Towards a legally-compliant Internet of Things

This project is to forge new directions towards the important, but largely unexplored challenge of aligning the Internet of Things (IoT) with legal and regulatory realities.

The broad vision of the IoT is where the physical world comes online. It entails sensors and actuators seamlessly integrated with virtual services, as part of a wide-scale, potentially global systems infrastructure that dynamically reacts and responds to meet various goals.

This vision has captured mainstream imagination. The connected infrastructure, a large-scale distributed system, enables a potentially limitless range of applications, which can be customised to individuals, groups and organisations, in areas including cities, retail, energy, health and lifestyle, transport and agriculture.

However, with this vision comes legal, regulatory and social challenges. The scale and physical nature of this emerging systems environment involves sensors generating data on many detailed aspects of the world, much of it (potentially) highly personal or otherwise sensitive, and where actuation capabilities give systems a real, physical-world effect.

As such, IoT (and more generally, ICT) applications, systems and services are increasingly subject to law and visible to regulators, while consumers, businesses and governments are beginning to demand more transparency and agency. Having the means for managing the associated risks, responsibilities, and obligations of the IoT is crucial for realising its potential, and the significant economic and social benefits it promises.

This project directly targets these issues, by taking an interdisciplinary (tech-legal) approach towards legally-compliant distributed systems. The aim is to develop the conceptual frameworks for considering tech-legal compliance issues as well as the technical means for enabling systems (and therefore, those responsible) to comply with legal and regulatory obligations. By facilitating compliance, we work to improve agency, trust and accountability in the IoT, as well as reducing the overheads of compliance.

As the IoT is data driven, the specific focus is on data flow management. We seek to improve the *control* and *visibility* of data as it moves throughout the IoT, in line with data management policy, reflecting legal obligations. This is so that those who have rights over data (including end-users), and those responsible for data (including service providers), are able to ensure their requirements and obligations are met, even as data moves `out of their hands'.

This entails investigating how law and regulation, reflecting responsibilities and obligations, and personal preferences, can be embodied in policy, which technical mechanisms enforce end-to-end, system-wide. This includes auditing policy enforcement, to assist in demonstrating compliance, apportioning liability and indicating whether policy adequately captures legal responsibilities. This also entails the development of legal-technical frameworks that provide the methodology for investigating, enumerating and aligning compliance concerns across the disciplines, and identifying the mismatches between law and technology.

Addressing such challenges requires an interdisciplinary approach. This project embodies a technical/legal symbiosis: work on the technical mechanisms for system-wide control and audit will be driven by legal and regulatory realities, and at the same time, we consider how the technical work impacts the emerging liability and policy concerns arising from the physical and increasingly pervasive and intrusive nature of the IoT.

In undertaking this work, we seek to build the foundations for a broader area of multidisciplinary research concerning legally compliant systems.

The IoT is seen by many as the next digital revolution, offering enormous promise to transform society and drive considerable economic growth. The UK Government's Blackett review makes clear the importance of the IoT to the nation, and the potential for the UK to become a world leader in the area. However, significant challenges remain in the path of realising this vision.

This project directly aims at such concerns. By taking a multidisciplinary approach to progress towards a legally-compliant IoT, the goal is to improve levels agency, trust and accountability in the IoT, while fostering innovation through better means for risk mitigation and obligation management.

As such, there is much potential for this work to have significant impact, in a range of areas, to various communities, including:

* Academics - This work will build the foundations for establishing the area of interdisciplinary research on legally-compliant systems, through a range of activities and outputs that better align the technical and legal disciplines. This will ensure that legal developments are technologically aware, and vice-versa. Moreover, this will help drive and consolidate progress on other areas of compliance beyond data management, such as general system availability and reliability.

* Public policy/government - As the IoT matures, a number of societal challenges will arise and require response. This work will provide the means for clarifying technical and legal horizons, and provide the methodologies and results for aligning the disciplines, to ensure that legal and socio-political developments are technology-aware, realistic, socially desirable, and enforceable, and that challenges can be anticipated and addressed with sensitivity.

* The IoT market - The IoT marketplace is evolving. Providing vendors with tools for facilitating compliance with legal obligations will significantly benefit commercial activities in the IoT space, by mitigating risk and liability exposure, while reducing the risks and concerns associated with data sharing. Our work will help shape the direction of the industry, where greater levels of trust and assurance will help encourage innovation.

* UK companies - From the IoT (business) user perspective, issues of compliance and data management represent barriers to adoption. Again, providing the means for better managing compliance and obligations will encourage general technology uptake (both by firms and end-users), thereby improving efficiency and fostering innovation.

* Data researchers/scientists - Big data is driving much academic and industrial research. Improved data management regimes, that entail more compliant systems, assist analytics processes by creating further mechanisms for control beyond the traditional focus on consent and application-specific access controls. This helps mitigate risks and encourage innovation.

* General public - Issues of agency, trust and accountability pervade the IoT. This project directly aims at these concerns, as compliance entails the means for managing rights, bringing transparency and control. As a result, this work will lead to more empowered users - crucial to the evolving digital society.