Academic year: 2021


How to regulate the Internet of Toys in the Netherlands?

Student name: B.A.S. van Banning

Student ID: s1754742

Supervisor: Dr. B. van den Berg

Second reader: Mr. S. Boeke

Course: Master’s Thesis Crisis & Security Management

Faculty: Faculty of Governance and Global Affairs

Date: August 10th, 2017


Preface

This thesis marks the end of my MSc. Crisis and Security Management and with that the end of my career as a student at Leiden University. To be honest, I never would have thought that I would write a thesis about dolls, cuddly toys or other toys that are connected to the internet. It certainly was a fun way to explore the field of regulation in combination with privacy and cyber security.

I had the pleasure to do a graduation internship within Deloitte’s Cyber Risk Services. I would like to thank my colleagues for being there, answering questions, showing me how CRS works, and for the good time. In particular, I would like to express my gratitude to Esther van Luit and Anouk Jessurun, who helped me with the thesis content and process as well as with the integration within Deloitte.

Second, I would like to thank all the respondents for their time and their view on the IoToys regulation puzzle. I appreciated their efforts to invite me to, e.g., workshops and meetings, and to connect me with other people in their network.

Third, I would like to thank Dr. van den Berg for her supervision throughout the thesis trajectory. Fourth, I thank Bram Perenboom and my father for reviewing my thesis. And last, I am particularly grateful for the support Elisabeth and my mom have given me.

Amsterdam, August 10th 2017


Abstract

The Internet of Toys, as a subcategory of the Internet of Things, uses similar technologies and has comparable security and privacy issues as other connected objects. However, the impact differs as children, who are less aware of the risks, consequences and safeguards concerned, form a target group for internet connected toys.

Current incentives by consumers and government authorities do not encourage manufacturers and other market operators to invest in security and privacy measures. The lack of such measures results in poorly designed devices, which most likely will not receive any security patches. Through regulation, involved actors should be triggered to enhance the security and privacy of the Internet of Toys. Here, the government has a leading role in enabling other forms of regulation and forming an ecosystem of regulation measures that mitigates the security and privacy risks attached to the Internet of Toys: first by establishing essential requirements in specific regulatory contexts such as hardware and software security and liability, which is a precondition for law enforcement activities by government authorities. Furthermore, the government has to provide tools and resources so that companies, consumers, and other stakeholders can make informed decisions about the Internet of Toys. Here, investing in awareness and education is essential.

The Netherlands is used as a case study.

Keywords: Internet of Toys, Internet connected toys, Regulation, (Cyber) Security, Privacy, Incentives.

Disclaimer:

The opinions expressed in this study are those of the author and interviewees, and do not necessarily reflect the


List of acronyms and abbreviations

ACM Netherlands Authority for Consumers and Markets

AT Radiocommunications Agency Netherlands

AP Dutch Data Protection Authority

CB Dutch Consumers’ Association

DoS Denial of Service attack

DDoS Distributed-Denial of Service attack

EC European Commission

EU European Union

FBI Federal Bureau of Investigation

FOSI Family Online Safety Institute

FPF Future of Privacy Forum

GPSD General Product Safety Directive

GDPR General Data Protection Regulation

IoT Internet of Things

IoToys Internet of Toys

RFID Radio-Frequency Identification

TSD Toy Safety Directive

MinEZ Dutch Ministry of Economic Affairs

MinV&J Dutch Ministry of Security and Justice

NFC Near-Field Communication

NVWA Netherlands Food and Consumer Product Safety

MinVWS Dutch Ministry of Health, Welfare and Sports of the Netherlands


Table of Contents

PREFACE ... I

ABSTRACT ... II

LIST OF ACRONYMS AND ABBREVIATIONS ... III

TABLE OF FIGURES ... VI

TABLE OF TABLES ... VI

1 INTRODUCTION ... 7

1.1 PROBLEM DEFINITION ... 8

1.2 SOCIETAL AND ACADEMIC RELEVANCY ... 10

1.3 THESIS STRUCTURE ... 11

2 THEORETICAL FRAMEWORK ... 12

2.1 INTERNET OF THINGS’ TIMEFRAME ... 12

2.2 INTERNET OF TOYS ... 15

2.3 IOT(OYS) RISKS ... 21

2.4 RISK MITIGATION THROUGH REGULATION... 26

2.5 MODEL OF MODALITIES (LESSIG,2006)... 29

3 RESEARCH DESIGN AND METHODOLOGY ... 33

3.1 OPERATIONALISATION OF CONCEPTS ... 33

3.2 RESEARCH DESIGN ... 35

3.3 QUALITATIVE METHODS ... 36

3.3.1 Desktop research ... 36

3.3.2 Document Analysis ... 36

3.3.3 Interview ... 37

4 IOTOYS’ REGULATORY LANDSCAPE ... 38

4.1 LAW ... 39

4.1.1 Children’s rights ... 39

4.1.2 Product legislation and consumers’ rights ... 40

4.1.3 Privacy rights ... 42

4.2 NORMS ... 45


5 IOTOYS: GAPS IN REGULATION ... 48

5.1 SELF-REGULATION FAILS ... 48

5.2 NO INCENTIVES BY GOVERNMENT AUTHORITIES ... 49

5.3 NO INCENTIVES BY CONSUMERS/SOCIETY ... 52

6 IOTOYS: SOLUTIONS & INCENTIVES... 54

6.1 DESIGN AND SOFTWARE LIABILITY ... 54

6.2 AWARENESS &EDUCATION ... 59

7 IOTOYS: CHALLENGES IN REGULATION ... 62

7.1 MARKET VERSUS POLITICS AND POLICY ... 62

7.2 AWARENESS AND EDUCATION ... 64

8 CONCLUSION... 65

9 DISCUSSION ... 67

BIBLIOGRAPHY ... 68

ANNEXES ... 76

I INTERVIEW QUESTIONS (IN DUTCH) ... 76

II INTERVIEWEES ... 77


Table of Figures

Figure 1 IoToys Connectivity (Van Diermen, 2017, p. 9) ... 19

Figure 2 IoToys classification by FPF/FOSI (2016, p. 3)... 19

Figure 3 IoToys anatomy (Boss, Bruce, Case, & Miller, 2001, p. 2) ... 20

Figure 4 Hello Barbie anatomy (Bouvet, 2016; Somerset Recon, Inc, 2015). ... 21

Figure 5 Connected/Smart/Sensor IoToys ... 24

Figure 6 Model of Modalities (Lessig, 2006, p. 123) ... 29

Figure 7 Model of Modalities (Lessig, 2006, p. 130) ... 31

Figure 8 Operational framework IoToys Regulation ... 35

Figure 9 Actors involved in IoToys regulation ... 38

Figure 10 Actors involved in the supply chain of toys ... 47

Figure 11 Example of a possible privacy label (Van Diermen, 2017) ... 60

Table of Tables

Table 1 Publically available discourses on IoToys Benefits (Chaudron, et al., 2017, p. 8) .... 15

Table 2 Publically available discourses on IoToys Risks (Chaudron, et al., 2017, p. 8) ... 22

Table 3 IoToys classification based on types of data (Van Diermen, 2017) ... 23


1 Introduction

On November 14th 2015, a database of toy manufacturer VTech was hacked (VTech Holdings Limited, 2015a). In their statement, VTech argues that an unauthorized party had gained access to the customer database that ‘contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history’ (Ibid.). According to VTech, about 5 million customer accounts and related children’s profiles were affected (VTech Holdings Limited, 2015b). In the same year, hackers and privacy advocates questioned the security of an internet connected doll called ‘Hello Barbie’ (Meers, 2015). As the involved third parties were unknown and the doll was hackable, Hello Barbie quickly became ‘Creepy’ or ‘Eavesdropping’ Barbie (Halzack, 2015).

