Daily Archives

IoT Working Group session
23rd November 2021
14:30 (UTC + 1)


SANDOCHE BALAKRICHENAN: We'll wait for one more minute, Constanze. Can we start?


SANDOCHE BALAKRICHENAN: I hope everybody can hear me. Thank you all for coming to the virtual IoT Working Group meeting at RIPE 83. I can see there are 273 participants, that's a good number. Myself, with my co‑chair Constanze will be chairing the meeting. Before going to the agenda, we would like to say that we appreciate very much your participation and feedback on the Working Group activities.

One such topic that has been much discussed is the IoT Working Group Charter, which is something that it's quite broad. We understood that from the survey and private suggestions, so topics like that we are open to feedback, we can discuss that during the AOB if we have time, otherwise in the SpatialChat at 1900 CET today or in the mailing list. So, thank you, Constanze, for that.

CONSTANZE DIETRICH: Thanks, Sandoche, and hi, everyone, welcome to the fourth remote IoT Working Group session, and the first one ever conveniently scheduled on Tuesday. What's about to happen in this session?
So, of course, we start with housekeeping. Then, we have Elsa Turios Rodriguez from the Technical University in Delft talking about more or less successful ways for ISPs to approach customers when they want them to disinfect their IoT devices. Afterwards, Marco Hogewoning is going to provide us with a fresh RIPE NCC update on recent regulated developments highlighting how that might affect the Internet of Things. And at last, well, when we set up the agenda we had great plans for the AOB slot. Unfortunately, our means to force people onto the stage are quite limited in this remote setting, which is why we are trying something new this time. So, if anyone has something they want to share with us, feedback, projects, studies, or if anyone has IoT‑related questions or suggestions to the community, just send us a ping in the Q&A section during the session, so that we know and so that we can reserve a little bit of AOB time in the end for you.

Otherwise, I guess we'll just extend the Q&A time for Elsa and Marco, or have an early break, or practice enduring five minutes of utterly awkward silence.

All right. Housekeeping.

So, the RIPE 82 meeting minutes were sent to the mailing list and have not gotten any complaints. So, unless there is a sudden revolt right here, right now, we're confident to flag them as final. Thanks, Antony, for the excellent work. And here is the drill for this and pretty much every other meeting session:

First of all, this session is being recorded and will be published on the RIPE 83 archives. And if Twitter is to be believed, the tech team is incredibly quick this time in this regard. If you want to comment on the talk or ask a question to the speaker, you can do that by using the audio queue and if you want to also share your webcam video with the audience which is always nice, if you however lack the equipment needed or just prefer writing down your questions, you can do that as well, using the Q&A window, and have us Chairs read out the questions out loud.

Anyhow, please always state your name and affiliation, if not otherwise indicated. And I think that's about it.

Okay. I guess it's time for our first talk. Elsa, the stage is yours.

ELSA TURCIOS RODRIGUEZ: Thank you very much. Let me see if I can ‑‑ well, the thing is when I ‑‑ I see my slides are pre‑loaded, but when I do share ‑‑ oh, now I can see it, thanks.

Thank you for having me here and all for being here as well. My name is Elsa Turios Rodriguez and I am doing a Ph.D. in TU Delft, and today I will share some work with colleagues from TU Delft and ICT Japan, understanding user compliance and remediation success after IoT malware notifications.

So, first of all, I would bring you through the background why we did this research and the methodology we use. I will show you some results and the limitations, of course, of this research, and some takeaways.

I think it doesn't come as a surprise that IoT devices are proliferating as well as the attacks keeps evolving, and I have heard a lot that, well, manufacturers should develop secure IoT devices and there are some regulations, authorisations and discussions about that coming up. However, what can we do in the meantime?
So, RFC 6561 says that IXPs should notify users either via e‑mail or quarantine them. Tell them hey, you have an infected IoT device. However, also, when you do that, these notifications relied on users' intervention and actually well we need to see if users actually understand what they are being asked because, of course, there is a variety of users, technical, non‑technical users, etc. So what we did was we partnered with an ISP and its subsidiary to understand how users deal with MIRAI when they are infected.

And I will give you some overview how the ISP is approaching this right now. Of course, they get from shadow server some feeds every day and this feed tells which IPs are compromised with MIRAI, and then the ISP basically either sends an e‑mail to the user and says hey, you are compromised, or the ISP also puts the customer in the so‑called walled garden and sends also an e‑mail. And pretty much what the e‑mail says is you have been compromised with MIRAI and do these five steps and these steps are very generic because of course the ISP cannot know in advance which devices, or if multiple devices are compromised, and also of course, they cannot give specific advice ‑‑ I mean if we don't know what device is infected we cannot give a specific advice, let's say, to follow for a specific device. So, the five steps are very generic.

