DADA

Lead Research Organisation: University of Nottingham
Department Name: Horizon Digital Economy Research

Abstract

The IoT represents a convergence of ubiquitous computing and communication technologies, with emerging uses that actuate in the real world. No longer do ubiquitous computing systems simply sense and respond digitally, now they physically interact with the world, ultimately becoming embodied and autonomous. At the same time, the game is changing from one of privacy, where it is often (contestably) cited that "users don't care", to one of user safety, where users (along with regulators, governments, and other stakeholders) certainly do care. Likewise, industry needs to become aware that this shift also changes the legal basis under which companies need to operate, from one of disparate and often weakly enforced privacy laws, to one of product liability.
The current widely adopted approach in which cloud services underpin IoT devices has already raised major privacy issues. Importantly in an actuated future, untrammelled communications implicating a plethora of heterogeneous online services in their normal operation also brings with it resilience challenges. We must ensure the integrity of actuating systems, which will require greater local autonomy alongside increased situated accountability to users. This problem applies in many areas: industrial control, autonomous vehicles, and smart cities and buildings, including the intimate and shared context of the home.

This research seeks to address the challenge in the context of the home, where the network infrastructure protection is minimal, providing little or no isolation between attached devices and the traffic they carry. Scant attention has been paid by the research community to home network security, and its acceptability and usability, from the viewpoint of ordinary citizens.
This research is also deeply rooted in pragmatism and recognises the 'real world, real time' conditions that attach to the IoT:
- that the cyber security solutions currently being defined for IoT systems will not deal with legacy issues and will never achieve 100% adoption;
- that extant businesses limit the period of time for which they will provide software and security updates (if they even remain in business);
- that cyber security is an arms race and threats will continue to emerge in future;
- and that the public will never become network security experts.

Planned Impact

The intended primary beneficiaries are the public at large and society as a whole. We must build an accountable trustworthy infrastructure for IoT. Long term impact would be in an accelerated uptake of such trusted technologies at the expense of current 'wild west' implementations. However, this long term impact will be delivered through the well understood routes in the Pathway to Impact.
Academics in directly involved disciplines (computer science, human-computer interaction, sociology and law) will benefit from the ideas underpinning the research outputs.

Both academics and those in industry will benefit from the socio-technological insights provided by this research, which will be openly available. These insights along with code and data will be promoted through the open source community, the partners, the TIPS2 community and through wider impact activities.

For industry, which is concerned about the compliance implications of emerging legal frameworks (e.g. GDPR), our legal reports and ideation cards will be an accessible entry point to relevant law, especially for SMEs and start-ups who often lack financial resources to invest in compliance advice.

Horizon's systematized response to inquiries will be used to drive policy impact, which must perforce be responsive to the inquiry landscape, but will also be pursued through the good offices of NCSC more directly into government advice and policy.

Publications

10 25 50
 
Title Defence Against Dark Artefact: The Game 
Description A board game designed to help developers and users of smart home technologies reflect on cybersecurity threats and management strategies. 
Type Of Art Artwork 
Year Produced 2021 
Impact As part of the game development process, the research team has run a series of focus groups, where participants reported enhanced awareness and engagement with cybersecurity issues involved in IoT products. 
 
Description IoT devices in the home represent a serious security risk. Our investigations have concludes that the current technology led designs do not accord with user models or understanding of these in home devices and now work is underway to perform user centred design studies to address this. The work has also thrown up legal uncertainty about the degree to which the "personal use exception" in EU GDPR (and UK DPA 2018) can be used to exempt house holders from becoming data controllers - work continues to seek clarity on this, although it may be in the purview of the courts.
Exploitation Route A small UK SME that delivers routing hardware and software to "big brand" consumer electronics companies are starting to add features from our research into their platform.
Sectors Digital/Communication/Information Technologies (including Software)

URL https://www.horizon.ac.uk
 
Description DCMS have been provided with briefings of in home security and end to end encryption to inform policy work around Online Harms White Paper. DADA representatives also attended and supported DCMS in meetings with commercial software and service providers in the controversial discussions around DNS over HTTPS, specifically on the implications for in home security, and more generally on the proposed default option being a bad idea. A UK SME who supplies technology to consumer electronics companies investigating integrating ideas from the project into their products.
First Year Of Impact 2019
Sector Communities and Social Services/Policy,Digital/Communication/Information Technologies (including Software)
Impact Types Societal,Policy & public services

 
Description Comments on EDPB Guidelines on controller and processor
Geographic Reach Europe 
Policy Influence Type Gave evidence to a government review
URL https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-072020-concepts-c...
 
Description Comments on the European Data Protection Board's Guidelines 4/2019 on Article 25 Data Protection by Design and by Default
Geographic Reach Europe 
Policy Influence Type Gave evidence to a government review
URL https://edpb.europa.eu/sites/edpb/files/webform/public_consultation_reply/comments_on_edpb_guideline...
 
