Historically the functions that are now migrating to the Internet of Things (thermostats, ovens, lighting systems, etc.) were standalone devices that were not accessible over the internet.  To operate them required physical presence.  And the ability to access them was mediated by physical access to the devices.  As device access migrates to the internet, device "owners" gain the ability to control devices from afar.  Physical presence is no longer necessary and ceases to be the determinant of device access and control.  This is a boon for the device owner.  But the new capability of remote access also exposes the device to control by third parties whose motives may not align with the owner.  It is beneficial to be able to remotely tell your thermostat to raise the temperature in your home because you are returning from a trip a day ahead of schedule.  But it could be problematic to have some devious person remotely turn your thermostat off in the dead of winter.  

Because of this new vulnerability, it becomes important to build into new "internet-enabled" devices some form of identity and access management to allow the device "owner" to manage who can and can't access the device and what privileges each might have upon accessing it.

Ownership of a device on the Internet of Things is not always clear cut.  If John purchases a new car, the ownership of the cart seems clear.  But if the car includes a device that transmits data on the performance of the engine that is transmitted back to the manufacturer to help the manufacturer improve its products,the who owns the sensor and the ability to control where the data are sent becomes less clear. If the contract John signs when he purchased the car gives the manufacturer (or dealer) control of the sensor and the data it transmits, does this change if the sensor also records John's location, driving speed, and other factors that measure his "performance"?   If the manufacturer has the right to these data, do they have a liability if John's enemy hacks into the database to discover John's location and then shoots him?  If the contract also stipulates that if John wants to see the data, he must pay a subscription fee, is this reasonable?  If John retains any ownership of the data, does this change if he resells the car to someone else? What if his driving record is still retained in the device in the car?   If the manufacturer retains control of the data, does this require John to specify this fact when he goes to resell the car?

If a weather sensor purchased with taxpayer dollars is installed by a government entity, do you have the right to access its data?  What if you live outside the jurisdiction of the government entity?  Should you be allowed to be a "free rider" and use the data for your own gain?