Categorydigital rights

Interview with Netzpolitik.org: Regulierung und Datenschutz im Internet der Dinge

I

In September I spoke at Netzpolitik’s annual conference, Das ist Netzpolitik. While I was there, Netzpolitik.org also recorded an interview with me: “Regulierung und Datenschutz im Internet der Dinge“.

A big thank you to Netzpolitik and Stefanie Talaska for the conversation!

New report: A Trustmark for IoT

N

Summary: For Mozilla, we explored the potentials and challenges of a trustmark for the Internet of Things (IoT). That research is now publicly available. You can find more background and all the relevant links at thewavingcat.com/iot-trustmark

If you follow our work both over at ThingsCon and here at The Waving Cat, you know that we see lots of potential for the Internet of Things (IoT) to create value and improve lives, but also some serious challenges. One of the core challenges is that it’s hard for consumers to figure out which IoT products and services are good—which ones are designed responsibly, which ones deserve their trust. After all, too often IoT devices are essentially black boxes that are hard interrogate and that might change with the next over-the-air software update.

So, what to do? One concept I’ve grown increasingly fond of is consumer labeling as we know from food, textiles, and other areas. But for IoT, that’s not simple. The networked, data-driven, and dynamic nature of IoT means that the complexity is high, and even seemingly simple questions can lead to surprisingly complex answers. Still, I think there’s huge potential there to make huge impact.

I was very happy when Mozilla picked up on that idea and commissioned us to explore the potential of consumer labels. Mozilla just made that report publicly available:

Read the report: “A Trustmark for IoT” (PDF, 93 pages)

I’m excited to see where Mozilla might take the IoT trustmark and hope we can continue to explore this topic.

Increasingly, in order to have agency over their lives, users need to be able to make informed decisions about the IoT devices they invite into their lives. A trustmark for IoT can significantly empower users to do just that.

For more background, the executive summary, and all the relevant links, head on over to thewavingcat.com/iot-trustmark.

Also, I’d like to extend a big thank you! to the experts whose insights contributed to this reports through conversations online and offline, public and in private:

Alaisdair Allan (freelance consultant and author), Alexandra Deschamps-Sonsino (Designswarm, IoT London, #iotmark), Ame Elliott (Simply Secure), Boris Adryan (Zu?hlke Engineering), Claire Rowland (UX designer and author), David Ascher, David Li (Shenzhen Open Innovation Lab), Dries de Roeck (Studio Dott), Emma Lilliestam (Security researcher), Geoffrey MacDougall (Consumer Reports), Ge?rald Santucci (European Commission), Holly Robbins (Just Things Foundation), Iskander Smit (info.nl, Just Things Foundation), Jan-Peter Kleinhans (Stiftung Neue Verantwortung), Jason Schultz (NYU), Jeff Katz (Geeny), Jon Rogers (Mozilla Open IoT Studio), Laura James (Doteveryone, Digital Life Collective), Malavika Jayaram (Berkman Klein Center, Digital Asia Hub), Marcel Schouwenaar (Just Things Foundation, The Incredible Machine), Matt Biddulph (Thington), Michelle Thorne (Mozilla Open IoT Studio), Max Kru?ger (ThingsCon), Ronaldo Lemos (ITS Rio), Rosie Burbidge (Fox Williams), Simon Ho?her (ThingsCon), Solana Larsen (Mozilla), Stefan Ferber (Bosch Software Innovation), Thomas Amberg (Yaler), Ugo Vallauri (The Restart Project), Usman Haque (Thingful, #iotmark). Also and especially I’d like to thank the larger ThingsCon and London #iotmark communities for sharing their insights.

We need to approach Smart Cities as empowerment tech for citizens

W

Doing some research-related reading this morning had me go down a bit of a rabbit hole that led to this Twitter thread. The points hold up, I think, so here it is in easier-to-read-and-reference format:

Smart Cities are often framed as part of industrial #iot. I think we need to frame it as empowerment tech for citizens instead.

