Category: IoT

“The world doesn’t know where it wants to go”

Image: Compass by Valentin Antonucci (Unsplash)

One of the joys of my working at the intersection of emerging tech and its impact is that I get to discuss things that are by definition cutting edge with people from entirely different backgrounds—like recently with my dad. He’s 77 years old and has a background in business, not tech.

We chatted about IoT, and voice-enabled connected devices, and the tradeoffs they bring between convenience and privacy. How significant chunks of the internet of things are optimized for costs at the expense of privacy and security. How IoT is, by and large, a network of black boxes.

When I tried to explain why I think we need a trustmark for IoT (which I’m building with ThingsCon and as a Mozilla fellow)—especially regarding voice-enabled IoT—he listened intently, thought about it for a moment, and then said:

“We’re at a point in time where the world doesn’t know where it wants to go.”

And somehow that exactly sums it up, ever so much more eloquently than I could have phrased it.

Only I’m thinking: Even though I can’t tell where the world should be going, I think I know where to plant our first step—and that is, towards a more transparent and trustworthy IoT. I hope the trustmark can be our compass.

Monthnotes for May 2018

Trustmark

What’s been happening in the world of the ThingsCon trustmark for IoT?

  • As the concept evolves, I’ve updated the trustmark deck that explains a current snapshot of my thinking and published a first (prototype/draft stage) checklist for the assessment that’s open for comments in this gDoc.
  • As part of some prep work for Dundee Design Festival with fellow Mozfellow Jon Rogers and the Open IoT Studio, I had the opportunity to spend a couple days working with Pete Thomas on the design aspects of the trustmark (visuals, naming, etc.).
  • Speaking of collaborators, I also had the chance to chat with a whole bunch of organizations in the same space to see if and how we can work together, including Ranking Digital Rights, The Digital Standard, Doteveryone, #iotmark, Consumer Reports, and the University of Dresden. More on that soon.
  • And on a more hands-on note, I got a Google AIY Voice kit and a Snips.ai kit and started playing with them.
  • We’re planning a ThingsCon Salon Berlin with a focus on the trustmark, with legal super star Jason Schultz (NYU) in mid-July. Thingscon.com/events has all up-to-date details once it’s all confirmed.
  • Got interviewed about IoT, ownership & trust, and of course the trustmark, once more—and for one of my favorite mags, no less. Exciting! I’ll share the link once it’s available.

All of this and some more is also available over on the ThingsCon blog (category: trustmark)!

Designing IoT

We had a super interesting workshop in Antwerp around IoT and ideation tool kits with designer and PhD researcher Dries de Roeck, who also hosted a ThingsCon Salon in Antwerp the evening before. So that was awesome. Thanks Dries!

What’s next?

NYC then Toronto in June for conferences and meetings. Then a family vacation break after that.

If you’d like to work with me in the upcoming months, I have very limited availability but happy to have a chat.

Have a great June!

Monthnotes for April 2018

Media & Trustmark

Some nice media action in April around the ThingsCon trustmark for IoT.

Offscreen Magazine kindly invited me to contribute a piece about IoT and how we can create IoT in a more responsible way. (Also, trustmark shout-out!)

The Wall Street Journal’s cybersecurity newsletter (paywalled) did an in-depth interview with me about the trustmark. Some more info about that interview over on thingscon.com.

Mozilla’s Internet Health Report featured our trustmark report from last fall.

And if you read German, I started a column over on Netzpiloten.de with a piece on risks and chances of IoT, and the role a trustmark has to play: Das IoT—Gefahren und Chancen im Internet of Things. (Full disclosure: I was project lead at Netzpiloten from 2007 to 2010, and Dearsouvenir GmbH is a joint venture between The Waving Cat GmbH and Netzpiloten AG.)

In an effort to make it easier to follow the trustmark project’s progress I also started a regular trustmark update over on ThingsCon.com (ThingsCon Trustmark Update 04/2018).

