The Waving Cat

Categorydigital rights

New report: A Trustmark for IoT

By Peter Bihr
In connected world, digital rights, IoT, Research, work
3 Min read
N

Summary: For Mozilla, we explored the potentials and challenges of a trustmark for the Internet of Things (IoT). That research is now publicly available. You can find more background and all the relevant links at thewavingcat.com/iot-trustmark

If you follow our work both over at ThingsCon and here at The Waving Cat, you know that we see lots of potential for the Internet of Things (IoT) to create value and improve lives, but also some serious challenges. One of the core challenges is that it’s hard for consumers to figure out which IoT products and services are good—which ones are designed responsibly, which ones deserve their trust. After all, too often IoT devices are essentially black boxes that are hard interrogate and that might change with the next over-the-air software update.

So, what to do? One concept I’ve grown increasingly fond of is consumer labeling as we know from food, textiles, and other areas. But for IoT, that’s not simple. The networked, data-driven, and dynamic nature of IoT means that the complexity is high, and even seemingly simple questions can lead to surprisingly complex answers. Still, I think there’s huge potential there to make huge impact.

I was very happy when Mozilla picked up on that idea and commissioned us to explore the potential of consumer labels. Mozilla just made that report publicly available:

Read the report: “A Trustmark for IoT” (PDF, 93 pages)

I’m excited to see where Mozilla might take the IoT trustmark and hope we can continue to explore this topic.

Increasingly, in order to have agency over their lives, users need to be able to make informed decisions about the IoT devices they invite into their lives. A trustmark for IoT can significantly empower users to do just that.

For more background, the executive summary, and all the relevant links, head on over to thewavingcat.com/iot-trustmark.

Also, I’d like to extend a big thank you! to the experts whose insights contributed to this reports through conversations online and offline, public and in private:

Alaisdair Allan (freelance consultant and author), Alexandra Deschamps-Sonsino (Designswarm, IoT London, #iotmark), Ame Elliott (Simply Secure), Boris Adryan (Zu?hlke Engineering), Claire Rowland (UX designer and author), David Ascher, David Li (Shenzhen Open Innovation Lab), Dries de Roeck (Studio Dott), Emma Lilliestam (Security researcher), Geoffrey MacDougall (Consumer Reports), Ge?rald Santucci (European Commission), Holly Robbins (Just Things Foundation), Iskander Smit (info.nl, Just Things Foundation), Jan-Peter Kleinhans (Stiftung Neue Verantwortung), Jason Schultz (NYU), Jeff Katz (Geeny), Jon Rogers (Mozilla Open IoT Studio), Laura James (Doteveryone, Digital Life Collective), Malavika Jayaram (Berkman Klein Center, Digital Asia Hub), Marcel Schouwenaar (Just Things Foundation, The Incredible Machine), Matt Biddulph (Thington), Michelle Thorne (Mozilla Open IoT Studio), Max Kru?ger (ThingsCon), Ronaldo Lemos (ITS Rio), Rosie Burbidge (Fox Williams), Simon Ho?her (ThingsCon), Solana Larsen (Mozilla), Stefan Ferber (Bosch Software Innovation), Thomas Amberg (Yaler), Ugo Vallauri (The Restart Project), Usman Haque (Thingful, #iotmark). Also and especially I’d like to thank the larger ThingsCon and London #iotmark communities for sharing their insights.

Read onRead later

We need to approach Smart Cities as empowerment tech for citizens

By Peter Bihr
In digital rights, Research
2 Min read
W

Doing some research-related reading this morning had me go down a bit of a rabbit hole that led to this Twitter thread. The points hold up, I think, so here it is in easier-to-read-and-reference format:

Smart Cities are often framed as part of industrial #iot. I think we need to frame it as empowerment tech for citizens instead.

This industrial #iot framing is only natural: Most vendors of smart city tech come from that background. But I think it’s not healthy. A technology that impacts, by definition, all citizens needs to be framed, regulated & designed accordingly. Meaning: If there’s not opt-out (and there isn’t, in public space), we need to make sure this works for everyone, can be understood & queried.

We need strong democratic oversight on smart city technologies and the algorithms, processes, vendors powering them. Which is why we need to follow the principles that made the early open web so strong & resilient: decentralization, open source, etc.

