Monday, 17 October 2016

Children and the Internet inquiry

Together with colleagues from Horizon we submitted evidence to the House of Lords Select Committee on Communications inquiry into Children and the internet. The evidence was from the ESRC-funded CaSMa project looking into citizen-centric approaches to social media research. Working with 5Rights, we investigated young people's attitudes to various topics related to internet use, including:

o Personal data tracking
o Removal of embarrassing or inconvenient content
o Unhealthy dependence upon digital communication technologies
o Effect of online networks on young people’s self-esteem, feelings of exclusion, anxiety
o Digital literacy

Using Youth Juries, a specific form of vignette methodology, we elicited interesting insights into how young people are growing up with technology, putting the lie to the cliche "young people don't care about privacy anymore" - they most certainly do. A final report on this project is coming soon, so watch the twittersphere @horizonder.

Then last week it was time to don the grey suit again and head to the Palace of Westminster to offer verbal evidence (video, transcript). It's a long (and of course thoroughly riveting) watch/read, but in summary:

Baroness Kidron: ".... I would really like to hear from you what industry could do that is a little bit more radical and a little bit more user-friendly when we are talking not simply about protection but about the normative use of “children being children” in this digital sphere."

Professor Derek McAuley: "Stop trying to monetise every piece of data."

It'll be a radical shake-up of the Digital Economy when that comes to pass.

Wednesday, 2 March 2016

How risky is your IoT

Copy of an article first appearing on the IoTUK blog.

In a previous blog, we kicked off a discussion about the categorisation of IoT applications and systems, and their technical complexity.
Today we will analyse risk as a further dimension in helping us differentiate various IoT applications. Our mission in all of this categorisation is to start an in-depth discussion about the subsets of IoT applications and their common problems and solutions; otherwise we are in an endless apples and oranges discussion.
Our risk dimension includes privacy, safety and resilience; in fact anything that in project management terms should be included on a (sensibly used!) project risk register. We are interested in what could go wrong, how to decrease the likelihood of such events and how to mitigate the effects; because rest assured things will go wrong.

The inevitability of failure

It is the nature of all computers and communications systems to do unexpected things; even if we could dream of removing all software bugs, the very physics of the systems leads to an underlying failure rate (see metastability). Many of these IoT systems will involve interactions with fallible human beings. Things fail and IoT designers need to deal with it.
We have included privacy here because one aspect of the impending EU General Data Protection Regulation is the move, welcomed by many, to a risk-based assessment of the requirements for handling personal data.
Such risk assessments are subtle and not solely related to the type of the data, but to the context in which it is being used – it might be an annoyance to have your credit card details stolen, but if it is published that they were stolen from Ashley Madison’s website, that tells a different story.

Privacy risks

Privacy risks are present wherever we have sensing technologies in IoT. It will often be possible to correlate the sensing with an individual’s activities.
You can expect to see this data used in unexpected ways – the court case involving FitBit data is a sign of a trend where IoT data can be used as evidence of a person’s innocence or guilt. Mitigations could include strong encryption, ephemeral data or only maintaining statistical and aggregated data in the longer term.
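One way to combine two of these mitigations, ephemeral raw data and aggregate-only long-term storage, is sketched below. It is an added example, not code from the original article; the 24-hour retention window, the class name and the step-count readings are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RAW_TTL = timedelta(hours=24)  # assumed retention window for raw readings

class MinimisingStore:
    """Raw readings are ephemeral; only per-day statistics survive long term."""

    def __init__(self, raw_ttl=RAW_TTL):
        self.raw_ttl = raw_ttl
        self.raw = []  # (timestamp, value) pairs: fine-grained, so identifying
        self.daily = defaultdict(lambda: {"count": 0, "total": 0.0})

    def add(self, ts, value):
        self.raw.append((ts, value))

    def compact(self, now):
        """Fold readings older than raw_ttl into daily totals, then drop them."""
        cutoff = now - self.raw_ttl
        fresh = []
        for ts, value in self.raw:
            if ts >= cutoff:
                fresh.append((ts, value))
                continue
            bucket = self.daily[ts.date().isoformat()]
            bucket["count"] += 1
            bucket["total"] += value
        expired = len(self.raw) - len(fresh)
        self.raw = fresh
        return expired

    def daily_mean(self, day):
        bucket = self.daily.get(day)
        return bucket["total"] / bucket["count"] if bucket else None

def demo():
    """Constructed step-count readings from a hypothetical wearable."""
    now = datetime(2016, 3, 2, 12, 0, tzinfo=timezone.utc)
    store = MinimisingStore()
    for hours_ago, steps in ((30, 400), (26, 600), (1, 250)):
        store.add(now - timedelta(hours=hours_ago), steps)
    expired = store.compact(now)
    return expired, len(store.raw), store.daily_mean("2016-03-01")
```

After compaction the timestamps of the two older readings no longer exist anywhere in the store, so they cannot later be correlated with what the wearer was doing at a given hour.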
Many IoT devices also have the ability to actuate and affect the physical world – so what could possibly go wrong? Human safety checks are absent when moving to automation in IoT. We will need to design with safety in mind as everyday domestic objects become known killers – whether automatic door openers or even something as mundane as a venetian blind.
Picking up the theme of care for the elderly in their homes, again from a previous blog, we also start to see the need for resilience in our IoT designs. A particularly dangerous episode for many elderly people is a power outage – from the heating stopping, to lack of lighting, leading to increased risk of falls or other accidents.

Resilient IoT design

A resilient IoT design would include several hours of protected power supply for the sensors and router; backup communications using 3G as the ADSL or cable modem may not be available to access the internet (fixed line telecoms operators are required to have the phone service available during a power outage, not the broadband); and the ability to act independently of internet servers to raise alarms, so that operations are maintained when there are network and server failures or DDoS attacks on the infrastructure.
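The alarm path of such a design can be simulated as follows. This is an added example, not code from the original article: the hub, the channel functions and the failure conditions are hypothetical, and it assumes that broadband is lost in a power cut and that the 3G path sends an SMS straight to a carer without going through the cloud server.

```python
from dataclasses import dataclass, field

class ChannelDown(Exception):
    """A transport could not deliver the alarm."""

@dataclass
class Env:  # constructed failure conditions for the simulation
    mains_power: bool = True
    cellular: bool = True
    cloud_up: bool = True

def broadband_to_cloud(env, msg):
    if not env.mains_power:
        raise ChannelDown("broadband unavailable during power outage")
    if not env.cloud_up:
        raise ChannelDown("cloud server unreachable")

def cellular_sms(env, msg):
    # Assumption: the SMS goes straight to a carer, so no cloud server is involved.
    if not env.cellular:
        raise ChannelDown("no 3G coverage")

REMOTE_CHANNELS = (("broadband", broadband_to_cloud), ("3g-sms", cellular_sms))

@dataclass
class Hub:  # hypothetical hub on protected power; its siren needs no network
    env: Env
    siren_log: list = field(default_factory=list)
    undelivered: list = field(default_factory=list)

    def raise_alarm(self, msg):
        """Return (channel that carried the alarm, failures on the way)."""
        failures = []
        for name, send in REMOTE_CHANNELS:
            try:
                send(self.env, msg)
                return name, failures
            except ChannelDown as exc:
                failures.append(f"{name}: {exc}")
        self.siren_log.append(msg)    # act locally, independent of the internet
        self.undelivered.append(msg)  # keep the alarm for delivery once a path returns
        return "local-siren", failures

def simulate():
    """Raise the same alarm under four constructed failure conditions."""
    cases = {"normal": Env(), "server DDoS": Env(cloud_up=False),
             "power cut": Env(mains_power=False),
             "power cut, no 3G": Env(mains_power=False, cellular=False)}
    return {label: Hub(env).raise_alarm("fall detected")[0] for label, env in cases.items()}
```

The local siren is deliberately not in the channel list: it is the action taken when every network path has failed, so no server or link outage can suppress it.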
To build an IoT we trust we must first learn to handle the risks. Importantly, while showing damages in privacy cases has proven hard, the rise in citizens injured by devices will rapidly lead to product liability cases.