And last but not least, my co-fellows Julia Kloiber, Jon Rogers and I are also listed in the Mozilla Fellowship directory—Mozilla supports the development of the trustmark through my fellowship. (Full disclosure: My partner works for Mozilla.)

Miscellaneous ThingsCon

Also, ThingsCon is part of an EU grant proposal consortium which required a lot of paperwork. (That’s a good sign, right?)

We also had two ThingsCon Salons in Germany and some more action over in the Netherlands, both of which are easier to follow over on ThingsCon.com.

What’s next?

Between these things and lots and lots of research and conversations that will be shaping the development of the trustmark for the next few months, April was pretty packed.

I’ll be heading to Antwerp for a ThingsCon Salon and a workshop with Dries de Roeck tomorrow, and to first NYC then Toronto in June for conferences and meetings.

If you’d like to work with me in the upcoming months, I have very limited availability but happy to have a chat.

And on that note, I’m off for a last round of calls and off to the airport in the morning.

Have a great May!

A Trustmark for IoT: Some updates

Just for the record, a few quick updates regarding my work on a trustmark for IoT.

Last year I did some research with the ThingsCon network and Mozilla about the potential of a trustmark for IoT. (Learn more about my report “A Trustmark for IoT”.) This year, we want to turn this research into action.

This is work that I’ll be doing under the ThingsCon umbrella with support from Mozilla Foundation—as of March 2018 I’m a Mozilla Fellow. (Read the ThingsCon announcement about the fellowship.) It’s an inherent part of this project to work as much in the open as possible. With this constellation in mind, the project documentation won’t happen primarily here at this blog and instead in the following places:

Also, I’m happy to report that the initiative is already getting quite a bit of attention, including an interview with the Wall Street Journal for their cybersecurity newsletter (paywall), and a mention in Mozilla’s Internet Health Report 2018. (See the media mentions round-up on the ThingsCon blog.)

Full disclosure: My partner works for Mozilla.

Monthnotes for March 2018

Before we’re headed into the long Easter Holiday weekend, a quick rundown of what happened in March.

Mozilla Fellowship & an open trustmark for IoT

I’m happy to share that I’ve joined the Mozilla Fellows program (concretely, the IoT fellows group to work with Jon Rogers and Julia Kloiber), and that Mozilla supports the development of an open trustmark for IoT under the ThingsCon umbrella.

There’s no doubt going to be a more formal announcement soon, but here’s the shortest of blog posts over on ThingsCon.

(As always, a full disclosure: My partner works for Mozilla.)

I had already shared first thoughts on the IoT trustmark. We’ll have a lot more to share on the development of the trustmark now that it’s becoming more official. You can follow along here and over on the ThingsCon blog.

By the way, this needs a catchy name. Hit me up if you have one in mind we could use!

Zephyr interviews: The Craftsman, Deutsche Welle

We were humbled and delighted that Gianfranco Chicco covered Zephyr Berlin in the recent issue of his most excellent newsletter, The Craftsman. Links and some background here.

We also had an interview with Deutsche Welle. We’ll share it once it’s available online.

It’s great that this little passion project of ours is getting this attention, and truly humbled also by the super high quality feedback and engagement from our customers. What a lovely crowd!

Learning about Machine Learning

I’ve started Andrew Ng’s Machine Learning Stanford course on Coursera. Due to time constraints it’s slow going for me, and as expected, it’s a bit math heavy for my personal taste but even if you don’t aim to necessarily implement any machine learning or code to that effect there’s a lot to take away. Two thumbs up.

