user-centric regulation for the domestic internet of...
TRANSCRIPT
Dr LachlanUrquhart- @mooseabyteResearchFellowinITLaw
HorizonDigitalEconomyResearchInstituteUniversityofNottingham
User-CentricRegulationfortheDomesticInternetofThings
Sensing&PrivacyWorkshop,QMUL,20June2017
USERCENTRICREGULATION(UCR)
• Complexityofregulatingemergingtech
• Turntocreatorsoftech– e.g.PbD
• Problem:SituateroleofITdesignersinregulation
• ConceptualPerspectives– turntoHCI&alignmentwithITlaw
• LegalPerspectives– whatHCIconceptsoffer– caseofIoT &PbD
• ExpertPerspectives – interviewswithleadingtechnologists&ITlawyers
• DesignPerspectives– developing&evaluatingtool.
Source:INCTA.org
1A.CONCEPTUALPERSPECTIVES:ITLAW• Technologydesign=regulatorytool(Reidenberg;
Lessig;Leenes;Brownsword etc)
• Broadeningofactors/purposesofregulation- Black‘postregulatorystate’
• Designersasnewregulatorsshapingbehaviour?
• Designinlaw– user?
• Lessig -‘patheticdots’
• Murray– ‘nodes’
• Inadequateengagementwithhowusersinteractwithtechinpractice?
• Richerpicturevsabstract notionsofusers
• AroleforHCI?
1B.CONCEPTUALPERSPECTIVES:HCI
• HCIandSociety:• ThirdwaveofHCI(Bødker)cultural/emotional
dimensionsofcomputing;ReflectiveDesign(Sengers);responsibilitytousers(HumanDataInteraction)
• Valuesensitivedesign(Friedman)- Humanvaluesintherelationshipbetweenuser,technologyanddesigner
• Extendtolegalissuestoo?• UserCentricFocus:
• HCI- rangeoftoolsandapproachestounderstanduserinteractionswithtechnologyincontext• Designethnography,participatorydesignwith
users – ScandinavianSchool
1C.ALIGNMENT:USERCENTRICREGULATION
• ExplicitAlignmentofITlawandHCI:
• Structuringreflectionandactionbydesigners
• Sensitisetonatureoflegalandethicalresponsibilitiestousers.
• Earlierappreciationoflegaldimension– requiresmutualsupport.
• LegitimacythroughUserProximity
• LegalValues,EthicsandResponsibility
• FromhumanvaluesinHCI tolegalvalues.
• Beyondcompliance- ethicalconcerns.
2A.CASESTUDY:UCRANDTHEINTERNETOFTHINGS
• Trajectory:fromUbicomp,Pervasive,AmI,AAL,SmartHomes,etc...nowIoT
• RiskofVisions:Engineeringchallenges- neglectthepresentandinterestsofusers...egseamlessnetworking
• Applications:energy...security...lighting...healthe.gthermostats,smartmeters,smokealarms,lightbulbs,;fridge?
• Setting:mundane,everyday,augmentroutines…complexsocialspaceofhomevsinvisibleinuse/seamlessness
• CreativeDimensionsofIoT:experiences,trackingstoryofobjects– guitars,books,Warhammeretc
2B.FUZZYPRINCIPLES• NoCanonicalVision– surveyofreportseg ITU;
Cisco;A29WP;IETFetc
• Remotecontrollability&automation(e.g.viaapps)
• Constantconnectivity andnetworking - fordatatransmission&serviceprovision(e.g.cloudbackend,databases)
• Ecosystemofstakeholders,incl.thirdparties &dataflows
• Physicalobjectsambientlysensing&embeddedinsocialandphsyical theenvironment
• Withorwithouthumaninput(lackofUI)
2C.REGULATORYCHALLENGESOFIOT
• Detailedinferencesabouteverydaylife
• Limitedtransparencyofdataflows
• Internationaldatatransfer(cloud)
• Insufficientusercontrol(lackofUX)
• Heterogeneityofdeviceinterfaces
• Controloveraccesstodata
• Datarepurposing
2D.SOLUTION:PRIVACYBYDESIGN• Legally:EUGDPR(2016)Article25
• Technicalandorganisationalmeasures cf stateofart;costs;severityofrisks
• Historically?
• Cavoukian;UsablePrivacy;PrivacyEngineering
• Practically- ToolstoSupportDesigners?
• “whereasforlawyersPbD seemsanintuitiveandsensiblepolicytool,forinformationsystemsdevelopersandengineersitisanythingbutintuitive”(Birnhack,Toch andHadar)
• “Fosteringtherightmind-setofthoseresponsiblefordevelopingandrunningdataprocessingsystems”(JaapKoops andLeenes)
• Needcrossdisciplinaryresponse…
2E.USERCENTRICREGULATIONFORIOT
• 1)RighttobeForgottenandObjectProvenance
• Archiving- Carolan/W40K/TOTeM – objectcentricnarrative
• Balancingtheseinterests- RTBFvsobjectmemories
• 2)TrajectoriesandConsent
• Benford etal(2011)– designinguserexperiences
• RepurposeforobtaininguserconsentinIoT eg smartthermostat ?
