Tag: thingscon

Monthnotes for September 2018

It’s fall time. But while the days are starting to get shorter, productivity is up. Let’s dive right in.

ThingsCon & the Trustable Tech mark

Lots of progress on the Trustable Tech mark we’re launching under the ThingsCon umbrella.

We just had a lovely two day workshop at Casa Jasmina, Torino’s open source smart home of the future (a project by Bruce Sterling, Jasmina Tesanovic and Davide Gomba).

A warm welcome at Casa Jasmina, and a ThingsCon haiku by Dries de Roeck

There I also spoke, together with Michelle Thorne at Magic Monday, Casa Jasmina’s IoT meetup. Which was extra fun, because 3 years ago we were the first speakers at that meetup, and the first guests at CJ.

Here’s the slide deck:

We also signed up the first official academic/policy launch partner for the trustmark, one of the globally leading internet & society institutes. It’s super exciting. More on that soon.

In related news, we’ll soon have a business master class from ThingsCon, so keep an eye on our social media and website. Also, there’s the big annual ThingsCon Conference, which this year takes place in Rotterdam. Super Early Bird tickets are still up, I believe, this weekend, and Early Bird through October. It’s going to be amazing and you really don’t want to miss out on this one.

Media, etc.

Over on ReadWrite, I wrote an op-ed about the RiOT Report. Reminder: Our annual ThingsCon report The State of Responsible IoT is out.

What’s next?

Mozfest London (Oct), ThingsCon Business Masterclass (Nov; more soon), ThingsCon Rotterdam (Dec).

If you’d like to work with me in the upcoming months, I have very limited availability but am always happy to have a chat.

Have a great October.

Yours truly, P.

Monthnotes for August 2018

Lots of ThingsCon & Trustable Tech goodness this month.

The State of Responsible IoT 2018

Our (now-)annual ThingsCon report The State of Responsible IoT is out.

It’s an annual collection of essays by experts from the ThingsCon community. With the Riot Report 2018 we want to investigate the current state of responsible IoT. In this report we explore observations, questions, concerns and hopes from practitioners and researchers alike. The authors share the challenges and opportunities they perceive right now for the development of an IoT that serves us all, based on their experiences in the field. The report presents a variety of differing opinions and experiences across the technological, regional, social, philosophical domains the IoT touches upon.

Our contributors are a veritable all-star lineup from around the globe including Christian Villum, David Li, Dries de Roeck, Prof. Dr. Eduardo Magrani, Prof. Dr. Elisa Giaccardi, Ester Fritsch, Prof. Dr. Gaia Scagnetti, Holly Robbins, Iohanna Nicenboim, Prof. Dr. Irina Shklovski, Iskander Smit, Dr. James Pierce, Dr. Laura James, Luca van der Heide, Maya Indira Ganesh, Peter Bihr, Dr. Rachel Douglas-Jones, Dr. Ronaldo Lemos, Prof. Dr. Seyram Avle, Prof. Dr. Silvia Lindtner, and Simon Höher.

Trustable Technology mark

With lots of priceless input from Jason Schultz, the kind help from our partner test companies, and based on feedback from across the ThingsCon network, we’ve managed to hugely streamline the application process for ThingsCon’s Trustable Tech mark—while also making it a lot more robust by putting human experts in the loop.

Current overview presentation from earlier this week:

Media, etc.

Brand Eins interviewed me about IoT and how it challenges our notion of ownership and trust. Details in my blog post here. The text is now available for free (no more paywall).

What’s next?

Trips to Torino for a ThingsCon & Trustmark workshop & to London for Mozfest.

If you’d like to work with me in the upcoming months, I have very limited availability but am always happy to have a chat.

Have a great September.

Yours truly, P.

New ThingsCon Report: The State of Responsible IoT 2018

A quick cross-post from the ThingsCon blog about a report we’ve been working on and that we just pushed online: The State of Responsible IoT 2018

A lot has happened since we published the first ThingsCon State of Responsible IoT report in 2017: Responsibility and ethics in tech have begun to enter mainstream conversations, and these conversations are having an effect. The media, tech companies, and policy makers all are rethinking the effect of technology on society.