Notes from a couple of events on responsible tech

Aspen Institute: I was kindly invited to an event by Aspen Institute Germany about the impact of AI on society and humanity. One panel stood out to me: It was about AI in the context of autonomous weapons systems. I was positively surprised to hear that

  1. All panelists agreed that if autonomous weapons systems, then only with humans in the loop.
  2. There haven’t been significant cases of rogue actors deploying autonomous weapons, which strikes me as good to hear but also very surprising.
  3. A researcher from the Bundeswehr University Munich pointed out that introducing autonomous systems introduces instability, pointing out the possibility of flash wars triggered by fully autonomous systems interacting with one another (like flash crashes in stock markets).
  4. In the backend of military logistics, machine learning appears to already be a big deal.

Digital Asia Hub & HiiG: Malavika Jayaram kindly invited me to a small workshop with Digital Asia Hub and the Humboldt Institute for Internet and Society (in the German original abbreviated as HiiG). It was part of a fact finding trip to various regions and tech ecosystems to figure out which items are most important from a regulatory and policy perspective, and to feed the findings from these workshops into policy conversations in the APAC region. This was super interesting, especially because of the global input. I was particularly fascinated to see that Berlin hosts all kinds of tech ethics folks, some of which I knew and some of which I didn’t, so that’s cool.

Both are also covered in my newsletter, so I won’t just replicate everything here. You can dig into the archives from the last few weeks.

Thinking & writing

Season 3 of my somewhat more irreverent newsletter, Connection Problem, is coming up on its 20th issue. You can sign up here to see where my head is these days.

If you’d like to work with me in the upcoming months, I have very limited availability but happy to have a chat.

That’s it for today. Have a great Easter weekend and an excellent April!

A Trustmark for the Internet of Things: First thoughts

I’ve been researching the potential of consumer trust labels for IoT for quite some time as I believe that trustworthy connected products should be easier to find for consumers, and the companies (or other organizations) that make connected things should have a way to differentiate their products and services through their commitment to privacy, security, and overall just better products.

One milestone in this research was a report I authored last fall, A Trustmark for IoT, based on research within the larger ThingsCon community and in collaboration with Mozilla Foundation. (Full disclosure: My partner works for Mozilla.)

Ever since I’ve been exploring turning this research into action. So far this has taken two strands of action:

  1. I’ve been active (if less than I wanted, due to personal commitments) in the #iotmark initiative co-founded by long-time friend and frequent collaborator Alexandra Deschamps-Sonsino. The #iotmark follows a certification model around privacy, security, and related topics.
  2. I’ve also been collecting thoughts and drafting a concept for a separate trustmark that follows a commitment model.

At this point I’d like to share some very early, very much draft stage thoughts about the latter.

A note: This trustmark is most likely to happen and be developed under the ThingsCon umbrella. I’m sharing it here first, today, not to take credit but because it’s so rough around the edges that I don’t want the ThingsCon community to pay for any flaws in the thinking, of which I’m sure there are still plenty. This is a work in progress, and shared openly (and maybe too early) because I believe in sharing thought processes early even if it might make me look stupid. It’s ok if I look stupid; it’s not ok if I make anyone else in the ThingsCon community look stupid. That said, if we decide to push ahead and develop this trustmark, we’ll be moving it over to ThingsCon or into some independent arrangement—like most things in this blog post, this remains yet to be seen.

Meet Project Trusted Connected Products (working title!)

In the trustmark research report, I’ve laid out strengths and weaknesses of various approaches to consumer labeling from regulation-based (certification required to be allowed to sell in a certain jurisdiction) to voluntary-but-third-party-audited certification to voluntary-self-audited labels to completely self-authorized labels (“Let’s put a fancy sticker on it!”). It’s a spectrum, and there’s no golden way: What’s best depends on context and goals. Certifications tend to require more effort (time, money, overhead) and in turn tend to be more robust and have more teeth; self-labeling approaches tend to be more lightweight and easier to implement, and in turn tend to have less teeth.

The mental model I’ve been working with is this: Certifications (like the #iotmark) can be incredibly powerful at weeding out the crap, and establishing a new baseline. And that’s very powerful and very important, especially in a field as swamped by crappy, insecure, not-privacy-respecting products like IoT. But I’m not an expert in certifications, and others are, so I’d rather find ways of collaborating rather than focusing on this approach.

