DADA

Lead Research Organisation: University of Nottingham
Department Name: Horizon Digital Economy Research

Abstract

The IoT represents a convergence of ubiquitous computing and communication technologies, with emerging uses that actuate in the real world. No longer do ubiquitous computing systems simply sense and respond digitally; now they physically interact with the world, ultimately becoming embodied and autonomous. At the same time, the game is changing from one of privacy, where it is often (contestably) cited that "users don't care", to one of user safety, where users (along with regulators, governments, and other stakeholders) certainly do care. Likewise, industry needs to become aware that this shift also changes the legal basis under which companies need to operate, from one of disparate and often weakly enforced privacy laws, to one of product liability.
The current widely adopted approach in which cloud services underpin IoT devices has already raised major privacy issues. Importantly, in an actuated future, untrammelled communications implicating a plethora of heterogeneous online services in their normal operation also bring with them resilience challenges. We must ensure the integrity of actuating systems, which will require greater local autonomy alongside increased situated accountability to users. This problem applies in many areas: industrial control, autonomous vehicles, and smart cities and buildings, including the intimate and shared context of the home.

This research seeks to address the challenge in the context of the home, where the network infrastructure protection is minimal, providing little or no isolation between attached devices and the traffic they carry. Scant attention has been paid by the research community to home network security, and its acceptability and usability, from the viewpoint of ordinary citizens.
This research is also deeply rooted in pragmatism and recognises the 'real world, real time' conditions that attach to the IoT:
- that the cyber security solutions currently being defined for IoT systems will not deal with legacy issues and will never achieve 100% adoption;
- that extant businesses limit the period of time for which they will provide software and security updates (if they even remain in business);
- that cyber security is an arms race and threats will continue to emerge in future;
- and that the public will never become network security experts.

Planned Impact

The intended primary beneficiaries are the public at large and society as a whole. We must build an accountable trustworthy infrastructure for IoT. Long term impact would be in an accelerated uptake of such trusted technologies at the expense of current 'wild west' implementations. However, this long term impact will be delivered through the well understood routes in the Pathway to Impact.
Academics in directly involved disciplines (computer science, human-computer interaction, sociology and law) will benefit from the ideas underpinning the research outputs.

Both academics and those in industry will benefit from the socio-technological insights provided by this research, which will be openly available. These insights along with code and data will be promoted through the open source community, the partners, the TIPS2 community and through wider impact activities.

For industry, which is concerned about the compliance implications of emerging legal frameworks (e.g. GDPR), our legal reports and ideation cards will be an accessible entry point to relevant law, especially for SMEs and start-ups who often lack financial resources to invest in compliance advice.

Horizon's systematized response to inquiries will be used to drive policy impact, which must perforce be responsive to the inquiry landscape, but will also be pursued through the good offices of NCSC more directly into government advice and policy.
 
Description IoT devices in the home represent a serious security risk. Our investigations have concluded that the current technology-led designs do not accord with user models or understanding of these in-home devices, and work is now underway to perform user-centred design studies to address this. The work has also thrown up legal uncertainty about the degree to which the "personal use exception" in EU GDPR (and UK DPA 2018) can be used to exempt householders from becoming data controllers. Work continues to seek clarity on this, although it may be in the purview of the courts.
Exploitation Route BT is a project partner and has taken a keen interest as services that defend the domestic network from rogue devices could be a useful line of business for an ISP.
Sectors Digital/Communication/Information Technologies (including Software)

URL https://www.horizon.ac.uk
 
Description DCMS have been provided with briefings on in-home security and end-to-end encryption to inform policy work around the Online Harms White Paper. DADA representatives also attended and supported DCMS in meetings with commercial software and service providers in the controversial discussions around DNS over HTTPS, specifically on the implications for in-home security, and more generally on the proposed default option being a bad idea.
First Year Of Impact 2019
Sector Communities and Social Services/Policy, Digital/Communication/Information Technologies (including Software)
Impact Types Societal, Policy & public services

 
Description Comments on the European Data Protection Board's Guidelines 4/2019 on Article 25 Data Protection by Design and by Default
Geographic Reach Europe 
Policy Influence Type Gave evidence to a government review
URL https://edpb.europa.eu/sites/edpb/files/webform/public_consultation_reply/comments_on_edpb_guideline...
 
Description Evidence submitted to Cyber Security Incentives and Regulation Review
Geographic Reach National 
Policy Influence Type Gave evidence to a government review
URL https://www.gov.uk/government/publications/cyber-security-incentives-regulation-review-call-for-evid...
 
Description Written evidence submitted to DCMS regulatory proposals regarding Consumer Internet of Things (IoT) security
Geographic Reach National 
Policy Influence Type Gave evidence to a government review
URL https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-sec...
 
