Dr LachlanUrquhart- @mooseabyteResearchFellowinITLaw

HorizonDigitalEconomyResearchInstituteUniversityofNottingham

User-CentricRegulationfortheDomesticInternetofThings

Sensing&PrivacyWorkshop,QMUL,20June2017

USERCENTRICREGULATION(UCR)

• Complexityofregulatingemergingtech

• Turntocreatorsoftech– e.g.PbD

• Problem:SituateroleofITdesignersinregulation

• ConceptualPerspectives– turntoHCI&alignmentwithITlaw

• LegalPerspectives– whatHCIconceptsoffer– caseofIoT &PbD

• ExpertPerspectives – interviewswithleadingtechnologists&ITlawyers

• DesignPerspectives– developing&evaluatingtool.

Source:INCTA.org

1A.CONCEPTUALPERSPECTIVES:ITLAW• Technologydesign=regulatorytool(Reidenberg;

Lessig;Leenes;Brownsword etc)

• Broadeningofactors/purposesofregulation- Black‘postregulatorystate’

• Designersasnewregulatorsshapingbehaviour?

• Designinlaw– user?

• Lessig -‘patheticdots’

• Murray– ‘nodes’

• Inadequateengagementwithhowusersinteractwithtechinpractice?

• Richerpicturevsabstract notionsofusers

• AroleforHCI?

1B.CONCEPTUALPERSPECTIVES:HCI

• HCIandSociety:• ThirdwaveofHCI(Bødker)cultural/emotional

dimensionsofcomputing;ReflectiveDesign(Sengers);responsibilitytousers(HumanDataInteraction)

• Valuesensitivedesign(Friedman)- Humanvaluesintherelationshipbetweenuser,technologyanddesigner

• Extendtolegalissuestoo?• UserCentricFocus:

• HCI- rangeoftoolsandapproachestounderstanduserinteractionswithtechnologyincontext• Designethnography,participatorydesignwith

users – ScandinavianSchool

1C.ALIGNMENT:USERCENTRICREGULATION

• ExplicitAlignmentofITlawandHCI:

• Structuringreflectionandactionbydesigners

• Sensitisetonatureoflegalandethicalresponsibilitiestousers.

• Earlierappreciationoflegaldimension– requiresmutualsupport.

• LegitimacythroughUserProximity

• LegalValues,EthicsandResponsibility

• FromhumanvaluesinHCI tolegalvalues.

• Beyondcompliance- ethicalconcerns.

2A.CASESTUDY:UCRANDTHEINTERNETOFTHINGS

• Trajectory:fromUbicomp,Pervasive,AmI,AAL,SmartHomes,etc...nowIoT

• RiskofVisions:Engineeringchallenges- neglectthepresentandinterestsofusers...egseamlessnetworking

• Applications:energy...security...lighting...healthe.gthermostats,smartmeters,smokealarms,lightbulbs,;fridge?

• Setting:mundane,everyday,augmentroutines…complexsocialspaceofhomevsinvisibleinuse/seamlessness

• CreativeDimensionsofIoT:experiences,trackingstoryofobjects– guitars,books,Warhammeretc

2B.FUZZYPRINCIPLES• NoCanonicalVision– surveyofreportseg ITU;

Cisco;A29WP;IETFetc

• Remotecontrollability&automation(e.g.viaapps)

• Constantconnectivity andnetworking - fordatatransmission&serviceprovision(e.g.cloudbackend,databases)

• Ecosystemofstakeholders,incl.thirdparties &dataflows

• Physicalobjectsambientlysensing&embeddedinsocialandphsyical theenvironment

• Withorwithouthumaninput(lackofUI)

2C.REGULATORYCHALLENGESOFIOT

• Detailedinferencesabouteverydaylife

• Limitedtransparencyofdataflows

• Internationaldatatransfer(cloud)

• Insufficientusercontrol(lackofUX)

• Heterogeneityofdeviceinterfaces

• Controloveraccesstodata

• Datarepurposing

2D.SOLUTION:PRIVACYBYDESIGN• Legally:EUGDPR(2016)Article25

• Technicalandorganisationalmeasures cf stateofart;costs;severityofrisks

• Historically?

• Cavoukian;UsablePrivacy;PrivacyEngineering

• Practically- ToolstoSupportDesigners?

• “whereasforlawyersPbD seemsanintuitiveandsensiblepolicytool,forinformationsystemsdevelopersandengineersitisanythingbutintuitive”(Birnhack,Toch andHadar)

• “Fosteringtherightmind-setofthoseresponsiblefordevelopingandrunningdataprocessingsystems”(JaapKoops andLeenes)

• Needcrossdisciplinaryresponse…

2E.USERCENTRICREGULATIONFORIOT

• 1)RighttobeForgottenandObjectProvenance

• Archiving- Carolan/W40K/TOTeM – objectcentricnarrative

• Balancingtheseinterests- RTBFvsobjectmemories

• 2)TrajectoriesandConsent

• Benford etal(2011)– designinguserexperiences

• RepurposeforobtaininguserconsentinIoT eg smartthermostat ?

• space(home– contestedsocialspace),

• actors(thirdpartyflowsandtransientvisitors),

• interface(waves,beeps,feedback);

• Time(longitudinal)

• 3)SeamfulDesign&LegalUncertainty

3A.PRACTICALPERSPECTIVES• SemiStructuredInterviews• 6techlawyers

• 14yearsaverageexp.– partners,associates

• Expertise:contracts,dataprotection(DP),intellectualproperty,e-commerceetc.