What I want to go for instead is the other end of the spectrum: A trustmark that aims not at raising the baseline, but a trustmark that raises the bar at the top end. Like so:

Image: Peter Bihr (Flickr)

I’d like to keep this fairly lightweight and easy for companies to apply, but find a model where there are still consequences if they fail to follow through.

The mechanism I’m currently favoring leans on transparency and a control function of the public. Trust but verify.

Companies (or, as always, other orgs) would commit to implementing certain practices, etc., (more on what below) and would publicly document what they do to make sure this works. (This is an approach proposed during the kickoff meeting for the #iotmark initiative in London, before the idea of pursuing certification crystalized.) Imagine it like this:

  • A company wants to launch a product and decides to apply for the trustmark. This requires them to follow certain design principles and implement certain safeguards.
  • The company fills out a form where they document how they make sure these conditions for the trustmark are met for their product. (In a perfect world, this would be open source code and the like, in reality this wouldn’t ever work because of intellectual property; so it would be a more abstract description of work processes and measures taken.)
  • This documentation is publicly available in a database online so as to be searchable by the public: consumers, consumer advocates and media.

If it all checks out, the company gets to use the label for this specific product (for a time; maybe 1-2 years). If it turns out they cheated or changed course: Let the public shaming begin.

This isn’t a foolproof, super robust system. But I believe the mix of easy-to-implement-but-transparent can be quite powerful.

What’s in a trustmark?

What are the categories or dimensions that the trustmark speaks to? I’m still drafting these and this will take some honing, but I’m thinking of five dimensions (again, this is a draft):

  • Privacy & Data Practices
  • Transparency
  • Security
  • Openness
  • Sustainability

Why these five? IoT (connected products) are tricky in that they tend not to be stand-alone products like a toaster oven of yore.

Instead, they are part of (more-or-less) complex systems that include the device hardware (what we used to call the product) with its sensors and actuators and the software layer both on the device and the server infrastructure on the backend. But even if these were “secure” or “privacy-conscious” (whatever this might mean specifically) it wouldn’t be enough: The organization (or often organizations, plural) that make, design, sell, and run these connected products and services also need to be up to the same standards.

So we have to consider other aspects like privacy policies, design principles, business models, service guarantees, and more. Otherwise the ever-so-securely captured data might be sold or shared with third parties, it might be sold along with the company’s other assets in case of an acquisition or bankruptcy, or the product might simply cease working in case the company goes belly-up or changes their business model.

This is where things can get murky, so we need to define pretty clear standards of what and how to document compliance, and come up with checklists, etc.

In some of these areas, the ThingsCon community has leading experts, and we should be able to find good indicators ourselves; in others, we might want to find other indicators of compliance, like through existing third party certifications, etc.; in others yet, we might need to get a little creative.

For example, an indicator that counts towards the PRIVACY & DATA PRACTICES dimension could be strong (if possibly redundant) aspects like “is it GDPR compliant”, “is it built following the Privacy by Design principle”, or “are there physical off-switches or blockers for cameras”. If all three checkboxes are ticked, this would be 3 points on the PRIVACY & DATA PRACTICES score. (Note that “Privacy by Design” is already a pre-condition to be GDPR compatible; so in this case, one thing would add two points; I wouldn’t consider this too big an issue: After all we want to raise the bar.)

What’s next?

There are tons of details, and some very foundational things yet to consider and work out. There are white spots on the metaphorical map to be explored. The trustmark needs a name, too.

I’ll be looking to get this into some kind of shape, start gathering feedback, and also will be looking for partners to help make this a reality.

So I’m very much looking forward to hearing what you think—I just ask to tread gently at this point rather than stomping all over it just yet. There’ll be plenty of time for that later.