Privacy and Trust issues in IoT and Open Data

Posted by s.aragon on 29 May 2017 - 9:00am

By Sinan Shi, University College London, David De Roure, University of Oxford, Nikoleta Glynatsi, Cardiff University, Emma Tattershall, Science and Technology Facilities Council, Andrew Landells, University of Southampton, Chris Gutteridge, University of Southampton, Gary Leeming, University of Manchester.

This post is part of the Collaborations Workshops 2017 speed blogging series.

The risks to privacy within a socially connected infrastructure are not well understood and are constantly changing. Personal information can be private but still be accidentally shared by others and made available more widely. One of the largest challenges for privacy is the lack of understanding of what data could be used for now; as more data are collected and made available, future purposes become even more difficult to predict. Often, seemingly innocuous data sets can be used to derive more private data, such as the waking times and other habits of Twitter users. Privacy regulations change, while terms and conditions around privacy generally protect the company collecting the data rather than the individual. The recent change in US law to permit ISPs to sell the browser histories of their customers demonstrates that what we understand now can change quickly.

As societies and attitudes change, understanding how our data could be linked and used can be difficult. At this stage, many services come and go, and we do not know what data will be permanent and available, or how it could be linked to other data sources and affect our future. The effect may be positive or negative: knowing that we grew up in an area with low air quality could affect our ability to access health insurance, or it could help us to target interventions that save lives.

When it comes to data about people, there are two types: personal data with names attached, and anonymised data. While we mostly worry about and regulate the first category, the second is also of tremendous value for training machine learning and algorithms, especially by the big companies in this space such as Google and Facebook, and carries risks of re-identification when linked with more personal, public information.

With IoT, the data is often not personal, and both the collection of data and the risks are not always obvious. For example, flood monitoring systems could be hacked in order to modify insurance premiums or house prices, and collection of images of traffic could be used to track individuals' movements without consent.

This issue is exacerbated by Internet of Things (IoT) devices as more and more data is harvested, and often people have no control over whether their data is collected or what it is used for. This was clearly demonstrated by the recent London Underground survey of passenger journeys derived from watching mobile phone MAC addresses travel the network. Despite this being a reasonably innocuous study, there was concern amongst the travelling public that this data was being collected. It is clear that, while this data could be used to support better design of the transport system, there is also a possibility that it could be used to support advertising decisions to generate revenue for Transport for London. Offering additional services in exchange for this data would likely be one way to start enhancing the information about individuals and increasing its value.

Linking IoT and social platforms creates new online structures that enable and mediate social, economic and cultural interactions on a large scale. Originally an optional extra, platforms now mediate everyday life for many citizens, and yet people are not afforded the same agency and rights that they expect in the "real world", while the platform providers may profit disproportionately from the collective value. With IoT and AI, we anticipate social platforms extending to human-machine collectives at greater scale and with greater automation. Questions of how an ecosystem of different IoT-enabled platforms can afford trust and choice, and how we can ensure public oversight and regulation of this data, may already be too late: the convenience of free services is accepted in exchange for an unknown future.

However, it is fair to recognise that the Open Data and IoT communities, whether commercial or voluntary, do understand the need for trust and, learning from the experience of the internet and social media, that a loss of trust can have a huge impact. The NHS programme, with the stated purpose of bringing together data from across the NHS to support improvement in care, floundered through being unable to properly demonstrate how it can be trusted as a solution. Conversely, solutions such as the Estonian government’s use of blockchain as a public audit of all uses of citizen data have enabled an environment where all aspects of government can be managed digitally. Standards for demonstrating trust and permission will be essential for the IoT and Open Data communities.

Finally, we note that this is an evolving topic that will change and adapt as more is understood about the effects data sharing and IoT will have on social behaviours: Uber drivers use the passenger app to recover their agency as drivers, homeowners leave crime unreported or block sensor readings which may affect property values, and alternate devices are used to hide locations and behaviours. Humans are creative and subversive, and machines will reflect this ability as they become further integrated into our lives.