing systems, software, and services — it will be possible to hear the heartbeat of the Earth, impacting human interaction with the globe as profoundly as the Internet has revolutionized communication.
Peter Hartwell
Senior Researcher, HP Labs[1]
In 2008, the U.S. National Intelligence Council warned that the IoT would be a disruptive technology by 2025; six years later, it is clear that this will happen much sooner, if it has not already.[2]


There are numerous definitions for the Internet of Things (ioT), including:

a technological revolution that represents the future of computing and communications, and its development depends on dynamic technical innovation in a number of important fields, from wireless sensors to nanotechnology.[3]
sensors and actuators embedded in physical objects — from roadways to pacemakers — [that] are linked through wired and wireless networks, often using the same Internet Protocol (IP) that connects the Internet.[4]
the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.[5]
"things" (devices) connected through a network to the cloud (datacenter) from which data can be shared and analyzed to create value (solve problems or enable new capabilities). The IoT enables us to connect "things" like phones, appliances, machinery, and cars to the Internet, share and analyze the data generated by these "things," and extract meaningful insights; those insights create new opportunities, help solve problems, and implement solutions in the physical world.[6]
the ability of devices to communicate with each other using embedded sensors that are linked through wired and wireless networks. These devices could include your thermostat, your car, or a pill you swallow so the doctor can monitor the health of your digestive tract. These connected devices use the Internet to transmit, compile, and analyze data.[7]
the ability of everyday objects to connect to the Internet and to send and receive data. It includes, for example, Internet-connected cameras that allow you to post pictures online with a single click; home automation systems that turn on your front porch light when you leave work; and bracelets that share with your friends how far you have biked or run during the day.[8]
a global network infrastructure, linking physical and virtual objects through the exploitation of data capture and communication capabilities. This infrastructure includes existing and evolving Internet and network developments. It will offer specific object-identification, sensor and connection capability as the basis for the development of independent cooperative services and applications. These will be characterised by a high degree of autonomous data capture, event transfer, network connectivity and interoperability.[9]
[t]hings having identities and virtual personalities operating in smart spaces using intelligent interfaces to connect and communicate within social, environmental, and user contexts.[10]
[n]etworks of low-cost sensors and actuators for data collection, monitoring decision-making, and process optimization.[11]
'things' such as devices or sensors — other than computers, smartphones, or tablets — that connect, communicate or transmit information with or between each other through the Internet.[12]
an expansion of the global infrastructure through existing and evolving interoperable information and communication technologies. It incorporates the interconnection of physical and virtual systems to enable new and autonomous capabilities."[13]
[b]asically, connected sensors that can gather data by conducting physical analysis and (if capable) make changes to that physical environment. The Internet of Things is not just one product or even type of product, but rather a catalogue of technologies that are different than traditional information- and data-focused information technology.[14]


Big data and the growing 'Internet of Things' have made it possible to merge the industrial and information economies.[15]

The term "Internet of Things" ("IoT") appears to have been coined by a member of the RFID development community circa 2000,[16] who referred to the possibility of discovering information about a tagged object by browsing an Internet address or database entry that corresponds to a particular RFID. Since that time, visionaries have seized on the phrase "Internet of Things" to refer to the general idea of things, especially everyday objects, that are readable, recognizable, locatable, addressable, and/or controllable via the Internet — whether via RFID, wireless LAN, wide area network, or other means.

The IoT is expected to greatly integrate leading technologies, such as technologies related to advanced machine-to-machine communication, autonomic networking, data mining and decision-making, security and privacy protection and cloud computing, with technologies for advanced sensing and actuation.[17]

The idea is that physical objects can become part of an information network, whereby they can interact with both humans and with each other (also known as machine-to-machine or M2M communication).[18]

"The IoT includes consumer-facing devices, as well as products and services that are not consumer-facing, such as devices designed for businesses to enable automated communications between machines. For example, the term IoT can include the type of Radio Frequency Identification ("RFID") tags that businesses place on products in stores to monitor inventory; sensor networks to monitor electricity use in hotels; and Internet-connected jet engines and drills on oil rigs. Moreover, the 'things' in the IoT generally do not include desktop or laptop computers and their close analogs, such as smartphones and tablets, although these devices are often employed to control or communicate with other 'things.'"[19]

"In other words, the IoT potentially includes huge numbers and kinds of interconnected objects. It is often considered the next major stage in the evolution of cyberspace. Some observers believe it might even lead to a world where cyberspace and human space would seem to effectively merge, with unpredictable but potentially momentous societal and cultural impacts."[20]

"The fundamental characteristics of the IoT are as follows:

"The IoT applications include various kinds of applications, e.g., "intelligent transportation systems", "smart grid", "e-health" or "smart home". The applications can be based on proprietary application platforms, but can also be built upon common service/application support platform(s) providing generic enabling capabilities, such as authentication, device management, charging and accounting."[22]