The lines between the Internet of Things (IoT), algorithmic decision-making, Artificial Intelligence/Machine Learning (AI/ML), and data-driven services are all ever-more blurry. We can’t discuss one without considering the others. That’s not a bad thing, it just adds complexity. The 21st century isn’t one for black and white thinking: It’s messy, complex, quickly evolving, and a time where simple answers won’t do.

It is all the more important to consider the implications, to make sure that all the new data-driven systems we’ll see deployed across our physical and digital environments work well—not just for the users but for all who are impacted.

Things have evolved and matured in big strides since our last State of Responsible IoT. This year’s report reflects that evolution, as well as the enormous breadth and depth of the debate. We couldn’t be happier with the result.

Some background as well as all the relevant links are available at thingscon.com/responsible-iot-report/ or using the short URL bit.ly/riot-report. The publication is available on Medium and as a PDF export.

This text is meant for sharing. The report is published by ThingsCon e.V. and licensed under Creative Commons (attribution/non-commercial/share-alike: CC BY-NC-SA). Images are provided by the author and used with permission. All rights lie with the individual authors. Please reference the author(s) when referencing any part of this report.

Monthnotes for June & July 2018

Lots of travel and a brief time off means a combined summer-ish edition of month notes for June & July. A lot has happened over the last 8 or so weeks, so let’s dive right in. In no particular order…

Trustable Technology mark

The ThingsCon trustmark for IoT has a name, finally! Meet the Trustable Technology mark, or #trustabletech for short. The URL (trustabletech.com) still forwards to the trustmark page on ThingsCon.com, but will have its own place soon. The most current version of the explainer presentation is up on Slideshare:

What’s more, I’m not alone in this endeavor—far from it! More and more folks from the ThingsCon network have been giving their input, which is priceless. Also, Pete Thomas (University of Dundee) has been taking the design lead and been a great sparring partner on strategy questions, and Jason Schultz (NYU Law) has been thinking about legal and policy implications. A big thank you to Pete & Jason! I’m super excited this is moving along at such a clip.

Going forward, the next steps are to finalize and then test more extensively the checklist for the assessment that’s open for comments in this gDoc. Jason and I also just presented the trustmark at the most recent ThingsCon Salon Berlin (video below), and I’ll be presenting it again at ThingsCon Salon Cologne on August 3rd. (Thingscon.com/events has all up-to-date details.)

Media, etc.

Brand Eins interviewed me about IoT and how it challenges our notion of ownership and trust. Details in my blog post here.

My somewhat eclectic newsletter Connection Problem has completed Season 3 with just over 30 installments. I’m taking a writing break of a few weeks, and then I’ll kick off Season 4 soon. Sign up now if you want to follow along!

ThingsCon

With ThingsCon, we co-signed not one but two declarations and open letters: The Toronto Declaration about AI and human rights (initiated by AccessNow) and the Open Letter to G20 Leaders.

Travel & Events I Attended

I got to join a whole bunch of things those last few weeks.

I thoroughly enjoyed both a workshop on IoT security and market surveillance by Stiftung Neue Verantwortung, where we discussed all things certification, incentives and assessment frameworks; and the always fascinating Museum of the Future workshop in Berlin. I’d been to one in Amsterdam before, and even though I’m spoiled by greatly curated events, the group that Noah & team convene in this context is humbling and fascinating and the only thing I wished is that I could have been there full time, which this time alas wasn’t possible.

In between the two I got to go to New York City for meetings and a quick swing-by at Data & Society, as well as Toronto for the Mozilla Foundation’s all-hands where I was kindly invited to participate as a fellow. Speaking of committed & warm & driven groups!

After that, some family time in the Pacific Northwest, and a short vacation, which included a little road trip through the Cascades. What a stunning & wonderful region!

What’s next?

On one hand I’m gearing up the planning for fall. If you’d like to work with me in the upcoming months, I have very limited availability but am always happy to have a chat.

