Friday, 8 January 2016

IoT: Finding the true value of an article first appearing on the IoTUK blog.

Engineering and Physical Sciences Research Council (ESPRC) recently hosted a day of presentations at the British Library discussing both their previous work, as well as their future plans for the Digital Economy and ICT research programmes within the UK.

Professor of Software Systems Engineering, Anthony Finkelstein, of University College London, took the opportunity to highlight the importance of understanding how technology is embedding itself within society, as well as the social and economic drivers underpinning its adoption. He also reflected on what the role of technology means for the trajectory of future research.

The current narrative around IoT is primarily focused around the technology’s great promise, but first we need to better understand how these technologies need to be shaped so they can be successfully embedded into everyday life.

The issue with casually referring to all emerging solutions simply as the ‘Internet of Things’ is the term is too generic; the emerging solutions need to be much more clearly contextualised in order to understand their opportunities and challenges.

graphThe emergence of the term IoT reflects the growing realisation that with the continued reduction in the cost of processing, storage and communications, we can add an ‘online’ existence to an ever increasing range of everyday objects, where it was previously the preserve of more specialised niches.

As with many technologies as costs decrease, we begin to see a migration from military and scientific uses to more commercial and increasingly consumer applications.

So, to be clear we’ve been putting “things” online for years:
  •  Researchers demonstrating how crazy the internet could be in the early 1990s placed coke machines, coffee pots and toasters on the Internet. Amusement value aside, these provocations lead to more serious research on what happens when things are connected. This research started in the mid-90s when the US government funded a massive programme of wireless sensor networks with applications as far afield as fire suppression systems on battleships to ecological monitoring.
  • The invention of the humble RFID tag dates back to the earliest “identity friend or foe” systems for World War Two aircrafts, which would respond to a radio frequency ping with an identifier. This led to one of the first low cost means to track objects and was widely adopted in manufacturing across supply chain management and in protecting high value products from theft.
  • The definition of the Universal Product Code (UPC) allowed the addition of tracking to objects at near zero marginal cost through printed barcodes, it enabled shops to track inventory, deploy laser scanners for faster checkouts and most recently enable self checkout by mapping the UPC to the products weight to ensure only “expected items in the bagging area”.
  • Indoor locative technology was originally developed at the Olivetti Research Laboratory, which caused controversy in some quarters by tracking people. This technology is now the basis of many successful deployments of technology from Ubisense (founded 2002), which has been adopted by over 50 companies including high tech manufacturing businesses such as BMW and Airbus.
The value in each of these examples is clear but so too are the challenges. Rather than making a sweeping statement about how “IoT has privacy challenges” we can get down to the detail and determine the risks and mitigations associated with how this technology is used.

For example in the early 2000s RFID uses became controversial (e.g. RFID in Razors packs) leading to the RFID Privacy Impact Assessment Framework ratified in 2011 as a model for co-regulation by government and industry.

Just because a product falls under the term ‘The Internet of Things’ does not mean it will automatically transform our lives. Let’s take the ‘smart fridge’[1]. While there has been talk about how it is going to change our domestic food inventory and offer us new dining experiences, we should first question and understand its true consumer value, work through the security and privacy issues and determine whether there is a market for this, or if it is merely a technical flight of fancy, another smart gadget for the home.

[1] Addendum: apparently it's not a 'smart fridge' it's "a sophisticated multi-tasker that reconnects families, organizes groceries and home tasks, and provides entertainment".

Thursday, 8 October 2015

Privacy sometimes means secrets

IPSWITCH survey results infographic
A recent survey (Sep 2015) for IPSWITCH was broadly picked up by the tech press and highlighted the concerns of IT professionals with the looming EU General Data Protection Regulation (GDPR);  69% say their business will need to invest in new technologies or services to help prepare the business for the impact of GDPR including:

  • 62%: encryption
  • 61%: analytic and reporting
  • 53%: perimeter security
  • 42%: file sharing
This was shortly followed by the European Court of Justice ruling on the Schrems case concerning the Safe Harbour arrangements (Oct 2015).This has variously provoked doom laden stories and more measured pieces pointing out that many large companies have seen it coming and taken steps to put in place other legal means to ensure continued operations.

That said these two stories relate to only two of the eight principles (also see below) of the Data Protection Act in the UK, the remaining six presenting us with a whole series of further challenges to compliance. And that's the 1998 act, not even the pending GDPR.

Perhaps the increasing costs and complications of processing Personal Data might lead us to ask some questions about how we design at least some of our future IT systems to avoid the issue in the first place. In particular within the domain of the Internet of Things, there is a widespread presumption that the value in the data that the things communicate is only realised when simultaneously the data is shared (with a 2nd, possibly 3rd party) and the person identified.  We need to challenge this assumption from the perspectives of both the technology and the business model.

Projects such as the hoax drug testing toilet and the IoT toilet roll holder raise plenty of questions around sharing data that we would do well to keep in mind before building technology that at its heart presumes sharing is a good idea (*).

So IoT developing folks ask yourselves some questions:
  • Does this heating control accessible from a roaming mobile phone need to pass unencrypted data through a middle man, or should we take a leaf out of iMessage's book and just encrypt it end-to-end?
  • Ditto baby monitors.
  • Does this thermostat really need to know who I am, with name, address, etc or could it simply operate anonymously?
  • Smart washing machine doing condition monitoring - yes supply anonymous statistics of operation to the manufacturer, but maybe a monthly digest rather than a second by second stream of washing machine consciousness... in fact why not use email to send it and bcc me?
  • What value do you derive from data fusion across users - or is it simply that you wanted to obtain an even more detailed profile of me to sell to marketeers?
Fundamentally, is the majority of the value in IoT really in sharing data or in providing an enhanced product and value add to customers? And like the scorpion in the fable, is your desire to slurp data simply "In your nature...", but ultimately a bad choice for many IoT products.

(*) If you need a daily reminder of some of the lunacy out there, follow @internetofshit (too much toilet humour. ed.).

From the ICO website...

Schedule 1 to the Data Protection Act lists the data protection principles in the following terms:
  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:(a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.