物联网－欧盟行动计划（英文版）

EN EN EN EN EN COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, 18.6.2009 COM(2009) 278 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS Internet of Things — An action plan for Europe EN 2 EN COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS Internet of Things — An action plan for Europe 1. INTERNET OF THINGS: THE UMBRELLA FOR A NEW PARADIGM The growth of the Internet is an ongoing process: only twenty-five years ago it was connecting about a thousand hosts and has grown ever since to link billions people through computers and mobile devices. One major next step in this development is to progressively evolve from a network of interconnected computers to a network of interconnected objects, from books to cars, from electrical appliances to food, and thus create an ‘Internet of things’1 (IoT). These objects will sometimes have their own Internet Protocol addresses, be embedded in complex systems and use sensors to obtain information from their environment (e.g. food products that record the temperature along the supply chain) and/or use actuators to interact with it (e.g. air conditioning valves that react to the presence of people). The scope of IoT applications is expected to greatly contribute to addressing today’s societal challenges: health monitoring systems will help meet the challenges of an ageing society2; connected trees will help fight deforestation3; connected cars will help reduce traffic congestion and improve their recyclability, thus reducing their carbon footprint. This interconnection of physical objects is expected to amplify the profound effects that large-scale networked communications are having on our society, gradually resulting in a genuine paradigm shift. To complement this overview, it is worth noting three points that highlight the complex nature of IoT. First, it should not be seen as a mere extension of today’s Internet but rather as a number of new independent systems that operate with their own infrastructures (and partly rely on existing Internet infrastructures). Second, as detailed in a recent ISTAG report4, IoT will be implemented in symbiosis with new services. Third, IoT covers different modes of communication: things-to-person communication and thing-to-thing communications, including Machine-to-Machine (M2M) communication that potentially concerns 50-70 billion ‘machines’, of which only 1 % are connected today5. These connections can be established in restricted areas (‘intranet of things’) or made publicly accessible (‘Internet of things’). The advent of IoT is taking place in an ICT environment affected by several major trends6. ‘Scale’ is one of them: the number of connected devices is increasing, while their size is reduced below the threshold of visibility to the human eye. ‘Mobility’ is another: objects are ever more wirelessly connected, carried permanently by individuals and geo-localisable. ‘Heterogeneity and complexity’ is a third trend: IoT will be deployed in an environment 1 See the ITU 2005 report www.itu.int/dms_pub/itu-s/opb/pol/S-POL-IR.IT-2005-SUM-PDF-E.pdf or the ISTAG report ftp://ftp.cordis.europa.eu/pub/ist/docs/istagscenarios2010.pdf 2 See for example www.aal-europe.eu/about-aal 3 See for example — www.planetaryskin.org/ 4 See ‘Revising Europe’s ICT Strategy’, — ftp://ftp.cordis.europa.eu/pub/ist/docs/istag-revising-europes- ict-strategy-final-version_en.pdf 5 This figure is commonly used by different authors who assume that every human is on average surrounded by ~10 machines 6 See COM/2008/0594 final — Future networks and the Internet EN 3 EN already crowded with applications that generate a growing number of challenges in terms of interoperability. The above examples show that the Internet of things can help to improve citizens’ quality of life, delivering new and better jobs for workers, business opportunities and growth for the industry, and a boost to Europe’s competitiveness. So this paper dovetails with the wider policy initiatives related to the Lisbon strategy and with the current thinking on post-i2010 initiatives7. The idea was first announced in the RFID communication8 and has since received input from the RFID Expert Group9, the EESC10, and the EU Presidential Conferences of Berlin, Lisbon and Nice11. It comes in response to the invitation made by the Council12 to deepen the reflection on the development of decentralised architectures and promoting a shared and decentralised network governance for the Internet of things. Finally, this paper takes account of the initial position outlined by the Commission13 and the comments received14. 2. SOME EXISTING INTERNET OF THINGS APPLICATIONS IoT should not be considered as a utopian concept; in fact, several early-bird components of IoT are already being deployed as illustrated hereafter: • Consumers are increasingly using web-enabled mobile phones equipped with cameras and/or employing Near-Field Communication15. These phones allow users to access additional information regarding products such as allergen information. • Member States are increasingly using unique serial numbers on pharmaceutical products (supported by bar-codes), enabling the verification of each product before it reaches the patient. This reduces counterfeiting, reimbursement fraud and dispensing errors16. A similar approach taken on the traceability of consumer products in general would improve Europe's ability to tackle counterfeiting and to take measures against unsafe products17. • Several utility companies in the energy sector have started deploying smart electrical metering systems which provide consumption information to consumers in real time and allow electricity providers to monitor electrical appliances remotely18. • Within traditional industries, such as logistics (eFreight)19, manufacturing20 and retail, ‘intelligent objects’ facilitate the exchange of information and increase the effectiveness of the production cycle. 