This industrial #iot framing is only natural: Most vendors of smart city tech come from that background. But I think it’s not healthy. A technology that impacts, by definition, all citizens needs to be framed, regulated & designed accordingly. Meaning: If there’s not opt-out (and there isn’t, in public space), we need to make sure this works for everyone, can be understood & queried.

We need strong democratic oversight on smart city technologies and the algorithms, processes, vendors powering them. Which is why we need to follow the principles that made the early open web so strong & resilient: decentralization, open source, etc.

Only if we reframe our thinking of smart cities from industrial to citizen centric can these technologies unfold their positive potential.

///

This echoes the position we developed for a report for the German federal government a while ago as part of research into how to best make smart cities work for citizens. The findings of that report are summarized here.

Netzpolitik13: Das Internet der Dinge: Rechte, Regulierung & Spannungsfelder

N

My slides from Das ist Netzpolitik (Berlin, 1. September 2017). Title: “Das Internet der Dinge: Rechte, Regulierung & Spannungsfelder“.

Vom Hobby-Basteln bis hin zur Smart City: Das Internet of Things (#IoT) hat zunehmend Berührungspunkte mit allen Bereichen unseres Lebens. Aber wer bestimmt was erlaubt ist, was mit unseren Daten passiert, und ob es OK ist, unter die Haube zu gucken? IoT sitzt an der Schnittstelle vieler Technologie-, Governance- und Regulierungsbereiche—und schafft dadurch gleich eine ganze Reihe von Spannungsfeldern.

Due to technical issues with the video projection, my slides weren’t shown for the first few minutes. Apologies. On the plus side, the organizers had kindly put a waving cat on the podium for me. ?

It’s a rare talk in that I gave it in German, something I’m hardly used to these days.

In it, I argue that IoT poses a number of particular challenges that we need to address (incl. the level of complexity and blurred lines across disciplines and expertise; power dynamics; and transparency). I outline inherent tensions and propose a few approaches on how to tackle them, especially around increasing transparency and legibility of IoT products.

I conclude with a call for Europe to actively take a global leadership role in the area of consumer and data protection, analog to Silicon Valley’s (claimed/perceived) leadership in disruptive innovation as well as funding/scaling of digital products, and to Shenzhen’s hardware manufacturing leadership.

Netzpolitik has an extensive write-up in German.

Update: Netzpolitik also recorded an interview with me: Regulierung und Datenschutz im Internet der Dinge.

Speaking about responsible IoT & user rights

S

Happy to announce that I’ll be speaking at not one, but two excellent conferences this fall about a topic I care deeply about: A responsible IoT and users’ rights. In other words, how we can make sure the Internet of Things works for everyone?

Das ist Netzpolitik!
On 1 September 2017 I’ll be speaking at Netzpolitik‘s annual conference Das ist Netzpolitik! (program), in German, about tensions inherent in the power dynamics of IoT as well as the regulatory environment: Das Internet der Dinge: Rechte, Regulierung und Spannungsfelder.

Underexposed
On 9 November 2017, also in Berlin, I’ll be at SimplySecure‘s conference Underexposed (program). My talk there is called The Internet of Sneaky Things. I’ll be exploring how IoT security, funding and business models, centralization and data mining, and some larger challenges around the language we use to consider the impact of data-driven systems combined all form a substantial challenge for all things related to IoT. But it’s not all bleak. There are measures we can—and through ThingsCon, we do—take.

I’m very much looking forward to both events, and to chatting with the other participants there. These are some great communities. If you’re there, please don’t be shy, so come and say hi!

Defining an #iotmark for consumers

D

A long over-due blog post, I wanted to share some thoughts on the recent #iotmark event that Alexandra Deschamps-Sonsino and Usman Haque convened in London as a follow-up to the 2012 Open IoT Assembly (which produced this Open IoT Definition).

Most importantly (spoiler alert!) the #iotmark is a work in progress. You can follow along and/or contribute here.

///

Consumer trust and the Internet of Things

Why is it important to talk about IoT and a label, certification, or trustmark? Because in IoT, it’s really hard for consumers to make an informed decision on which products and services to trust.