So, first of all, the ISP tells them, hey, identify the device or devices because also the ISP does not know if it's one or multiple devices that are infected. They recommend to change the password of the device or devices, restart the device or devices, reset the modem and change the password of the modem.

So, basically what we did was some experiment, so, having some participants assigned to a treatment with a walled garden or quarantine and the e‑mail and other participants only receive the e‑mail, and we had a control group that neither received an e‑mail nor they were put in walled garden and received an e‑mail. And we tried to understand if they comprehend these notifications and their motivation to act, as well as basically if they complied with these steps or not and if this need to clean up.

And we defined as "clean" the absence of the IP in any of the feeds that the ISP have every day. And also, if we didn't see the IP as becoming aggressively and, for that, we use a network telescope of 300K IP addresses as well as a cyber alliance IoT honeypot and IoT pot data. So this means that we define as "clean" basically if the network is clean and we didn't see the IP in any of these feeds.

Which is already some limit ‑‑ well, some part of the limitations is that we cannot distinguish partial clean‑up from clean‑up, and also, this includes other IoT malware, so because the advice is so generic, then basically we wanted to see if this advice also could apply to other types of malware families if users follow all the steps for all the devices they own.

Besides that, we asked some questions about demographics because, of course, some literature says, of course, that some people are better at handling IT, and also, we asked users what type of devices they found as compromised, although we didn't have really ground rules to check that, we actually checked ‑‑ we did some extra checks to at least get a sense that users were reporting ‑‑ what there were reporting was more or less what was exposed.

So, then, as I said, also, the clean‑up included if the network was absent or any ‑‑ or any type of malware.

So, only now we have ‑‑ well, the idea was to have three groups, so control group, e‑mail group and walled garden group and similar number of customers. However, something went wrong in the server of the ISP and then we had a bigger control group and we also have some participants from the subsidiary, and, in total, we could interview 45 people from the control group, which we wanted to ask questions because we assumed those people wouldn't do anything because they were not notified. And we interviewed some people that got the e‑mail, 11, then we also talked to people that got into the quarantine and walled garden. So, in total, we had 177 participants, and, in total, we interviewed 95 people.

So, basically, what we found is that people that were in the walled garden, 37 out of 39 users, 95% remember receiving and reading the notification. However, 25 out of this 37 indicated that they understood the notification. Interestingly, the rest says that they did not understand the notification, contacted the ISP to ask for more information, and to try to understand what they should be doing. And similarly, for the e‑mail group, we found that 82% of the people remember receiving and reading the notification, while one indicated that they ‑‑ well, basically, 88% indicated they understood the notification, and the person that actually said they didn't understand the notification also contacted the ISP for more information.

Also, when we asked people about what motivated them to act, basically for the walled garden group, it was really like obvious because they were in a walled garden so some people say, I just want my Internet back. However, there were others that described other motivations like, I want my Internet back but safe Internet is important. Another said that a ‑‑ a participant said okay, my device was malfunctioning so I have to do something. Other people said that they need the device, but if we move to the e‑mail group where they didn't ‑‑ or they were not in quarantine, they actually expressed more intrinsic motivation to act which is more like safe Internet is important and their device was malfunctioning.

So, that's some of the motivations ‑‑ those are some of the motivations that people expressed.

This table is just like a summary of, like, which steps people, in which group they did. So, for instance, in the e‑mail group, only three participants did the full five steps, and the participants did step 1, 2 and 3 and 5, and so on. I think if you want to take a look at this table, you can later on check the paper that is already published and is open access.

Then, interestingly, also people reported doing different steps than the ones highlighted in the message they received. So, some people in the e‑mail group said something like ‑‑ well, only five of them say: I followed the exact notification steps. But some others also said they disconnected the device, they did some software update or disabled port forwarding. Similar things happened in the walled garden group. And also, since we talked to people that neither were e‑mail ‑‑ neither received the e‑mail or were in the walled garden, we found that some of these people actually took actions, some of these people from ‑‑ they said that they did some software update in the device and stopped using it or disconnect the device, and what we learn is that these people actually find out there was some software update prompt in their devices because actually when we conducted this study, there was things going on been home optimisation with the Motics, so some of the users in the control group received a pop‑up and they did their software update, and also, other people were saying that they act because the device was malfunctioning.