"The IoT is characterized by four main attributes:

  • Time Scale: Automated systems that operate in the physical world and engage in analysis and action faster than humans can comprehend, participate in, or supervise.
  • Interdependence: Actions and consequences, some unanticipated, that can result from the interactions between systems.
  • Prediction/Learning: Systems that are constantly evolving through experiences and additional data.
  • System Management and Control: Emerging networked technologies that may not conform to older, established models."[23]

Everyday objects include not only everyday electronic devices, and not only products of higher technological development such as vehicles and equipment, but things not ordinarily thought of as electronic at all — such as food, clothing, and shelter; materials, parts, and subassemblies; commodities and luxury items; landmarks, boundaries, and monuments; and all the miscellany of commerce and culture.

Today and increasingly in the future, computing and communications technologies (collectively, information technologies) are found and will be more likely to be found in places where they are essentially invisible to everyday view: in cars, wallets, clothing, refrigerators, keys, cabinets, watches, doorbells, medicine bottles, walls, paint, structural beams, roads, dishwashers, identification cards, telephones, and medical devices (including some embedded in human beings). These devices will be connected — the so-called Internet of Things. Computing will be embedded in myriad places and objects; even today, computing devices are easily transported in pockets or on wrists. Computing devices will be coupled to multiple sensors and actuators. Computing and communications will be seamless, enabling the tight integration of personal, family, and business systems. Sensors, effectors, and computing will be networked together so that they pass relevant information to one another automatically.

In this emerging era of truly pervasive computing, the ubiquitous integration of computing and communications technologies into common everyday objects enhances their usefulness and makes life easier and more convenient. Understanding context, personal information appliances will make appropriate information available on demand, enabling users to be more productive in both their personal and their professional lives. And, as has been true with previous generations of IT, interconnections among all of these now-smart objects and appliances will multiply their usefulness many times over.[24]

Although analysts define the IoT in terms of connected everyday objects, the nature of the connection remains to be determined. A two-way connection by means of the Internet Protocol constitutes the ideal case, but the originators of the IoT concept appear to have emphasized a simpler model of RFID query and response. The IoT will be inextricable from sensor networks that monitor things but do not control things. Both connected everyday objects and sensor networks will leverage a common set of technological advances toward miniature, power-efficient sensing, processing, and wireless communication. Analysts commonly describe two distinct modes of communication in the Internet of Things: thing-to-person and thing-to-thing communication.

"Two features makes objects part of the IoT — a unique identifier and Internet connectivity. Such "smart" objects each have a unique Internet Protocol (IP) address to identify the object sending and receiving information. Smart objects can form systems that communicate among themselves, usually in concert with computers, allowing automated and remote control of many independent processes and potentially transforming them into integrated systems."[25]

Individuals, businesses, and governments are unprepared for a possible future when Internet nodes reside in such everyday things as food packages, furniture, paper documents, and more. Today's developments point to future opportunities and risks that will arise when people can remotely control, locate, and monitor everyday things. Popular demand combined with technology advances could drive widespread diffusion of an IoT that could, like the present Internet, contribute invaluably to the economy. But to the extent that everyday objects become information security risks, the IoT could distribute those risks far more widely than the Internet has to date.

In 2010, for the first time, the number of "things" connected to the Internet surpassed the number of people.[26]

By 2015, there will be 25 billion autonomous Internet-connected devices with sources estimating 35B-50B such devices by 2020.

"Some estimate that by 2020, 90% of consumer cars will have an Internet connection, up from less than 10 percent in 2013."[27]

The IoT will likely create whole new classes of devices that connect to broadband, and has the potential to generate fundamentally different requirements on the fixed and mobile networks: they will require more IP addresses, will create new traffic patterns possibly demanding changes in Internet routing algorithms, and potentially drive demand for more spectrum for wireless communications.

How it works[]

While IoT devices serve a wide array of purposes, they all consist of three common components: hardware, network connectivity (referred to as "network"), and software. These components, and some examples of each, are shown in figure 2 and discussed below.

The Internet of Things consists of two foundational concepts:



The hardware used in IoT devices consists of the embedded componentssensors, actuators, and processors, among others. Sensors collect information about the IoT devices' environment, such as temperatures or changes in motion. Actuators perform physical actions, such as unlocking a door. Processors serve as the "brains" of IoT devices, supporting the computing platform for the network and software components and interfacing with the sensors and actuators.


The network component of an IoT device connects it to other devices and to network-accessible computer systems. Different IoT devices can connect via different digital communications methods, including wired or wireless methods. Wired devices typically connect to a network through an Ethernet connection via copper or fiber-optic cable. Wireless devices typically connect via the radio frequency spectrum. Bluetooth and Wi-Fi are commonly used short-range wireless connections, while cellular is used for long range wireless connections. Wireless communications allow devices to remain connected to a network while mobile. Depending on the communication needs — such as transmission range, data transmission rate, and power — one or more network communications technologies can be incorporated into IoT devices.