On the other I’m pretty much heads-down to get the trustmark to the next level. This includes the nitty gritty work of both improving the trustmark assessment tool, and of lining up launch partners. It also means planning a little road show to expose this idea to more eyes and ears, including ThingsCon Salon Cologne, Mozfest, ThingsCon Amsterdam, and a few other events in between. We’re also in the middle of copy-editing the upcoming 2018 issue of the ThingsCon report “The State of Responsible IoT” (#RIoT). More on that soon.

So back to the text mines!

Have a great August.

Yours truly, P.

A Trustmark for the Internet of Things: First thoughts

I’ve been researching the potential of consumer trust labels for IoT for quite some time as I believe that trustworthy connected products should be easier to find for consumers, and the companies (or other organizations) that make connected things should have a way to differentiate their products and services through their commitment to privacy, security, and overall just better products.

One milestone in this research was a report I authored last fall, A Trustmark for IoT, based on research within the larger ThingsCon community and in collaboration with Mozilla Foundation. (Full disclosure: My partner works for Mozilla.)

Ever since I’ve been exploring turning this research into action. So far this has taken two strands of action:

  1. I’ve been active (if less than I wanted, due to personal commitments) in the #iotmark initiative co-founded by long-time friend and frequent collaborator Alexandra Deschamps-Sonsino. The #iotmark follows a certification model around privacy, security, and related topics.
  2. I’ve also been collecting thoughts and drafting a concept for a separate trustmark that follows a commitment model.

At this point I’d like to share some very early, very much draft stage thoughts about the latter.

A note: This trustmark is most likely to happen and be developed under the ThingsCon umbrella. I’m sharing it here first, today, not to take credit but because it’s so rough around the edges that I don’t want the ThingsCon community to pay for any flaws in the thinking, of which I’m sure there are still plenty. This is a work in progress, and shared openly (and maybe too early) because I believe in sharing thought processes early even if it might make me look stupid. It’s ok if I look stupid; it’s not ok if I make anyone else in the ThingsCon community look stupid. That said, if we decide to push ahead and develop this trustmark, we’ll be moving it over to ThingsCon or into some independent arrangement—like most things in this blog post, this remains yet to be seen.

Meet Project Trusted Connected Products (working title!)

In the trustmark research report, I’ve laid out strengths and weaknesses of various approaches to consumer labeling from regulation-based (certification required to be allowed to sell in a certain jurisdiction) to voluntary-but-third-party-audited certification to voluntary-self-audited labels to completely self-authorized labels (“Let’s put a fancy sticker on it!”). It’s a spectrum, and there’s no golden way: What’s best depends on context and goals. Certifications tend to require more effort (time, money, overhead) and in turn tend to be more robust and have more teeth; self-labeling approaches tend to be more lightweight and easier to implement, and in turn tend to have fewer teeth.

The mental model I’ve been working with is this: Certifications (like the #iotmark) can be incredibly powerful at weeding out the crap, and establishing a new baseline. And that’s very powerful and very important, especially in a field as swamped by crappy, insecure, not-privacy-respecting products like IoT. But I’m not an expert in certifications, and others are, so I’d rather find ways of collaborating rather than focusing on this approach.

What I want to go for instead is the other end of the spectrum: A trustmark that aims not at raising the baseline, but a trustmark that raises the bar at the top end. Like so:

Image: Peter Bihr (Flickr)

I’d like to keep this fairly lightweight and easy for companies to apply, but find a model where there are still consequences if they fail to follow through.

The mechanism I’m currently favoring leans on transparency and a control function of the public. Trust but verify.

Companies (or, as always, other orgs) would commit to implementing certain practices, etc., (more on what below) and would publicly document what they do to make sure this works. (This is an approach proposed during the kickoff meeting for the #iotmark initiative in London, before the idea of pursuing certification crystalized.) Imagine it like this:

  • A company wants to launch a product and decides to apply for the trustmark. This requires them to follow certain design principles and implement certain safeguards.
  • The company fills out a form where they document how they make sure these conditions for the trustmark are met for their product. (In a perfect world, this would be open source code and the like, in reality this wouldn’t ever work because of intellectual property; so it would be a more abstract description of work processes and measures taken.)
  • This documentation is publicly available in a database online so as to be searchable by the public: consumers, consumer advocates and media.

