Originally written in 2016, now republished on Substack with 2026 editorial notes, because apparently the future did not arrive suddenly. It sent plenty of meeting invites and most people ignored them because the subject line looked too technical.
Seven articles. One connected world.
Security, privacy, infrastructure, business models, culture, small operating systems, cryptography, and the charming industry habit of calling everything “smart” before asking whether it is secure, governed, patched, or even remotely sensible.
Reading them today is not nostalgia.
It is a useful reminder that many things change enormously, while the important questions remain patiently seated in the corner, sipping tea and judging our dashboards.
Read it. Share it. Send it to someone who still says: “It is only a sensor.”
Especially them.

The IoT files
Antonio Ieranò
Cybersecurity Strategist | CSO | Security, Data Protection & Privacy Evangelist | Author & Occasional Philosopher | Sarcasm enabled 🧠 | Views stubbornly my own.
May 13, 2026
The IoT Files are back, because apparently the future has a terrible habit of arriving late, badly documented, and with a subscription plan.
In 2016, I wrote a short series of articles on the Internet of Things. They were originally written for a technical forum that no longer exists, which is rather poetic in a digital-graveyard sort of way. From there, they moved to The Puchi Herald and LinkedIn. Now I am republishing them on Substack, cleaned up, corrected, and annotated with 2026 editorial notes.
The title was, and still is, The IoT Files.