Different types of networks operate over different ranges. For example, IoT devices can use a personal area network (PAN) to transmit data over a distance of about 10 meters (e.g., Bluetooth inside a room), a local area network to transmit data over an area of about 100 meters (e.g., Wi-Fi within a house), and a wide area network to transmit data over an even wider area, encompassing buildings or cities (e.g., cellular transmission). In addition to range needed, IoT devices may use different networks based on other factors such as available power.

IoT devices can be uniquely identified on their networks by being assigned "addresses." If an IoT device connects via the Internet, the Internet Protocol Version 4 (IPv4) can be used. IPv4 provides approximately 4.3 billion unique Internet Protocol (IP) addresses, and is currently the most commonly used addressing system for the Internet. However, as the number of devices connecting to the Internet has grown with computer systems and IoT devices, all of the available addresses in the IPv4 scheme have been assigned. Some Internet users are transitioning to Internet Protocol Version 6 (IPv6), which provides approximately 340 trillion trillion trillion (3.4x1038) unique IP addresses. The IPv6 has superior scalability and identifiability features compared to IPv4 and allows each devicewired or wireless — to have a unique IP address independent of its current point of attachment to the Internet. Since the number of IoT devices is projected to continue growing, IPv6 can address the need for more IP addresses to facilitate unique identification. However, challenges associated with several aspects of IPv6 adoption, including security management, implementation in current business applications, interfaces with business partners that are not IPv6 enabled, maintaining dual IPv6 and IPv4 environments, and the adoption of new standards, have delayed the transition from IPv4 to IPv6.


Software in IoT devices performs a range of functions, from basic operations to complex analyses of collected data. For example, software of one IoT device may translate data from one format to another. Other software might analyze data to monitor the functionality of complex machines. Software for jet engines, for example, could collect the measurements from an engine's sensors and determine whether the engines require maintenance.

The software component may also include data analytics to find patterns, correlations, or outliers, among other information, in the collected data. Such information can inform users or determine and convey an action the IoT device needs to make. For example, IoT-enabled thermostats can use sensors to collect information about when consumers change the temperature in their homes, and then use software to perform data analytics to automate the temperature change so that it mimics consumer usage patterns.

Although some software can be deployed within the IoT device itself, software performing complex data analysis is typically performed using cloud computing (also known as the cloud). Cloud computing applications are network-based and scalable. The cloud infrastructure may include servers, networks, and software. For the IoT, this means computing power does not have to physically reside on the device, or even at the same location as the device, allowing for devices to be placed in areas too remote or small to power and house a conventional computer.


"The power and disruptive promise of the IoT is the exponential scale of its data. As the number of devices capable of internet connectivity increase, and as IoT device manufacturing, connectivity and data costs are reduced, there is an unprecedented scalability of IoT solutions. However, the proliferation of data collection, storage and transmission and use from the IoT also raises increased concern about privacy and security risks, as well as consumer confidence around the IoT design process."[28]

Enablers of IoT[]

"A number of significant technology changes have come together to enable the rise of the IoT. These include the following.

Technical limitations[]

Prominent technical limitations that may affect the growth and use of the IoT include a lack of new Internet addresses under the most widely used protocol, the availability of high-speed access, wireless communications, and lack of consensus on technical standards.

Internet addresses[]

A potential barrier to the development of IoT is the technical limitations of the version of the Internet Protocol (IP) that is used most widely. Internet Protocol Version 4 (IPv4) is currently in widest use. It can accommodate about four billion IP addresses, and it is close to saturation, with few new addresses available in many parts of the world.

Some observers predict that Internet traffic will grow faster for IoT objects than any other kind of device over the next five years, with more than 25 billion IoT objects in use by 2020, and perhaps 50 billion devices altogether.

Internet Protocol version 6 (IPv6) allows for a huge increase in the number IP addresses. IPv6 will accommodate over 1038 addresses — more than a trillion trillion per person. It is highly likely that to accommodate the anticipated growth in the numbers of Internet-connected objects, IPv6 will have to be implemented broadly. It has been available since 1999 but was not formally launched until 2012. In most countries, fewer than 10% of IP addresses were in IPv6 as of September 2015.

Efforts to transition federal systems to IPv6 began more than a decade ago. Adoption varies substantially among agencies, and some data suggest that federal adoption plateaued in 2012.

High-speed Internet[]

Use and growth of the IoT can also be limited by the availability of access to high-speed Internet and advanced telecommunications services, commonly known as broadband, on which it depends. While many urban and suburban areas have access, that is not the case for many rural areas, for which private-sector iSPs may not find establishment of the required infrastructure profitable, and government programs may be limited.