If it all checks out, the company gets to use the label for this specific product (for a time; maybe 1-2 years). If it turns out they cheated or changed course: Let the public shaming begin.

This isn’t a foolproof, super robust system. But I believe the mix of easy-to-implement-but-transparent can be quite powerful.

What’s in a trustmark?

What are the categories or dimensions that the trustmark speaks to? I’m still drafting these and this will take some honing, but I’m thinking of five dimensions (again, this is a draft):

  • Privacy & Data Practices
  • Transparency
  • Security
  • Openness
  • Sustainability

Why these five? IoT (connected products) are tricky in that they tend not to be stand-alone products like a toaster oven of yore.

Instead, they are part of (more-or-less) complex systems that include the device hardware (what we used to call the product) with its sensors and actuators and the software layer both on the device and the server infrastructure on the backend. But even if these were “secure” or “privacy-conscious” (whatever this might mean specifically) it wouldn’t be enough: The organization (or often organizations, plural) that make, design, sell, and run these connected products and services also need to be up to the same standards.

So we have to consider other aspects like privacy policies, design principles, business models, service guarantees, and more. Otherwise the ever-so-securely captured data might be sold or shared with third parties, it might be sold along with the company’s other assets in case of an acquisition or bankruptcy, or the product might simply cease working in case the company goes belly-up or changes their business model.

This is where things can get murky, so we need to define pretty clear standards of what and how to document compliance, and come up with checklists, etc.

In some of these areas, the ThingsCon community has leading experts, and we should be able to find good indicators ourselves; in others, we might want to find other indicators of compliance, like through existing third party certifications, etc.; in others yet, we might need to get a little creative.

For example, an indicator that counts towards the PRIVACY & DATA PRACTICES dimension could be strong (if possibly redundant) aspects like “is it GDPR compliant”, “is it built following the Privacy by Design principle”, or “are there physical off-switches or blockers for cameras”. If all three checkboxes are ticked, this would be 3 points on the PRIVACY & DATA PRACTICES score. (Note that “Privacy by Design” is already a pre-condition to be GDPR compatible; so in this case, one thing would add two points; I wouldn’t consider this too big an issue: After all we want to raise the bar.)

What’s next?

There are tons of details, and some very foundational things yet to consider and work out. There are white spots on the metaphorical map to be explored. The trustmark needs a name, too.

I’ll be looking to get this into some kind of shape, start gathering feedback, and also will be looking for partners to help make this a reality.

So I’m very much looking forward to hearing what you think—I just ask to tread gently at this point rather than stomping all over it just yet. There’ll be plenty of time for that later.

What’s long-term success? Outsized positive impact.

For us, success is outsized positive impact—which is why I’m happy to see our work becoming part of Brazil’s National IoT Plan.

Recently, I was asked what long-term success looked like for me. Here’s the reply I gave:

To have outsized positive impact on society by getting large organizations (companies, governments) to ask the right questions early on in their decision-making processes.

As you know, my company consists of only one person: myself. That’s both boon & bane of my work. On one hand it means I can contribute expertise surgically into larger contexts, on the other it means limited impact when working by myself.

So I tend (and actively aim) to work in collaborations—they allow me to build alliances for greater impact. One of those turned into ThingsCon, the global community of IoT practitioners fighting for a more responsible IoT. Another, between my company, ThingsCon and Mozilla, led to research into the potential of a consumer trustmark for the Internet of Things (IoT).

I’m very, very happy (and to be honest, a little bit proud, too) that this report just got referenced fairly extensively in Brazil’s National IoT Plan, concretely in Action Plan / Document 8B (PDF). (Here’s the post on Thingscon.com.)

To see your work and research (and hence, to a degree, agenda) inform national policy is always exciting.

This is exactly the kind of impact I’m constantly looking for.

Monthnotes for January 2018

January isn’t quite over, but since I’ll be traveling starting this weekend, I wanted to drop these #monthnotes now. A lot of time this month went into prepping an upcoming project which is likely to take up the majority of my time in 2018. More on that soon.