Since late 2016, issues concerning IoToys have appeared in the news again, which incited the public debate about the safety, security, privacy and other fundamental rights of children in relation to these connected smart toys. In December 2016, the Norwegian Consumer Council (Forbrukerrådet) published two reports in which consumer and privacy issues concerning three internet-connected toys were analysed, based on their terms and conditions and technical features (Forbrukerrådet, 2016). Those toys (the dolls ‘My Friend Cayla’ and ‘Hello Barbie’, and the robot ‘i-Que’) can respond to the voices of children by using microphones and speech recognition. Forbrukerrådet (2016, p. 3) concluded in their technical report that the two toys had ‘practically no embedded security’. ‘My Friend Cayla’ was removed from the shelves by Blokker Holding (the Dutch toy supplier) in the Netherlands in December 2016. In February 2017 Cayla was banned from the German market by the German watchdog, the Federal Network Agency (Bundesnetzagentur, 2017). Cayla connects to the internet to answer children’s questions. The German watchdog argues that Cayla could be used as a surveillance device as it possesses unauthorised wireless transmitting equipment (in this case Bluetooth technology). As a result, conversations between the child and its environment could be recorded and dispatched (Hunt, 2017). Moreover, through vulnerabilities in the software, technically capable people could interact with the child through Cayla, which as a result could say inappropriate words. In another incident, 2 million voice messages recorded by CloudPets soft toys were available in an open database (Hunt, 2017).


Welcome to the world of the Internet of Toys (IoToys), in which conventional toys are enriched with Internet of Things (IoT) technology. The benefits of IoToys seem undeniable as many possibilities for learning and playing come into existence. However, the security and privacy risks of IoToys should be our primary concern as children and their environment could be affected. Children are vulnerable and therefore a protected group within society. Recital 38 of the General Data Protection Regulation states that children need special protection of their personal data as children are ‘less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data’, in particular where personal data is processed for marketing and profiling. Hunt (2017) argues that our tolerance of security and privacy infringements differs when children are victimised. This means that society does not tolerate things that could possibly harm children. However, in the case of IoToys this different tolerance level has not (yet) resulted in effective activities to mitigate those risks.

1.1 Problem definition

On July 17, 2017, the Federal Bureau of Investigation (FBI) placed a public service announcement in which they ‘encourage consumers to consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments’ (Federal Bureau of Investigation, 2017). Here, the FBI gave a list of recommendations (see Annex III FBI: Consumer notice on Internet-connected toys, page 78) that consumers should consider before they buy an internet-connected toy. The consumer notice of the FBI implies that consumers have to take an active role before buying and using IoToys. Although I think this is a valid consumer notice, I argue that besides consumers, both public and private parties have to take an active role in mitigating the issues around internet-connected toys.

The European Research Cluster on the Internet of Things (2015) argues that it is a necessity to include standardization, regulation, legislation, interoperability, certification and other activities in the life-cycle process of the Internet of Things (IoT). Mattern & Floerkemeier (2010, p. 245) argue that the IoT infrastructure ‘must be efficient, scalable, reliable, secure and trustworthy, but it must also conform with general social and political expectations, be widely applicable and must take economic considerations into account’. I argue that this also applies to IoToys. In the current situation, no clear overall owner can be identified for the problems/risks that are caused by IoToys. Mayntz (2009, pp. 121-122) argues that regulation comprises ‘different forms of deliberative collective action in matters of public interest’. Therefore, I argue that each actor involved in IoToys has a certain responsibility to contribute to safe and secure IoToys. The objective of IoToys risk mitigation can be realised only when common goals and individual and shared responsibilities are brought together. Moreover, it is necessary to look at how the obligations and interests of different actors can be properly deployed, so that the public interest (in this case safe/secure children's toys) is pursued as well as possible. Regulation measures should individually or comprehensively trigger involved actors to contribute to enhanced security and privacy for IoToys devices. Therefore, this thesis is about the regulation of IoToys.

The aim of this thesis is to explore the field of public and private actors involved in IoToys. Considering the feasibility for the researcher of reaching actors involved with the regulation of IoToys, the Netherlands is used as a case study. This means that only Dutch stakeholders are interviewed for this thesis. Once identified, the various incentives needed within society in order to form an ecosystem of regulation measures that mitigates the security and privacy risks attached to the Internet of Toys are described. This thesis does not cover the governance (different modes of action) of IoToys. The technical aspects of realising secure IoToys are not taken into account in this thesis. Within this thesis, IoToys are delineated in conformity with Article 2 of Directive 2009/48/EC on the Safety of Toys as ‘any product or material designed or intended, whether or not exclusively, for use in play by children under 14 years of age’. However, these IoToys have the characteristic of being connected to the internet. This is an important feature, as connected toys have greater social and legal implications concerning privacy and security (Future of Privacy Forum & Family Online Safety Institute, 2016). Furthermore, this thesis is not about the effect of IoToys on children’s behaviour and educational development, or the cultural and pedagogic suitability of IoToys. The demarcation described above results in the following research question:


In order to answer this research question, the following sub-questions are formulated:

1. What does the IoToys landscape look like in the Netherlands in 2017?

2. Which gaps are there in the regulation of IoToys in the Netherlands according to stakeholders?

3. Which incentives/solutions exist to fill the gaps in the regulation of IoToys in the Netherlands according to stakeholders?

4. What are challenges in the implementation of those incentives/solutions?

1.2 Societal and academic relevancy

The academic relevance of researching the regulation of IoToys lies in understanding, identifying and perhaps eventually reducing risks within this domain. As far as the writer is aware, no research has been done on this specific topic. Since little is written about the regulation of IoToys, this thesis contributes to addressing the knowledge gap for this specific phenomenon. Furthermore, this thesis provides the reader with a comprehensive view by mapping a multiplicity of ways to regulate IoToys products in the future. By using Lawrence Lessig’s Model of Modalities, this thesis identifies key indicators/modalities to regulate IoToys. The societal relevance of this master thesis is gaining insight into the IoToys paradigm and highlighting the urgency for a broader discussion on this topic. Since little research has been done on IoToys, the results could inform and advise all stakeholders. Moreover, this thesis fits within the overarching discussion about the security of IoT devices or hard- and software in general. Furthermore, this thesis is important as it concerns the safety/security and privacy of children.

