Berto Jongman: Daniel Castro on Internet of Things and New Thinking on Data

Advanced Cyber/IO

Berto Jongman
Berto Jongman
The “Internet of Things” Requires New Thinking on Data

In the world of tech where buzzwords come and go faster than you can say “synergy”, the “Internet of Things” is a bit of an oddity. It is an old concept (first coined in 1999) used to describe a futuristic world where everyday objects—from toasters to dog collars to running shoes—can communicate electronically with other devices. But whereas many buzzwords die off after a few years of overuse, there has been a surge in interest in the Internet of Things of late for the simple fact that the vision is quickly becoming reality.

The emergence of a host of popular consumer products such as FitBit (a personal exercise tracking device), Nest (a smart home thermostat), and Withings “Smart Body Analyzer” (a smart scale that also tracks air quality, heart rate, and body composition) has shown that it is both feasible and useful to embed intelligence in everyday devices. Nest, for example, combines sensors and user feedback to learn the heating and cooling preferences of its users, monitor energy use and environmental conditions over time, and even optimize energy consumption based on price signals from the energy company. While a casual observer might mistakenly dismiss products like these as just the latest gee-whiz gadgets in the steady progression of consumer goods, a closer look reveals that these “smart” products are at the forefront of improvements to major social problems including in areas such as health care, transportation, and the environment.

Consider the nation’s aging population. Over the next 30 years, the number of Americans 65 years and older will double to 80 million. Providing affordable housing and care for this population will be a challenge, especially since the cost of living in a nursing home is fives time more than the cost of living at home. One way to address this problem is through the use of sensors in the home that can help monitor the health of its residents. For example, researchers have found that using automated tools to detect changes in health lead to improve health outcomes because health care providers are able to intervene sooner. Additional monitoring solutions can also help ensure personal safety by, for example, detecting if someone has fallen or if a gas burner has been left on. By helping individuals live at home independently and safely, these devices not only improve quality of life, they also help address the serious financial costs of providing high-quality care.

In addition, it is more than just homes and offices that are becoming part of the Internet of Things. The Internet of Things also consists of major industrial devices like jet engines and wind turbines (sometimes referred to as the Industrial Internet). In fact, sensors are being embedded in everything from bridges to parking spots to water pipes. Sensors in bridges, for example, can provide real-time intelligence about the safety of infrastructure and help prevent disasters such as the collapse of the I-35 Mississippi River Bridge in Minneapolis. Or, to take another example, sensors on the roadways can detect traffic patterns, reduce congestion, and help first responders. As the potential applications grow, entire cities are being transformed into data-intensive operations where all aspects of citizen services, from traffic to trash management to crime, are managed—at least in part—by a computer.

Many of these transformations are largely invisible—a smart meter does not physically appear that different than a traditional meter—but they will have a profound impact on our economy and society. McKinsey Global Institute estimates that services using personal-location data alone can help consumers capture $600 billion in economic surplus. However, realizing these benefits will require policymakers to break out of the old ways of thinking about data and privacy. In particular, there will be at least three important changes:

1. Much of the data generated by the Internet of Things will not be personally identifiable information

Many of the existing privacy rules and regulations are based on a framework where most information is assumed to be about people, whether it is health data or financial data. But with the Internet of Things the focus is no longer exclusively on data about individuals; instead it includes data about the environment, infrastructure, and other devices. For example, a smart refrigerator does not need any personal information to know that it is running low on milk. In fact, a substantial amount of data will be exchanged automatically between devices without any direct human involvement. Juniper Research estimates that the number of machine-to-machine (M2M) devices will exceed 400 million by 2017, with much of this market consisting of vehicle telematics (i.e. devices that remotely monitor a vehicle) and consumer electronics devices.

Although much of the data generated by the Internet of Things will not be personally identifiable information, some data may fall into a gray area where it will be possible to use it to make predictions about individuals. For example, a smart toaster may collect information about its past use. Is this personally identifiable information? On the face, it would appear not since it is merely information about the toaster’s basic operations. But what if the data from the toaster could be used to predict an individual’s health (perhaps based on how many carbs an individual is eating)? Or what if how “light” or “dark” an individual likes their toast correlates with long-term health (perhaps darker toast eaters use more artery-clogging butter)?

