Democracies and the Internet of Everything

Dr. David A. Bray

Distinguished Fellow

Stimson Center

Over the last few weeks I’ve had opportunities to meet with leaders in both Taiwan and Australia from multiple sectors and multiple parties to hear their perspectives on the internet and the accelerating adoption of the Internet of Everything (IoE).

The internet in Taiwan already is impacting how organizations involve volunteers to improve online public services and combat cybercrime. In both Taiwan and Australia, the accelerating adoption of the IoE prompts questions about whether traditional multi-party democratic nations can keep up with the accelerating pace of change – or whether new forms of public-private partnerships within and across societies are necessary.

Last week I had the opportunity to meet with both Australia’s Minister and Shadow Minister of Communications from each party, and this week I was fortunate to have two opportunities at the University of Melbourne and an “internet of things” meet-up to share thoughts gathered from discussions in both countries. In this post I summarize five highlights from those conversations, including the need to:

  • Empower Individual Choices Regarding IoE Data
  • Explore how the IoE Intersects with Virtual Currencies
  • Prepare for a Future Where the IoE Interfaces With 3D Fabs
  • Consider the Possibility of New IoE Public-Private Partnerships
  • Increase IoE Privacy and Resiliency By Design

In my opinion, both Australia and Taiwan can help bridge East-meets-West perspectives regarding the IoE – and as referenced before, all discussions and views shared on this trip have been solely in a personal, non-work capacity, as part of a five-week 2015 Eisenhower Fellowship.

1. Empower Individual Choices Regarding IoE Data

Given how potentially pervasive and ubiquitous IoE devices could become, the IoE will require a joint effort across both the public and private sectors to empower individuals. With internet-enabled wearables, health devices, transportation services, home appliances, and more – the need to improve both the privacy and resiliency of such IoE devices becomes increasingly important. Individuals should have the right to choose how much – or how little – information from their IoE devices they want to share where, when, and with whom.

As heard during conversations in Taiwan and Australia, some companies, particularly those funded by ad revenue, may at first be resistant to such a consumer-focused choice architecture, yet I’d suggest the long-term viability of a free and open cyber future requires us to internalize a reflection of Kant’s Categorical Imperative from philosophy, namely: “do unto others as they would permit you to do unto them and their data” (and in return, tailor your services accordingly).

Specifically: individual privacy can be protected by empowering consumers to choose when, where, and in what context their data should be shared with data requestors. Right now the umpteen-pages of different End User Licensing Agreements (EULAs) associated with most downloadable apps are way too long for most of us to parse and understand.

For the IoE, consumers may need an open source agent or mobile app that can parse these agreements and broker individual choices for interfacing with other websites, mobile apps, or online services that are requesting their data.

If a website or service requests to do something with a consumer’s data that they have not given permission for in advance, the user’s open source agent would query the user – using clear and succinct language – whether in context X, they are willing to share data Y, with entity Z.

Such an approach empowers consumers to make choices through a single interface that, with time, will learn their preferences and broker the storage of data about an individual separately from services requesting access to that data. This idea also allows companies to know that the data they receive from a consumer is with informed consent, and they can potentially offer different incentives for various types of data shared.

For example: if you are willing to share your IoE car’s location information, you might receive discounts on places to shop along the routes you frequent. Or if you’re willing to share some of the anonymized information from your wearable fitness devices, you might receive gym discounts or even potentially subsidized health insurance.

With the informed consent of individuals, local and state governments might be interested in anonymized data sets of the health of communities – potentially allowing a future where the investment in a new park or community recreation center can translate into lower blood pressures and healthier local constituents. Choices will empower consumers and allow providers to offer different cyber services based on specific, informed choices by consumers.
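The consent-brokering agent described in this section can be sketched as follows. This is an added example, not code from the original post or from any existing agent; the class and field names, the `ask` callback, and the sample requests are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass(frozen=True)
class DataRequest:
    context: str  # X: the situation in which the data would be used
    data: str     # Y: the category of data requested
    entity: str   # Z: who is asking

@dataclass
class ConsentBroker:
    # ask(question) returns True/False, or None if the user gives no answer
    ask: Callable[[str], Optional[bool]]
    decisions: dict = field(default_factory=dict)  # remembered explicit choices
    audit: list = field(default_factory=list)      # every decision, for later review

    def authorize(self, req: DataRequest) -> bool:
        if req in self.decisions:          # exact (X, Y, Z) match only
            allowed, source = self.decisions[req], "remembered"
        else:
            answer = self.ask(
                f"In context '{req.context}', are you willing to share "
                f"'{req.data}' with '{req.entity}'?")
            allowed = answer is True       # no answer fails closed
            source = "asked"
            if answer is not None:         # remember only explicit choices
                self.decisions[req] = allowed
        self.audit.append((req, allowed, source))
        return allowed

    def revoke(self, req: DataRequest) -> None:
        self.decisions.pop(req, None)      # next request prompts again

def demo():
    # Constructed user responses and requesters (hypothetical names).
    prompts, answers = [], iter([True, False, None])
    def fake_user(question):
        prompts.append(question)
        return next(answers)
    broker = ConsentBroker(ask=fake_user)
    nav = DataRequest("route discounts", "car location", "retailer.example")
    ads = DataRequest("ad targeting", "car location", "adnetwork.example")
    gym = DataRequest("gym discount", "fitness data", "gym.example")
    results = [broker.authorize(nav), broker.authorize(nav),
               broker.authorize(ads), broker.authorize(gym)]
    return results, prompts, broker

if __name__ == "__main__":
    print(demo()[0])
```

Consent given for car location in one context does not carry over to a different requester or purpose, and an unanswered prompt is treated as a refusal without being stored as a standing choice.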

2. Explore How the IoE Intersects with Virtual Currencies

Monetization of data generated by the IoE raises an interesting question:

At what point does data about your preferences, likes, and activities become yet another form of “money” or even “virtual currency” that you can choose to opt-in and trade with companies or opt-out of such exchanges?

Potentially Taiwan, Australia, or other nations could experiment with taking the idea of an open source, freely available IoE agent – one that could broker individual privacy preferences and requests for consumer data – a step further by having that agent also broker your monetary interface with ecommerce services, banks, and virtual currency outlets.

Such an open source IoE agent would employ a “many eyes” approach to detect software bugs, establish trust, and allow application programming interface (API) hooks to other online services. Such an IoE agent should be able to use a combination of natural language processing and machine-learning to parse human laws and EULA forms into formats more easily understood and decided upon by individuals.

Just like choices to share information about the IoE data, consumers could also make informed choices about sharing information about transactions made using virtual currencies – to include potentially making the transaction public (to better inform advertisers) in exchange for discounts, or keeping it private out of a matter of personal preference.

In time, democracies like Taiwan and Australia may need to recognize what makes us individuals isn't just our physical presence, but the data about us in both the cyber and physical realms – including what we purchase using the IoE.

3. Prepare for a Future Where the IoE Interfaces With 3D Fabricators

In addition to intersecting with increased use of virtual currencies, the IoE might also interface with physical objects produced by 3D fabricators. From the different perspectives shared in both Taiwan and Australia, it is clear that consumers should be able to choose what IoE personal data sources they share and in what context with other internet sites, apps, and services – the same may be true for IoE-related exchanges of virtual currencies and online digital services as well. Such an empowered solution prepares us not only for the cyber elements of IoE ahead, but also for physical elements of the IoE.

If one adopts a world view that technology is amoral – then a central question becomes how do we as a world organize to make deliberate choices in how we use globally accelerating advances in digital and physical internet technologies?

Like most technologies, 3D printing combined with IoE sensors and other types of internet-enabled devices unfortunately will have both great and not-so-great uses by individuals. In the future, bad actors could use the internet for distribution of digital designs to build explosive drones or other incendiary devices using 3D mass fabricators. This too will be true with elements of the IoE.

Some elements of the IoE and possible future paths, namely those involving the stability of democratic societies, will require individuals to make choices about what they want to be exposed to in both the cyber and physical realms – and the IoE devices themselves will need to provide some resiliency against threats, both cyber and physical, that might disrupt an individual’s chosen preferences.

Though not within the immediate future, in 10 or 15 years, IoE-enabled wearable devices on your clothes may not only sense what you're being exposed to, such as sound waves, visual stimuli, or even aerosolized matter, but also allow you to choose what you want to be exposed to as well as what you wish to avoid.

A future including IoE-enabled wearable devices that allow you to make informed choices in either the cyber or physical realm might be the only way for multi-party democratic systems to allow individuals to use 3D fabricators that cannot just mold plastic, but also do more advanced capabilities that could be harmful to others. With the IoE, democracies are moving towards a future where human nature hasn’t changed, but technologies once available only to sophisticated nation-states and large corporations are becoming increasingly affordable and available to individuals.

4. Consider the Possibility of New IoE Public-Private Partnerships

All of these issues, and several more (including cyber resiliency), require horizontal collaborations across multiple entities in the public and private sectors. From my conversations in Taiwan and Australia, the need for new public-private partnerships to keep up with the rate of change involving the IoE and its social impacts was emphasized. No one sector can address all the issues alone.

In the United States, public-private partnerships aren’t too often done – though there have been some examples of success. Though somewhat controversial at the time, In-Q-Tel, a non-profit venture capital organization, was established both to transform some of the bureaucratic culture of the U.S. intelligence community and to invest in technologies that if they went mainstream would avoid development of costly proprietary software or hardware. One successful public benefit of In-Q-Tel includes Google Maps. Another example of a non-profit with a combination of both public and private funding is the U.S. Cyber Challenge, established to identify, attract, recruit and place the next generation of cybersecurity professionals.

Such partnerships may also need to include an increased element of transparency, using an open source philosophy first and foremost to help detect software bugs, establish trust, and allow API hooks to other services.

One example of transparency to build trust includes the FCC’s Speed Test app, which made its code open source, available through GitHub, and by design collected neither the IP address of the participant nor their location within a 5 mile radius. This open source model helped encourage trust in the app’s data collection and made sure privacy protections were “baked-in” at the code level.

It is worth asking if there are other open source apps – perhaps for crisis response, public health, or other community needs – where a transparent public-private model, combined with freely available open source code, can both increase the resiliency of community services and improve trust across sectors?

Also of note is whether an IoE public-private partnership model might be able to encourage a model similar to Taiwan’s open government movement called “g0v” that includes some 9,000 volunteer coders helping to improve Taiwan’s digital services?

5. Increase IoE Privacy and Resiliency By Design

A fifth point – already emphasized in a previous discussion about a possible “cyber public health” model for the IoE – is that if both IoE privacy and resiliency are to be improved, both the private and public sectors will need to shift from identity-based data collection to aggregate behavior-level data collection. At least in the U.S., a model that focuses on aggregate behavior-level data already exists: public health at the federal level does not collect protected health identifying information of a patient – focusing instead on public health signs, symptoms, and behaviors.

Similarly, a cyber public health approach equally could protect privacy and improve resiliency by anonymously sharing the equivalent of cyber signs, symptoms, and behaviors that different IoE devices are experiencing.

Such a “cyber CDC” for Taiwan or Australia could pair a combination of human experts with machine-learning algorithms to make sense of anonymously shared behavior-based IoE health and resiliency data. The algorithms by themselves would be insufficient: humans would need to sort through false positives and provide context to the data. At the same time, humans alone would be insufficient given the sheer volume of data associated with the health and resiliency of the IoE.

Companies and consumers in Taiwan or Australia, as well as other democratic nations, could choose to “opt-in” and stream cyber behavior-related information from their IoE connected hardware and software devices. Sharing information on behaviors would protect confidentiality of individual companies and consumers while at the same time improving the ability to spot 0-day exploits, where no known signature of a cyber threat may exist yet, just a set of anomalous behaviors that don’t fit a normal pattern.
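The behavior-level sharing described above can be illustrated with a short sketch. This is an added example, not part of the original post; the event schema, the behavior labels, and the report threshold are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict

SHARED_FIELDS = ("device_class", "behavior")  # assumed schema; all else stays local

def to_report(event):
    """Allowlist the behavior-level fields; identity fields are never copied."""
    return tuple(event[f] for f in SHARED_FIELDS)

def build_baseline(reports):
    """Behaviors seen per device class during a known-normal period."""
    known = defaultdict(set)
    for device_class, behavior in reports:
        known[device_class].add(behavior)
    return known

def review_queue(reports, known, min_reports=2):
    """Behaviors outside the baseline, queued for human review (no signature needed).
    Reports carry no device ID, so the threshold counts reports, not devices."""
    unseen = Counter(r for r in reports if r[1] not in known.get(r[0], set()))
    return sorted((r, n) for r, n in unseen.items() if n >= min_reports)

def ev(device_id, ip, device_class, behavior):
    return {"device_id": device_id, "ip": ip,
            "device_class": device_class, "behavior": behavior}

# Constructed sample events (not real telemetry).
NORMAL = [
    ev("t-01", "192.0.2.10", "thermostat", "https:vendor-api"),
    ev("t-02", "192.0.2.11", "thermostat", "ntp:pool"),
    ev("c-01", "192.0.2.20", "camera", "rtsp:lan"),
]
CURRENT = [
    ev("t-01", "192.0.2.10", "thermostat", "https:vendor-api"),
    ev("t-03", "192.0.2.12", "thermostat", "telnet:outbound"),
    ev("t-04", "192.0.2.13", "thermostat", "telnet:outbound"),
    ev("t-05", "192.0.2.14", "thermostat", "telnet:outbound"),
    ev("c-02", "192.0.2.21", "camera", "smtp:outbound"),
]

def demo():
    known = build_baseline(map(to_report, NORMAL))
    return review_queue([to_report(e) for e in CURRENT], known)

if __name__ == "__main__":
    print(demo())
```

The one-off camera report falls below the threshold and is held back, which is the kind of false-positive filtering the human reviewers would otherwise have to do by hand; lowering `min_reports` trades reviewer workload for earlier visibility.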

Final Thoughts

Like public health in the real world, companies and consumers don’t try to do disease control by themselves – such large challenges require collective action. Similarly, for the IoE, empowering consumers to make choices, encouraging new IoE partnerships across private sector and public sector organizations, and exploring new ways to increase IoE privacy and resiliency by design will encourage a future with more beneficial opportunities for us all.

As always, I welcome comments, feedback, and additional inputs as a diversity of perspectives helps inform possible future choices ahead.

Sep 17, 2015