Although this thesis focusses on IoToys regulation in the Netherlands, results of this research could be relevant for other EU member states as the risks of IoT technology (and IoToys specific) are identical. Furthermore, as the EU focusses on harmonization between the member states, most regulation, for example the General Data Protection Regulation (GDPR), is issued at the EU-level. The underlying norms are to a large extent similar for other EU member states.


However, the fulfilment or application of EU regulations and the actors involved could differ in each member state, for example because other governance mechanisms are applied. For the companies involved, analysing trends surrounding the regulation of IoToys products thereby gives the possibility to adapt at an early stage. Furthermore, this research is meant to instigate the discussion about how IoToys devices should and must be regulated, and how the quality of the product and the privacy/security of the consumer in his private environment should be safeguarded in the future. The insights derived from this thesis aim to enhance the privacy/security of IoToys’ users and future IoToys products.

1.3 Thesis structure

The remainder of this thesis is organised as follows. In chapter two, the theoretical framework is described. Subsequently, the research design and methodology are outlined in chapter three. Here, the main question and the sub questions are defined. Thereafter, in chapter four, the analysis takes place, which answers the first sub question about the regulatory landscape of IoToys in the Netherlands. The next chapter, chapter five, answers the second sub question concerning the gaps in the regulation of IoToys. The third sub question, which concerns the incentives and solutions necessary to regulate IoToys, is elaborated in chapter six. In chapter seven, the fourth sub question regarding the difficulties in the regulation of IoToys is expounded. Chapter eight contains the conclusion, which answers the main question. Finally, chapter nine encompasses the discussion of this thesis.


2 Theoretical Framework

This chapter focuses on introducing and delineating the different concepts and theories used in this master thesis. The first paragraph comprises a historical overview and introduction to the overarching concept of the ‘Internet of Things’. Next, the phrase ‘Internet of Toys’ is demarcated. To become acquainted with this relatively new phenomenon, the different categories and characteristics are described. This includes a general description on the anatomy of IoToys. Here some consumer products are described shortly. In paragraph 2.3 the general risks of IoT and IoToys are mentioned. Subsequently, the theories and concepts regarding regulation are discussed. Paragraph 2.4 explains why regulation is necessary to mitigate the risks mentioned in paragraph 2.3. The last subsection introduces Lessig’s theory on modalities of regulation.

2.1 Internet of Things’ timeframe

In the last years, the internet has increasingly extended to the Internet of Things (IoT). The IoT vision is that IoT technology, with the internet as the core technology, is invisibly embedded in everyday objects (Mattern & Floerkemeier, 2010; Gubbi, Buyya, Marusic, & Palaniswami, 2013; Olson, Nolin, & Nelhans, 2015). This results among others in smart thermostats that are connected to the internet. The smart thermostat can automatically adjust the temperature based on the routines and preferences of the users. Furthermore, there are wearables that track both your heart rate, as well as your activities. Then, there are various connected devices that contain sensors that can detect environmental changes. The application of IoT technology is endless. The IoT-vision is based on the prognosis that progressions within microelectronics, and communications and information technology (which follow each other rapidly) will lead to an increasing number of connected devices (Mattern & Floerkemeier, 2010, p. 242). This vision derives from ubiquitous computing, which is the third wave of the computing revolution¹.

Around the 1990s, members of the Xerox Palo Alto Research Center (PARC) Ubiquitous Computing Program explored how to embed computers invisibly in the physical environment.

¹ The first wave of the computing revolution is called the mainframe era. The second wave is


The program was the result of a mutual understanding among PARC members that the personal computer was too big and complex and therefore not ergonomic (Weiser, Gold, & Brown, 1999). Through ‘ubiquitous computing’ the researchers wanted to move the personal computer from its dominant place on the desktop to the environmental background, striving for calmness (Weiser, Gold, & Brown, 1999; Weiser, 1998). In order to disappear into the environmental background, the size and price of computers had to be minimised (Weiser, 1998). This resulted in a new field of computer science, which brought the digital and physical world closer together. Small and inexpensive low-end computers built with sensors, actuators, displays, hard- and software elements were integrated into everyday objects and became part of the connected wired/wireless world (Weiser, Gold, & Brown, 1999; Payne & Macdonald, 2004).

The ‘Internet of Things’ became the marketing buzzword² for describing internet connected objects. The concept ‘IoT’ was first mentioned during a presentation by Kevin Ashton in 1999 (Ashton, 2009). Ashton argued that the main body of data available on the internet was entered and created by humans (Ibid.). Ashton stated that there are limitations to this human-entered data as human beings ‘lack time, attention and accuracy’ (Ashton, 2009, p. 1). He therefore imagined computing without human interference by enriching computers with Radio-Frequency Identification (RFID) and sensor technology. However, in order to bring the IoT concept to life, several enabling technologies have to be integrated together (Atzori, Iera, & Morabito, 2010). Moreover, the falling prices, declining energy consumption and shrinking size of hardware in the last years contributed to the emergence of the IoT (Payne & Macdonald, 2004; Surman & Thorne, 2016).

In comparison with ubiquitous computing, IoT originally focused on automated, Machine-to-Machine (M2M) interaction (Cáceres & Friday, 2012). Miorandi et al. (2012) argue that IoT comprises a broader term. First, IoT envisions a worldwide network of interconnected smart objects that use internet technology. Moreover, IoT includes supporting technologies, for example RFID, sensors and actuators, that make the interconnection between Machine-to-Machine (M2M) devices, and smart devices that provide the man-machine user experience, possible (Miorandi, Sicari, De Pelligrini, & Chlamtac, 2012). IoT thus also refers to the arsenal of applications and services that exploit the supporting technologies to create market value (Ibid.). The supporting technologies, applications and services enable devices to become active participants in the information and knowledge systems in society (European Research Clusters on the Internet of Things, 2015). As active participants, the devices can observe and respond to their environment, mostly in an autonomous way (European Research Clusters on the Internet of Things, 2015). The high applicability of IoT technology in society means that IoT is often defined by the following orders of magnitude: ‘billions of devices connected, trillions in generated revenue, zettabytes of multi-directional data’ (Perry, 2016). The high amount of data that is derived from those observations and proceedings can be gathered and shared across platforms to obtain a common picture of the operations (Gubbi, Buyya, Marusic, & Palaniswami, 2013). IoT insights, through IoT data analysis, could be applied to solving problems in various domains, out of which new services, applications, working and communication methods evolve (Miorandi, Sicari, De Pelligrini, & Chlamtac, 2012; European Research Clusters on the Internet of Things, 2015). The integration of physical objects in the virtual world through IoT technology furthermore facilitates remotely controlled internet services, which are applicable at the individual level as well as at the governmental and business level (Mattern & Floerkemeier, 2010; Karkouch, 2016). Besides these three different levels, IoT can be seen as an innovation wave that affects all domains within society, creating sub-areas of IoT (Olson, Nolin, & Nelhans, 2015).