×

Capacity planning: This year my work capacity is slightly reduced since I want to make sure to give our new family member the face time he deserves. That said, this year’s capacity is largely accounted for, which is extra nice given it’s just January, and it’s for a thing I’m genuinely excited about. That said, I think it’s important to work on a few things in parallel because there’s always potential that unfolds from cross-pollination; so I’m up for a small number of not-huge projects in addition to what’s already going on, particularly in the first half of the year. Get in touch.

×

On Sunday, I’m off to San Francisco for a work week with the good folks at Mozilla because reasons and a number of meetings in the Bay Area. (Full disclosure: my partner works at Mozilla.) Last year I did some work with Mozilla and ThingsCon exploring the idea of a trustmark for IoT (our findings).

Image: commons (SDASM Archives)

Should you be in SF next week, ping me and we can see if we can manage a coffee.

×

IoT, trust & voice: More and more, I’m coming around to the idea that voice is the most important—or at least most imminent—manifestation of IoT regarding user data. Voice, and how it relates to trust, is what I’ll be focusing a lot of my work on in 2018.

×

User profiling in smart homes: Given my focus on voice & trust in IoT this year, I was very happy that Berlin tech & policy think tank Stiftung Neue Verantwortung invited me to a workshop on user profiling in smart homes. It was all Chatham House rules and I don’t want to dive into specifics at this point, but smart homes and voice assistants are worth a deep dive when it comes to trust—and trustworthiness—in IoT.

Connected homes and smart cities

Not least because (as I’ve been hammering home for a long time) the connected home and the smart city are two areas that most clearly manifest a lot of the underlying tensions and issues around IoT at scale: Connected homes, because traditionally the home was considered a private space (that is, if you look at the last 100 years in the West), and embedded microphones in smart homes mean it’s not anymore. And smart cities, because in public space there is no opt-out: Whatever data is collected, processed, and acted on in public space impacts all citizens, whether they want it or not. These are fundamental changes with far-reaching consequences for policy, governance, and democracy.

×

Worth your time: A few pointers to articles and presentations I found worthwhile:

  • Kate Crawford’s talk on bias in AI training data is ace: The Trouble with Bias [Youtube].
  • TechCrunch has a bit of a top-level explainer of GDPR, Europe’s General Data Protection Regulation that goes into effect in May this year. It’s being widely lauded in Europe (except by the usual suspects, like ad-land), and been unsurprisingly criticized in Silicon Valley as disruptive regulation. (See what I did there?) So it came as a pleasant surprise to me that TechCrunch of all places finds GDPR to be a net positive. Worth 10 minutes of your time! [TechCrunch: WTF is GDPR?]
  • noyb.eu—My Privacy is none of your Business: Max Schrems, who became well-known in European privacy circles after winning privacy-related legal battles including one against Facebook and one that brought down the US/EU Safe Harbor Agreement, is launching a non-profit: They aim to enforce European privacy protection through collective enforcement, which is now an option because of GDPR. They’re fundraising for the org. The website looks crappy as hell very basic, but I’d say it’s a legit endeavor and certainly an interesting one.

×

Writing & thinking:

  • In How to build a responsible Internet of Things I lay out a few basic, top-level principles distilled from years of analyzing the IoT space—again with an eye on consumer trust.
  • On Business Models & Incentives: Some thoughts on how picking the wrong business model—and hence creating harmful incentives for an organization to potentially act against its own customers—is dangerous and can be avoided.
  • I’ve been really enjoying putting together my weekly newsletter. It’s a little more personal and interest-driven than this blog, but tackles similar issues of the interplay between tech & society. It’s called Connection Problem. You can sign up here.

I was also very happy that Kai Brach, founder of the excellent Offscreen magazine kindly invited me to contribute to the next issue (out in April). The current one is also highly recommended!

×

Again, if you’d like to work with me in the upcoming months, please get in touch quickly so we can figure out how best to work together.

×

That’s it for January. See you in Feb!