So, I won't go deep these these but we also run two statistical models, one to understand how these be variables I mentioned like motivation, understanding and the type of device they user owns, etc., actually lead to compliance and what we found is basically that when consumers are involved by a compromised IoT device they are willing to act and basically what prompts the compliance is basically this notification. So people in the walled garden group do, on average, 1.9 steps more than the control group and 1.8 more steps users ‑‑ users in the control group do 1.8 more steps than the control group.

And the other model we did was to understand if this compliance leads to more clean‑up in the network. As I said, the definition of "clean‑up" was like the network absence of any malware. So, this compliance with these steps led to 32% increase in remediation, compared to the control group, and also, we checked if the ‑‑ since we had this in the data, if there were other malware families present in the same network, then we check if the absence or presence of these competing malware in the network decrease the probability of remediation and we found that networks that ‑‑ where we saw a scanning pattern from URI and a scanning pattern from our types of malware families decreased remediation by 54%. So, bottom line of this statistical model or findings were that basically these five steps are generic and they might not apply to all types of malware, and some devices still remain infected or are being reinfected in the network, and also there is some literature that suggests that IoT malware ‑‑ some families fight for control over vulnerable devices, so that could be also that the people genuinely did the steps and they got infected or reinfected as well because of that. And also because the message was related to IoT devices, maybe they ‑‑ of course, they didn't do it for other type of devices.

So, what was also interesting was that 24 of these 39 consumers that were in the walled garden groups, that they were satisfied with this approach. So, there is a specific section where we discuss about that because yeah, of course, the question is like, okay, am I going to be happy if my ISP cut my Internet connection, or something like that, or just allow me to list websites while I don't fix this problem. Actually, of course, people were ‑‑ express that they were actually happy to get ‑‑ to know that they were infected, otherwise they wouldn't know because they don't have other ways of noticing, although there is some percentage of ‑‑ in the control group, of course, that, because of malfunctioning or something ‑‑ or some prompt of the manufacturer actually, they did some actions, but otherwise they wouldn't know. And also, the e‑mail group also was satisfied with this approach.
Of course, some limitations in this research were that we rely on what the users report they did. Unfortunately, of course, we cannot go to their homes and see exactly what they did, and if they really did the steps, or not, so we rely on when they told us they did. Also, of course, this is a database and only one ISP and its subsidiary, and also, unfortunately, we end up with a small sample of users that were just in the treatment group that received e‑mail only, and so we think that maybe more research is needed to make more robust inferences. Although I have experience recently on working on notifying only with e‑mail and the response is actually very good as well. So, also importantly, after all, like, this process in the walled garden group, 92% of the people in this group were clean, or their networks were clean. And 82 errors in the e‑mail group got clean. So, also, the compliance with these steps helps to increase the remediation factor by 32%, and of course the presence of competing malware in the network reduced the probability of remediation by 54%.

So that's basically what I wanted to share with you today, and I am very happy to hear any questions or comments or ‑‑ yeah, if you have any questions or, you know, suggestions, you can e‑mail me and also, there is the link to the paper if you want to read in more detail what it was about. Thank you.

SANDOCHE BALAKRICHENAN: Thank you, Elsa. That was an interesting presentation. Questions for Elsa, we have a lot of time.

CONSTANZE DIETRICH: Maybe I start with one I have. So, how did the ISP that was involved in the study think about this? What were their takeaways from the study? Can you tell us about that?

ELSA TURCIOS RODRIGUEZ: Yeah. Well, basically they keep doing this process. It's actually part of the abuse handling, so that something that is in place and they keep doing and actually not only with MIRAI, but also their malware family, so we recently did also a study with Kios Nach [phonetic], and actually the response they have is ‑‑ I mean, welcomed by the users in general because for the other studies the same. So, they actually ‑‑ it's like really an established process. Of course, they were also ‑‑ or they learned, of course, that users are willing to act as important, and that even though the advices are generic, because some concerns at the beginning were like okay, this advice is very generic, how can we help people with such generic advice? Are they going to be able to understand what they have to do or not? And then seeing their results is at least worth the try, right?

CONSTANZE DIETRICH: Do they follow the walled garden approach or the one just sending e‑mails?

ELSA TURCIOS RODRIGUEZ: So far, what I know is, of course, during the coffee time, they only start doing e‑mails, and that's actually why I know that e‑mail is an approach that is working because they keep doing it ‑‑ or kept doing it. I think now they came back to the walled garden approach. Well, of course, during the Covid times ‑‑ or we are still in Covid times, but when most people were working from home, they were more careful with that because even though they want to notify people, they didn't want to interrupt their ‑‑ you know, their work from home. So ‑‑ but, yeah, now they are back to using quarantining.