Wireless communications[]

Many observers believe that issues relating to access to the electromagnetic spectrum will need to be resolved to ensure the functionality and interoperability of IoT devices. Access to spectrum, both licensed spectrum and unlicensed spectrum, is essential for devices and objects to communicate wirelessly. IoT devices are being developed and deployed for new purposes and industries, and some argue that the current framework for spectrum allocation may not serve these new industries well.


Currently, there is no single universally recognized set of technical standards for the IoT, especially with respect to communications, or even a commonly accepted definition among the various organizations that have produced IoT standards or related documents. Many observers agree that a common set of standards will be essential for interoperability and scalability of devices and systems. However, others have expressed pessimism that a universal standard is feasible or even desirable, given the diversity of objects that the IoT potentially encompasses. Several different sets of de facto standards have been in development, and some observers do not expect formal standards to appear before 2017. Whether conflicts between standards will affect growth of the sector is not clear.

Other technical issues[]

Several other technical issues might impact the development and adoption of IoT. For example, if an object's software cannot be readily updated in a secure manner, that could affect both function and security.

Energy consumption can also be an issue. IoT objects need energy for sensing, processing, and communicating information. If objects isolated from the electric grid must rely on batteries, replacement can be a problem, even if energy consumption is highly efficient. That is especially the case for applications using large numbers of objects or placements that are difficult to access. Therefore, alternative approaches such as energy harvesting, whether from solar or other sources, are being developed.

"Interoperability between IoT systems is critically important to capturing maximum value. . . ."[29] "On average, interoperability is necessary to create 40 percent of the potential value that can be generated by the Internet of Things in various settings."[30]

Security risks[]

The IoT presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. Companies might use this data to make credit, insurance, and employment decisions. Perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption.

There appeared to be widespread agreement that companies developing IoT products should implement reasonable security. Of course, what constitutes reasonable security for a given device will depend on a number of factors, including the amount and sensitivity of data collected and the costs of remedying the security vulnerabilities.

These potential risks are exacerbated by the fact that securing connected IoT devices may be more challenging than securing a home computer, for two main reasons. First, companies entering the IoT market may not have experience in dealing with security issues. Second, although some IoT devices are highly sophisticated, many others may be inexpensive and essentially disposable. In those cases, if a vulnerability were discovered after manufacture, it may be difficult or impossible to update the software or apply a patch.

And if an update is available, many consumers may never hear about it. Relatedly, many companies — particularly those developing low-end devices — may lack economic incentives to provide ongoing support or software security updates at all, leaving consumers with unsupported or vulnerable devices shortly after purchase.

So what should companies do?

  • Second, with respect to personnel practices, companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.

Privacy risks[]

There are many types of privacy risks flowing from the Internet of Things. Some of these risks involve the direct collection of sensitive personal information, such as precise geolocation, financial account numbers, or health informationrisks already presented by traditional Internet and mobile commerce. Others arise from the collection of personal information, habits, locations, and physical conditions over time, which may allow an entity that has not directly collected sensitive information to infer it.

The sheer volume of data that even a small number of devices can generate is stunning. "[R]esearchers are beginning to show that existing smartphone sensors can be used to infer a user's mood; stress levels; personality type; bipolar disorder; demographics (e.g., gender, marital status, job status, age); smoking habits; overall well-being; progression of Parkinson's disease; sleep patterns; happiness; levels of exercise; and types of physical activity or movement.” Such inferences could be used to provide beneficial services to consumers, but also could be misused. Relatedly, IoT enables the collection of "sensitive behavior patterns, which could be used in unauthorized ways or by unauthorized individuals.”

There are also general privacy risks associated with these granular information-collection practices, including the concern that the trend towards abundant collection of data creates a "non-targeted dragnet collection from devices in the environment." Others noted that companies might use this data to make credit, insurance, and employment decisions. For example, customers of some insurance companies currently may opt into programs that enable the insurer to collect data on aspects of their driving habits — such as the number of "hard brakes," the number of miles driven, and the amount of time spent driving between midnight and 4 a.m. — to help set the insurance rate. Use of data for credit, insurance, and employment decisions could bring benefits — e.g., enabling safer drivers to reduce their rates for car insurance or expanding consumers' access to credit — but such uses could be problematic if they occurred without consumers' knowledge or consent, or without ensuring accuracy of the data.

Although a consumer may today use a fitness tracker solely for wellness-related purposes, the data gathered by the device could be used in the future to price health or life insurance or to infer the user's suitability for credit or employment (e.g., a conscientious exerciser is a good credit risk or will make a good employee). It would be of particular concern if this type of decision-making were to systematically bias companies against certain groups that do not or cannot engage in the favorable conduct as much as others or lead to discriminatory practices against protected classes.