Only if we reframe our thinking of smart cities from industrial to citizen centric can these technologies unfold their positive potential.

///

This echoes the position we developed for a report for the German federal government a while ago as part of research into how to best make smart cities work for citizens. The findings of that report are summarized here.

Read onRead later

Netzpolitik13: Das Internet der Dinge: Rechte, Regulierung & Spannungsfelder

By Peter Bihr
In conference, connected world, digital rights, IoT, policy, work
2 Min read
N

My slides from Das ist Netzpolitik (Berlin, 1. September 2017). Title: “Das Internet der Dinge: Rechte, Regulierung & Spannungsfelder“.

Vom Hobby-Basteln bis hin zur Smart City: Das Internet of Things (#IoT) hat zunehmend Berührungspunkte mit allen Bereichen unseres Lebens. Aber wer bestimmt was erlaubt ist, was mit unseren Daten passiert, und ob es OK ist, unter die Haube zu gucken? IoT sitzt an der Schnittstelle vieler Technologie-, Governance- und Regulierungsbereiche—und schafft dadurch gleich eine ganze Reihe von Spannungsfeldern.

Due to technical issues with the video projection, my slides weren’t shown for the first few minutes. Apologies. On the plus side, the organizers had kindly put a waving cat on the podium for me. ?

It’s a rare talk in that I gave it in German, something I’m hardly used to these days.

In it, I argue that IoT poses a number of particular challenges that we need to address (incl. the level of complexity and blurred lines across disciplines and expertise; power dynamics; and transparency). I outline inherent tensions and propose a few approaches on how to tackle them, especially around increasing transparency and legibility of IoT products.

I conclude with a call for Europe to actively take a global leadership role in the area of consumer and data protection, analog to Silicon Valley’s (claimed/perceived) leadership in disruptive innovation as well as funding/scaling of digital products, and to Shenzhen’s hardware manufacturing leadership.

Netzpolitik has an extensive write-up in German.

Read onRead later

Speaking about responsible IoT & user rights

By Peter Bihr
In conference, digital rights
2 Min read
S

Happy to announce that I’ll be speaking at not one, but two excellent conferences this fall about a topic I care deeply about: A responsible IoT and users’ rights. In other words, how we can make sure the Internet of Things works for everyone?

Das ist Netzpolitik!
On 1 September 2017 I’ll be speaking at Netzpolitik‘s annual conference Das ist Netzpolitik! (program), in German, about tensions inherent in the power dynamics of IoT as well as the regulatory environment: Das Internet der Dinge: Rechte, Regulierung und Spannungsfelder.

Underexposed
On 9 November 2017, also in Berlin, I’ll be at SimplySecure‘s conference Underexposed (program). My talk there is called The Internet of Sneaky Things. I’ll be exploring how IoT security, funding and business models, centralization and data mining, and some larger challenges around the language we use to consider the impact of data-driven systems combined all form a substantial challenge for all things related to IoT. But it’s not all bleak. There are measures we can—and through ThingsCon, we do—take.

I’m very much looking forward to both events, and to chatting with the other participants there. These are some great communities. If you’re there, please don’t be shy, so come and say hi!

Read onRead later

Defining an #iotmark for consumers

By Peter Bihr
In digital rights, policy, Research, work
5 Min read
D

A long over-due blog post, I wanted to share some thoughts on the recent #iotmark event that Alexandra Deschamps-Sonsino and Usman Haque convened in London as a follow-up to the 2012 Open IoT Assembly (which produced this Open IoT Definition).

Most importantly (spoiler alert!) the #iotmark is a work in progress. You can follow along and/or contribute here.

///

Consumer trust and the Internet of Things

Why is it important to talk about IoT and a label, certification, or trustmark? Because in IoT, it’s really hard for consumers to make an informed decision on which products and services to trust.

Partially this is because implications of anything are hard to gauge in the context of connected, data-driven systems. Partially it’s because the categories of IoT products aren’t fully matured yet and it’s not always clear what to expect from one thing over the other. But also, there’s a lot more going on under the hood that makes it nearly impossible to tell quality work from crap.

A shiny box could be built with top security processes in place by a trustworthy organization, or it could be slapped together haphazardly by a scammer. How would you know!