• space(home– contestedsocialspace),
• actors(thirdpartyflowsandtransientvisitors),
• interface(waves,beeps,feedback);
• Time(longitudinal)
• 3)SeamfulDesign&LegalUncertainty
3A.PRACTICALPERSPECTIVES• SemiStructuredInterviews• 6techlawyers
• 14yearsaverageexp.– partners,associates
• Expertise:contracts,dataprotection(DP),intellectualproperty,e-commerceetc.
• 7technologists• 32yearsaverageexp.– CTOs,chief
consultants,MDs• Expertise:wirelessnetworking,infosec,
datascience,telecoms,cloudcomputing,interactiondesign
3B.BUSINESSINSIGHTS• 1)Differentiatedresources
• SMEs
• investment– notcompliance
• Lackofresources
• Multinational
• systematic,resourcesavailable;internaladvice
• 2)Businessmodelsandmotivationsforengagement(IoT market).
• Cheapdevice- Monetisepersonaldata- Stockpiledataforlateruse
• ProtectBrandvalues…fearofhacks,scandals
• Makingabetterproduct- fearofcompetitivedisadvantage
3C.REGULATORYINSIGHTS• ContextualisingPrivacybyDesignandLegalValues
• Technologists:Uncertaintyofterm– contestedvalues– needtocontextualisePbD fordifferentsectorseg smartcars,energyetc
• RegulatoryChallengesinpractice
• Smartphonesasmediatingdevicesforconsent
• ComplexityofIoT ecosystemseg smartbuildingvsfitbit
• ManagingRiskandtheRealitiesofEnforcement
• Commercialmindednesstoenablegrowth
• Difficultiesassessingriskofenforcement/sanctions
• Paceoftechchangevslawplayingcatch-up
• A29WPadvicevvaluable
3D.TECHNOLOGICALINSIGHTS
• ApplicationLedFramingsofTechnology
• Moveawayfromneedtodefinewhatisorisn’tIoT –focusonapplications,contextsofuse…notvisions
• AppreciatingConflictingAgendas
• Technologistspulledmanyways– businesscase,compliance,security,usability
• CommunicatingtheRelevanceofLawtoDesigners
• Contextualiseandtranslatelaw- internalcodesofpractice,standards,personallife/scenarios
4A.DESIGNPERSPECTIVES- PRIVACYBYDESIGNCARDS
• Raiseawareness;Supportengagement;Resourceforreflectiononlegalconcepts
• Ideationcardstosurfaceandexploreissues
• Historyofusevaluesensitivedesign,security,IDEO…
• Structuredapproachtointroducenewconceptsintodesignprocess
• TranslationofLegalese
• OriginalDeck- ACMCHI2015
• ExpansiontowholeGDPR
• Project:UofNottingham,MicrosoftResearchCambridge,UofEdinburgh
4b.Clusters
LegalPrinciples
- Informed,unambiguousconsent
- Purposelimitation
- Dataminimisation
Rights:
- Tobeforgotten
- Subjectaccess
- Todataportability
Responsibilities
- DataSecurity
- DPImpactassessment
GlobalDataFlows
- AdequateProtection
- CloudComputing
Definitions
- PersonalData
- Datacontroller
- DataProcessing
4C.TESTINGTHECARDS
• 3organisations:
• Largemediacompany(MOZ)
• InnovationnetworkingbodyforSME/Start-up(INC)
• Smalltechbusinesstradeassociation(SBA)
• 24participants
• Tableopp.
• Findings:RegulatoryLiteracy
Job Cluster Example Jobs Percentage ofOverall Participants
1. Business Strategy andManagement
e.g. Managing Director; Facilitator;International Development;Auditor/Accountant; Marketing; PatentAttorney
33% (8)
2. Technology, Design andCreative
e.g. Software Engineer; IT Consultant;Programmer; Cyber Security and PrivacyConsultant; Producer; Graphic Designer;UX Designer;
50% (12)
3. Research e.g. Industry Research Scientist; SeniorLecturer; PhD Student
17% (4)
4E.REGULATORYINTERACTION
• Motivations:ASpectrumofValuesandResponsibilities
• Protectionofreputation,guardingagainstbadpublicity,litigationorlossofpublictrust.
• Necessity- SMEs
• NegotiatingwiththeLaw
• Richdiscussionoflaw– notusinglegalterms
• Legalauthoritymandatesaction
• MOZ- cardsempoweremployees– knowledgeengagingwithinternaladvicegivingbodies
• SBA– easierentrypointtolaw
4F.SENSE-MAKINGSTRATEGIES
• SupportMechanismswithNetworks,CommunityandLeadership
• SMEs- selfhelp– facetofacesocialnetwork
• CardsasAwarenessRaising,butwhatnext?
• Concise,creative,fun,toolthatpromptsreflection
• DesirefromSMEsfurtherresources– roadmapoffurtheraction
4G.MANAGINGCOMPLEXITY
• DesignerResponses- RiskManagement,UtilityandGranularityofData
• Balancedesireformoredata,withlegalcompliancerisks
• Keenawarenessofprivacy– controlgranularityinternalandexternal(occupantsvsthirdparties)
• SecuritybigconcernforSME
• PragmatismandUserCentricity
• Difficultyreconcilingcommercialnatureofconsentanddesireforconsenttobebetterforusers
• Translationcomprehensionnotjustinfo
• InternationalTransfer- Localstorage,avoidUScloud