The Fair Credit Reporting Act ("FCRA") imposes certain limits on the use of consumer data to make determinations about credit, insurance, or employment, or for similar purposes. The FCRA imposes an array of obligations on entities that qualify as consumer reporting agencies, such as employing reasonable procedures to ensure maximum possible accuracy of data and giving consumers access to their information. However, the FCRA excludes most "first parties" that collect consumer information; thus, it would not generally cover IoT device manufacturers that do their own in-house analytics. Nor would the FCRA cover companies that collect data directly from consumers' connected devices and use the data to make in-house credit, insurance, or other eligibility decisions — something that could become increasingly common as the IoT develops. For example, an insurance company may offer consumers the option to submit data from a wearable fitness tracker, in exchange for the prospect of lowering their health insurance premium. The FCRA's provisions, such as those requiring the ability to access the information and correct errors, may not apply in such circumstances.

Yet another privacy risk is that a manufacturer or an intruder could "eavesdrop" remotely, intruding into an otherwise private space. Companies are already examining how IoT data can provide a window into the previously private home. Indeed, by intercepting and analyzing unencrypted data transmitted from a smart meter device, researchers in Germany were able to determine what television show an individual was watching. Security vulnerabilities in camera-equipped devices have also raised the specter of spying in the home.

Finally, some participants pointed out that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential and may result in less widespread adoption.

With respect to government data collection, the U.S. Supreme Court has been reticent about making broad pronouncements concerning society's expectations of privacy under the Fourth Amendment of the U.S. Constitution while new technologies are in flux, as reflected in opinions over the last five years.[31] Congress may also update certain laws, such as the Electronic Communications Privacy Act of 1986, given the ways that privacy expectations of the public are evolving in response to IoT and other new technologies. IoT applications may also create challenges for interpretation of other laws relating to privacy, such as the Health Insurance Portability and Accountability Act of 1996 and various state laws, as well as established practices such as those arising from norms such as the Fair Information Practice Principles.[32]

Additional risks[]

In addition to security and privacy, several other issues may affect the continued development and implementation of the IoT, Including:

Intellectual property rights[]

"A common understanding of ownership rights to data produced by various connected devices will be required to unlock the full potential of IoT. Who has what rights to the data from a sensor manufactured by one company and part of a solution deployed by another in a setting owned by a third party will have to be clarified."[33]

Government regulation[]

"There is no single federal agency that has overall responsibility for the IoT. Agencies may find IoT applications useful in helping them fulfill their missions. Each is responsible for the functioning and security of its own IoT, although some technologies, such as drones, may fall under the jurisdiction of other agencies as well."[34]

"There is no single federal agency that has overall responsibility for the IoT. Agencies may find IoT applications useful in helping them fulfill their missions. Each is responsible for the functioning and security of its own IoT, although some technologies, such as drones, may fall under the jurisdiction of other agencies as well."[35]

Potential impacts of the Internet of Things on U.S. national power[]

If the United States executes wisely, the IoT could work to the long-term advantage of the domestic economy and to the U.S. military. Streamlining — or revolutionizing — supply chains and logistics could slash costs, increase efficiencies, and reduce dependence on human labor. Ability to fuse sensor data from many distributed objects could deter crime and asymmetric warfare. Ubiquitous positioning technology could locate missing and stolen goods.

On the other hand, the U.S. may be unable to deny access to networks of sensors and remotely-controlled objects by enemies of the United States, criminals, and mischief makers. Foreign manufacturers could become both the single-source and single-point-of-failure for mission-critical Internet-enabled things. Manufacturers could also become vectors for delivering everyday objects containing malicious software that causes havoc in everyday life. An open market for aggregated sensor data could serve the interests of commerce and security no less than it helps criminals and spies identify vulnerable targets. Thus, massively parallel sensor fusion may undermine social cohesion if it proves to be fundamentally incompatible with Fourth Amendment guarantees against unreasonable search. By 2025, social critics may even charge that Asia's dominance of the manufacturing of things — and the objects that make up the Internet of Things — has funded the remilitarization of Asia, fueled simmering intra-Asian rivalries, and reduced U.S. influence over the course of geopolitical events.

Future scenarios and potential impacts on the United States[]

When considering the spectrum of possibilities for the state of the IoT in 2025, the key uncertainties span a number of unresolved issues that fall along two major axes:

  • The timing of developments (slow versus fast)
  • The depth of penetration (niches versus ubiquity).

In terms of timing, just as the Internet and mobile telephony grew rapidly after their incubation periods, the IoT could emerge relatively rapidly if, on balance, the preponderance of conditions yields favorable policies, technological progress, and business collaboration. Or the IoT could arise more slowly if, on balance, conditions are less favorable in these dimensions.

In terms of depth of penetration, just as the Internet and mobile telephony penetrated deeply into the fabric of developed nations, the IoT could pervade everyday life if, on balance, the preponderance of conditions yields an enthusiastic public that uses its pocketbook to express strong market demand. Alternatively, if those demand signals do not materialize — for example if the public perceives costs, disadvantages, and risks that outweigh perceived benefits — then the IoT may remain limited to industrial, commercial, and government niches. Yet even those niches could include benefits and harms that would significantly affect the United States.

