It is early days for IoT policy. The European Union held a consultation on the subject in 2013 and issued a report that identifies general areas of concern.i The FTC held a conference in 2013, building on its customary emphasis on privacy and transparency for the development of digital applications. It issued its report in early 2015. ii With Congressional hearings in the offing,iii the Aspen Conference provided a timely forum to raise policy concerns and possible approaches to manage IoT risk and promote opportunity.

Any use of IoT applications that involves the collection of personal data implicates privacy. By privacy, we mean both (1) the actual protection and control of personal information and (2) the more general sense that one can secure a sphere of solitude and anonymity in the world of connected things. Privacy-related policy concerns loom so large that they tend to swallow up other considerations; indeed, they permeate this entire Report and sparked the most vigorous debates at the Conference. This Report begins, however, with an equally fundamental concept. It is the concept of data-as-infrastructure. As the Internet of Things takes off, data becomes infrastructure in the sense that control over and access to data is a basic input into all kinds of economic, civic, personal and social activity.

Data as Infrastructure: Access, Discrimination, Production
The IoT consists of networks of connected devices that generate data and make it actionable. Smart devices get lots of attention, but it’s the data that will drive IoT adoption. Data flows use infrastructure. IoT data itself is infrastructure—as a vital input to progress much like water and roads, and just as vulnerable to capture, malicious or discriminatory use, scarcity, monopoly and sub-optimal investment. When you conceptualize data as infrastructure, you begin to surface policy questions that are either new or more pressing in the IoT context. Danny Weitzner, Director of the MIT CSAIL Decentralized Information Group, observed that while the Internet looked like an application to many first adopters, “now it looks like infrastructure. That might happen with data as well. There is an infrastructural quality to data.”

For Weitzner, what data as infrastructure means is that there should be “a common body of data about the world that will be used in an integrated fashion.” We should therefore treat the vast and dynamic collection of data as “a unified resource with common standards and clear, common access conditions that increase the chance it can be subject to integrated analytics.” Bob Pepper, Cisco’s Vice President of Global Technology Policy, disagreed. He emphasized that IoT data really is not a unified resource because there are going to be so many heterogeneous systems generating data that may be of widespread interest or of little interest outside the entity that generated it.

For Stefaan Verhulst, Co-Founder and Chief Research and Development Officer of the Governance Laboratory (GovLab) at NYU, once you see data as infrastructure, it becomes essential to map data resources. It is important to know what data exists, how robust it is, and what needs to be collected. And critical to this process is citizen engagement. “How do you involve people in the development of data-collection agendas? How do you engage citizens at all stages?” he said. “How do citizens come to participate in the generation of data that helps them and that they think is important?” A recent report by the President’s Council of Economic Advisors, Big Data and Differential Pricing, shows that massive data sets can increase discriminatory pricing based on profiling, but they can also reduce discrimination by improving the accuracy of individualized predictions.iv Which way the process tips depends on transparency, vigilance, education and access to the data that is shaping decisions.

Data Access and Ownership
Access to infrastructure is necessary for competition, innovation, productivity, social inclusion, economic mobility, citizen participation and self-fulfillment. All that is true for access to data. For example, data on disease trends may be an essential input into the development of pharmaceuticals. Traffic data may be an essential input for a small business that wants to locate a restaurant or for a neighbor that wants a new traffic light at a dangerous intersection. Increasingly, journalism relies on sensor data to report what is happening in the world.v Who controls data and who has access to it thus becomes a matter of economic vitality as well as social inclusion and political action. The open data movement in government—expressly endorsed by the White House—recognizes the utility of making it easy to access public data.vi

In order for data to be made widely available, there was broad agreement at the Conference that there should be either common or interoperable IoT data formats. As Weitzner noted, “common formats doesn’t mean that the data is free.” It will often be necessary to charge for data in order to incentivize its production. Pepper cautioned that, given the heterogeneity of the IoT, “the key is to have interoperable standards, not necessarily a common standard.”

Johanna Shelton, the Director of Public Policy & Government Relations at Google, urged the development of access and interconnectivity rules for different layers of IoT data stacks. Put most simply, there is raw data, such as raw traffic data, and there is processed data, such as correlations between traffic and weather or other events. Shelton argued for relatively generous access rules to raw data, while allowing companies to restrict access to processed data. She recounted Google’s experiment in the health space. The company wanted to “draw the intelligence” out of insurance company data but couldn’t get access to the raw data. It may often be the case, she said, that “those who deploy sensors and control the data may not be squeezing all the [socially beneficial] intelligence out of it, and this is an argument for open access to that data.”

