Wednesday, 2 March 2016

How risky is your IoT

Copy of an article first appearing on the IoTUK blog.


In a previous blog, we kicked off a discussion about the categorisation of IoT applications and systems; and their technical complexity.
Today we will analyse risk as a further dimension in helping us differentiate various IoT applications. Our mission in all of this categorisation is to start an in-depth discussion about the subsets of IoT applications and their common problems and solutions; otherwise we are in an endless apples and oranges discussion.
Our risk dimension includes privacy, safety and resilience; in fact anything that in project management terms should be included on a (sensibly used!) project risk register. We are interested in what could go wrong, how to decrease the likelihood of such events and how to mitigate the effects; because rest assured things will go wrong.

The inevitability of failure

It is the nature of all computers and communications systems to do unexpected things; even if we could dream of removing all software bugs, the very physics of the systems lead to an underlying failure rate (see metastability). Many of these IoT systems will involve interactions with fallible human beings. Things fail and IoT designers need to deal with it.
We have included privacy here, as one aspect of the impending EU General Data Protection Regulation move, welcomed by many, to a risk based assessment of the requirements for handling personal data.
Such risk assessments are subtle and not solely related to the type of the data, but the context in which it is being used – it might be an annoyance to have your credit card details stolen, but if it is published they were stolen from Ashley Madison’s website that tells a different story.

Privacy risks

Privacy risks are present everywhere where we have sensing technologies in IoT. It will often be possible to correlate the sensing with an individual’s activities.
You can expect to see this data used in unexpected ways – the court case involving FitBit data is a sign of a trend where IoT data can be used as evidence of a person’s innocence or guilt. Mitigations could include strong encryption, ephemeral data or only maintaining statistical and aggregated data in the longer term.
Many IoT devices also have the ability to actuate and affect the physical world – so what could possibly go wrong? Human safety checks are absent when moving to automation in IoT. We will need to design with safety in mind as everyday domestic objects become known killers – whether automatic door openers or even something as mundane as a venetian blind.
Picking up the theme of care for the elderly in their homes, again from a previous blog, we also start to see the need for resilience in our IoT designs. A particularly dangerous episode for many elderly people is a power outage – from the heating stopping, to lack of lighting, leading to increased risk of falls or other accidents.

Resilient IoT design

A resilient IoT design would include several hours of protected power supply for the sensors and router; backup communications using 3G as the ADSL or cable modem may not be available to access the internet (fixed line telecoms operators are required to have the phone service available during a power outage, not the broadband); and the ability to act independently of internet servers to raise alarms, so that operations are maintained when there are network and server failures or DDOS attacks on the infrastructure.
To build an IoT we trust we must first learn to handle the risks. Importantly, while showing damages in privacy cases has proven hard, the rise in citizens injured by devices will rapidly lead to product liability cases.

Friday, 8 January 2016

IoT: Finding the true value

https://iotuk.wpengine.com/wp-content/uploads/2015/08/iotlogo1.pngCopy of an article first appearing on the IoTUK blog.

Engineering and Physical Sciences Research Council (ESPRC) recently hosted a day of presentations at the British Library discussing both their previous work, as well as their future plans for the Digital Economy and ICT research programmes within the UK.

Professor of Software Systems Engineering, Anthony Finkelstein, of University College London, took the opportunity to highlight the importance of understanding how technology is embedding itself within society, as well as the social and economic drivers underpinning its adoption. He also reflected on what the role of technology means for the trajectory of future research.

The current narrative around IoT is primarily focused around the technology’s great promise, but first we need to better understand how these technologies need to be shaped so they can be successfully embedded into everyday life.

The issue with casually referring to all emerging solutions simply as the ‘Internet of Things’ is the term is too generic; the emerging solutions need to be much more clearly contextualised in order to understand their opportunities and challenges.

graphThe emergence of the term IoT reflects the growing realisation that with the continued reduction in the cost of processing, storage and communications, we can add an ‘online’ existence to an ever increasing range of everyday objects, where it was previously the preserve of more specialised niches.

As with many technologies as costs decrease, we begin to see a migration from military and scientific uses to more commercial and increasingly consumer applications.

So, to be clear we’ve been putting “things” online for years:
  •  Researchers demonstrating how crazy the internet could be in the early 1990s placed coke machines, coffee pots and toasters on the Internet. Amusement value aside, these provocations lead to more serious research on what happens when things are connected. This research started in the mid-90s when the US government funded a massive programme of wireless sensor networks with applications as far afield as fire suppression systems on battleships to ecological monitoring.
  • The invention of the humble RFID tag dates back to the earliest “identity friend or foe” systems for World War Two aircrafts, which would respond to a radio frequency ping with an identifier. This led to one of the first low cost means to track objects and was widely adopted in manufacturing across supply chain management and in protecting high value products from theft.
  • The definition of the Universal Product Code (UPC) allowed the addition of tracking to objects at near zero marginal cost through printed barcodes, it enabled shops to track inventory, deploy laser scanners for faster checkouts and most recently enable self checkout by mapping the UPC to the products weight to ensure only “expected items in the bagging area”.
  • Indoor locative technology was originally developed at the Olivetti Research Laboratory, which caused controversy in some quarters by tracking people. This technology is now the basis of many successful deployments of technology from Ubisense (founded 2002), which has been adopted by over 50 companies including high tech manufacturing businesses such as BMW and Airbus.
The value in each of these examples is clear but so too are the challenges. Rather than making a sweeping statement about how “IoT has privacy challenges” we can get down to the detail and determine the risks and mitigations associated with how this technology is used.

For example in the early 2000s RFID uses became controversial (e.g. RFID in Razors packs) leading to the RFID Privacy Impact Assessment Framework ratified in 2011 as a model for co-regulation by government and industry.

Just because a product falls under the term ‘The Internet of Things’ does not mean it will automatically transform our lives. Let’s take the ‘smart fridge’[1]. While there has been talk about how it is going to change our domestic food inventory and offer us new dining experiences, we should first question and understand its true consumer value, work through the security and privacy issues and determine whether there is a market for this, or if it is merely a technical flight of fancy, another smart gadget for the home.

[1] Addendum: apparently it's not a 'smart fridge' it's "a sophisticated multi-tasker that reconnects families, organizes groceries and home tasks, and provides entertainment".