On the basis of these two axes of uncertainty, four scenarios highlight the spectrum of possibilities for how the future could play out until 2025. Whether fast and widespread, or slow and niche-driven, the emergence of the IoT has the potential to affect U.S. interests. We focus on the opportunities and threats that the two extreme scenarios present to the United States: Important risks and advantages will arise even in the "Connected Niches" scenario, which represents moderately-paced opportunistic developments of IoT technology. At the other extreme, "Ambient Interaction" highlights the implications of a rapid and deep penetration of information-communications technology into everyday objects — a scenario that is sufficiently plausible that its dramatic risks and advantages deserve consideration. We also describe briefly "Fast Burn" and "Slowly But Surely," which represent the middle ground among the four scenarios.

Scenario 1: Fast burn[]

In "Fast Burn" the IoT develops rapidly but in a limited fashion, and fails to sustain its momentum. Although impacts become quite significant in particular application areas (industrial automation, health care, and security), the IoT doesn't fulfill the promise of becoming pervasive (and thus is of limited importance to everyday lifestyles, business operations, and the conduct of government). Ubiquitous positioning technology never materializes as military concerns about the risks of terrorists gaining access to improved geopositioning combine with inadequate local government funding for emergency service positioning. In this scenario, IoT technology confers similar risks and benefits to U.S. interests to those experienced in "Connected Niches," but neither the risks nor the benefits to U.S. interests inherent in "Ambient Interaction."

Scenario 2: Slowly but surely[]

In "Slowly But Surely" the IoT becomes pervasive, but not until 2035 or so. Outcomes are somewhat similar to those of "Ambient Interaction," but there are substantial differences. The relatively slow development of the technology gives businesses and governments time to assimilate developments, allaying the most disruptive risks. Many risks remain, but the sheer complexity of technology in 2035 makes the IoT less accessible to hacking by mischief makers. Nevertheless, the most motivated malefactors and enemies of the United States can exploit the IoT in ways that are similar to those experienced in "Ambient Interaction," and benefits to U.S. interests do not materialize as dramatically as they do in "Ambient Interaction."

Scenario 3: Connected niches[]

In "Connected Niches" the IoT evolves along application pathways that promise rapid payback and that can overcome resistance and indifference. Demand is commensurate with evolutionary but not revolutionary cost reductions, moderate technology progress that leaves some problems largely unsolved. Industries show reluctance to fully collaborate. Policies express at best a benign neglect for the potential advantages and, at worst, discriminate against innovation in favor of grandfathered interests. Even in 2025, positioning technology remains limited to outdoor use and many individual items lack RFID tags. Nevertheless, innovations encourage adoption of connected everyday objects and sensor networks in security, logistics, healthcare, document management, inventory management, fleet management, industrial automation, and robotics. In short, connected everyday devices are common in workplaces and military operations but not in households. Similarly, sensor networks mainly reside in workplaces and public places. Connected everyday objects and sensor networks deliver significant value to the economy and significant efficiencies to military organizations but also introduce significant vulnerabilities as new pathways for exploitation become available to mischief makers, criminals, and enemies of the United States. As niches grow, some interconnect, introducing unexpected interactions — some synergistic, others counterproductive.

  • Potential opportunities. The United States gains short-term economic advantages by adopting technologies that streamline commercial logistics and industrial automation, the combined effect of which lowers costs and boosts corporate profits. When retailers choose to keep RFID at the pallet level, technology suppliers aggressively seek and find alternative growth pathways via vertical-market opportunities. Airports and other public-transit hubs become venues for large-scale sensor networks that support the missions of private-security and public-safety agencies. For recognizing patterns of behavior indicating ill intent, software helps but does not reduce the need for human observers and analysts. Similarly, the IoT deters theft and helps locate missing goods, albeit indoor location is limited to perimeter-secured environments. Many hospitals and long-term care facilities become high-tech havens, resulting in significantly improved qualities of care. Two key niches — fleet management and document management — provide growth pathways for the IoT that confer decisive advantages over traditional approaches. Government and commercial operators of vehicle fleets find substantial value in advanced vehicle diagnostics and prognostics, enabling maintenance as-needed rather than on a schedule, concurrently yielding both reduced costs and increased reliability. Also, as solution prices fall, by 2020 paper documents and publications as well as electronic substitutes for paper e-books, smartcards, and other devices — commonly contain RFID tags, enabling automation of many formerly tedious and time-consuming processes.
  • Potential risks. The IoT's advantages to the U.S. economy are moderated by trade imbalances that favor the adding of value to everyday things by overseas manufacturers. First responders have poorer geolocation capability than terrorists (who use real-time kinematic and/or satellite-based augmentation solutions that are far less expensive to a small cell of individuals than to large public safety agencies). The IoT's contributions to physical security come at the cost of a high rate of false positive and false negative detections, so that while people consider that the cost-benefit balance is favorable, it is only marginally so; thus, depth of support is shallow. Similarly, while the IoT proves to be a boon for healthcare overall, some hospitals and long-term care facilities reduce costs by trading away the "care" in healthcare in favor of surveillance and restrictive, access control policies. While the IoT is decisively beneficial for vehicle maintenance and document management, serious risks and unavoidable annoyances accompany even these applications. A host of risks accompany people's overconfidence in technical solutions, often at the neglect of common sense.