7 See ec.europa.eu/information_society/eeurope/i2010/index_en.htm 8 See COM/2007/0096 final — RFID in Europe: steps towards a policy framework 9 See 2007/467/EC — Decision setting up the Expert Group on RFID 10 See EESC Opinion n°1514 of 2008 11 See www.internet2008.eu 12 See Council Conclusion 16616/08 13 See SEC/2008/2516 — Early Challenges regarding the “Internet of Things” 14 See ec.europa.eu/information_society/policy/rfid/library/index_en.htm 15 See www.nfc-forum.org/home 16 See the work of EFPIA — www.efpia.eu/Content/Default.asp?PageID=566 17 See RAPEX annual report ec.europa.eu/consumers/safety/rapex/docs/rapex_annualreport2009_en.pdf 18 See www.esma-home.eu/default.asp 19 See COM/2007/0607 final – Freight Transport Logistics Action Plan 20 See The Fraunhofer Institute for Material Flow and Logistics : www.iml.fraunhofer.de/1327.html EN 4 EN These examples rely on several building blocks such as RFID, Near Field Communication (NFC), 2D bar codes, wireless sensor/actuators, Internet Protocol Version 6 (IPv6)21, ultra- wide-band or 3/4G, which are all expected to play an important role in future deployments. The European Commission, through the Framework Programme for Research and Development (FP5-6-7) and the Competitiveness and Innovation Framework Programme (CIP), has already invested in these technologies. For example, in the transport area, it is actively promoting their deployment through the Freight Transport Logistics and the Intelligent Transport System Action Plans22. Europe’s industry is as well a strong player in many of these technologies, such as telecommunications equipment, enterprise software and semiconductors. Promoting the development of IoT thus reinforces the European ICT sector and should contribute to the growth of other sectors, such as those that include proximity services (tourism, personal healthcare, etc). 3. THE GOVERNANCE OF THE INTERNET OF THINGS Why is there a role for public authorities? The technical advances described in the previous section will occur regardless of public intervention, simply following the normal cycle of innovation whereby industry harnesses for its own needs the new technologies developed by the scientific community. Although IoT will help to address certain problems, it will usher in its own set of challenges, some directly affecting individuals. For example, some applications may be closely interlinked with critical infrastructures such as the power supply while others will handle information related to an individual’s whereabouts. Simply leaving the development of IoT to the private sector, and possibly to other world regions23,24 is not a sensible option in view of the deep societal changes that IoT will bring about. Many of these changes will have to be addressed by European policy-makers and public authorities to ensure that the use of IoT technologies and applications will stimulate economic growth, improve individuals’ well-being and address some of today’s societal problems. Finally, it must be stressed that a number of principles that should also underlie the governance of the IoT have already been debated at the World Summit on the Information Society (WSIS)25. The EU was a key contributor to this international consensus, reflecting its earlier positions26. An important point here is that WSIS recognised the responsibility of governments for public policy issues27: public authorities cannot shirk their responsibilities towards their citizens. In particular, the governance of the IoT must be designed and exercised in a coherent manner with all public policy activities related to Internet Governance. 21 See the related work conducted at IETF: tools.ietf.org/wg/6lowpan/ 22 See COM/2008/0886 final – Action plan for the deployment of ITS in Europe 23 The American National Intelligence Council considers ubiquitous computing as one of the nine technologies that will be a ‘game-changer’ by 2025. See www.dni.gov/nic/NIC_2025_project.html 24 Songdo (South Korea) is a 6km² city, now under construction, that will showcase the first large-scale deployment of IoT. See www.songdo.com/page1992.aspx 25 The Tunis Agenda for the Information Society, one of the main outcome documents of WSIS, outlines the main principles www.itu.int/wsis/documents/doc_multi.asp?lang=fr&id=2266|2267 26 See COM/2006/0181 final — Towards a Global Partnership in the Information Society: Follow-up to the Tunis Phase of the WSIS 27 Tunis Agenda paragraph 35a states that ‘policy authority for Internet-related public policy issues is the sovereign right of States. They have rights and responsibilities for international Internet-related public policy issues’ EN 5 EN The governance of what? Typically, things become connected by getting assigned an identifier and a means to be connected to other objects or to the network. The amount of information on the object is usually limited, the remainder residing elsewhere in the network. In other words: accessing information related to an object implies establishing a network communication. Immediate questions arise as to: – How is this identification structured? (the object naming) – Who assigns the identifier? (the assigning authority) – How and where can additional information about that thing be retrieved, including its history? (the addressing mechanism and the information repository) – How is information security ensured? – Which stakeholders are accountable for each of the above questions, what is the accountability mechanism? – Which ethical and legal framework applies to the different stakeholders? IoT systems which have not properly addressed these questions could have serious negative implications, such as: – Mishandled information could reveal an individual’s personal data or compromise the confidentiality of business data. – Unsuitable assignation of rights and duties of private actors could stifle innovation. – Lack of accountability could jeopardise the functioning of the IoT system itself. Line of action 1 — Governance The Commission will initiate and promote, in all relevant fora, discussions and decisions on: – defining a set of principles underlying the governance of IoT; – setting up an ‘architecture’ with a sufficient level of decentralised management, so that public authorities throughout the world can exercise their responsibilities as regards transparency, competition and accountability. 