² Next to the Internet of Things, other terms emerged that are interlinked with the concept of ubiquitous computing (Weiser, 1991), such as: pervasive computing (Orwat, Graefe, & Faulwasser, 2008), ambient intelligence (Olson, Nolin, & Nelhans, 2015), Internet of Everything (Nedeltchev, 2014) and Everyware (Olson, Nolin, & Nelhans, 2015).
The application of IoT devices in these domains and sub-areas goes beyond our imagination, for example smart homes, offices, cities, industries, electronic-health technology and possibilities for enhanced learning etc. are created (Bandyopadhyay & Sen, 2011; Olson, Nolin, & Nelhans, 2015; Karkouch, 2016). Thus, IoT technology enables a digital transformation of conventional items in daily life, adding a new dimension with significant value (Mattern & Floerkemeier, 2010).


2.2 Internet of Toys

Among those conventional objects, IoT technology can be integrated with traditional toys as well, creating IoToys. IoToys are already part of the children’s entertainment market (Future of Privacy Forum & Family Online Safety Institute, 2016). In the report ‘Smart Toys: Hardware, Technology & Leading Vendors 2017-2022’, Juniper Research forecasts that worldwide annual smart toy sales could grow from $4.9 billion in 2017 to $11.3 billion by 2020 (Guardian News and Media Limited, 2017). Interactive and adaptive IoToys enable advanced opportunities for ‘play, learning, health and educational support’ (Chaudron, et al., 2017, p. 6). In the report ‘Kaleidoscope on the Internet of Toys’ from the European Commission, Donell Holloway inventoried the risks and benefits of internet connected toys found in publicly available discourses (in English). Holloway argues that the benefits are mostly promoted in advertisements and infomercials that focus on the educational value and other moral attributes of IoToys (Chaudron, et al., 2017). However, there are other, less dominant discourses about the benefits and risks of IoToys. The risks are described in Table 2 in §2.3. The benefits of IoToys, or at least how they are promoted, discussed and portrayed, are listed in the table below. Note that neither list is comprehensive, and none of these points need be true of or applicable to all IoToys products. The risks and benefits are ranked from most prominent to less published viewpoints.

Table 1 Publically available discourses on IoToys Benefits (Chaudron, et al., 2017, p. 8)

- Educational (Engaging and individualised to child)
- Encourages play and toy interaction of passive screen time?
- Fun, exciting
- Can teach coding
- Supports more physically active play
- Encourages more social play with toy and with other children
- Fosters collaborative play with other children
- Diagnostic possibilities (Identify learning difficulties or medical problems)
- Safe and secure (Internet privacy and security)


The benefit in Table 1 that IoToys are safe and secure in the context of internet privacy and security is remarkable. The introduction on page 7 showed that security and privacy infringements do occur in IoToys. These infringements are the reason that, among others, the German watchdog and the FBI warn consumers about the risks of IoToys. Furthermore, being safe and secure (internet privacy and security) is no benefit in comparison with conventional toys that do not have an internet connection. On the contrary, I argue that the benefit of those conventional toys is the fact that they are not connected and therefore cause no privacy and security risks. Thereby, I argue that safe and secure should not be regarded as ‘benefits’, but rather as requirements for products in general.

Although the phenomenon of IoToys is relatively young, there is a wide variety of products that fall under the category IoToys. IoToys exemplify how digital technologies can be embedded in learning and play methods for children. On the basis of the online content analysis, three different categories can be distinguished within the wide variation of IoToys. For the method of the IoToys categorisation see §3.3.

The first category encompasses tangible IoToys. The outside characteristics of tangible IoToys are similar to their conventional equivalents. The functionality of these tangible IoToys varies. The first subgroup of tangible IoToys occurs in the form of interactive dolls (Cayla, Hello Barbie), cuddly toys (e.g. CloudPets), and animals (e.g. Cognitoys Dino). These toys are enriched with sensors (mostly microphone and/or camera) and actuators (mostly speech) and have the processing capability to respond to their environment. Another kind of tangible IoToys can be regarded as ‘Toys to life’. This genre consists of physical toys that are able to interact with a dedicated video game on a games console (for example Xbox/PlayStation/Wii). With ‘Toys to life’ two traditionally separate activities (interaction with physical toys and interaction with video games) are brought together (Manches, Duncan, Plowman, & Sabeti, 2015). Examples of the Toys to life genre are Skylanders, Amiibo, Disney Infinity and Lego Dimensions. The business model of Toys to life is based on the fact that, besides the initial soft- and hardware, separate plastic figurines must be bought by the consumers. Birchfield and Megowan-Romanowicz (2009, p. 407) argue that this interweaving of the digital and physical world creates ‘mixed reality environments’. Another subcategory of tangible toys are robotics and (nano) drones. These robots and drones take many forms and range from programmable, remote controlled robots to easy-to-assemble pull-back toys (Pemberton, 2017). These robots can be controlled directly from a smartphone or be connected to another device. Furthermore, some of these robots have the ability to adapt to their environment, learn new skills and change their behaviour (e.g. WowWee Chip the Robot Dog).

The second category of IoToys are wearables. Wearable technology adds a new dimension to how IoT devices are embedded in society, as the devices can be embedded in clothing or be worn on the body. IoToys wearables are used in two different ways. First, as the more traditional wearable that extracts certain data. These wearable IoToys devices are able to automatically and continually track a wide range of accurate and personalised user information, and are thereby capable of communicating with other technologies (Fernandez, 2014). For example, a wearable wristband fitness tracker, named KidFit1, can respond to children’s physical activity (Manches, Duncan, Plowman, & Sabeti, 2015). Another wearable called ‘HereO’ comes in the form of a children’s watch that has the ability to send the location of a child to the parents (Ibid.). Besides the IoToys wearables there are also other IoT driven wearables meant for children that do not fall under the category IoToys. These wearables provide data for parents/caregivers in order to analyse the behaviour of children (for example sleep patterns) (Fernandez, 2014). Disney’s Playmation combines figurines and wearable devices from popular franchises (such as Star Wars and Marvel) with each other ‘to create interactive adventures for kids to explore, all without requiring any kind of data connection or dedicated console’ (Etherington, 2015).

The third and final category are Learning Development apps and devices. There are special devices such as laptops (VTech’s Tote & Go Laptop and Brilliant Creations Advanced Notebook) and tablets that are made for children, which can contain books, apps, games and videos that educate children on various topics such as maths, science and (interactive) reading. Some of these devices can also auto-adjust to the level of the child. Some of those tablets have built-in microphones and/or cameras to take pictures and audio/video recordings. There are products where the microphone and/or camera are sold separately, for example LeapFrog Explorer (LeapFrog Enterprises, Inc., 2017). Other learning development apps are installed on normal smartphones or devices. Fisher-Price’s Laugh & Learn Apptivity Case combines an app with a baby-toy-looking case to keep the parent’s smartphone safe and protected (Amazon.com, Inc., 2017). In general, the apps and devices record the activities of the child. Parents can log in on a website to gain insight into what their child has learned.