SANDOCHE BALAKRICHENAN: There is a question from Michael Richardson, no affiliation: "Did any of the users have IPv6 and was the ISP able to identify the IPv6 end points? If so, was traditional SLAAC used or privacy‑enhanced addresses?"

ELSA TURCIOS RODRIGUEZ: So far I understand that the report they received from shadow server, that half the IP, but to be honest, we were not interested in that information, so we really didn't look in how many of these customers have IPv6 or IPv4, to be honest.

SANDOCHE BALAKRICHENAN: Okay. The next question is from Jim Reid, no affiliation:

"Any thoughts on how to get a bigger sample size? Say for the whole of TU Delft campus net?"

ELSA TURCIOS RODRIGUEZ: Mmm... well, yeah, ideally this is the thing, at least from my experience, has been great to have a partner ISP because let's say if you look for IPs that are compromised with MIRAI, let's say you go to a, you know, a darknet and you look for the MIRAI fingerprint, probably you will find few IP addresses that belong to, let's say, a university, right. And also, what is nice, at least in my experience, is that the ISP actually can contact their customers while I, as researcher, cannot just take random IPs and start contacting users and ask them questions: Hey, how do you handle your infection? Right. So, basically, what is valuable is the fact that the ISP has some contact with the customers, their e‑mail addresses and then also actually this is personally something like my ISP cares about my security or something. Well, I feel if I do it as a researcher, that won't work that well.

SANDOCHE BALAKRICHENAN: Okay. The next question is from jJoey Boon from SURF: "How did the ISP detect the malware? I assume through abuse reports?"

ELSA TURCIOS RODRIGUEZ: If they just identify it by the abuse reports?

SANDOCHE BALAKRICHENAN: Yeah, it's a question‑mark also.

ELSA TURCIOS RODRIGUEZ: Yeah, indeed. To the best of my knowledge, it's through the ‑‑ only through the shadow server reports. It's not that they actually look into any way to detect that. It's just they receive the reports from shadow server and then from there they take it.

SANDOCHE BALAKRICHENAN: Okay. So, there is a repeat for the first question from Michael Richardson. He wants to be clear: "In 2021, MIRAI is still out there. How many instances, or how many instances per capita?"

ELSA TURCIOS RODRIGUEZ: Yeah. Actually I recently looked into reports, and once I looked a lot in the shadow server reports and still MIRAI is an important threat. So I don't know exactly numbers, and I don't know how to answer about per capita, but at least in the majority of industry server reports and shadow server reports it's still an important threat. For instance, I can speak only for the Netherlands as well. For instance, there was a time last year when geo snatch [phonetic] was on top and after it was MIRAI. I don't know about how that number goes for other countries, but it still is a threat.


CONSTANZE DIETRICH: Okay. So, for now, there are no further questions. So we will have a little bit more time, probably, at least, at the end of the session, and of course afterwards in the SpatialChat. I hope, Elsa, you will be there as well.


CONSTANZE DIETRICH: Okay, then I would suggest that we continue with Marco.

MARCO HOGEWONING: Hi. My name is Marco Hogewoning, I work for the RIPE NCC as a manager for Public Policy and Internet Governance, and, once again, it is my pleasure to give you a short update of what we see in the IoT space.

Before I do that, happy birthday. Well, I was actually looking back at it and realised that the first time we had a meeting, and obviously it wasn't the Working Group yet, it was simply a BoF, but the first time we sat down with the group and looked it the like, okay, the IoT, do we need to do something? What is the role in IoT was ten meetings ago with RIPE 73, but just about ten years ago this was the first ever message I sent to the then IoT discussion list, which is now the IoT Working Group mailing list. But yeah, time flies, it's five years already.

Looking at it, where we started off back in 73 is what's RIPE's role, what's the RIPE NCC's role in the IoT? And generally, this talk is referred to as an update from the RIPE NCC, but looking at it, it is really not that big for us, you know. A large part of the IoT is basically the application layer. There isn't much for the RIPE NCC to do in this space. Network and transport are only a very small part of the bigger picture. And where we do see networks, especially on the edges, a lot of them don't even use IP. IP is very common in the long‑haul transport getting data from A to B, but actual IoT networks pick other protocols, yet it doesn't mean that we don't have a stake, as you'll see throughout this presentation.

A lot of time, IoT is using in examples; for instance, when arguing for change, we saw that with new IP we see that, quite often, security concerns, especially when they get reflected in legislative proposals, often come down and also touch on the spaces that the RIPE community or the RIPE NCC has an interest in. And then, of course, there is IoT standardisation that we come across in various forums and venues and in all shapes, sorts and sizes.