Marc Rotenberg, Executive Director of the Electronic Privacy Information Center (EPIC), said the most relevant distinction is not whether data is raw or processed, but whether it is personally identifiable. NOAA data, collected from buoys and atmospheric sensors, is an example of data that is not personally identifiable and that, therefore, should be available to everyone. “This is a sensor network that’s not about people; it’s about the world around us.” Also, “The NOAA data doesn’t actuate events…. It provides information about our environment. It does not trigger action against individuals.”

Verhulst noted that the really valuable information might not be NOAA’s data, but what private companies build on top of the NOAA data, and that’s much trickier to open up. Verhulst pointed to Google Flu data as an example where the insights from the analyzed data are of value to the public. The data sets have some of the qualities of a public good. “It’s a public service to share the processed data.” At the same time, sometimes privacy concerns might compel limited access to data analytics, in addition to or even more than access to raw data. We might also want to have trusted intermediaries to assess data requests and provide discretionary access.

Reed Hundt, CEO of the Coalition for Green Capital, called attention to the intentional analogies of “data infrastructure” and “communications infrastructure.” The latter is largely privately owned, but there is a public interest in ensuring that it is robust and universally available. There might be similar interests in data infrastructure. Even as to private infrastructure, he said that we might “want the government to step in and say, ‘We’d like for this to be universally distributed or made universally available.’ There is some layer of data that rides on top of the physical infrastructure that really ought to be publicly owned, publicly allocated, made available by a public democratic process to absolutely everyone.” Then on top of this data, private entities can innovate and add analytics and utility.

Extending the telecommunications analogy, it is possible to conceptualize access to data as a right of interconnection. Users may not be entitled to full sets of raw data or processed data, but to interconnect at certain points in order to make use of the data collected by others. MIT’s Weitzner raised the concept of “data liberation” and the desirability of applying concepts of access and interconnection to data. Chris Libertelli, Vice President of Global Public Policy at Netflix, on the other hand, objected to applying concepts of interconnection to the IoT. “Those norms and policies are completely inappropriate to the question of whether an independent application developer gets the rights to, say, an energy data set…. As a principle of regulatory humility, there should be a consensus that this old stuff [interconnection] shouldn’t apply in the new world of big data meets connectivity.”

Joanne Hovis, President of CTC Technology & Energy, worried that the push toward open data for public entities has resulted in the allocation of significant public resources for collecting and making available data sets. This might not be a problem, if it were not for the fact that “private parties make use of the data to benefit only a segment of the population.” In other words, there’s a transfer of resources from the public to the private sector. We should be attentive to the issue of whether public investment will actually benefit the entire public.

An example of a controversial private-sector purchase of processed public information is Monsanto’s acquisition for over $1 billion of the Climate Corporation. The Climate Corporation develops data on climate change by analyzing 50 terabytes of data daily—much gathered by public sector sensors—about weather, soil quality and other data points relevant to farmers.vii This data is important for farmers’ insurance policies and crop production plans. But now it is the private property of a principal vendor of agricultural inputs. The public data remains public, but the value-added or analyzed data is private and owned by a vertically integrated supplier to farmers.

Robert Atkinson, Co-Founder of the Information Technology & Innovation Foundation, suggested that there were three possibilities for the way the IoT information ecosystem might develop: (1) “Proprietary and Balkanized, with every institution having its own data—GE has its data, Ford has its data—and that would be suboptimal,”; (2) proprietary and combined, like the Nest example, where a company invests enough to do great analytics because it has a large universe of data; and (3) open and combined, “which in some ways is the Nirvana.” Atkinson argued that every factory would be better off if it had access to the data from all other factories and data sets were combined. Whether or not the private sector will see its own way toward this kind of cooperation is an open question.

Outside the IoT context, we have not yet come to conclusions about how large sets of quasi-public data should be managed. Uber has vast amounts of information in the form of the rides that individuals take. The company has come under fire for inappropriate use of this data in privacy-invasive ways.viii Another issue is whether Uber should have to share anonymized versions of this data in order to help urban planners and others that want to better understand traffic patterns. This is data that licensed taxis have to share to help policymakers police discrimination in the provision of taxi service. As tasks formerly undertaken by public or publicly licensed entities shift to a less-regulated sector, questions arise as to what should happen to the data. Is there a public claim on the data, and, if so, how are individual privacy and proprietary business interests protected? These questions are not new to the IoT, but they become more pressing as the data sets explode and municipal functions are privatized.