The above described categorization of IoToys is based on the form or functionality (way to use) of IoToys. It became clear that it is hard to make such a categorization as devices and objects often are combined, creating hybrid forms.

In the whitepaper of the Future of Privacy Forum (FPF) and the Family Online Safety Institute (FOSI) a distinction is made in IoToys devices being ‘Smart Toys’ or ‘Connected Toys’. FPF and FOSI (2016) define Smart Toys as toys that are able to adapt to the actions of the user for example through embedded sensor and communication technologies. For an object to be labelled as ‘smart’ it must have the ability to be identifiable, to communicate and to interact either M2M or to end-users (Miorandi, Sicari, De Pelligrini, & Chlamtac, 2012). Olson et al. (2015, p. 885) argue that the adjective ‘smart’ is often used ‘to highlight positive aspects such as useful enablement, connectivity, and device interventions leading to human convenience’. FPF and FOSI however state that these smart toys are not necessarily connected to the Internet. These smart toys have the processing capabilities on-board.

In contrast, as the concept suggests, connected toys are connected to the Internet. This connectivity enables devices to collect, process and exchange data with internet-based platforms and other devices using computer services (Future of Privacy Forum & Family Online Safety Institute, 2016, p. 3). As mentioned before, a toy or device can record data while the user is playing. Aside from enabling surveillance for parents, the recording ensures the preservation of the memory of play (Chaudron, et al., 2017, p. 11). There are different technologies that make the communication or connectivity among devices (including toys), systems and services possible (Future of Privacy Forum & Family Online Safety Institute, 2016). Wireless radio technologies such as Wi-Fi, Bluetooth, RFID and Near-Field Communication (NFC) rely on radio waves through which tracking and communication between devices is possible (Electronic Privacy Information Center, 2013). Wi-Fi and Bluetooth are the most common built-in communication technologies in IoToys (Future of Privacy Forum & Family Online Safety Institute, 2016). However, there are IoToys that depend on a USB connection to obtain their functionality/smartness. These USB-connected toys, for example VTech’s ‘Cody the smart cub’, can be plugged into a computer. In this way new software, features, sounds etcetera can be downloaded onto the toy. In the case of Cody, VTech’s Learning Lodge website could be used to customise Cody for the child (VTech Electronics North America, LLC, 2017). The three ways (Wi-Fi, Bluetooth and USB) through which IoToys can be (in)directly connected to the internet are portrayed in Figure 1.


Figure 1 IoToys Connectivity (Van Diermen, 2017, p. 9)

The hybrid forms are called ‘connected smart toys’. For these IoToys an Internet connection is essential as the toys’ intelligence and/or functionality is empowered by a remote server (Chaudron, et al., 2017, p. 27; Future of Privacy Forum & Family Online Safety Institute, 2016). FPF and FOSI (2016) argue that connected toys cause greater privacy and security infringements than smart toys that do not have an internet connection. The capabilities of a smart toy combined with the connected feature make ‘connected smart toys’ the most interesting. Figure 2, derived from the whitepaper Kids & the connected home: privacy in the age of connected dolls, talking dinosaurs, and battling robots, illustrates the distinction between smart toys, connected toys, and connected smart toys and gives some examples.


IoToys are a combination of hardware, software, and services. “Hello Barbie”, developed by toy manufacturer Mattel and start-up ToyTalk, is used here to briefly explain this combination and the general anatomy of IoToys. According to Boss et al. (2001) hardware elements can be divided into three main components: firmware, electrical, and mechanical. The firmware is the software that runs on the micro-controller (Figure 4: Marvel 88MW300) and that is essential for the functionality of the hardware components. The electrical components form the core of the toy’s functionality. This comprises Hello Barbie’s printed circuit board (PCB), including various chips, modules, and signal connections (see Figure 4). Furthermore, the battery, sensor (microphone) and actuator (speaker) are electrical components. Hello Barbie’s hardware is housed in the part of the doll’s body that does not move (between the shoulders and the upper leg). The mechanical parts are limited to the power button and the push-to-talk switch, as “Hello Barbie” does not make movements on her own. This means that the child can only move the legs, arms and head of the doll manually.

Figure 3 shows that the software of toys can be divided into drivers, middleware and application (Boss, Bruce, Case, & Miller, 2001). The drivers are essential for the communication between the toy’s hardware and software, and for the implementation of toy-specific behaviour (Ibid.). The interaction between the toy’s hard- and software varies from simple in- and output tasks to complex data streaming. The driver provides a software interface through which other systems and applications can access and use hardware functions. ‘Middleware serves several purposes including hardware abstraction, grouping of software features, and reduction of complexity’ (Boss, Bruce, Case, & Miller, 2001, p. 4). Middleware thus filters and translates the information derived from the drivers for other software applications. Lastly, the application provides ‘all needed user-interface components as well as the majority of the functionality behind the user interface’ (Ibid.).


Figure 4 Hello Barbie anatomy (Bouvet, 2016; Somerset Recon, Inc, 2015).

2.3 IoT(oys) risks

The previous paragraph mentioned the benefits of IoToys. However, security incidents and privacy infringements involving connected IoToys suggest that those benefits come at a cost. In this paragraph, the risks of IoT in general and of IoToys specifically are discussed.

First, there are safety risks attached to all products. Safety in this regard comprises the physical and mechanical properties, flammability, chemical properties, electrical properties, hygiene and radioactivity of a product. Under certain circumstances these properties could cause physical damage or health implications for the user and the environment. However, the IoT paradigm also yields various other risks. IoT devices (including toys) are entering the domestic sphere. Subsequently, ‘dualisms of “security versus freedom” and “comfort versus data privacy” enter the domestic “smart” environment’ (Mattern & Floerkemeier, 2010, p. 56).

From a cyber security perspective, the implications rise considerably as billions of (conventional) objects are connected and embedded with intelligence (Deloitte MCS Limited, 2015; Lindqvist & Neumann, 2017). Park & Shin (2017) argue that privacy and security are the main concerns for manufacturers, developers, service providers, and end-users. The application and functionality of IoT rely on enhanced accessibility and moderated procedures for accessing networks (Ibid.). Park & Shin (2017, p. 193) argue that these characteristics make the IoT environment vulnerable to STRIDE threats: ‘spoofing, tampering, repudiation, information disclosure, denial of service (DoS), and elevation of privilege’. Spoofing refers to various deception techniques that are used in order to gain access to resources (TechTarget, 2017). There are also various kinds of tampering attacks that ‘attempt to modify trusted data toward some malicious aim’ (Davis, 2015). Repudiation stands for the possibility to deny the truth. The opposite, non-repudiation, means the ‘protection against an individual falsely denying having performed a particular action’ (National Institute of Standards and Technology, 2013). This ensures a certain transparency about the actions taken by a given individual. Information disclosure refers to methods and processes that expose information through which an attacker could obtain valuable information (Davis, 2015). In a DoS attack the attacker targets a specific computer or network (which is connected to the internet) in order to prevent legitimate users from accessing information or services (United States Computer Emergency Readiness Team, 2009). In the most common DoS attack the targeted server, which has limited processing capacity, is flooded with large numbers of requests. The result is that the computer and/or services are not accessible. Elevation of privilege is ‘the act of exploiting a flaw in a system that gives someone more rights than intended’ (Davis, 2015). As a result a person could access other data and services, which could lead to further exposure. The risks of IoToys, or at least how they are publicly discussed and portrayed, are listed in Table 2. Note that neither list is comprehensive, and none of these points has to be true or applicable to all IoToys products. The risks are ranked from most prominent to less published viewpoints.