Description Evidence submitted to Cyber Security Incentives and Regulation Review
Geographic Reach National 
Policy Influence Type Gave evidence to a government review
URL https://www.gov.uk/government/publications/cyber-security-incentives-regulation-review-call-for-evid...
 
Description Gave oral evidence as expert witness to the House of Commons DCMS Select Committee
Geographic Reach National 
Policy Influence Type Gave evidence to a government review
Impact Gave oral evidence as expert witness to the House of Commons DCMS Select Committee on matters of data ethics, which sparked discussions and raised further interest of the Committee to initiate a formal inquiry
URL https://committees.parliament.uk/oralevidence/1036/html/
 
Description Response to Call for Views: Proposals for Regulating Consumer Smart Product Cyber Security
Geographic Reach National 
Policy Influence Type Gave evidence to a government review
URL https://www.gov.uk/government/publications/proposals-for-regulating-consumer-smart-product-cyber-sec...
 
Description Response to DCMS Call for Evidence: Cyber Security Incentives and Regulation
Geographic Reach National 
Policy Influence Type Gave evidence to a government review
 
Description Written evidence submitted to DCMS regulatory proposals regarding Consumer Internet of Things (IoT) security
Geographic Reach National 
Policy Influence Type Gave evidence to a government review
URL https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-sec...
 
Description Trust in Home: Rethinking Interface Design in IoT (THRIDI)
Amount £11,326 (GBP)
Organisation Engineering and Physical Sciences Research Council (EPSRC) 
Sector Public
Country United Kingdom
Start 04/2020 
End 02/2021
 
Description 'Adaptive Architecture: Regulating Human Building Interaction'. Controversies in Data Society, Edinburgh Futures Institute, University of Edinburgh, UK. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Public/other audiences
Results and Impact Talk on 'Adaptive Architecture: Regulating Human Building Interaction' at the Controversies in Data Society Seminar Series, Edinburgh Futures Institute, University of Edinburgh, UK.
Year(s) Of Engagement Activity 2019
 
Description Internet of Things and Surveillance Workshop Newcastle University, UK. 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Presented work on HUman Building Interaction at PETRAS/Horizon sponsored workshop run by Prof Lilian Edwards at Newcastle University.
Year(s) Of Engagement Activity 2019
 
Description 'Edge Computing & Demonstrating Accountability Through the Databox. Regulating Digital Platforms: comparing the British and French Models, University of Edinburgh, UK 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Presented on 'Edge Computing & Demonstrating Accountability Through the Databox at the international conference 'Regulating Digital Platforms: comparing the British and French Models' at the University of Edinburgh, UK
Year(s) Of Engagement Activity 2019
 
Description 'Regulating Future Smart Buildings' Uses and Misuses of Connected Devices, Alan Turing Institute, London, UK. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Was invited to talk on 'Regulating Future Smart Buildings' at an event run on Uses and Misuses of Connected Devices at the Alan Turing Insitute, London, UK.
Year(s) Of Engagement Activity 2019
 
Description 'The Future of Regulating Smart Cities', Ritsumekian Asia Pacific University, Beppu, Japan 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Postgraduate students
Results and Impact Presented research on 'The Future of Regulating Smart Cities' at Ritsumekian Asia Pacific University, Beppu, Japan in Summer 2019
Year(s) Of Engagement Activity 2019
 
Description Defence Against the Dark Artefacts, with S Piasecki and D McAuley, EUROCRIM 2019. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Stanislaw Piasecki presented our paper on Defence Against the Dark Artefacts and smart home cybersecurity standards at leading criminology conference EUROCRIM 2019.
Year(s) Of Engagement Activity 2019
 
Description Emerging Technologies in Complex Scenarios Workshop (Nottingham) 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Third sector organisations
Results and Impact About 12 participants, mainly from organisations supporting domestic abuse victims, took part and discussed how IoT technologies, including DADA, could pose new challenges and create new opportunities to their work.
Year(s) Of Engagement Activity 2020
 
Description Expert panel discussion (online) "Who Owns Our Data", organised by UK-Japan Student Conference 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Undergraduate students
Results and Impact 70 participants, mainly from the UK and Japan, attended the online expert panel discussion on the theme of the use of data-driven technologies, and its social and economic implications, which sparked debates and discussions about the future data governance models, and the organiser reported increased interest in the theme.
Year(s) Of Engagement Activity 2021
URL https://www.eventbrite.co.uk/e/privacy-panel-discussion-who-owns-our-data-tickets-135000206251
 
Description Invited Legal Expert to HDI THRIDI Workshop 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact I was invited as the legal expert speaker on an interdisciplinary panel to provide reflections on the first day of the workshop looking at interface design and smart home cybersecurity.
Year(s) Of Engagement Activity 2020
URL https://www.brunel.ac.uk/news-and-events/events/2020/brand-webinars/Trust-in-home-rethinking-interfa...
 
