Revisiting the Internet of Things

Five years ago was the Open Internet of Things Assembly. There are lots of links about it, and background reading, here. The attendee list reads now as a veritable “who’s who” of creative and thoughtful folks involved in IOT in all kinds of ways. The culmination was a declaration, a definition of the Open Internet Of Things, which many attendees signed.

2012 Open IOT Assembly [credit: Alex D-S]

On Friday some of us will meet again — with new participants too — and attempt to create an updated definition and a plan for how to turn this into a certification mark.

For me, it seems a long time since the Assembly. I was at the Open Knowledge Foundation then, so my talk was about the meaning of open and the different ways different things can be open. Now I’m leading work to find ways to get more responsible digital technologies at Doteveryone, and I’m a member of a new co-operative to develop and support tech we trust. (At Field Ready, where we work on distributed manufacturing to meet humanitarian needs, IOT is still in the future, although definitely on our radar.) I have new perspective and interests to bring to open IOT now, and the ideas we worked on in 2012 remain relevant and powerful.

Ten years ago I was at AlertMe, architecting and developing an internet of things system. We were within 6 months of a shipping product — in January 2008 people we didn’t know were buying AlertMe systems online, and receiving boxed kits ready to install. AlertMe set out to create broadband home security, bringing burglar alarms into the internet age, and redesigning them to be rather more useful to householders. We made a hub to connect to your router, and used a secure ZigBee mesh network to link up a mixture of detectors and buttons, both mobile and static devices. We thought about how the consumer would buy and set up the kit, did low power radio for key exchange, designed for hardware sale on the second hand market, considered the different people in a household and their data and privacy needs. We did user research and user testing and field testing and got independent security experts to review our architecture, and we followed standards where they existed (and contributed to development where they didn’t). It was quite a lot of work, but seemed like the least we should do for a connected home product, especially as we were thinking about the security market (we also thought about future extensions which would use the AlertMe platform, such as energy monitoring and control, which also has security and privacy requirements). It took two years to go from a three-word brief to a shipping product (with customer support and sales channels and all the rest of it), which felt simultaneously very fast and frustratingly slow, as it seemed as if the market for such things was about to take off.

Ten years on, there’s nothing much like that available for mainstream consumers. The IOT products we see for the home and for individuals more generally are mostly simple things — perhaps one device, connecting via wifi to the internet or via bluetooth to some other device such as a phone. Mesh networks are rare, security holes seem disturbingly common, embedded systems hold personal data and forget to get rid of it when they are sold, connected home systems (with very few exceptions) seem to have forgotten that houses have many different people in them. Not only are the products made much simpler, but they often don’t seem to have thought through what even ten years ago were reasonably obvious privacy and security basics. What happened? Did we oversell the “anyone can make hardware” idea? (When I’ve said “hardware is hard,” I didn’t just mean the manufacturing bit :)

Even though all this was possible a decade ago, somehow there is still work to do in driving up standards, and making it easier and more valuable to make secure and trustworthy systems.

I’m looking forward to Friday. Certification marks are something we’re exploring at Doteveryone, and it seems worth a try for IOT, as making sure that internet of things products and services are reliable, safe and understandable is more critical than ever.

Some recent additions to the Open IOT reading list:

Bruce Schneier on the dangers of global IOT

OWASP IOT security guidelines

ACM statement on IOT privacy and security

Microsoft Cybersecurity policy for the IOT

Berman and Cerf on social and ethical behaviour in the IOT

Waddell on The IOT needs a code of ethics

Cloud Security Alliance on Future-proofing the connected world

Schneier’s list of privacy and security guidelines for IOT