Some policymakers may be inclined to imposing strict rules on all of this information because of privacy concerns. Imposing unnecessary restrictions on the collection of data may harm many of the beneficial applications of the Internet of Things. Policy discussions should not get hung up on whether certain information is personally identifiable information, but should instead focus on whether the use of this information results in specific harms to individuals. Resolving how data can be used is much more important than deciding whether it can be collected, especially because whether it is personally identifiable information may not be clear at the outset.

2. Notice and choice will be less useful

Privacy on the Internet is mostly based on notice and choice. Businesses provide consumers notice about the privacy practices of their websites, mobile apps, and online services through privacy policies or terms of service, and consumers can choose whether to use those products and services. This system, while imperfect, appropriately minimizes the cost of privacy while providing consumers transparency, competition, and choice. Although many devices that will make up the Internet of Things will come with strong privacy protections built in, providing privacy notices will pose new challenges with the Internet of Things for the simple fact that many Internet-enabled devices will not have displays, will have small displays, or will not directly interact with individuals.

Some of these challenges will be resolved more easily than others. While some consumer goods (such as the “smart” toaster mentioned previously) might come packaged with a paper privacy notice, if the privacy policy cannot be changed, this may limit the ability of the manufacturer to send software updates to the device. Other sensing applications, such as a parking sensor or traffic sensor, might simply not have a screen or interface for consumers and so they will present additional difficulties sharing privacy policy information with consumers. In addition, as more and more devices collect and use data, mandatory privacy disclosure rules could end up inundating consumers with undesired notifications.

Once again a better approach would be to allow more permissive data collection but closely restrict uses that result in consumer harm. Focusing on use would allow more opportunities for innovations in both the devices that will make up the Internet of Things and the solutions proposed to address big societal problems.

3. Data minimization rules will significantly limit benefits

One of the classic pre-Big Data privacy principles was data minimization: the idea that an entity collecting data should limit the collection of information to what is directly needed to accomplish a specific purpose. However, this principle is based on the mistaken belief that it is always possible to predetermine what information is useful and collect only that minimum amount of information. The reality is that data-driven innovation often involves discovery, sometimes from unexpected data sources. Rather than being a predictable linear process moving from step A to B to C, it is a cycle with multiple feedback loops. Many of the benefits from data come from exploratory analysis that finds new correlations, trends, relationships, and insights that were not obvious at the outset. Restricting data collection with rules like data minimization will likely severely limit the potential opportunities of the Internet of Things.

While it has taken longer than some expected for the vision of the Internet of Things to become a reality, the potential benefits for the economy and society are enormous. As we move forward, it will be incumbent on policymakers to work diligently to clear away outdated policies designed for a “small data” world to ensure that the opportunities ahead for “big data” can be realized.

About the Author

Daniel Castro is a Senior Analyst with the Information Technology and Innovation Foundation and Director of the Center for Data Innovation. Mr. Castro writes and speaks on a variety of issues related to information technology and internet policy, including privacy, security, intellectual property, internet governance, e-government, and accessibility for people with disabilities. His work has been quoted and cited in numerous media outlets, including The Washington Post, The Wall Street Journal, NPR, USA Today, Bloomberg News, and Businessweek. In 2013, Mr. Castro was named to FedScoop’s list of “Top 25 most influential people under 40 in government and tech.”

Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies, including the Securities and Exchange Commission (SEC) and the Federal Deposit Insurance Corporation (FDIC). In addition, Mr. Castro was a Visiting Scientist at the Software Engineering Institute (SEI) in Pittsburgh, Pennsylvania where he developed virtual training simulations to provide clients with hands-on training of the latest information security tools.

He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.
Follow @castrotech on Twitter.

This post originally appeared on the ITIF Website.

Opt in for free daily update from this free blog. Separately The Steele Report ($11/mo) offers weekly text report and live webinar exclusive to paid subscribers, who can also ask questions of Robert. Or donate to ask questions directly of Robert.