Description Just AI Seminar Series 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Third sector organisations
Results and Impact Invited to participate in a lunchtime seminar run by the Ada Lovelace Institute/Nuffield Foundation to discuss my research projects.
Year(s) Of Engagement Activity 2020
 
Description Presentation at BILETA 2019 Belfast 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact Presentation on the legal challenges of the Defence Against Dark Artefacts (DADA) project. About 20 academics attended the session, who showed great interest in the project and provided helpful feedback on the way forward.
Year(s) Of Engagement Activity 2019
URL https://biletabelfast.files.wordpress.com/2019/04/bileta-belfast-2019-programme-published.pdf
 
Description Presentation at Ethicomp 2020 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Presented to the international community of ethical computing, specifically on smart home regulation, which sparked discussions among the audience.
Year(s) Of Engagement Activity 2020
 
Description Presentation at Gikii 2020 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Presented research to the legal and technology community, specifically on regulating consumer IoT products, which sparked discussions among the audience.
Year(s) Of Engagement Activity 2020
 
Description Presentation at Transforming Privacy Law into Practice Workshop (Oxford) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Presented "Cybersecurity Standards and Data Privacy Risks Related to the Use of IoT Devices in Smart Homes of People Living with Dementia" (S Piasecki (presented) J Chen and L Urquhart) to around 30 participants from academia, industry and regulators and had discussion on related topics.
Year(s) Of Engagement Activity 2019
 
Description Presentation at Trust, Privacy, and the Internet of Things Early Career Workshop (Aberdeen) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Postgraduate students
Results and Impact Presenting work on DADA and discuss with early-career researchers the potential implications of smart home cybersecurity technologies, and further work in the future.
Year(s) Of Engagement Activity 2019
 
Description Presentation at workshop: Surveillance and Liability in an Internet of Things World (Newcastle) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Presenting findings from DADA and discuss the implications of IoT technologies on surveillance and liabilities with a group of around 20 from various stakeholders.
Year(s) Of Engagement Activity 2019
 
Description Regulating Ubicomp by Design, Design Informatics Seminar Series, University of Edinburgh. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Professional Practitioners
Results and Impact Talk on my research on Regulating Ubicomp by Design for the Design Informatics Seminar Series, University of Edinburgh.
Year(s) Of Engagement Activity 2019
 
Description Regulating Ubicomp by Design, Law School Staff Seminar Series, University of Edinburgh. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Professional Practitioners
Results and Impact Presented about my research on Regulating Ubicomp by Design to the Law School Staff Seminar Series, University of Edinburgh.
Year(s) Of Engagement Activity 2019
 
Description Responsible Research and Innovation Workshop 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Postgraduate students
Results and Impact Workshop for new Horizon CDT students using the Moral-IT cards to think about design, security, privacy and ubicomp.
Year(s) Of Engagement Activity 2019
 
Description The Moral-IT Cards: A Tool for Ethics by Design 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact This talk introduces the Moral-IT deck, a Responsible Research and Innovation toolkit built to support designers' reflection on ethical issues when creating new technologies.

Awareness of technologists' responsibilities is growing as it no longer becomes sustainable to focus purely on building functioning systems, but instead they need to consider the wider social, ethical and legal implications of their work. The toolkit uses physical ideation cards, a design tool popular in human computer interaction research. The cards prompt engagement with digital ethics concepts by posing questions about requirements from law, privacy, security and ethics frameworks in a more accessible, visually appealing card-based form.

In this talk, Lachlan Urquhart will describe a user-friendly impact assessment board that has been developed. It poses questions about risks (including ranking their severity), considering the likelihood of occurrence, mapping out appropriate safeguards, and formulating strategies for implementing the safeguards. Lachlan will also discuss our empirical evaluation of the toolkit through a series of workshops using focus groups and questionnaires, as well as the advantages and disadvantages of a card-based approach, findings from data analysed, and lessons for building ethics into design. What does the use of such cards could tell us about cards as a tool, the technologies under discussion, and the nature of the ethics of emerging technology?

Dr Lachlan Urquhart is a Lecturer in Technology Law at the University of Edinburgh and Visiting Researcher at Horizon, University of Nottingham. He has a multidisciplinary background in computer science (PhD) and law (LL.B; LL.M). His main research interests are in human computer interaction, ubiquitous computing, data protection and cybersecurity. He has won over £2m in grants from funding bodies including from EPSRC, ESRC, AHRC, Universitas 21, Impact Accelerator Funds, and Research Priority Funds. For recent publications and project activities, see here.
Year(s) Of Engagement Activity 2020
URL https://www.cdcs.ed.ac.uk/events/moral-IT-deck-tool-ethics-by-design