Table 2 Publicly available discourses on IoToys risks (Chaudron, et al., 2017, p. 8)

- Data security (biographical data)
- Device security (toy can be hacked and used as a surveillance device)
- Device security (toy can be hijacked to behave badly or erratically)
- Device security (geolocational tracking of children)
- Children’s privacy (secrets recorded, incremental effect of data collection and sharing over a lifetime)
- Overuse and balance in life (sleep, physical activity, socialising)
- Lack of real authentic play (developmentally important)
- Lack of parent-child interaction (developmentally important)
- Play too controlled or contrived—driven by scripts and algorithms (e.g. Hello Barbie).


IoT devices (including IoToys) could potentially be compromised and used for two main objectives:

1 Device functions as a gateway to the valuable data in a system

Nowadays, children’s digital footprint is shaped at a younger age than before, partly due to connected devices. As these connected devices record valuable data about the user and his or her environment, there are risks attached. There are different kinds of data that can be retrieved from IoToys. Figure 2 showed that there are smart toys that are not connected to the internet. As a result, these toys do not cause security and privacy infringements. The toys that are connected do cause these privacy risks. In their privacy policy, CogniToys (2016) make a distinction between usage data, account data and play data. In Table 3 four possibilities of data sharing are described.

Table 3 IoToys classification based on types of data (Van Diermen, 2017)

| Type of shared data | Description |
|---|---|
| None | The toy has intelligence but is not connected, i.e. no risk from a security and privacy perspective. |
| Usage data | The toy can be updated with new versions of software or firmware in some way. No information is sent from the device to the Internet. Some form of usage data is collected and stored anonymised. The updates should be freely available. |
| Account data | Usage data and personal data such as name, email address, age, gender etc. are collected by the manufacturer or service provider. This covers all types of personal data, including the account data of friends. |
| Play data | Play data are the recordings made by the toy, voice as well as video or photographs, while the child was playing with the toy. Although still personal data, this is the most sensitive type and might require additional security measures compared to account data. |

As noted in Table 3, play data encompasses the most sensitive data. From each sensor (e.g. vision, audition, olfaction, sonar, infrared energy, temperature, vibration) data (e.g. images, sounds, movements, location, and information about health) could be recorded while children are playing and interacting with those toys.3 I argue that the number of sensor technologies embedded in a toy influences the sensitivity of the play data. Combining the data of different sensors within one device results in a complete picture of the end user’s environment. Therefore, Figure 2 misses the dimension of ‘multiple sensors’. In Figure 5, the characteristic ‘multiple sensors’ is added to FPF and FOSI’s IoToys classification of Figure 2. Connected smart toys that have multiple sensor technologies therefore carry the most risk: in those devices, all the risks of the different categories and technologies of toys come together.

3 It should be noted that not every sensor technology is already used in IoToys. However, the possible applications of those sensors are endless.

Figure 5 Connected/Smart/Sensor IoToys

Schneier (2016) argues that there are three things that affect the basic principles of users’ data: data theft (confidentiality), data modification (integrity), or data obstruction (availability). These risks also apply to IoToys. Data can be breached due to loss, neglect and insecure practices (inadvertent data exposure). These risks facilitate malicious activities. On the one hand the content of the data can be valuable (identity theft, information theft). On the other hand, the data can be used as leverage against an individual or organisation. The privacy of end-users is not necessarily infringed by a malicious party that has compromised a certain network or device. Manufacturers, service providers and other (third) parties themselves violate the privacy rights of end-users when data is used for secondary purposes (Electronic Privacy Information Center, 2013). Stealth advertising, for example, is a risk attached to internet-connected toys. Children do not see the difference between stealth advertising and editorial content (Wharton School of the University of Pennsylvania, 2012). Therefore, adversaries could influence the behaviour of children. Often these actors lack consumer consent or are not transparent. This was also the case with Cayla. The users of Cayla automatically accepted the terms and conditions when putting Cayla into use. The terms and conditions stated that the company behind Cayla reserved the right to target advertising at children. At the same time, the company could basically share data with any third party. And the company was not obliged to notify the user when the terms and conditions changed (Forbrukerrådet, 2016). “My friend Cayla” is a clear example of what could go wrong with IoToys.

2 Device functions as a gateway for computing power to execute attacks

On 20 September 2016, a distributed denial-of-service (DDoS) attack showed the vulnerabilities and possible impact that arise within the IoT paradigm. Instead of the earlier well-known techniques to perform a DDoS attack, this attack used malware called Mirai, which searches for vulnerable devices such as closed-circuit TV cameras (CCTVs) and digital video recorders (DVRs) (Lindqvist & Neumann, 2017). These ‘things’ were exploited and turned into bots. The attack was designed to take the website KrebsOnSecurity.com offline; however, it failed (Krebs, 2016a). A month later another DDoS attack, also using the Mirai malware, was executed successfully against the Internet infrastructure company Dyn (Krebs, 2016b). The above describes the collective risk that IoT technology poses at an organisational and societal level. A DDoS attack could target and affect critical infrastructures, which may have a disruptive impact on society. In most cases the user or owner is not aware that their device is compromised and used in an attack on other systems (Lindqvist & Neumann, 2017). Van Eeten & Bauer (2013) argue that security externalities are for the main part caused by devices of home users and small and medium-sized enterprises. As far as the author is aware, there is no evidence that IoToys have been used in a DDoS attack. However, in theory, IoToys could be used in DDoS attacks as well.

The above points to the grey area of risks in the IoT paradigm, in which the physical and virtual environment affect each other (Park & Shin, 2017). Security failures within IoT technology could (in)directly affect human lives (Lindqvist & Neumann, 2017; Electronic Privacy Information Center, 2013). For example, hacked devices used in industrial processes could cause safety issues. Moreover, hacked medical devices could become unreliable, causing health issues. Furthermore, hackers could use an IoT device as a surveillance device (Chaudron, et al., 2017). IoT devices often contain data about the location (e.g. through the IP address or GPS). In this way, a hacker could plan a break-in when nobody is at home (and thereby becomes a burglar). Sexual predators and other malicious actors could in this regard cause life-threatening situations if they find out where the child is.


