BCS, The Chartered Institute for IT, recently asked some of its members about their awareness of the IoT, its applications and more. Although autonomous agents in one form or another have been around for twenty years or so, the internet of things, which Cisco believes will have 50 billion connected devices by 2020, is at another level.
Awareness is high: nearly all the respondents had heard of smart meters, and 69 per cent were aware of health applications such as blood pressure monitoring. Actual use is less impressive: asked whether they owned, or were considering installing, a smart meter or any smart sensors at home, only 17 per cent said yes, with a further 24 per cent considering it.
The survey gets interesting when looking at what people actually want from the IoT.
Improved integration of domestic IoT capabilities came up on a number of occasions, and it has wider implications than just your fridge ordering more milk for you. As a consumer, knowing what food you have in the fridge is useful; from a societal perspective, access to data that gives a greater understanding of local, regional and national habits, which can then be cross-referenced against waste data collected by, for example, weighing bins, becomes a powerful tool.
Imagine if that data were further cross-referenced with local (anonymised) health data. This example demonstrates that IoT technology should not be looked at as an independent vertical but as part of an interconnected world.
If vehicle telematics were interoperable with GPS journey monitoring and the traffic light system, even simple things such as traffic jams could be reduced, if not eliminated. On public transportation automated monitoring of passenger usage could enable better utilisation of capacity, and dictate when extra services may be required.
These sorts of approaches are in development, and will benefit not only transport users but local communities. Imagine how much better Twickenham in London, or indeed any suburban area with large entertainment venues, would cope with major events if these systems were in place.
On a purely personal level, some are interested in the ideas of the ‘quantified self’. With systems such as these engaged an individual could much more effectively assess his or her impact on the environment - perhaps a precursor to much more widespread ‘green-thinking’.
Healthcare is an area that has already seen extensive usage of IoT-enabled devices. IBM has, for several years, been running an experimental community in Italy. Called ‘Living Safe’, the project is being run in Bolzano to help older residents who live by themselves to do so for longer, with the use of relatively simple monitoring systems.
Helping the elderly in society to live more independently and actively adds to their self-worth, with concomitant societal benefits, and also reduces the impact on welfare and health services. A win-win.
Ethics and opt-outs
Respondents to the BCS survey were asked whether they thought consumers should have a basic right to opt out of an IoT solution: 82 per cent said yes. Privacy is not seen as optional, but as a basic digital civil liberty. So, whilst the IoT has the potential for great good, it is also seen by some to be ‘creepy’ and ‘scary’ - especially if it intrudes into our everyday lives without explicit understanding and consent.
Indeed 68 per cent had privacy concerns related to smart meters and sensors, a relatively straightforward and easily understood IoT application. The IoT is inextricably linked with big data and its usage, reflected in the view of half of the respondents who disagreed with the idea that the current trend of gathering data is morally right and ethical. 74 per cent either strongly agreed or tended to agree that we need a global treaty to address this.
A further 94 per cent (70 per cent strongly agreeing, 24 per cent tending to agree) thought there should be tighter regulation on the use of personal data. 74 per cent felt the same about comparable regulation on business.
What do you see as the role of government in terms of regulating increased data collection by everyday objects? This question garnered a number of responses citing the requirement of international regulation, with the need to participate in global forums to agree rules and then to enact national legislation to ensure they are enforced.
The rules should cover acceptable levels of security and the degree to which that security is maintained. The role of government was seen as being to set the law and standards for the IoT in order to prevent abuse of personal data. Whilst the Data Protection Act was mentioned as achieving this to a limited extent, it was consistently seen as inadequate.
One of the problems here, of course, is that the pace of technological change completely outstrips the rate at which statute law can change. As an added wrinkle, beyond the international issues there is the extraterrestrial one: later adoption of satellite-based technologies that sit outside any terrestrial jurisdiction (although GPS is already widely used).
Legislation in practice
Respondents came up with several practical considerations:
- to define what may be held and for how long with enforcement;
- to set the rules and appoint a competent and empowered body to oversee their application and to ensure that transgressors are punished;
- to extend the role of the Information Commissioner’s Office (ICO) and give it better teeth, while ensuring that the ordinary individual can access and use the ICO;
- to ensure a public debate and awareness campaign of the issues involved;
- to audit who is gathering what data and set appropriate safeguards to protect society, with an adequate balance between majority and minority interests, especially where a monopoly or quasi-monopoly exists;
- to ensure that all hardware objects have certification to a standard covering data protection and human rights.
Strength of feeling amongst those in the industry is reflected in a question about suitable penalties for breaching rules in relation to the IoT and abuse of information garnered from it. Here are some of the suggestions:
- at least 20 per cent of company profit, and jail time of a minimum of two years for top management;
- a fine of ten times the benefit that a data breach has brought its user with custodial sentences for serious breaches;
- financial penalties with a sliding scale depending on severity;
- unlimited fines and dissolution of companies that repeatedly breach or ignore legislation;
- a fine of 10 per cent of global turnover and up to five years in prison for directors of the company, proportionate to an organisation’s turnover;
- a complete ban from holding data again.
This is rather summed up with this comment: ‘only a truly draconian punishment would ensure that the appropriate corporate governance is embedded from the outset.’
Of course this sort of question is subjective. How was the data obtained? What was it used for? A breach of data collected for medical reasons may be seen as less of an issue than one involving data collected to bombard people with marketing, or data collected for the purposes of theft or terrorism.
As one respondent commented: ‘If my data is obtained and money is stolen from me then I want the same penalty as if the money had been stolen in any other way. If I am sent marketing information about a new washing machine when I don’t need one, then it’s a different story and a different penalty.’
One person suggested imprisonment on a proportionate basis - the number of people affected by a breach. ‘100 people affected, maybe a one-year prison sentence; over 10,000 people affected, throw away the key.’
When this sort of breach involves IT professionals then the professionalism issue, about which BCS tirelessly campaigns, comes into play.
The survey asked: ‘Is the current security of the internet, applications and networks in general safe to build the IoT on?’ Only 13 per cent said yes, with a definitive 74 per cent in the ‘no’ camp. The internet is seen as being quite fragile and in need of serious upgrade and architecture change by many in IT. The implication of that view is that, technologically, it probably isn’t the platform on which to build anything like IoT at this time.
Specific concerns were expressed over the domain name system (DNS). Lori MacVittie of F5 recently commented on the IoT and DNS: ‘We often focus on the impact on data centre architectures. That’s because there will be an increasing need for authentication, for access control, for security and for application delivery as the number of potential endpoints (clients, devices, things) increases. That means scale in the data centre. What we gloss over, what we skip, is that before any of these “things” ever makes a request to access an application it had to execute a DNS query. Every. Single. Thing.’
One respondent quoted Castell’s dictum: ‘you can’t secure an ontologically unreliable and insecure technology by use of an ontologically unreliable and insecure technology.’ TCP/IP was not designed with security or rights management in mind; it is an evolutionary technology. Some hold that, given the opportunity to start from scratch, TCP/IP is not what we would have used.
Techies are often accused of rushing in with immediate technical solutions to issues, and not considering the security implications at the outset. Of course building the IoT on the current infrastructure means this approach is a given, although some of the respondents were of the view that good sense, good engineering and an ethical understanding of proportionality will make this successful nonetheless.
At the moment even ‘manned’ devices, those with a human operator, are often not actively maintained or upgraded and so remain open to compromise. This could be exacerbated by the multiple unmanned objects on the IoT if they are never updated or are not correctly configured.
The additional security precautions that those who responded to the survey would like to see overlapped with many of the points already mentioned. ‘Real international responsibility with teeth and real penalty for misuse’. ‘Security policies/procedures will need to be tighter around the use of personal and sensitive data’. ‘IT information security and the computing industry have tended to forget the human!’
Again some practical solutions were proffered:
- full implementation of IPv6;
- longer encryption keys, standardisation of security elements on smartphones;
- a wholly new, ontologically reliable and secure machine architecture;
- enforceable rights management over identifiable data;
- total anonymity outside of agreed local interactions and segregation of specific data types to ensure that it cannot be misused;
- a worldwide public key infrastructure (PKI), headed by the UN, with each country having its own PKI. Each country’s postal authority would be an ideal candidate to host the PKI as they have a relationship with all citizens, businesses and properties;
- ensure there is an independent body which certifies the devices and the support processes to ensure that security management is an integral feature;
- data from connected things should be protected in transit as standard;
- virus checking built into the ‘things’ on the IoT - they will need more processing power and storage;
- all collected data to be encrypted at the point of collection;
- standard, non-proprietary, security elements associated with all devices and sensors etc. on the internet.
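Two of the items above, protecting data from connected things in transit and encrypting it at the point of collection, in practice mean authenticated encryption performed on the device itself, not merely a TLS hop to the nearest gateway. The Go program below is an added illustration written for this page; it is not code from the survey, from BCS or from any vendor mentioned. It assumes a hypothetical per-device 256-bit key already provisioned out of band to both the device and the collector, a made-up `Reading` type and device ID, and uses AES-256-GCM from Go's standard library so that a reading altered anywhere between collection and receipt is rejected rather than silently accepted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Reading is a hypothetical sensor sample as produced on the device.
type Reading struct {
	DeviceID  string
	Timestamp uint64 // seconds since the Unix epoch
	Value     float64
}

// associatedData binds the cleartext header (device ID and timestamp) to the
// ciphertext. The collector needs these fields to route and order samples, so
// they travel in the clear, but GCM's tag check fails if either is altered.
func associatedData(deviceID string, ts uint64) []byte {
	aad := make([]byte, 8+len(deviceID))
	binary.BigEndian.PutUint64(aad, ts)
	copy(aad[8:], deviceID)
	return aad
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one reading at the point of collection with AES-GCM.
// Wire layout: 12-byte random nonce || ciphertext || 16-byte tag.
// A random nonce is fine for modest message counts per key; a device that
// sends millions of readings should use a counter nonce or rotate keys.
func Seal(key []byte, r Reading) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plaintext := make([]byte, 8)
	binary.BigEndian.PutUint64(plaintext, math.Float64bits(r.Value))
	// Seal appends ciphertext||tag to the nonce, giving the wire layout above.
	return gcm.Seal(nonce, nonce, plaintext, associatedData(r.DeviceID, r.Timestamp)), nil
}

// Open verifies and decrypts a sealed reading at the collector. deviceID and
// ts come from the cleartext header as received; if the header or the payload
// was changed in transit the tag check fails and no value is released.
func Open(key []byte, deviceID string, ts uint64, sealed []byte) (float64, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return 0, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return 0, errors.New("sealed reading too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, associatedData(deviceID, ts))
	if err != nil {
		return 0, fmt.Errorf("reading rejected: %w", err)
	}
	if len(plaintext) != 8 {
		return 0, errors.New("unexpected payload length")
	}
	return math.Float64frombits(binary.BigEndian.Uint64(plaintext)), nil
}

func main() {
	// Constructed inputs: an assumed pre-provisioned per-device key and one
	// sample from a made-up meter.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	r := Reading{DeviceID: "meter-0042", Timestamp: 1700000000, Value: 3.75}
	sealed, err := Seal(key, r)
	if err != nil {
		panic(err)
	}
	v, err := Open(key, r.DeviceID, r.Timestamp, sealed)
	fmt.Println("intact:", v, err)
	// An intermediary rewrites the cleartext timestamp: rejected.
	_, err = Open(key, r.DeviceID, r.Timestamp+60, sealed)
	fmt.Println("altered header:", err)
	// An intermediary flips one bit of the payload: rejected.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Open(key, r.DeviceID, r.Timestamp, sealed)
	fmt.Println("altered payload:", err)
}
```

Two points the list does not make explicit follow from this. First, ‘longer encryption keys’ buys little unless the mode is authenticated and the header fields are bound in as associated data; a reading that decrypts to a plausible number under an unauthenticated mode is indistinguishable from a forged one. Second, the hard part is not the cipher but the key: each device needs its own key, provisioned before deployment and replaceable in the field, which is exactly the unmaintained-device problem raised earlier.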
In terms of regulatory bodies, participants were asked whether current regulators e.g. OFGEM, OFCOM, OFWAT and the ICO, have done enough to ensure that IT solutions procured are sufficiently secure now and audited to ensure they remain secure. 70 per cent said no.
At the moment IPv4 and IPv6 hosts cannot talk directly to each other without dual-stack or translation arrangements, which poses near-term issues on how and when vendors and providers will choose to switch. Another issue is the sheer speed of change. Respondents were asked: ‘How quickly do you see the IoT taking shape in everyday life?’ Less than three years was the answer of 46 per cent, with 37 per cent envisaging only a three to five year gap.
It’s still people who have to use and control these IoT-connected devices. It was suggested that they need to be designed with the ability to easily turn off the transmission of data over the internet without any deterioration in performance. And the vendors need not only to be transparent about what they are selling, but know the implications of what they are selling.
The other issue is the sheer range of things covered by the IoT; some optional, such as wearable tech, and some not e.g. smart meters. So the biggest challenge may simply be that it is not one challenge. And it’s not simple.
In conclusion (for now…)
The IoT brings, and will bring, benefits that could create a societal shift in consumption and interaction and, as such, should be championed ethically and responsibly, with due consideration for the risks. As one respondent says: ‘The IoT has the potential to significantly improve our lives and IT professionals need to engage as much with these developments as in shouting about the problems.’
This is a subject not well understood by the general public. But people have a right to know the implications of the data usage choices they might unwittingly be making and understand the communications going on between machines around them. Both privacy and protection against hostile users need to be built into solutions, not assumed to be provided by the underlying network.
BCS is involved in advising government of the implications of the IoT as part of our charter responsibilities.