As a starting point, inspired by a conversation at the event, I made this 4-quadrant test:


Trust and expectations in IoT by The Waving Cat/Peter Bihr

This group of 40-50 participants went hard at it with lots of intense and super interesting conversations. IoT is a huge space, and the challenges are manifold and real.

The range of challenges (and hence, opportunities to tackle) include digital rights, transparency, data protection & privacy, innovation, security & safety, reparability and maintenance, business models, literacy, policy, and many more.

Different schools of thoughts: Purists versus Pragmatists

An aspect I found particularly interesting was the different schools of thought present—pretty much what Venkatesh Rao refers to as Purists versus Pragmatists.

I’m painting with a very broad brush here, but you could tell two underlying approaches to solving these very real issues:

  • Part of the group aimed for a purist approach: Aim high, and stick with the high goals. In terms of labeling, this would manifest in a desire to see a strongly backed, third party audited, highly trustworthy and credible certification of sorts.
  • The pragmatists on the other hand were guided by not letting the better be the enemy of the good. Their approach tended towards a more bottom-up, decentralized, organic label based on self-declarations that might get more widely adopted because it requires less overhead and hence would have a lower barrier to entry.


When collaboratively editing the first draft of the #iotmark doc, we broke Google Docs.

While I tend to be a little partial here and lean a little more towards the pragmatic side of things, I fully see why both sides have strong points in their favor. In a context like this, where there’s no golden path that’s guaranteed to work, it boils down to a philosophical question.

Will this get traction?

So where will this go? It’s hard to say yet, but we’re motivated to make it happen one way or another. (I’m involved on a voluntary basis by heading the governance working group together with Laura James.)

The interest is certainly there, as is promising precedence as you’ll see below: Stacey Higginbotham just covered the #iotmark on her (excellent!) blog, staceyoniot.com.

And we know that informal, ad-hoc gatherings can have a real impact. Decisions are made by those who show up! Steffen Ferber was a participant in the 2012 Open IoT Assembly, and he shared the story of how he introduced the Open IoT Definition we signed back then at Bosch.

Now, 5 years later, this impacts Bosch’s work in the space. (If the images in the embed below don’t load, just click through to the tweets.)

To me this is a great reminder and gives me a lot of hope: This type of work might not always seem glamorous and sometimes it’s hard to tell if it has an impact. But often that’s just because it unfolds its impact silently, in the background, and only much later the effect becomes visible.

A nice side effect of Bosch using the Open IoT Definition principles we laid out in 2012 is, by the way, that their products are now all pretty much automatically compatible with the GDPR, Europe’s new data protection regulation. Another case that illustrates that good ethics are good business!

I’m looking forward to continuing the very hands-on work on the #iotmark. Hopefully we can move it to a launch-able v1.0 shortly.

In the meantime, I’m also doing more research into the overall landscape and most promising approaches to an IoT trustmark, and how it might be developed and deployed for maximum positive impact.

It’s a good time to put a label on IoT for sure.

Read onRead later

For IoT, we need a holistic understanding of security

By Peter Bihr
In digital rights
1 Min read
F

Like the internet, IoT is a big horizontal layer of technologies and practices. It has touch points across industries (like healthcare, automotive, consumer goods, infrastructure) and regulatory areas. That’s what makes it so hard to discuss, to regulate, and to make secure.

More importantly, security has a pretty clear meaning in IT. But I’d argue that for the Internet of Things we need a more holistic concept of security than for traditional IT—one that includes aspects like data protection, privacy, user rights. A more human rights-style that goes beyond pure security and extends protection into adjacent but equally important areas.

Otherwise even the most technologically secure systems won’t serve the purpose of protecting users from negative consequences.

Read onRead later

Are we the last generation who experienced privacy as a default?

By Peter Bihr
In connected world, digital rights, IoT, policy
6 Min read
A


Attack of the VR headsets! Admittedly, this photo has little to do with the topic of this blog post. But I liked it, so there you go.

The internet, it seems, has turned against us. Once a utopian vision of free and plentiful information and knowledge for all to read. Of human connection. Instead, it has turned into a beast that reads us. Instead of human connection, all too often we are force-connected to things.

This began in the purely digital realm. It’s long since started to expand into the physical world, through all types of connected products and services who track us—notionally—for our own good. Our convenience. Our personalized service. On a bad day I’m tempted to say we’ve all allowed to be turned into things as part of the the internet of things.