Partially this is because implications of anything are hard to gauge in the context of connected, data-driven systems. Partially it’s because the categories of IoT products aren’t fully matured yet and it’s not always clear what to expect from one thing over the other. But also, there’s a lot more going on under the hood that makes it nearly impossible to tell quality work from crap.

A shiny box could be built with top security processes in place by a trustworthy organization, or it could be slapped together haphazardly by a scammer. How would you know!

As a starting point, inspired by a conversation at the event, I made this 4-quadrant test:


Trust and expectations in IoT by The Waving Cat/Peter Bihr

This group of 40-50 participants went hard at it with lots of intense and super interesting conversations. IoT is a huge space, and the challenges are manifold and real.

The range of challenges (and hence, opportunities to tackle) include digital rights, transparency, data protection & privacy, innovation, security & safety, reparability and maintenance, business models, literacy, policy, and many more.

Different schools of thoughts: Purists versus Pragmatists

An aspect I found particularly interesting was the different schools of thought present—pretty much what Venkatesh Rao refers to as Purists versus Pragmatists.

I’m painting with a very broad brush here, but you could tell two underlying approaches to solving these very real issues:

  • Part of the group aimed for a purist approach: Aim high, and stick with the high goals. In terms of labeling, this would manifest in a desire to see a strongly backed, third party audited, highly trustworthy and credible certification of sorts.
  • The pragmatists on the other hand were guided by not letting the better be the enemy of the good. Their approach tended towards a more bottom-up, decentralized, organic label based on self-declarations that might get more widely adopted because it requires less overhead and hence would have a lower barrier to entry.


When collaboratively editing the first draft of the #iotmark doc, we broke Google Docs.

While I tend to be a little partial here and lean a little more towards the pragmatic side of things, I fully see why both sides have strong points in their favor. In a context like this, where there’s no golden path that’s guaranteed to work, it boils down to a philosophical question.

Will this get traction?

So where will this go? It’s hard to say yet, but we’re motivated to make it happen one way or another. (I’m involved on a voluntary basis by heading the governance working group together with Laura James.)

The interest is certainly there, as is promising precedence as you’ll see below: Stacey Higginbotham just covered the #iotmark on her (excellent!) blog, staceyoniot.com.

And we know that informal, ad-hoc gatherings can have a real impact. Decisions are made by those who show up! Steffen Ferber was a participant in the 2012 Open IoT Assembly, and he shared the story of how he introduced the Open IoT Definition we signed back then at Bosch.

Now, 5 years later, this impacts Bosch’s work in the space. (If the images in the embed below don’t load, just click through to the tweets.)

To me this is a great reminder and gives me a lot of hope: This type of work might not always seem glamorous and sometimes it’s hard to tell if it has an impact. But often that’s just because it unfolds its impact silently, in the background, and only much later the effect becomes visible.

A nice side effect of Bosch using the Open IoT Definition principles we laid out in 2012 is, by the way, that their products are now all pretty much automatically compatible with the GDPR, Europe’s new data protection regulation. Another case that illustrates that good ethics are good business!

I’m looking forward to continuing the very hands-on work on the #iotmark. Hopefully we can move it to a launch-able v1.0 shortly.

In the meantime, I’m also doing more research into the overall landscape and most promising approaches to an IoT trustmark, and how it might be developed and deployed for maximum positive impact.

It’s a good time to put a label on IoT for sure.

For IoT, we need a holistic understanding of security

F

Like the internet, IoT is a big horizontal layer of technologies and practices. It has touch points across industries (like healthcare, automotive, consumer goods, infrastructure) and regulatory areas. That’s what makes it so hard to discuss, to regulate, and to make secure.

More importantly, security has a pretty clear meaning in IT. But I’d argue that for the Internet of Things we need a more holistic concept of security than for traditional IT—one that includes aspects like data protection, privacy, user rights. A more human rights-style that goes beyond pure security and extends protection into adjacent but equally important areas.

Otherwise even the most technologically secure systems won’t serve the purpose of protecting users from negative consequences.