Scenario 4: Ambient interaction[]

In "Ambient Interaction" the IoT arises rapidly and pervasively, favored by technology progress, business collaboration, and innovation-friendly policies. Strong demand arises across several major sectors of the economy, as technological wizardry combined with creative business developments stimulate people's appetites for killer applications that reduce labor and tedium, confer peace of mind, and blur the lines between work, play, and commerce. Connected everyday objects and sensor networks are common in workplaces, public places, and households. By 2017, walk-through checkout procedures are the norm for retailing, and nationwide positioning technology is in place, including indoors. Strategic initiatives have ensured that the United States enjoys long-term economic and military advantages. Nevertheless, great risks accompany great benefits as pervasive computing introduces equally pervasive vulnerabilities. Just as the Internet aggravated the risks of cyberwarfare, spam, identity theft, and denial-of-service attacks, connected everyday objects become targets for malicious software that causes everyday devices to fail or spy. Sensor networks become channels for unauthorized surveillance by mischief makers, criminals, and enemies of the United States.

  • Potential opportunities. Geopolitical advantages arise as the United States uses sensor networks to foil terrorists and asymmetrical warriors. The U.S. military gains long-term advantage by quickly streamlining operations and adopting strategic initiatives for continuous innovation, specifically for the purpose of sustaining that advantage. The United States also gains long-term economic advantages by embracing technologies (notably, item-level RFID and indoor location) that concurrently streamline commercial logistics and add value to physical products, the combined effect of which stimulates GDP. In fact, the pervasive IoT enables logistics to undergo a revolution rather than merely streamlining. By 2025, robotic supply chains are common and considered more secure and less prone to human tampering than traditional shipping and receiving. At ports, containers report their contents to heavy equipment, which routes goods to trucks automatically; at distribution points, pallets and forklifts similarly communicate and route goods which arrive in stores largely untouched by human hands. RFIDs in individual food packages drive popular adoption of RFID readers in cell phones that provide an indication of food origins and provenance. Makers of other packaged goods leverage the universality of RFID readers in cell phones. A combination of useful advice and marketing gimmicks yields a remarkable mix of "advertainment" and social benefits, such as cell phones that double as displays for multilingual user manuals and recycling instructions. Individuals enthusiastically adopt objects having embedded positioning capability, dramatically reducing the incidence of misplaced and stolen goods.
  • Potential risks. The incidental risks mentioned in the "Connected Niches" scenario (above) threaten to multiply by an order of magnitude. As the United States increases its reliance on the IoT, supply disruptions will yield operational disruptions. Asia's role as single-source manufacturing center establishes a single point of failure for mission-critical materiel when new vehicles arrive on U.S. shores "contaminated" by malware. Terrorists can exploit sensor networks, whose encryption technology threatens to lag far behind the cracking capabilities of East- and North-European teenagers equipped with massively-multicore laptop computers. The same corporate and government misunderstanding of security issues that yielded email-propagated viruses and spam-generating "zombie" computers could end up providing the means for criminals and mischief makers to exploit connected everyday objects through lax security systems.

Signposts to monitor[]

Scenarios exist because of the uncertainty that is inherent with any view of the future. Determining which scenario best mirrors reality at any one time depends on careful assessment of reliable information and knowledge and monitoring various signposts that would indicate the direction and pace with which any field of uncertainty (in this case, relative to enabling the disruptive potential of a technology to U.S. interests) is advancing. Key variables, which, if positive, would indicate environments that are supportive toward development of the Internet of Things, include:

  • The size and nature of demand for expedited logistics in commerce and military organizations,
  • The effectiveness of initial waves of IoT technology in reducing costs, thereby creating conditions for diffusion into vertical application areas including civilian government operations, law enforcement, healthcare, and document management,
  • The ability of devices located indoors to receive geolocation signals, possibly, distributing such signals by leveraging available infrastructures (cell towers, broadcasters, and other means),
  • Closely related technological advances in miniaturization and energy-efficient electronics, including reduced-power microcomputers and communications methods, energy-harvesting transducers, and improved microbatteries,
  • Efficient use of spectrum, including cost-effective solutions for wide-area communications at duty cycles that are much smaller (e.g., the equivalent of a few minutes per month) than those of cell phones (averaging many minutes per day), and
  • Advances in software that act on behalf of people, and software that effectively fuses ("makes sense of") sensor information from disparate sources.