With that, briefly looking back to some things that we talked about and give you a bit of a status update. So ITU, Study Group 20, which is about the IoT, and more specifically ITU‑T SG20 has a focus on IoT and smart cities. That means that's pretty broad and it's noticeable on the amount of work but also the extent of the scope of the work there. It really goes from vehicles to buildings to virtual reality control systems, UAVs. Basically, if you can say smart X, there is probably work under way in the study group to at least come up with some framework or some architectural idea on how it should work or how it could work that goes as far as, you know, a few years back people looked at smart greenhouses, there is actually an IoT recommendation produced by SG20 that specifies the optimal growing conditions for strawberries and lettuce, and so if you are into gardening, I can point to you that recommendation.

Then, of course, there is a lot to do about supporting technology such as Blockchain, which of course is the magic that should make it all happen. We can discuss about that.

Talk about the network layers is mostly gone. IPv6 that took quite a bit of discussion, has been removed from the work programme and you don't see a lot happening in that space. One exception notably for the last year or so has been Lorawam [phonetic], which is reissued as an ITU recommendation now. And it kind of makes sense, you need that harmonisation, you need that global standard, so it does make sense to at some point make sense to say let's make this an IP recommendation. At the same time what we often see is that it leads to duplication and also often it's behind the curve. So we already have products in the market and then the standardisation needs to make sure that it actually sort of accommodates and remains compatible with the products that are already sold in the market, so it's quite a challenge.

Moving on from there into EU legislation, and this, again, our role is limited when it comes to IoT, and my colleague Suzanne, after this session in the Cooperation Working Group later today, will give a more extensive description and a more presentation about all of these proposals and there is also an article on RIPE Labs, but looking through it, first of all all there is the Radio Equipment Directive. I have presented about that before, and then we said like yeah, watch that space, the Commission might use it to enforce the cybersecurity standards. The reason there is pretty much all devices have radio equipment.

So they did. This is pretty fresh, but they expanded the cybersecurity, the security paragraphs and specified search device clauses, so it basically says anything that connects to the Internet, anything that is used for childcare or anything you can attach to your body has to do X, Y, Z. And that's still very broad but it basically says like it should take security into consideration, it should receive timely updates, that sort of thing.

Yeah, so recommended next steps. The interesting bit there is that this works via a so‑called delegated act, which means that the Commission can move fast. It's subject to scrutiny as it is described, it means that unless parliament really has an objection, and really pulls on the emergency brake, this comes into effect two months after it is published. And it was published 29th October, so, basically, by the end of the year, these things are in place. Lucky if you built equipment, if you are in the process of making IoT devices, you still have 13 months to be compliant. My recommendation is, have a good look. If you build anything or you sell anything that has a radio, have a really good look and what the new requirements are and whether you are ‑‑ need to be compliant or not. And with that, mind you, that the radio equipment directive takes a whole value chain. So it's you, as a seller, that has to make sure that your importer is compliant and if import it you have to make sure your manufacturer is compliant. So it works the way up. There is no escape and there is no way to point to others, it's your problem basically. So have a talk to your compliance people and have a good look and see if you need to do anything.

The bigger picture: Security. That's really on everybody's mind, security and it's no surprise to see. The solutions are very broad there. They often don't even mention the IoT. If you look at the digital service act, the digital market act, the data governance act, they kind of all had have implications for the IoT space. You look at the definitions of platforms, definitions of service providers that can easily cover part of the IoT space.
Also, if you look at the IoT in a component structure, you know, there is a lot of talk about clouds, etc., and of course that also then would apply to IoT solutions that reach the Cloud.

Another big one is probably the geopolitical security concerns. Now, obviously that's relating to where the data is, who can access it. We also know, also discussions about possible back doors, but as the pandemic has shown there is more concern about generally the supply chain, the reliability of getting the components here and then people all of a sudden realise that we do ‑‑ are dependent on a couple of chaps somewhere in Asia and the car manufacturers of course have taken the brunt of this but we also see it in other IoT sectors, it's really hard to get the components to build the devices. There is some pressure too, what they then say strategic autonomy, make sure it's built and you can access components.