• 7technologists• 32yearsaverageexp.– CTOs,chief

consultants,MDs• Expertise:wirelessnetworking,infosec,

datascience,telecoms,cloudcomputing,interactiondesign

3B.BUSINESSINSIGHTS• 1)Differentiatedresources

• SMEs

• investment– notcompliance

• Lackofresources

• Multinational

• systematic,resourcesavailable;internaladvice

• 2)Businessmodelsandmotivationsforengagement(IoT market).

• Cheapdevice- Monetisepersonaldata- Stockpiledataforlateruse

• ProtectBrandvalues…fearofhacks,scandals

• Makingabetterproduct- fearofcompetitivedisadvantage

3C.REGULATORYINSIGHTS• ContextualisingPrivacybyDesignandLegalValues

• Technologists:Uncertaintyofterm– contestedvalues– needtocontextualisePbD fordifferentsectorseg smartcars,energyetc

• RegulatoryChallengesinpractice

• Smartphonesasmediatingdevicesforconsent

• ComplexityofIoT ecosystemseg smartbuildingvsfitbit

• ManagingRiskandtheRealitiesofEnforcement

• Commercialmindednesstoenablegrowth

• Difficultiesassessingriskofenforcement/sanctions

• Paceoftechchangevslawplayingcatch-up

• A29WPadvicevvaluable

3D.TECHNOLOGICALINSIGHTS

• ApplicationLedFramingsofTechnology

• Moveawayfromneedtodefinewhatisorisn’tIoT –focusonapplications,contextsofuse…notvisions

• AppreciatingConflictingAgendas

• Technologistspulledmanyways– businesscase,compliance,security,usability

• CommunicatingtheRelevanceofLawtoDesigners

• Contextualiseandtranslatelaw- internalcodesofpractice,standards,personallife/scenarios

4A.DESIGNPERSPECTIVES- PRIVACYBYDESIGNCARDS

• Raiseawareness;Supportengagement;Resourceforreflectiononlegalconcepts

• Ideationcardstosurfaceandexploreissues

• Historyofusevaluesensitivedesign,security,IDEO…

• Structuredapproachtointroducenewconceptsintodesignprocess

• TranslationofLegalese

• OriginalDeck- ACMCHI2015

• ExpansiontowholeGDPR

• Project:UofNottingham,MicrosoftResearchCambridge,UofEdinburgh

4b.Clusters

LegalPrinciples

- Informed,unambiguousconsent

- Purposelimitation

- Dataminimisation

Rights:

- Tobeforgotten

- Subjectaccess

- Todataportability

Responsibilities

- DataSecurity

- DPImpactassessment

GlobalDataFlows

- AdequateProtection

- CloudComputing

Definitions

- PersonalData

- Datacontroller

- DataProcessing

4C.TESTINGTHECARDS

• 3organisations:

• Largemediacompany(MOZ)

• InnovationnetworkingbodyforSME/Start-up(INC)

• Smalltechbusinesstradeassociation(SBA)

• 24participants

• Tableopp.

• Findings:RegulatoryLiteracy

Job Cluster Example Jobs Percentage ofOverall Participants

1. Business Strategy andManagement

e.g. Managing Director; Facilitator;International Development;Auditor/Accountant; Marketing; PatentAttorney

33% (8)

2. Technology, Design andCreative

e.g. Software Engineer; IT Consultant;Programmer; Cyber Security and PrivacyConsultant; Producer; Graphic Designer;UX Designer;

50% (12)

3. Research e.g. Industry Research Scientist; SeniorLecturer; PhD Student

17% (4)

4D.THEDECK1 Systemcard 1 Users

card2 Constraintscards

2 LegalCards

4E.REGULATORYINTERACTION

• Motivations:ASpectrumofValuesandResponsibilities

• Protectionofreputation,guardingagainstbadpublicity,litigationorlossofpublictrust.

• Necessity- SMEs

• NegotiatingwiththeLaw

• Richdiscussionoflaw– notusinglegalterms

• Legalauthoritymandatesaction

• MOZ- cardsempoweremployees– knowledgeengagingwithinternaladvicegivingbodies

• SBA– easierentrypointtolaw

4F.SENSE-MAKINGSTRATEGIES

• SupportMechanismswithNetworks,CommunityandLeadership

• SMEs- selfhelp– facetofacesocialnetwork

• CardsasAwarenessRaising,butwhatnext?

• Concise,creative,fun,toolthatpromptsreflection

• DesirefromSMEsfurtherresources– roadmapoffurtheraction

4G.MANAGINGCOMPLEXITY

• DesignerResponses- RiskManagement,UtilityandGranularityofData

• Balancedesireformoredata,withlegalcompliancerisks

• Keenawarenessofprivacy– controlgranularityinternalandexternal(occupantsvsthirdparties)

• SecuritybigconcernforSME

• PragmatismandUserCentricity

• Difficultyreconcilingcommercialnatureofconsentanddesireforconsenttobebetterforusers

• Translationcomprehensionnotjustinfo

• InternationalTransfer- Localstorage,avoidUScloud

QUESTIONS?

• ThanksforListening• lachlan.urquhart@nottingham.ac.uk

• @mooseabyte