///

I was born in 1980. Just on the line that marks the outer limit of millenial. Am I part of that demographic? I can’t tell. It doesn’t matter. What matters is this:

Those of us born around that time might be the last generation that grew up who experienced privacy as a default.

///

When I grew up there was no reason to expect surveillance. Instead there was plenty of personal space: Near-total privacy, except for neighbors looking out of their windows. Also, the other side of that coin, near total boredom—certainly disconnection.

(Edit: This reflects growing up in the West, specifically in Germany, in the early 1980s—it’s not a shared universal experience, as Peter Rukavina rightfully points out in the comments. Thanks Peter!)

All of this within reason: It was a small town, the time was pre-internet, or at least pre-internet access for us. Nothing momentous had happened in that small town in decades if not centuries. There it was possible to have a reasonably good childhood: Healthy and reasonably wealthy, certainly by global standards. What in hindsight feels like endless summers. Nostalgia past, of course. It could be quite boring. Most of my friends lived a few towns away. The local library was tiny. The movie theater was a general-purpose event location that showed two movies per week, on Monday evenings. First one for children, than one for teenagers and adults. The old man who ticketed us also made popcorn, sometimes. I’m sure he also ran the projector.

Access to new information was slow, dripping. A magazine here and there. A copied VHS or audio tape. A CD purchased during next week’s trip to the city, if there was time to browse the shelves. The internet was becoming a thing, I kept reading about it. But until 1997, access was impossible for me. Somehow we didn’t get the dialup to work just right.

What worked was dialing into two local BBS systems. You could chat with one other person on one, with three in the other. FIDO net made it possible to have some discussions online, albeit ever so slowly.

///

When I grew up there was no expectation of surveillance. Ads weren’t targeted. They weren’t even online, but on TV and newspapers. They were there for you to read, every so often. Both were boring. But neither TVs nor newspapers tried to read you back.

///

A few years ago I visited Milford Sound. It’s a fjord on the southern end of New Zealand. It’s spectacular. It’s gorgeous. It rains almost year round.

If I remember a little info display at Milford Sound correctly, the man who first started settling there was a true loner. He didn’t mind living there by himself for decades. Nor, it seems, when the woman who was to become his wife joined. It’s not entirely clear how he liked that visitors started showing up.

Today it’s a grade A tourist destination, if not exactly for mass tourism. It looks and feels like the end of the world. In some ways, it is.

As we sought shelter from the pouring rain in the boat terminal’s cafeteria, our phones had no signal. Even there, though, you could connect to the internet.


Connectivity in Milford Sound comes at a steep price

Internet access in Milford Sound is expensive enough that it might just suffice to stay offline for a bit. It worked for us. But even there, though they might be disconnected, the temps who work there during tourist season probably don’t get real privacy. On a work & travel visa, you’re likely to live in a dorm situation.

///

The internet has started to track every move we make online. I’m not even talking about governance or criminal surveillance. Called ad tech, online advertisements that track your every move notice more about you than you about them. These are commercial trackers. On speed. They aren’t restricted to one website, either. If you’ve ever searched for a product online you’ll have noticed that it keeps following you around. Even the best ad blockers don’t guarantee protection.

Some companies have been called out because they use cookies that track your behavior that can’t be deleted. That’s right, they track you even if you explicitly try to delete them. Have you given your consent? Legally, probably—it’s certainly hidden somewhere in your mobile ISP’s terms of service. But really, of course you haven’t agreed. Nobody in their right mind would.

///

Today we’re on the brink of taking this to the the next level with connected devices. It started with smartphones. Depending on your mobile ISP, your phone might report back your location and they might sell your movement data to paying clients right now. Anonymized? Probably, a little. But these protections never really work.

Let’s not but let’s be very deliberate about our next steps. The internet has brought tremendous good first, and then opened the door to tracking and surveillance abuse. IoT might go straight for the jugular without the benefits – if we make it so. If we allow to let that happen.

///

The internet, it seems, has turned against us. But maybe it’s not too late just yet. Maybe we can turn the internet around, especially the internet of things. And make it work for all of us again. The key is to reign in tracking and surveillance. Let’s start with ad tech.

Read onRead later
The Waving Cat