Data Governance Act. That's an interesting one, because it's kind of ‑‑ I took some text here from the proposal says ‑‑ we're going to build an internal market for data. It very much realises that a lot of people are sitting on data that could be of benefit to others, and, with that, it also very much looks at, you know, the role of the public sector but then also say like but even certain commercial datasets can have value so others so what if we anonymise those and make them available. So it's a pretty big framework, it's very ambitious. It's also leaves it open for third countries. So if another country says, look, we have something equivalent, there might be a deal. So it might also evolve off into a trade tool saying oh, sure, if you want to be part of this, then do this, this and that. So it's worth a read. If you are processing data, if you are in the big data business, have a look.

ePrivacy, the final one and on the EU legislative side there is an an update on the current ePrivacy directive. This kind of complements GDPR. ePrivacy takes a scope a bit broader realising that there might also be generated by your devices, by your machines that, you know, leaves traces, could be privacy infringements, for instance if there is metadata etc. This has been in the making four, five, six years now. It took an awful lot of time for the member states to agree on a position. They finally did, so this is now entered the last bit of negotiations. Everybody is quite optimistic in that, now we finally have the negotiations going that this should be in place probably sort of mid next year, and then we're looking again at a grace period, probably at two years, so before this is really into effect, we're looking at 2023, 2024, but again, if you are processing data, and we just saw a presentation about how that affects your space, it's really interesting to read and see what's coming your way.

Moving from legislation to the regulatory environment, BEREC, the body of European electronic regulators, have taken this from their programme of work for next year. That's out in a draft. It might still be possible to comment on it, I am not exactly sure ‑‑ no, sorry, the deadline has been passed, we did leave a small comment regarding IPv6. But...
Yeah, something we have addressed before is, BEREC has done a lot of work on the network termination point, and that gang of translates into who owns the modem and that plays a big role probably in how devices connect, but, for instance, we just saw, and as the work of this group also shows, you know, how the security environment, you know, that modem is a perfect way to, you know, isolate, affect the equipment, detect problems.

The legislation is very ambiguous. Certain states say yes, the user must always bring their own modem. Some states have no legislation, but whenever they do, there is always the technical but, you know, if there are technical requirements, you can basically say, like, no, sorry, the user has to use my modem. BEREC produced some guidelines in 2020 to support alignments. The whole plan now is, and it's not specific to the network termination point, but the end user rights package, and this is part of that, will be evaluated by the end of next year, so there will be workshops, there might be consultations, so if you want to readdress this as an industry, if you want to readdress this as a community, that might be an attachment point to say hey, can we talk about this again.
Adequate broadband access. I must say, I am a bit lost here. I am not too deep in, but in the European Electronic Communication Code, there is some provisions that say, like, yeah, everybody should have access to broadband at a reasonable cost. It kind of realises that, without it, you can't really participate in society any more, you can't really participate in the economy and of course we we have all seen in the pandemic and everything how important it is to have that bandwidth there.

They are planning a report on best practices and suitability of the criteria and the question that pops into my mind is, right now, it really focuses on the price and a bit on bandwidth, maybe that's not all the requirement you want to have here, given how dependent we become on this also in the context of IoT. If I look at my own residential retail line, meantime to repair, it's probably over 48 hours. If I am unlucky that might no longer be acceptable in a fully connected IoT world. So, again, we're not planning to engage on this, but, of course, if you do, feel free to contact them or let us know and then we'll look into this more deeply.

Finally, and I think this is kind of important, is, this might warrant a bit of time from everybody, also from the community, is that BEREC is planning a report that maps out the bigger picture. It's now called the Internet ecosystem, it used to be referred to as the value chain, and again, I have taken some text from the programme, the magic word here is "gatekeeper", you know, the DSA, the DMA talks about gatekeeper and parts of BEREC's work is like okay, are there other gatekeepers at other levels, for instance in the application space, for instance in app stores, and what is our role as regulators in that market. So, this is really one to watch for and possibly see if we can provide some input at some point in this dialogue.

With that, this is a lot of EU talk, and you might think about like yeah, what's other countries? A lot of this, we get not specifically because we're looking for IoT, it's simply because we monitor all these things because they have an effect on the RIPE NCC, we know that possibly have an effect on the RIPE community. Of course, the world is bigger than the EU, and yes, there is a lot of focus on the EU‑27 and their legal frameworks also because it is such a large and significant part of the market, it's 450 million people, it's also 450 million rich people, it's rich countries, and then of course the EU knows that and also tries to use that as leverage. They can basically say, like, if you want to sell stuff into our market, then you have to do this, this and that, and that will probably mean that it becomes a global standard.