2.4 Risk mitigation through regulation

New technologies bring certain (new) risks and additional security concerns (Van Eeten & Bauer, 2013). Lindqvist and Neumann (2017) argue that new risks also evolve through developments in the market. Luiijf (2014) in this regard argues that no or insufficient time is spent on security when a new cyber wave, such as IoT, emerges. Luiijf (2014) states that there are two reasons for the lack of security measures when these new cyber developments occur. First, security measures form an obstacle (i.e. time, money etcetera) to the human urge to make progress and to enhance functionality, for example by creating gadgets (Luiijf, 2014). As they strive for continuous progress, manufacturers focus less on what happened in the past. In this process manufacturers fail to learn from the cyber insecurity lessons of the past (Luiijf, 2014). Common failures, for example, are that new products, which are often remotely accessible, are deployed with simple and identical manufacturer-supplied default usernames and passwords such as admin/admin or user/user (Luiijf, 2014). Seen against the IoT risks described in the previous chapter, these default credentials make it easy to hack the devices. The website Shodan.io, a popular search engine for finding connected things, indexes IP addresses with open ports and shows which unsecured services are "available" at an address. For example, users can search for unsecured webcams that might just “accidentally” be placed in the bedroom of (sleeping) children. Another problem goes hand in hand with the urge of manufacturers to constantly forge ahead. As all manufacturers constantly bring new technologies and products to the market, previous products date quickly. At a certain moment the manufacturer will no longer provide these old products with updates and security patches. Schneier (2017a) argues that those devices become vulnerable and that they will pollute the internet once a malicious actor has seized them.

Second, IoT products are predominantly developed by non-ICT manufacturers instead of traditional ones (Luiijf, 2014). Furthermore, start-ups are active on the IoT market as well. These designers and software manufacturers aim at functionality and a fast time-to-market, and do not give prominence to security (Luiijf & Klaver, 2015). The trend with internet-connected products is that manufacturers sell the product before the software or its security is finished, in order to have a fast time-to-market. In theory, the software/security updates could take place while the consumer is already using the product. In practice, this means that the market is filled with vulnerable devices. Schneier (2017a) argues that most IoT products will not receive any security patches at all.

Schneier (2008) argues that risk management is nothing more than a cost-benefit trade-off of decisions on security. Competition drives manufacturers to aim at the lowest price (or at least lower than the competitor). The companies are driven by the balance between ‘the costs of improving security, the expected direct and indirect costs of security breaches, and the benefits of security measures’ (Van Eeten & Bauer, 2013, p. 447). Van Eeten and Bauer (2013) argue that from an economic perspective a certain level of accepted vulnerability exists. In some cases it could therefore be ‘more cost-effective to enhance the resilience of the system rather than reinforce its defences’ (Van Eeten & Bauer, 2013, p. 445). The tolerance of insecurity is therefore economically rational (Van Eeten & Bauer, 2008). However, Van Eeten and Bauer (Ibid.) argue that it is essential to question to what extent the costs and benefits for the market are in line with the social costs and benefits. In general, the actors in the market that initiate a certain activity do not take the social costs and benefits into account (Ibid.). This causes externalities, a type of market failure that produces deficient outcomes due to a grey area in market transactions (Ibid.). There is a wide spectrum of measures that can form incentives for actors that cause externalities. Van Eeten & Bauer (2013) argue that actors involved in the maintenance of the internet and its products have their own incentives to provide security. ‘The incentives typically have the correct directionality, but in a variety of cases they are too weak to prevent significant externalities from emerging’ (Van Eeten & Bauer, 2008, pp. 6-7). The incentives could thereby either conflict with or complement each other, and could be useful in other situations (Van Eeten & Bauer, 2008). Incentives are both economic and non-economic factors that are relevant to the decision-making of a certain actor (Van Eeten & Bauer, 2013).

Schneier (2017a) argues that the market is not going to solve the problem, as neither the consumer nor the seller of IoT products cares about the security of the devices. In other words, there are no (strong enough) incentives to provide security for IoT devices. Other or stronger incentives are necessary to mitigate the risks of IoT (including IoToys). Regulation is therefore inevitable (Schneier, 2017b). As mentioned in §1.1, the European Research Cluster on the Internet of Things (2015) argues that it is a necessity to include standardisation, regulation, legislation, interoperability, certification and other activities in the life-cycle process of the Internet of Things (IoT).


Black (2002a, p. 26) defines regulation as ‘the sustained and focused attempt to alter the behaviour of others according to defined standards or purposes with the intention of producing a broadly identified outcome or outcomes, which may involve mechanisms of standard-setting, information-gathering and behaviour-modification.’ In short, regulation has a certain purpose or aims at a certain goal, for which actions by both public and private actors are required (Black, 2002b). In this thesis, regulation aims at obtaining secure IoToys. Black (2002a, p. 5) argues that in a decentred society ‘fragmentation of knowledge, and fragmentation of power and control’ exist between public and private actors. This means that a single public or private actor does not have the knowledge to address complex and dynamic issues (Black, 2002a). And no single actor has the overview to exploit all the tools for effective regulation (Ibid.).

A regulatory society consists of various regulators that operate at different levels in society. Black (2002b, p. 170) argues that ‘regulators may operate at a transnational, supranational, national or sub-national level, and be governments, associations, or firms. The others involved may include professional associations, professional advisors, both legal and non-legal, accreditors, auditors, nongovernmental organizations, consumer and other special-issue groups’. Each regulator has its own goals, intentions, purposes, norms and powers to contribute to the regulation of a certain phenomenon (Black, 2002a). The regulators, the regulated and other involved actors together form the regulatory system of that phenomenon (Black, 2002b). A regulator will strive to change the behaviour of others in the regulatory system in order to arrive at a pursued outcome.

The next paragraph describes how something or someone is regulated according to Lessig’s model of modalities.


2.5 Model of Modalities (Lessig, 2006)

In his book ‘Code’, Lessig (2006) argues that different threats to liberty occur in a particular time and place. Since the nineteenth century, norms, state power and the market have in turn constrained or threatened the liberty of the individual in society (Lessig, 2006). Each constraint can be seen as a regulator that has a distinct modality of regulation. Lessig (2006) states that during the rise of the internet and cyberspace the line of thought was that government could not regulate this virtual society. However, Lessig (2006) argues that cyberspace gives rise to a new, powerful regulator. This regulator, called ‘code’, consists of the ‘instructions embedded in the software or hardware that makes cyberspace what it is’ (Lessig, 2006, p. 121). Lessig’s analysis focuses on regulation by code, in which he states that code equals law.

According to Lessig (2006), increased attention should be paid to how to deal with code as a regulator, while keeping the other regulators in mind. From the perspective of someone who is regulated, Lessig created the model of modalities, in which he makes a distinction between four modalities that each regulate the dot in Figure 6. This dot is the target of regulation. The four modalities are: Architecture, Market, Law and Social Norms. The combination of modalities regulates both the real world and the virtual world. Each modality is complex in its nature and the interactions between modalities are hard to describe. The definitions of the four modalities are given in Table 4 on page 33.


