DADA

Lead Research Organisation: University of Nottingham
Department Name: Horizon Digital Economy Research

Abstract

The IoT represents a convergence of ubiquitous computing and communication technologies, with emerging uses that actuate in the real world. No longer do ubiquitous computing systems simply sense and respond digitally; now they physically interact with the world, ultimately becoming embodied and autonomous. At the same time, the game is changing from one of privacy, where it is often (contestably) cited that "users don't care", to one of user safety, where users (along with regulators, governments, and other stakeholders) certainly do care. Likewise, industry needs to become aware that this shift also changes the legal basis under which companies need to operate, from one of disparate and often weakly enforced privacy laws, to one of product liability.
The current widely adopted approach in which cloud services underpin IoT devices has already raised major privacy issues. Importantly, in an actuated future, untrammelled communications implicating a plethora of heterogeneous online services in their normal operation also bring with them resilience challenges. We must ensure the integrity of actuating systems, which will require greater local autonomy alongside increased situated accountability to users. This problem applies in many areas: industrial control, autonomous vehicles, and smart cities and buildings, including the intimate and shared context of the home.

This research seeks to address the challenge in the context of the home, where the network infrastructure protection is minimal, providing little or no isolation between attached devices and the traffic they carry. Scant attention has been paid by the research community to home network security, and its acceptability and usability, from the viewpoint of ordinary citizens.
This research is also deeply rooted in pragmatism and recognises the 'real world, real time' conditions that attach to the IoT:
- that the cyber security solutions currently being defined for IoT systems will not deal with legacy issues and will never achieve 100% adoption;
- that extant businesses limit the period of time for which they will provide software and security updates (if they even remain in business);
- that cyber security is an arms race and threats will continue to emerge in future;
- and that the public will never become network security experts.

Planned Impact

The intended primary beneficiaries are the public at large and society as a whole. We must build an accountable trustworthy infrastructure for IoT. Long term impact would be in an accelerated uptake of such trusted technologies at the expense of current 'wild west' implementations. However, this long term impact will be delivered through the well understood routes in the Pathway to Impact.
Academics in directly involved disciplines (computer science, human-computer interaction, sociology and law) will benefit from the ideas underpinning the research outputs.

Both academics and those in industry will benefit from the socio-technological insights provided by this research, which will be openly available. These insights along with code and data will be promoted through the open source community, the partners, the TIPS2 community and through wider impact activities.

For industry, which is concerned about the compliance implications of emerging legal frameworks (e.g. GDPR), our legal reports and ideation cards will be an accessible entry point to relevant law, especially for SMEs and start-ups who often lack financial resources to invest in compliance advice.

Horizon's systematized response to inquiries will be used to drive policy impact, which must perforce be responsive to the inquiry landscape, but will also be pursued through the good offices of NCSC more directly into government advice and policy.

Publications