We see coordination between other countries, they do cooperate, but often to a lesser extent, and I mean, also practically speaking for us, it's almost impossible for us to track 190‑plus countries, but it also goes for the industry at large. So, looking at it from that perspective, we see that a lot of countries are seeking Internet standards, they do realise that you can't just do this by yourself, and that kind of brings the focus back to where I started. Because a lot of countries flock to the ITU and say, can you help us define policies? Can you help us to set those standards?
And with that, I kind of also want to come back to the questions we started with at RIPE 73 and I think the question that's also been brought up in the recent surveys and that we're going to address in the AOB hopefully: What is the role there for the community? Can we actually use this as one of the points to collect that information and experiences, but also really to, you know, use it to steer this and steer the alignment via publication, via best practices, you know, can we do something here? Because what I notice from the public policy work and the discussions we have in the IETF, a lot of people are kind of lost. We all know something needs to be done, but to find the right place and to find the right model to do something, is often easier said than done and my personal opinion is that RIPE and this particular Working Group might be able to play an important role there in channelling the information and getting everybody together and say like, yeah, you see, here is how you can do that.

With that, I hope we have got a bit of time left for the Q&A. And otherwise I'll give it back to the Chairs to guide us through the final discussion. Thank you.

SANDOCHE BALAKRICHENAN: Thank you, Marco. Thank you for the panoramic view of the different IoT standards. So, as you said, we have a good eight to nine minutes for the questions. So if you have questions for Marco, it will be better.

So the first question is from Michael Richardson: "Have or will BEREC examine the legal question as to who is responsible for malware and/or attacks that originate on the model? Or does this fall into the red?"

MARCO HOGEWONING: That's a good question. I think if you asked the real BEREC stakeholders, which are the regulators, the NRAs will then point to the legislation, the parliament, the governments that actually build the legislation. So, you know, the role from a regulatory perspective is to execute and enforce the laws that are put through the parliamentary process. RED indeed does have a framework regarding who is responsible, like I said, that really starts with okay, if you sell stuff, it has to be compliant with the Radio Equipment Directive and that means that you have to talk to the people who import it, the people who manufacture it. So, the RED has some clear guidance on, yes, if you build this, you are responsible to make sure it happens, but also then if you sell it, you are responsible, and keep in mind that ultimately when it comes to RED, the ultimate enforcement is that they confiscate it. If I find it on your shelf, if they say sorry, this is not compliant, you risk to basically take away and destroy it and that's your loss and you have to talk to your supply chain to get it compensated for. So, yeah, it's it's a hard one. It's a good question, but I think in this case it should be directed to the legislators and in the sense the European Commission, the European Parliament.

SANDOCHE BALAKRICHENAN: The next question is from Dmitry Kohmanyuk: "Any similar developments in non‑EU countries?"

MARCO HOGEWONING: Yes. Like I said, we do see it. For instance, also there is a lot of talk between the Arab states and in the Arab states around this. Basically, every country has similar laws like the Radio Equipment Directive. I know, basically, Russia is quite advanced in looking into that kind of possibilities to enforce compliance. It's hard. The EU will benefit as Yours sincerely a large trading block that they kind of have a bit of market power for other small countries. You can say what you want and you could put legislation there, but actually enforcing it as the equipment is manufactured elsewhere and it comes into your country is really hard and again this is why you see so many people flock to alignment and within the ITU but also within the World Trade Organisation to look into what are our possibilities to really sort of get rid of these unsafe devices and really get to the manufacturers to do the right thing? Then again, we also see an international debate on what is the right thing then, because that's also not immediately consensus, you know, some people focus more on privacy than others. So, internationally speaking, this is a really tough space to be in, and it's really hard to align.

SANDOCHE BALAKRICHENAN: I have a question for you. In one of your slides there you say about the ITU, that there is an exception for LoraWAN why?

MARCO HOGEWONING: No, not as much an exception. We have seen, in the past, for instance, with one M to M where ITU takes the work that is done by a private consortium and turns into recommendations. What I meant with the exception is that it isn't really focused on transport and networks. LoraWAN is one of the things that focuses on the lower transport layers, but the specifics of taking an industry construction standard and kind of rebranding it into an ITU recommendation is certainly not unique. We also see that at other levels.


CONSTANZE DIETRICH: I am kind of wondering, actually you asked that question kind of yourself, is what we could do? You said we could, you know, throw best practices out there, or policy proposals or whatever standards, ideas for standards, but, for example, who would we have to talk to? Who would we get around one table to... you know, actually get the feeling to have some kind of influence?