Description 'Adaptive Architecture: Regulating Human Building Interaction'. Controversies in Data Society, Edinburgh Futures Institute, University of Edinburgh, UK. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Public/other audiences
Results and Impact Talk on 'Adaptive Architecture: Regulating Human Building Interaction' at the Controversies in Data Society Seminar Series, Edinburgh Futures Institute, University of Edinburgh, UK.
Year(s) Of Engagement Activity 2019
 
Description Internet of Things and Surveillance Workshop Newcastle University, UK. 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Presented work on Human Building Interaction at PETRAS/Horizon sponsored workshop run by Prof Lilian Edwards at Newcastle University.
Year(s) Of Engagement Activity 2019
 
Description 'Edge Computing & Demonstrating Accountability Through the Databox'. Regulating Digital Platforms: comparing the British and French Models, University of Edinburgh, UK 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Presented on 'Edge Computing & Demonstrating Accountability Through the Databox' at the international conference 'Regulating Digital Platforms: comparing the British and French Models' at the University of Edinburgh, UK
Year(s) Of Engagement Activity 2019
 
Description 'Regulating Future Smart Buildings' Uses and Misuses of Connected Devices, Alan Turing Institute, London, UK. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Was invited to talk on 'Regulating Future Smart Buildings' at an event run on Uses and Misuses of Connected Devices at the Alan Turing Institute, London, UK.
Year(s) Of Engagement Activity 2019
 
Description 'The Future of Regulating Smart Cities', Ritsumeikan Asia Pacific University, Beppu, Japan 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Postgraduate students
Results and Impact Presented research on 'The Future of Regulating Smart Cities' at Ritsumeikan Asia Pacific University, Beppu, Japan in Summer 2019
Year(s) Of Engagement Activity 2019
 
Description Defence Against the Dark Artefacts, with S Piasecki and D McAuley, EUROCRIM 2019. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Stanislaw Piasecki presented our paper on Defence Against the Dark Artefacts and smart home cybersecurity standards at leading criminology conference EUROCRIM 2019.
Year(s) Of Engagement Activity 2019
 
Description Emerging Technologies in Complex Scenarios Workshop (Nottingham) 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Third sector organisations
Results and Impact About 12 participants, mainly from organisations supporting domestic abuse victims, took part and discussed how IoT technologies, including DADA, could pose new challenges and create new opportunities for their work.
Year(s) Of Engagement Activity 2020
 
Description Presentation at BILETA 2019 Belfast 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact Presentation on the legal challenges of the Defence Against Dark Artefacts (DADA) project. About 20 academics attended the session, who showed great interest in the project and provided helpful feedback on the way forward.
Year(s) Of Engagement Activity 2019
URL https://biletabelfast.files.wordpress.com/2019/04/bileta-belfast-2019-programme-published.pdf
 
Description Presentation at Transforming Privacy Law into Practice Workshop (Oxford) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Presented "Cybersecurity Standards and Data Privacy Risks Related to the Use of IoT Devices in Smart Homes of People Living with Dementia" (S Piasecki (presented), J Chen and L Urquhart) to around 30 participants from academia, industry and regulators, and had a discussion on related topics.
Year(s) Of Engagement Activity 2019
 
Description Presentation at Trust, Privacy, and the Internet of Things Early Career Workshop (Aberdeen) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Postgraduate students
Results and Impact Presented work on DADA and discussed with early-career researchers the potential implications of smart home cybersecurity technologies, and further work in the future.
Year(s) Of Engagement Activity 2019
 
Description Presentation at workshop: Surveillance and Liability in an Internet of Things World (Newcastle) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Presented findings from DADA and discussed the implications of IoT technologies on surveillance and liabilities with a group of around 20 from various stakeholders.
Year(s) Of Engagement Activity 2019
 
Description Regulating Ubicomp by Design, Design Informatics Seminar Series, University of Edinburgh. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Professional Practitioners
Results and Impact Talk on my research on Regulating Ubicomp by Design for the Design Informatics Seminar Series, University of Edinburgh.
Year(s) Of Engagement Activity 2019
 
Description Regulating Ubicomp by Design, Law School Staff Seminar Series, University of Edinburgh. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Professional Practitioners
Results and Impact Presented my research on Regulating Ubicomp by Design to the Law School Staff Seminar Series, University of Edinburgh.
Year(s) Of Engagement Activity 2019
 
Description Responsible Research and Innovation Workshop 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Postgraduate students
Results and Impact Workshop for new Horizon CDT students using the Moral-IT cards to think about design, security, privacy and ubicomp.
Year(s) Of Engagement Activity 2019