The first modality is law, which is an obligation imposed (ex ante) by national regulatory bodies. Here, the state authorities regulate in a formal way by using legislation and subsequent sanctions (punishments). As mentioned in the introduction, this is a traditional way of regulating by a state actor. This state actor can affect the other modalities by implementing laws. Lessig (2006) argues that law could have a substantial role in changing the other modalities. For example, the market is affected or constrained by taxes and subsidies. Law could thereby also change regulation by architecture. For example, speeding is forbidden by law and is punished in case you get caught, while speed bumps are designed (architecture) to change the behaviour of drivers. Norms could be changed by law, for example through education. With regard to cyberspace, Lessig (ibid.) argues that law is essential for the regulatory effect that code could have. The regulator therefore must know how technology interacts with legal regulation; however, ‘that interaction is often counterintuitive’ (Lessig, 2006, p. 155).

The second modality are (social) norms, which are collectively determined and self-enforced by members of the community (Lessig, 2006). These norms steer what is socially salient behaviour. In case an individual shows deviant behaviour, he or she has no influence on the consequences imposed by the community. Therefore, norms can form a constraint. Lessig (2006) argues that visibility and the absence of transience support the norms in a community. In contrast, anonymity, transience and diversity thwart the realisation of norms in a community (Ibid.). In spaces where self-enforcement by the community does not suffice, rules can be imposed through code or by a government authority (Ibid.).

The third modality is the market, which is enforced by property and contracts and driven by price. The quality and price of products and services form constraints. Lessig (2006) argues that the quantity and diversity of products and services influence these constraints. Here, choice between different products reduces the constraint (Ibid.). There are many variables that influence the price of the products and services that the market provides. For example, stake- and stockholders force companies in the market to maximise their corporate value (Lessig, 2006). These market forces affect the price, through which ‘individuals can exit and competitors can steal customers away’ (Lessig, 2006, p. 97). The market elements and effects are heavily regulated by law (Lessig, 2006).


The fourth modality is architecture. As noted at the beginning of this paragraph, code forms the architecture in cyberspace. The difference between a free cyberspace and a more controlled space is a difference in code. Lessig (2006) hereby argues that some architectures are more regulable and/or more suitable for control mechanisms than others. The architecture could consist of embedded instructions that protect society’s core values such as privacy and security. Lessig (2006) argues that architecture is a form of law: the code embeds certain values and sets restrictions on what is possible and impossible for people. These instructions, restrictions and choices are always built and made by humans. The internet and cyberspace are therefore the products of their design. The consequences of regulation by law and by code are different. Through law, government agencies can act ex post, by punishment (e.g. fines), which creates regulation by fear. Code, however, creates (ex ante) a physical/virtual barrier that affects behaviour.

However, what defines the achieved behaviour depends on who enforces the code and with what values. In the early days of the internet, the architecture of cyberspace was built by actors in the non-commercial sector. Subsequently, commerce increasingly built the architecture of cyberspace. Lessig (2006) asks to what extent the government could be the third generation to build cyberspace architecture. ‘Code codifies values’, which means that politics (‘a collective decision on how things ought to be’) should be involved in the decision-making on regulation by code (Lessig, 2006, p. 78).


Lessig (2006, p. 23) defines regulability as ‘the capacity of a government to regulate behaviour within its proper reach’. In comparison with real space, cyberspace brings particular challenges for regulability that make changing a constraint a difficult process (e.g. cyberspace crosses traditional national borders). Apart from regulating the individual subject, each modality could in a certain way, depending on the context, affect the other modalities (Figure 7). Lessig (2006) argues that regulation is the sum of those constraints. A change in one of the four constraints affects the regulation as a whole. Lessig (2006) argues that a constraint can be attained through different means and that the costs and benefits of those means differ.


3 Research design and methodology

The previous chapters showed that regulation could have a positive effect on the security and privacy of IoToys. It is still unclear, however, to what extent IoToys are regulated in the Netherlands, and insight into the current gaps and challenges in that regulation is needed. Hence, more information about IoToys is required. This chapter sets out the research design and methodology applied in this thesis. It also describes and justifies the operationalisation of the concepts and the techniques used for data collection and analysis.

3.1 Operationalisation of concepts

Table 4 lists the definitions and conceptualisations of regulation and its modalities used in this thesis.

Table 4 Operationalisation IoToys Regulation

Concept: Regulation (Black, 2002a; 2002b)
Definition: 'the sustained and focused attempt to alter the behaviour of others according to defined standards or purposes with the intention of producing a broadly identified outcome or outcomes, which may involve mechanisms of standard-setting, information-gathering and behaviour-modification' (Black, 2002a, p. 26)

Modality: Law
Definition: Law is a command backed up by the threat of a sanction. Law not only commands certain behaviours but expresses the values of a community; constitutes or regulates structures of government and establishes rights that individuals can invoke against their own government. This particular aspect of law provides a well-defined constraint on individuals within the jurisdiction of the law giver, or sovereign. That constraint, objectively, is the threat of punishment (Lessig, 2006, p. 340)
Data sources: Literature, interviews

Modality: (Social) norms
Definition: '...those normative constraints imposed not through the organised or centralised actions of a state, but through the many slight and sometimes forceful sanctions that members of a community impose on each other... A norm governs socially salient behaviour, deviation from which makes you socially abnormal' (Lessig, 2006, p. 340)
Data sources: Literature, interviews

Modality: Market
Definition: The market constrains through price. A price signals the point at which a resource can be transferred from one person to another (Lessig, 2006, p. 341)
Data sources: Literature, interviews

Modality: Architecture (code in relation to cyberspace)
Definition: The instructions embedded in the software or hardware that make cyberspace what it is. This code is the 'built environment' of social life in cyberspace (Lessig, 2006, p. 121)
Data sources: Literature, interviews


3.2 Research design

This thesis uses a holistic single case study design to analyse the regulation of IoToys in the Netherlands. The research question is explorative, and qualitative data gathering methods are used to describe how IoToys could be regulated in the Netherlands. A holistic single case study allows the relatively new concept of IoToys to be studied in depth (Yin, 2003); IoToys are a recent phenomenon and little has been written about them. The research does not aim for external validity, because it concerns social phenomena shaped by a range of complex, interrelated factors (Yin, 2003). The single case examines how IoToys could be regulated, explained through Lessig's model of modalities. Figure 8 shows regulation as the stimulus (independent variable) that changes the dependent variable, secure IoToys. The case study focuses on one context in which detailed research is conducted. The unit of analysis is the Netherlands; the units of observation are both public and private practitioners and professionals involved in the regulation of IoToys. This is the most appropriate design because multiple sources are consulted and both 'what' and 'how' questions are answered, which leads to valid and balanced results (Yin, 2003).