  1. Quoted in Dave Evans, The Internet of Things: How the Next Evolution of the Internet Is Changing Everything, at 4 (Cisco Internet Business Solutions Group (IBSG)) (Apr. 2011) (full-text).
  2. NSTAC Report to the President on the Internet of Things, at ES-2.
  3. International Telecommunication Union, The Internet of Things, Executive Summary, at 3 (Nov. 2005) (full-text).
  4. Transforming the Nation's Electricity System: The Second Installment of the Quadrennial Energy Review, at S-3.
  5. Gartner, IT Glossary (full-text)
  6. National IOT Strategy Dialogue, at 4.
  7. Big Data: Seizing Opportunities, Preserving Values, at 2.
  8. Internet of Things: Privacy & Security in a Connected World, at i.
  9. Security of Things: An Implementers' Guide to Cyber-Security for Internet of Things Devices and Beyond, at 4.
  10. Internet of Things in 2020: A Roadmap for the Future, Executive Summary.
  11. Risk and Responsibility in a Hyperconnected World, at 28.
  12. Internet of Things: Privacy & Security in a Connected World, at 6.
  13. Industrial Internet Scoping Report, at 1.
  14. Report on Securing and Growing the Digital Economy, at 90.
  15. Big Data: Seizing Opportunities, Preserving Values, at 5.
  16. The term was initially coined by Kevin Ashton in 1999 in a presentation at Proctor and Gamble in reference to radio-frequency identification tags (RFIDs). See Kevin Ashton, "That ‘Internet of Things’ Thing," RFID J. (June 22, 2009) (full-text).
  17. Overview of the Internet of Things, at 2.
  18. "Although the IoT implies the Internet is the mode of communication, local networks can also transmit information collected by sensors." Internet of Things: Status and Implications of an Increasingly Connected World, at 1 n.1.
  19. Internet of Things: Privacy & Security in a Connected World, at 5.
  20. The Internet of Things: Frequently Asked Questions, Summary.
  21. Overview of the Internet of Things, at 5.
  22. Id. at 4.
  23. Industrial Internet Scoping Report, at 1.
  24. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, at 8.
  25. The Internet of Things: Frequently Asked Questions, Summary.
  26. The Internet of Things. How the Next Evolution of the Internet Is Changing Everything, at 3.
  27. Id.
  28. Securing the Internet of Things: A Global Overview of a Global Challenge, at 3.
  29. The Internet Of Things: Mapping The Value Beyond The Hype.
  30. Id.
  31. In the 2010 case City of Ontario v. Quon, the Court sidestepped the question whether individuals have a reasonable expectation of privacy in their electronic communications by resolving the case on other grounds (City of Ontario v. Quon, 560 U.S. 746 (2010) ("The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear."). Similarly, in the 2012 GPS tracking case United States v. Jones, the majority avoided the question of whether people should expect privacy in their public movements over a long period of time by instead relying on a hundreds-year-old trespass theory of the Fourth Amendment (United States v. Jones, 132 S. Ct. 945, 954 [2012]). More recently, in the 2015 case California v. Riley, the Court held that the government must obtain a warrant before accessing the data on a cellphone confiscated upon an arrest; however, the ruling did not separately opine on the level of protections for data stored in the cloud, on which IoT applications will undoubtedly rely (California v. Riley, 134 S. Ct. 2473, 2495 (2015)).
  32. Internet of Things: Privacy and Security in a Connected World.
  33. The Internet Of Things: Mapping The Value Beyond The Hype, at 11.
  34. The Internet of Things: Frequently Asked Questions, Summary.
  35. The Internet of Things: Frequently Asked Questions, Summary.
  36. The Federal Communications Commission: Current Structure and Its Role in the Changing Telecommunications Landscape.
  37. See, for example, Internet of Things: Privacy and Security in a Connected World.
  38. For descriptions of these sectors, see Presidential Policy Directive 21: Critical Infrastructure Security and Resilience.
  39. About the National Cybersecurity and Communications Integration Center.
  40. Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication.
  41. About ITS.
  42. Pilotless Drones: Background and Considerations for Congress Regarding Unmanned Aircraft Operations in the National Airspace System.
  43. Unmanned Aircraft Systems (UAS): Commercial Outlook for a New Industry.


See also[]

External resources[]

  • Michael Chui, Markus Löffler & Roger Roberts, "the Internet of Things," McKinsey Qtly. (Mar. 2010) (full-text) (Free registration required.)
  • Bruce Schneier, "The Internet of Things Is Wildly Insecure — And Often Unpatchable." Wired, Jan. 6, 2014 (full-text).