At the time, IoT was the new technological holy grail. Everything was becoming smart. Smart homes. Smart cities. Smart cars. Smart meters. Smart fridges. Smart roads. Smart watches. Smart everything.
The only things that did not always become smart were procurement, governance, security design, privacy awareness, update policies, infrastructure planning, business models, education, interoperability, cryptographic lifecycle management, and occasionally the person saying “it is only a sensor”.
A charming omission, really. Very industry.
Why republish these articles now?
Not because nostalgia is good for the knees.
Not because 2016 was a golden age of wisdom, although at least the smart fridge had not yet fully developed the confidence of a junior consultant.
And certainly not because I enjoy telling the internet, “I told you so”, which would be vulgar, unseemly, and therefore only mildly tempting.
The reason is more interesting.
Re-reading old technical reflections with current editorial notes is a useful exercise because it shows how much changes without changing very much.
- The products change.
- The acronyms change.
- The regulations change.
- The dashboards become shinier.
- The cloud becomes more cloudy (and foggy).
The sales deck acquires a new gradient and someone adds “AI-powered” in the corner, like parsley on a plate of organisational confusion.
But many of the underlying issues remain astonishingly familiar.
- Security is still not a product sticker.
- Privacy is still not a checkbox.
- Infrastructure is still not magic.
- Business models still hide costs under the carpet until the carpet applies for funding.
- Culture still decides whether technology is understood or merely endured.
- Small systems are still not automatically safe.
- Cryptography is still both indispensable and politically inconvenient.
And, in the IoT world, “connected” still does not necessarily mean “controlled”, “secure”, “governed”, “resilient”, or “sensible”.
That is why I added 2026 notes.
The original articles remain historical documents. The notes are there to read them with today’s eyes, but more importantly with tomorrow’s perspective.
Because the right perspective is not simply “what did we think yesterday?”
The real question is: “What were we already seeing, and how did those signals evolve into the problems, regulations, markets, and risks we face now?”
This Substack recovery project is making me realise something rather amusing, in the tragicomic way only technology can manage: many things evolve enormously, but the structural questions remain sitting there, sipping tea, waiting for us to stop being impressed by the packaging.
So here is the series, with my completely unofficial, scandalously subjective, and academically inadmissible “modern relevance rating”.
Rating scale:
- 1 means “not really valid today, please place gently in the museum”.
- 10 means “valid today”.
- 12 means “valid tomorrow as well”, which is obviously outside the scale, but so is much of IoT, so let us not be petty.
The IoT Files, Part I – Intro and Security
Modern relevance rating: 11/10
This was the opening piece. It framed IoT as more than devices: a connected environment made of sensors, data, services, users, infrastructure, and risk.
The article argued that IoT security could not be treated as a decorative add-on, because connected devices would increasingly affect physical life, not merely digital inconvenience.
In 2016, this still sounded somewhat futuristic. Today it sounds like Tuesday.
Medical devices, connected cars, smart homes, smart cities, industrial sensors, smart meters, wearables, and cloud-dependent consumer products have made the security question painfully real.
Why read it today?
Because the basic argument still stands: when everything becomes connected, everything becomes part of the attack surface. And calling it “smart” does not count as a compensating control.
The IoT Files, Part II – Privacy
Modern relevance rating: 12/10
This article focused on what IoT means for privacy. Not just personal data in the old-fashioned sense, but inferred data, behavioural data, location data, health data, household data, sensor data, and contextual data.
In other words, the sort of data that does not merely say who you are, but starts sketching your life with uncomfortable enthusiasm.
The 2026 notes bring in GDPR, the EU Data Act, the death of Safe Harbor, the death of Privacy Shield, and the rise of the EU-U.S. Data Privacy Framework. The legal scenery changed dramatically, but the central problem remains: connected devices create a privacy environment, not just a privacy notice.
Why read it today?
Because IoT privacy is not about hiding something. It is about not being involuntarily translated into a permanent behavioural spreadsheet by your watch, car, meter, speaker, camera, thermostat, fridge, and every other cheerful little object reporting back to base camp.
The IoT Files, Part III – Infrastructure
Modern relevance rating: 10/10
This article dealt with connectivity, wireless coverage, bandwidth, digital divide, 5G, DNS, IPv6, public services, and the expensive reality hiding under the glossy IoT promise.
The funny thing about infrastructure is that everybody loves the future until someone asks who will pay for the cables, towers, routers, spectrum, platforms, monitoring, security, maintenance, redundancy, and people who actually know what they are doing.
The 2026 notes update the discussion around 5G, IPv6, DNSSEC, digital divide, and the continuing coexistence of old and new network realities.
Why read it today?
Because IoT is not made of devices. It is made of dependencies. And dependencies need money, governance, standards, resilience, maintenance, boring operational discipline, and at least one engineer who has not yet lost the will to explain DNS to management.
The IoT Files, Part IV – Business Models
Modern relevance rating: 11/10
This article asked whether IoT could work inside traditional business models.
The short answer was: probably not.
The longer answer was: not unless we understand that the device is only the visible part of a much larger system of services, connectivity, data, subscriptions, platforms, support, cloud costs, security obligations, and lifecycle responsibilities.
The 2026 notes make the point even clearer. Today, especially in Italy, we see telecom operators selling energy, energy providers selling connectivity, connectivity providers selling insurance, utilities becoming service platforms, and everyone trying to become the interface through which the customer experiences the connected home, the connected life, and eventually the connected invoice.
Why read it today?
Because IoT business models are no longer simply B2B or B2C. They are bundles, ecosystems, dependencies, data flows, recurring revenue models, and contractual spaghetti wearing a customer-experience hat.
The IoT Files, Part V – Culture
Modern relevance rating: 12/10
This may be the most important article in the series.
Security can be engineered, at least in theory.
Privacy can be regulated, at least on paper.
Infrastructure can be deployed, assuming someone pays and nobody confuses a portal with transformation.
Business models can evolve, especially if finance eventually finds the coffee machine.
But culture decides whether any of this is understood.
The article argued that IoT would reshape language, education, awareness, digital divide, privacy perception, censorship, communication, public services, corporate behaviour, and citizenship.
The 2026 notes connect this to digital skills, digital education, AI, connected environments, and the still-dangerous assumption that using a device means understanding it.
Why read it today?
Because the real divide is no longer only between those who are connected and those who are not. It is between those who understand the connected environment and those who merely live inside it as passive endpoints in someone else’s architecture.
The IoT Files, Part VI – Is a Small OS Good for Security?
Modern relevance rating: 12/10
This article came from a debate in the original technical forum.
Some people argued that a small IoT operating system would be intrinsically more secure than a large one.
My objection was simple: taken in isolation, a smaller OS may reduce some attack surface. But IoT devices do not live in isolation. They live in the wild, inside a heterogeneous zoo of devices, sensors, protocols, gateways, clouds, mobile apps, update systems, vendors, users, business models, and forgotten configuration panels.
In that zoo, the real question is not “how small is the OS?”
The real question is: what does the device sense, control, store, transmit, receive, authenticate, authorise, update, expose, and depend on?
The 2026 notes bring in secure updates, firmware security, software supply chains, ETSI EN 303 645, NISTIR 8259A, the Cyber Resilience Act, and a conference example I used years ago: a sensor controlling the water level of a dam.
If that sensor is tampered with or made to report false values, the problem is no longer “someone hacked a small device”.
The problem becomes physical harm.
Why read it today?
Because smallness is not a control. Minimalism is not a threat model. Embedded does not mean harmless. And “it is only a sensor” may be the most expensive sentence in the room.
The IoT Files, Part VII – The Need for Cryptography
Modern relevance rating: 12/10
The final article deals with cryptography, encryption, key management, data transmission, data storage, lawful access debates, export controls, and the fact that cryptography is both mathematically beautiful and politically inconvenient.
The 2026 version expands the discussion to modern cryptographic governance, secure firmware, PKI, key lifecycle, the EU Data Act, the Cyber Resilience Act, and post-quantum cryptography.
This is where the IoT zoo becomes even more entertaining, by which I mean operationally alarming.
- Some devices will be adaptable.
- Some will not.
- Some will rely on gateways.
- Some will rely on cloud services.
- Some will have hardcoded algorithms.
- Some will have hardcoded keys.
- Some will be abandoned.
Some will remain deployed long after their cryptographic assumptions have expired like yoghurt in a forgotten office fridge.
Why read it today?
Because IoT without cryptography is not IoT security. It is connected optimism with a network stack. But cryptography is not magic. It must be implemented, governed, updated, audited, rotated, revoked, and eventually migrated.
Especially when tomorrow arrives with quantum-shaped cutlery.
So, why should you read The IoT Files today?
Because they are not only old articles about old predictions.
They are a map of persistent problems.
They show that many of the issues we now frame through GDPR, NIS2, the Cyber Resilience Act, the Data Act, AI regulation, smart-city governance, connected-product lifecycle, software supply-chain security, and post-quantum migration were already visible in the technical discussion ten years ago.
- The vocabulary changed.
- The stakes increased.
- The regulation arrived.
- The market mutated.
- The devices multiplied.
- The zoo expanded.
But the fundamental questions remained.
- Who controls the device?
- Who controls the data?
- Who controls the key?
- Who pays for the infrastructure?
- Who maintains the service?
- Who updates the firmware?
- Who protects the user?
- Who understands the risk?
- Who is liable when the connected object stops being amusing and starts being evidence?
The Substack republication is therefore not a museum tour.
It is a field exercise in perspective.
Because looking back is useful only if it helps us look forward better.
Otherwise it is just nostalgia wearing reading glasses.
The IoT Files are being republished on Substack with 2026 editorial notes.
Start here:

Read them.
Share them.
Disagree with them.
Send them to someone who still believes that smart devices are harmless because they are small, cheap, cute, or sold with rounded corners.
Especially to them.
The future did not arrive suddenly.
It sent plenty of meeting invites.
Most people ignored them because the subject line was too technical.