4. LIFTING THE OBSTACLES TO THE UPTAKE OF THE INTERNET OF THINGS Besides the governance issues addressed in section 3, as IoT becomes a reality there are many other issues still unresolved, each of them constituting a potential impediment to IoT uptake. This section will highlight the main ones and detail the actions the Commission intends to take to address them. Privacy and protection of personal data Social acceptance of IoT will be strongly intertwined with respect for privacy and the protection of personal data, two fundamental rights of the EU28. On one hand, the protection of privacy and personal data will have an influence on how IoT is conceived. For example, a home equipped with a health monitoring system could process some of the inhabitants’ 28 See Articles 7 and 8 of the Charter of Fundamental Rights of the European Union EN 6 EN sensitive data. A prerequisite for trust and acceptance of these systems is that appropriate data protection measures are put in place against possible misuse and other personal data related risks. On the other hand, it is likely that the uptake of IoT will affect the way we understand privacy. Evidence for this is given by recent ICT evolutions, such as mobile phones and online social networks, particularly among younger generations. Line of action 2 — Continuous monitoring of the privacy and the protection of personal data questions The Commission recently adopted a Recommendation29 that provides guidelines on how to operate RFID applications in compliance with privacy and data protection principles; in 2010 it intends to publish a broader Communication on privacy and trust in the ubiquitous information society. These two examples illustrate how, in practice, the Commission will watch over the application of data protection legislation to IoT: – by consulting, when necessary, the Article 29 Data Protection Working Party; – by providing guidance on the correct interpretation of EU legislation; – by fostering dialogue among stakeholders; – by proposing, if necessary, additional regulatory instruments. Line of action 3 — The ‘silence of the chips’ The Commission will launch a debate on the technical and legal aspects of the ‘right to silence of the chips’, which has been referred to under different names by different authors30 and expresses the idea that individuals should be able to disconnect from their networked environment at any time. Trust, Acceptance and Security Information security is a must and is seen by most stakeholders as a major concern of IoT. In the private sphere, information security is closely linked to the questions of trust and privacy mentioned above. Past experience with the development of ICT shows that they are sometimes neglected during the design phase, and that integrating features to safeguard them at a later stage creates difficulties, is costly and can considerably reduce the quality of the systems. It is therefore crucial that IoT components are designed from their inception with a privacy- and security-by-design mindset and comprehensively include user requirements. As part of its 2009 Work Programme, in support of EU policy, the European Network and Information Security Agency (ENISA) has undertaken to identify emerging risks affecting trust and confidence, in particular regarding RFID. This constitutes a first step in the understanding of the privacy and security risks that will impinge on IoT. 29 See C(2009)3200 — Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification 30 See Adam Greenfield, ‘Everyware’, ISBN 0321384016 EN 7 EN Another key aspect to building trust is the capability to adjust the functioning and properties of technological systems to individual preferences (within safe boundaries). Studies31 have shown that giving users a sufficient level of control improves their level of trust and plays an important role in the uptake of the technology. In the business sphere, information security translates into the availability, reliability and confidentiality of business data. For a company, questions arise as to who has access to their data or how they can grant partial access to their data to a third party. These questions, while in appearance simple, are profoundly affected by the complexity of today’s business processes32. Line of action 4 — Identification of emerging risks The Commission will follow the ENISA work mentioned above and will take further action as appropriate, including regulatory and non-regulatory measures, to provide a policy framework that enables IoT to meet the challenges related to trust, acceptance and security. Line of action 5 — IoT as a vital resource to economy and society Should IoT grow to the importance it is expected to attain, any disruption might have a significant impact on economy and society. The Commission will therefore closely follow the development of IoT infrastructures into a vital resource for Europe, especially in connection with its activities on the protection of critical information infrastructure33. Standardisation Standardisation will play an important role in the uptake of IoT, by lowering entry barriers to newcomers and operational costs for users, by being a prerequisite for interoperability and economies of scale and by allowing industry to better compete at international level. IoT Standardisation should aim at rationalising some existing standards or developing new ones where needed. IoT would also greatly benefit from a rapid deployment of IPv6, as proposed by the Commission34 and endorsed by the Council, as this would make it possible to directly address any number of objects needed through the Internet. Line of action 6 — Standards Mandate The Commission will assess the extent to which existing standards mandates can include further issues related to IoT35 or launch additional mandates if necessary. Additionally, the Commission will keep monitoring developments in European Standards Organisations (ETSI, CEN, CENELEC), their international counterparts (ISO, ITU) and other standards bodies and consortia (IETF, EPCglobal, etc) with a view for IoT standards to be developed in an open, transparent and consensual manner with the participation of all interested parties. 31 See the European research project SWAMI: www.isi.fraunhofer.de/t/projekte/e-fri-swami.htm 32 See the related work of IETF — https://www.ietf.org/mailman/listinfo/esds 33 See COM/2009/0149 final — Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience 34 See COM/2008/0313 final — Advancing the Internet: action plan for the deployment of IPv6 in Europe 35 See mandate EC/436 on RFID and ma