Pax Technica: afternoon panel, privacy

Notes from a CRASSH event by the Technology and Democracy project. Updated through the day. Following on from the first session.

Nóra Ní Loideain, Director, Institute of Advanced Legal Studies, University of London

On GDPR and IOT:

IOT fascinating from a privacy advocate’s point of view, both as individual, and as a citizen.

What is the IOT? More internet-enabled clothes, cars, offices, homes, cities… things on the internet, plus the internet of everything.

eg: Google & Levi smart jean jacket. Gesture-based phone calls for cyclists (according to the promo video!). As if cycling in Cambridge wasn’t interesting enough already.

Not always conveyed well to the public, eg Google Glass. But can still prove useful, eg in surgery teaching.

the article 29 working party — the pan-EU group working on this stuff — have a specific IOT definition —

David Kaye — the avalanche of connectedness, in which digital connection is enabled for all aspects of digital existence

Smart cities are an interesting case. so many aspects.

Privacy advocates fear IOT is an unstoppable juggernaut. pervasive and ubiquitous IOT will normalise “sustained data gathering from any source possible”.

Bulk collection of metadata — “narrative data” — leads to very detailed individual profiles.

Concerns: non-compliance with data protection principles, especially around GDPR article 5 on data security, and that our private lives may be opened up, with a broad range of intrusive, unauthorised, and unlawful surveillance.

and bad actors will be unlawful. All bad actors wear hoodies :)

Complex interactions of multiple systems in IOT will be unmanageable for users in practice. This challenges their ability to exercise any meaningful control over privacy, data rights, civil liberties

concerns based on noncompliance to date, and future enforcement by regulators… will it be effective? done at all?

Broader (social) concerns: trend of loss of private life entirely; culture of profiling; revelation of new facts about individuals based on combining data

Baby monitor hacking: a good example of noncompliance to date. Hackers have had remote control, viewed footage, woken kids, streamed video online.

So, GDPR. Will it be a game changer? It’s the update of the 1995 EU data protection directive. It’s not perfect but a big improvement: new and enhanced rights for data subjects, and more obligations on data controllers and processors (that’s on govt and businesses). Plus more powers for data protection authorities. So a systems approach.

Kicks in May 2018, regardless of Brexit.

New things: transparency and data protection by design and default, right to data portability, right to be informed of high risk data breach, impact assessments, bigger fines.

privacy notices need to be more detailed; if for children, readable by children; responding to requests for info more quickly.

portability: right to get your own data back in a machine-readable format and the right to transmit it to another data controller. Should help our control, avoiding vendor lock-in. Also important in the ‘third space’ between governments and companies, and cases like smart cities.

impact assessments: required if new technologies are used, so should apply to IOT, at least if it’s ‘high risk’ for the rights of natural persons. Burden is to show that it’s not high risk. A new process to build and demonstrate compliance, but it’s not novel; privacy impact assessments have existed since the 1990s.

regardless of what happens in Brexit, we’ll still have art8 of the ECHR, the right to a private life.

IOT — greater connectivity, greater risks, to our privacy, autonomy, liberty in our relationships with public authorities and companies. EU Data protection law is evolving — the EU court of justice is taking a purposive approach, very active. it can evolve without a new data protection regulation. the interaction and complex relationship between the legal rights to private life and data protection and ethics and this will increase. Given that this is about information relating to a private life, the purposive approach is likely to drive rights enforcement, even if GDPR doesn’t catch all these cases.

Anil Madhavapeddy, Cambridge Computer Lab & “starter upper”

talking from a system builders perspective. where’s the internet coming from?

The internet was once just 20 computers in US national labs with wires to connect them peer to peer. Then a few similar clusters start to get connected together with internet protocol.

then lots of growth! small local networks, connected up, IP addresses, mapped to human readable names (DNS), with IETF creating nice open standards. By 2000s this is all great. different countries advance at different rates but it’s basically lovely.

At this stage you get ‘toy’ services. Like directories, manually created, like yahoo. Then we started to crawl the internet to create automatic search indexes. Myspace — curated pages — disappeared. Facebook appear, more algorithmic-driven. But the internet is basically the same

Then there’s more centralisation — this is not how the internet was meant to be! we’re getting these few data centres, loads of data going there. scaling systems just didn’t work any more.

So we came up with the idea of the cloud. Carve up data centres, in power-efficient places, run algorithms on them. And here we are.

but this is just a blip in the internet

data isn’t designed to be gathered in one place and lose all its provenance. Facebook gather all the data and it loses the ability to combine nicely with other data.

How can we defeat these short term, centralisation efforts? Facebook can only grow so far. Why? because there’s a limit to the data. Let’s say iCloud, you have a hard limit of 2TB; so there’s many TB in this room. That’s not much. Data sits better where it’s constructed. You don’t need batteries, like my phone whose battery just died. Keep data where it’s generated, take the computation to the data. that’s better

Why would a user care? Anil demonstrates that he can talk to his watch and get pictures of cute puppies in about 7 sec. How many people have smart light bulbs? Are they reliable? No, you have to go via a central website, which is a single point of failure.

the 7s puppies go via watch to eduroam to … to google etc and back.

The next phase of the internet will have a small latency budget, so you can get almost instant puppies, such as 10ms. that’s long enough to wait. also want to remove the points of failure. What if you’re trapped by a stupid wifi login box? you don’t get the quality of the internet you expect. There’s not enough resilience.

Each building, each place, will form its own internet. Even your body can be its own internet. Low energy protocols like zigbee or bluetooth LE to ensure all our local devices are connected, then do IP for links to other networks.

This has been an idea for ages but GDPR suddenly suggests a business model for it

data has value dependent on location. If european business, want data processing in an area appropriately secured.

let’s imagine this building, it has 10k sensors, recording stuff. include our laptops and phones. all our conversations should be recorded. But that’s private so it should be encrypted upfront. our own keys were negotiated as we arrived. The building does all this, make sure the conversation is secured, and never leaves the building. If one of us wants to take the data away with us, we ask the building, get permission, take it away to our data store. Our identity is already connected to this area, we are here, so that’s straightforward.

These internet protocols invert how we build things today — centralising data, losing track of all this critical metadata, bad for GDPR.

Instead let’s build billions of networks, each a physical location, a collection of devices and people, and that’s where all the privacy tech goes. So by not moving the data, but bringing the computation to it.

the amount of private data in your home right now — loads. you’re exporting it today, the Tv, smart meter, lights.

In the new world, the building is self contained. there’s no leakage of data. if companies want to provide services, they are explicitly brought in by you. The system will work 100% of the time, if your utilities are off, you can still turn your lights on if the broadband is down. Without physical access to the environment (and we can use air gaps), nothing can escape

but how can we have the nice facebook experience?

you can have all of it, but you can’t convert the monolith to this broken up, better latency, better energy utilisation, better experience.

iphoneX has bad battery life because it’s talking to the outside world.

IETF working on this for years. Battling forces which want to lock down status quo, the browsers and end points. Prototypes are workable though. But we have to stop with these closed devices, you can’t program them… look at the new openness we need, new generation IOT, no locked down DRM etc

ARM doing a great job, the chipsets for the ecosystem are available. RPi is there, many maker movements are ready

Facebook tomorrow will have zettabytes of data, with us, no privacy concerns.

GDPR brings this to us. economic foundation of this internet.

people will love the low latency and then we can build the ecosystem around it.

it’s possible, we’re working on it, may take a few years, future not shut to us yet.

Daniel Wilson, CRASSH in the chair.

Phil — Nóra shows us a nice way to put users in control, at the centre of their data, but hard to believe it will work. then a very classic computer sciencey response, exciting new tech, which doesn’t actually speak to the concerns of privacy.

so, there’s a lot of hypotheticals about the potential, but skeptical that industry, VCs, angel investors will see GDPR as opportunity! Like idea but no reason to believe it. The history of recent tech rollout is that they will fight it. Don’t see industry lining up…

Nóra — naive to assume consumers will suddenly be empowered in May. But GDPR, whilst not without its difficulties, doesn’t just do that. systemic shift to accountability. The obligations, the geographic coverage, the enforcement mechanisms, new, will have to be taken up. The extant risk assessment approach of the accountability principle — you know the rules, you know what you have to do, and if you don’t there are sanctions. eye watering fines. BUT for google and facebook, it would be a lot more costly if the other sanction is imposed — the block on processing whilst an investigation happens. That’s a bigger threat. Strategically you’d rather take the fine and appeal and drag it out for years, rather than not be able to do the data processing.

GDPR requires adequate funding to the DP authorities too. Need the teeth & resources.

Anil — 15y ago, made Xen hypervisor, which splits a computer up into little bits. No one wanted to fund it. now a huge business (amazon use it). The only thing to beat a network effect is a bigger network effect. If a new thing can grow faster…

everything in IOT is a joke, no significant success. GE invested billions, and closing those depts now. no VC deal flow. The internet doesn’t support the real things you want to do with IOT today. that’s why there’s no business case for the IOT kettle. The new network will support this stuff. new business models.

we can’t do the data any more. can’t put the world’s real time video in one data centre.

new IOT model — the VR and complete surveillance model which records everything everywhere all the time, a new way of networking. Plus pacemakers get more reliable! this is important, many people die because pacemaker software is bad.

we’ll build a new generation of things like VR / AR which are so compelling people want it, which need the new network.


Q: when GDPR starts to look like antitrust enforcement, will tech companies use it tactically against each other?

A — Nóra — good point, in that this may be used by competitors to point out bad data protection practices by others. The challenges facing enforcement are so great, so if companies bring actions like that, that’s a good thing… identifying best practice across companies is good, helps companies do well, to argue to a judge or lawyer or max schrems, that they are doing the right stuff.

Phil — in the US, antitrust is coming from civil society. eg action on facebook as a publisher.

anil — cloud folks fighting. Amazon a long way ahead of eg Azure. adding GDPR support already. Partly geographic location but also stuff like secure enclaves, so you can protect more of your data even with a breach in one area. So that’s driving fortune1000 companies. but on-premise is dead, they are all going cloud, partly to address GDPR stuff. Co evolution

Q: Nóra mentioned representatives. Enforcement will be an issue. Imagine the baby monitor with a US company, but no real presence in EU. can you really go after the local representative of that data controller? how can you go after a small producer in the US or the Philippines? Is there any way of realistically enforcement, when the company can just shut down and reopen under another name?

A: Nóra — huge issue esp for companies outside EU. no clear answers. GDPR and recitals don’t bring any light here. ICO has been influential in A29WP… in developing standards. Denham has emphasised collaboration with DP authorities in USA, africa, asia… informal collaborations between authorities might be important too, aside from standards. If you don’t fall in GDPR, territorially or procedurally, there will be other ways to hold to account maybe.

Q: IOT about composing systems, data, etc, which may be managed by different entities. Plugging together is meant to realise value… but may also be a potential security hole.

A: Anil — all our privacy-aware calculation systems are statistical. This is a problem. One option is randomised response, where individual answers tell you nothing but the collective distribution is useful. How to build pseudonymity into IOT? And combine multiple identities into us? We are each millions of fingerprints. But none of this has got through to internet protocols. Burning area, my group wants to work on it. Decide what facet you want to expose to a given system. Identity management: that’s a hard challenge.

Phil — is it possible to have an open platform IOT and true encryption? the idea that a building might decide how to protect our privacy whilst we are in this room generating data, is absurd. We do have trust in rule of law.

Anil — someone has to hold the keys. My garage key is in my house. I need to go to my house to get my garage key. I don’t need the garage key whilst i give a talk. So you have to segment the problem.

Nóra — important question, clash between privacy and security. Goes back to the fundamental fact that privacy and data protection are not absolutes; they have to balance with other interests in society, such as innovation. Companies only store info about us as long as they need it, but we all have rights to access info, and that means competing rights. Smart cities: legitimate reasons why public authorities might want to monitor transport, for better service design. The compromise is that the aggregate data is useful but individuals don’t need to be identified for that purpose. Space for pseudonymisation, addition of random noise.
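A worked illustration of the randomised response idea Anil raised, and of the "aggregate is useful, individual is not" compromise Nóra describes: each reporter adds its own noise before answering, so no single report is reliable evidence about that reporter, yet the collector can still unbias the population rate. This is an added example for these notes, not code from the panel or from any project it mentions; the sensor population and the sensitive attribute are constructed here, and `p_truth`, `simulate` and the other names are this example's own.

```python
"""Randomised response (Warner-style): report the truth with probability
p_truth, otherwise report a fresh fair coin flip. The collector never
learns which branch a given reporter took.

Added illustration for these panel notes; not code from the panel or any
project it mentions. Population and attribute below are constructed.
"""
import math
import random
from typing import List


def randomised_response(true_answer: bool, p_truth: float, rng: random.Random) -> bool:
    """One reporter's noisy answer. The randomness is the reporter's own,
    which is what gives it plausible deniability against the collector."""
    if rng.random() < p_truth:
        return true_answer
    return rng.random() < 0.5


def estimate_true_rate(reports: List[bool], p_truth: float) -> float:
    """Unbias the observed 'yes' rate.

    P(report yes) = p_truth * q + (1 - p_truth) / 2, where q is the true
    population rate, so q = (observed - (1 - p_truth) / 2) / p_truth.
    """
    if not reports:
        raise ValueError("need at least one report")
    if not 0.0 < p_truth <= 1.0:
        raise ValueError("p_truth must be in (0, 1]")
    observed = sum(reports) / len(reports)
    q = (observed - (1.0 - p_truth) / 2.0) / p_truth
    # Sampling noise can push the estimate slightly outside [0, 1]; clamp it.
    return min(1.0, max(0.0, q))


def privacy_loss_epsilon(p_truth: float) -> float:
    """Worst-case evidence one report gives about one individual.

    P(yes | truly yes) = (1 + p_truth) / 2 and P(yes | truly no) = (1 - p_truth) / 2.
    Their ratio is e^epsilon in the local differential privacy sense; at
    p_truth = 0.5 it is 3, i.e. epsilon = ln 3.
    """
    if not 0.0 <= p_truth < 1.0:
        raise ValueError("p_truth must be in [0, 1)")
    return math.log((1.0 + p_truth) / (1.0 - p_truth))


def simulate(n: int, true_rate: float, p_truth: float, seed: int) -> float:
    """Constructed population: n devices, a true_rate fraction of which have
    the sensitive attribute (say, 'occupant present after midnight').
    Returns the aggregate rate recovered from the noisy reports only."""
    rng = random.Random(seed)
    truth = [rng.random() < true_rate for _ in range(n)]
    reports = [randomised_response(t, p_truth, rng) for t in truth]
    return estimate_true_rate(reports, p_truth)


if __name__ == "__main__":
    p = 0.5
    eps = privacy_loss_epsilon(p)
    print(f"per-report epsilon at p_truth={p}: {eps:.3f} (likelihood ratio {math.exp(eps):.1f})")
    print(f"rate recovered from 10000 noisy reports: {simulate(10000, 0.30, p, seed=7):.3f}")
```

The trade-off is visible in the two knobs: raising `p_truth` tightens the estimate (fewer reports needed) but raises the per-individual likelihood ratio, so a single "yes" becomes more incriminating; at `p_truth = 0.5` a report is only three times more likely from someone who truly has the attribute, while ten thousand reports still recover the population rate to within about a percentage point.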

Q: always a trade-off between accessibility and security. Gold watches are in a glass case, chocolate bars are on open shelves. The retailer can make those value judgements. The problem here is we aren’t equipped to reason about the value of the stuff we are talking about, the data. People don’t know what they should protect or share.

Daniel: freedom as a political subject. Is privacy and this sort of legal framework a useful way to think about solutions to the issues raised earlier around microtargeting?

Phil — relevant for specific scenarios where info we generate is used against us, or used to undermine something we value as a human right or governance good. So privacy can help with that. We can be more aware of our data shadow, whether it’s credit cards or IOT, and how political actors could use that.

can imagine new privacy regulations where there’s significant industry investment around a vision of a platform… opportunity to get ahead of a tech before it rolls out (with political/civic design). we can write civic engagement into a platform upfront, can’t write it in later.

Daniel — sounds like GDPR mostly good. Not sure if it’s privacy or prive-acy though :D

John —

final event of 3 year technology and democracy project. at the start people wondered why the two were brought together. No one asks that now.

Hope event has helped broaden understanding.

Need to take a longer view. So obsessed with the five big tech companies, hard to see that it’s not the only manifestation of tech. Must try to visualise a world in which the things we see as fixtures no longer exist. (eg google, facebook)

Imagine Cerf and Kahn in 1973… wondering how to do this internet design thing — designing for a world they can’t envisage. they came up with 2 axioms

  • we are designing a system no one owns or controls
  • we are designing a system not optimised for any application we know of

still good principles

