Effects of the GDPR in Southeast Asia vs. Europe - A Large-Scale Analysis of IoT Devices

Ever more IoT devices and services find their way into private homes and industry, coming along with a plethora of risks to users' privacy. The General Data Protection Regulation (GDPR) became effective in 2018 and protects rights of IoT (and other) users in the European Union (EU). Manufacturers can address these rights, for example, with firmware updates. In this paper, we conduct a large-scale analysis that identifies changes in the age of the installed firmware and general device age after the GDPR went into effect. We utilize a set of 400 terabytes of real-world IoT data from Censys.io dating from 2015 until the end of 2021. Based on grouped mean age values, we conduct difference-in-differences analyses for devices deployed in the EU, compared to Malaysia (MY), Indonesia (ID), Singapore (SG) and USA. The results show unexpected insights. For a majority of EU member states, the GDPR leads to an increase of the devices' mean age by 101 days compared to the other countries in our data set. Compared to ID it increases by 201 days, SG by 11 days, MY+ID+SG by 89 days and USA by 194 days. Results for MY are not significant, however. This work offers first insights into effects of the GDPR in the IoT ecosystem and highlights the need for more research for sense-making.