Opinion editorial

We can’t avoid smartphones, tablets and wearable devices collecting our data. Smartphones are able to track everything from search queries on Google to usage times and preferences when it comes to social contacts. The whole economy of devices connected to the internet is called the Internet of Things, or IoT for short. Estimates suggest that by 2020 over 200 billion devices will be connected to the IoT. The market size is estimated to be $3 to $7 billion (Peppet, p. 5). As time goes on, we are getting more and more connected to the internet, which opens more channels through which companies can gather our data. Few users, though, are aware of what actually happens with this data.

Executive Summary

Data is often described as “the new oil”, which implies its newfound value in modern society. With the rise of new technologies, and thus more data, large companies can gain almost unlimited access to knowledge about citizens’ preferences, habits and whereabouts. This happens without individuals being aware of what exactly the companies know about them, because the data collection takes place on non-transparent terms, which makes data handling an ethical issue. This report argues for the importance of making data collection happen on more transparent terms, where power is given back to the individual – a responsibility that lies with the large companies, as they are the ones producing the software that collects the data. As so much data is used worldwide, this journal argues that one law cannot satisfy all stakeholders; instead, data and privacy issues should be handled by making individual privacy settings available to each user.

 

The interconnection between technologies is referred to as the Internet of Things (IoT). This implies that all technologies are connected and can exchange data, e.g. the smartphone can be connected to the car. This creates great possibilities and efficiency for the individual. Imagine finding a destination on your smartphone, then going to your car and connecting it to your phone, so that it can show the way on the car’s GPS. Furthermore, you want to listen to the new album you just added to your Spotify account on the computer, so you play it from your phone, which is connected to the car’s audio via Bluetooth.

 

Findings related to consent policies show a clear lack of specification and consistency, making the policies hard to understand and locate. For example, IoT devices such as fitness watches and home electricity devices lack a keyboard or touchscreen, which means that they cannot ‘ask’ for user consent. The user must actively search for the consent form online, which, studies show, is extremely difficult to find. Furthermore, the ambiguous language used in consent forms makes it tough for users to know exactly what they are accepting. Lastly, the policies omit important aspects and are inconsistent in the access, modification and deletion rights they give the user.

 

Drifting away in the possibilities of IoT, one may forget the fact that it has not been engineered to actually protect data security. Yet another crucial finding within this project is the vulnerability of these IoT devices to hacking and other security breaches. What has been discovered is that, from the manufacturer’s perspective, there often exists a trade-off between battery efficiency and device security. This absence of thinking about security can lead to new ways of attack and to data being breached, stolen and compromised. What IoT does is merely to turn everyday objects into information security targets, while distributing those targets far more widely than the current version of the Internet – thus increasing security risks.

 

Intrusion on privacy has been recognized as yet another interrelated challenge with IoT. The issue has several origins, such as the user being unaware of the quantity and detail of the gathered data, and the extensive profiling capabilities enabled by the ever-growing amount of data that IoT generates. The Smart Home, as an example, is a home made up of a variety of consumer sensor devices, including thermostats, internet, television, energy management, security etc., all generating piles of data that can be assembled, further analyzed, and used to reveal specific aspects of the habits, behaviors and preferences of the people living there. Such gathered data is considered very sensitive. The challenge of privacy is also bound up in the users’ lack of control over their data. This is especially clear when third-party monitors are used, as they may not even ensure that the data is used for the original purpose(s).

 

Privacy and security policies within the IoT network need to be up to date and clear to users. This is in the best interest not only of the user but also of the enterprises offering IoT devices, which avoid lawsuits and complaints by satisfying privacy and security needs through a clear and concise policy framework. Organizations that fail to meet needs and demands in an increasingly digitized and technological future will become outdated and redundant.

 

Since the ethics surrounding the IoT are so diverse and cannot be specified universally for everyone, a simple law on data policies cannot work. This journal tries to propose a way to allow users to take control of their own privacy and security measures. Every user should be able to judge for themselves what type of data should and should not be shared. In order for this to work, companies need to be transparent in their handling of data, and users, especially those who are not as computer-savvy as the younger generation, need better education so that they can make educated decisions about their policies. SecKit, an implementation of said framework, is an initial advancement in the field which allows users to use pre-existing policies or completely customize their own.

florianrammerstorfer1

In the article “Ethical Design in the Internet of Things” the authors suggest an ethical and implementable framework allowing users to manage and limit the access to private information gathered by the “Things”. Ethics are discussed to emphasize that every user has a different set of moral values, leading to differences in the desired privacy policies and the necessity for customizability, where the users are granted a higher degree of “individual freedom and choice”. There are a few challenges the framework needs to overcome. These include, but are not limited to, finding an economic incentive for businesses to implement the framework, giving the user enough information to make a rational decision on the policies and bridging the Digital Divide, the gap between experienced and inexperienced users. Furthermore, the open-source software SecKit is presented, which overcomes all of the previously discussed challenges.

My main issue with this article is that it could be structured better. Especially having more chapters would benefit understanding and navigating through the article. The introduction chapter should be split up into different aspects, for example “Context” (Baldini et al., page 4) and “Flow of Data” (Baldini et al., page 5).

On page 3, the authors wrote: “The main features shared by these different categories of devices are the almost continuous connectivity through a wide range of wireless communications standards (e.g., WiFi, UMTS, LTE, ZigBee) and the capacity to collect data from the real world (e.g., camera) or to act on the real world (e.g., actuators like a domotic system to regulate the temperature of the house), including from an individual (e.g., a sensor collecting blood pressure readings at any time) or data that often can be related to each other through identification of time and (geo)location.” (Baldini et al., page 3) This sentence is hard to read, since the parentheses break the flow of the reader. There are too many examples in the parentheses and also too many parenthetical sections overall. I would split the sentence into two sentences or avoid writing examples at all. Since the examples further the understanding of the reader, splitting up the sentence is the best way to go. An example proposition for the correction would be: “The main features shared by these different categories of devices are the almost continuous connectivity through a wide range of wireless communications standards (e.g., WiFi, UMTS, LTE, ZigBee) and the capacity to collect data from the real world (e.g., camera) or to act on the real world (e.g., actuators like a domotic system to regulate the temperature of the house). Acting on the real world can originate from an individual (e.g., a sensor collecting blood pressure readings at any time) or data that often can be related to each other through identification of time and (geo)location.”

In several sections enumerations are used. For example, see this quote from page 17: “The deployment of the SecKit can be based on different scenarios: (a) the SecKit can be embedded in the design of the IoT device, (b) in the design of the IoT application or (c) can be installed and activated for specific calls and data flows by intercepting the Application Programming Interface (API) calls or the data flows at runtime…” (Baldini et al., page 17). In this and other longer sections, it is very hard to keep track of all the points when each point is presented in multiple lines. Therefore a different structure should be used, like a bullet point list.

In conclusion, I can say that this article has a high contextual and literary quality and there are few things to criticize.