MARCO HOGEWONING: Yeah, that's a really good question. It is ‑‑ in the end, it's ‑‑ if you want to solve a multistakeholder, you probably have to probably attract other stakeholders as well and we know there is government interest in this, there is industry interest in this and I know a lot of people are watching this presentation from the government side, from the industry side. So, I think that sort of the first thing is sort of like, okay, if we all agree that there is a problem here, what is it is that we, within the RIPE remit, can potentially do to solve the problem and sort of the guidelines that were produced sort of for device safety are probably, all right, a start, but maybe there is other ways for this group to provide the forum and, for instance, like, yeah, this is something that maybe it needs to go to IETF or maybe there is something to put through an ITU process or, for instance, to what BEREC is doing and to help shape the discussion. So a lot of people are actually looking around and going like, okay, what is the industry then doing? And try to understand how far we have and that's also part of our role, as often I point out it's like yes, the industry is already working on this. The countless times we have had discussions in ITU where, you know, like, yes, this is already done, or it's already very much under way, can you talk to these people. And it's ‑‑ yeah, it's a continuous effort. I don't have anything, and I know that's disappointing, but I don't have really anything specific that to say oh, like, you should make a deliverable and then the problem is solved. I think having the dialogue here and providing a platform for a dialogue like we have now is probably a good first start.

CONSTANZE DIETRICH: And, for example, looking at the Radio Equipment Directive, which is about to actually be in place, it seems do you know anyone who is like ‑‑ like any industry, any company, specific ecosystem, who is affected by that?

MARCO HOGEWONING: Well, it could be quite extensive, especially that first ‑‑ the first class where it says oh, yes, if it connects to the Internet. So we're kind of in a space that if you have something that has a radio on board and it connects to the Internet. So, I guess everything that has a wi‑fi device is potentially in scope of this. And then those classes say, like, it must receive regular updates. Now, probably a lot of vendors do that, but probably a lot of vendors don't. And the big question of course is, what is regular? And what is timely?

CONSTANZE DIETRICH: And who are the vendors, that was kind of my question behind that, who do not comply at the moment?

MARCO HOGEWONING: The RED bypasses it. The RED really says you can finger‑point as long as you want against each other, we want this sorted, and ultimately the point of sale needs to ‑‑ is responsible for making sure that, once it hits the market, it is compliant. And whether you go talk to your manufacturers or you do it yourself, that is ‑‑ the RED kind of leaves that open for the industry to sort out.


SANDOCHE BALAKRICHENAN: Constanze, if we want to have the queue for the AOB, there are already people lining up.

CONSTANZE DIETRICH: Oh, really? We have two minutes left. Okay, let's try that. Cool.

MARCO HOGEWONING: I am here, if people want to talk to me I'll try and join SpatialChat after this session.

CONSTANZE DIETRICH: Thank you so much, Marco.


RUDIGER VOLK: Yes, I wanted to throw a little comment on the almost very last remarks from Marco. Well, okay, Marco made the remark "Everything that is connected to the Internet," and I would want to point out that, yesterday, we had a presentation about things that were, to a large extent, related to IoT, which were quite definitely meant to be outside of the Internet as we know it. The mobile stuff, the mobile stuff done by the mobile operators.

CONSTANZE DIETRICH: So I myself having watched that talk, could you go a little more into detail, or was that more to let us know we should watch the talk?

RUDIGER VOLK: Well, IPX, or older generation GRX, as the organisation of the mobile operators to interconnect their stuff outside of the Internet as we know it, outside of the public Internet, and the talk was saying well, okay, this is getting huge and global, so spreading outside of just, say, the EU regulation, or the US regulation, or whatever regulator you take, and, yes, kind of getting the large scale of operation for taking care of all kinds of IoT, or mobile to mobile devices.

MARCO HOGEWONING: I think where Rudiger is going and I think as I just commented on chat, yeah, the legal text is the Internet and then of course you can start a whole discussion on whether something is the Internet or not or whether it is just like the Internet as it uses IP or a network of networks, actually it might sort of be also a nice one to carry over to the Cooperation Working Group later on. Yeah, it often ‑‑ we often see things saying like, oh, yeah, if it's on the Internet. But what makes the Internet the Internet? And I guess that's what ‑‑ I'm not a lawyer and I guess we should leave that discussion to the lawyers to figure out how this works.

SANDOCHE BALAKRICHENAN: Thank you, Marco. Constanze, we are in the coffee time.

CONSTANZE DIETRICH: Right, we are. Yeah, I guess ‑‑ will I share my screen just for that second. Thanks, everyone. Thanks to Elsa and Marco for the interesting presentations, to everyone making these meetings happen. Currently around 282 people in Meetecho, and have a nice meeting. I hope to see you in Berlin next year, and to see you in SpatialChat right now.

Thank you. Bye‑bye.

(Coffee break)