An important piece of the data access issue is data ownership. There will be plenty of situations where claims to data ownership overlap and conflict. The connected car furnishes an example. Bob Pepper of Cisco forecast that by 2018 a quarter of a billion connected cars will be on the road around the world, each one with an average of four modules (e.g., brakes, steering), each module with multiple sensors generating loads of data.ix He identified questions raised: “That data about my car, my driving…whose is it? Is it mine? Is it the manufacturer's? Is it the dealer's?” New kinds of data collected and transmitted by the connected car could include biometric and behavioral information about the driver, as well as fine-grained location information and automobile performance diagnostics.

Carl Povelites, Assistant Vice President of Public Policy, Mobility at AT&T Services, suggested that ownership has to be pegged to incentives to innovate. “With respect to the onboard diagnostics unit, does the car company own it because it invested in the research and built the systems? Or does the individual own the data so that if the check‑engine light comes on, they should be able to go to any repair shop?” He argued that “companies that are doing the investment must own the data so that they have the incentive to put forward all that money and capital.”

It’s not always obvious whether a data set is most useful for public or private purposes, or whether it will be produced absent private ownership. Aggregated health data, for example, may be a public resource with respect to public health but a private resource with respect to disease research. Coming up with rules of use and access to such data that encourages both kinds of uses is most difficult.

Reed Hundt recommended that “government should define some kinds of data that should not be allowed to be the source of private wealth and instead should be turned into a public good.” Energy use furnished an example. No one ought to be allowed, Hundt argued, to own and exclude others from accessing data about people’s energy use. Instead, it should be collected and publicly reported. That kind of public access would allow entities to tax according to per capita use and would “empower any firm that wanted to offer an energy efficiency solution to use that data so that individuals could avoid the tax.”

Michael Calebrese, Director of the Wireless Future Program in the Open Technology Institute of the New America Foundation, added that government should leverage its power as a regulator or property owner to ensure open access to data that bears on public externalities (such as pollution or energy waste). A number of NGOs are working to make sure that municipal sensor data is open and available as soon asit iscollected.x

EPIC’s Rotenberg disagreed that this kind of data should be widely available when it contains personally identifiable information (PII). Indeed, he advised that government should refrain from collecting domestic energy use data that is PII. Gathering such data might even constitute an illegal search, as the Supreme Court found in a case about surveillance of heat emitted from a marijuana grow room.xi Following the NOAA example earlier, he proposed a way to use data to promote environmental protection without using PII. Authorities could post pollution notifications, similar to automobile speed monitors, which would show varying levels of air pollution. This approach would make use of aggregate data to obtain a public policy outcome without engaging in the collection of PII that creates privacy risks.

Jonathan Chaplin, Managing Partner of New Street Research, thought that “we should establish property rights relating to data and make very clear delineation of what’s personal data that an individual owns and can cede to an organization or a government. But it’s their choice.” David Hoffman, Director of Security Policy and Global Privacy Officer at Intel Corporation, thought a model of data ownership “is going to be a huge rat hole for us and a very difficult exercise.” Marc Rotenberg agreed that an ownership model may work for materials subject to intellectual property protection, but not for personal information. He said the goal of user control over personal data is typically achieved through laws that establish Fair Information Practice Principles. Johanna Shelton remarked that “individual control over information is a really good sound bite, but we know from implementation of the right to be forgotten in Europe that it can be used to trump public accountability and the public’s right to know.”

One well-received recommendation was that there be a federal law that individuals have a right of access to their personal IoT or even all data collected by any government or private entity, although the practical difficulties in effectuating such a right are daunting.xii

Data Production: Government Subsidies and Facilitation
The IoT will yield almost unimaginable quantities of data. But it won’t necessarily produce all the data that is needed. As in the production of all public goods, there will be a dearth of commercial incentives to invest in data collection and analysis that produces public benefit without sufficient benefit capable of private capture.

Reed Hundt, CEO of the Coalition for Green Capital, proposed the creation of a data infrastructure bank that would fund projects that collect and make such data available. This would be a federal funding mechanism for “everything from better utility network data to transportation infrastructure sensors, public video surveillance, and the means to collect and analyze performance of educational services.” The purpose would be to release traffic and road information so that “anybody in the business of selling an intelligent transportation service would have that data available to them.” Judgments would have to be made all the time about privacy, for example excluding license plate information while including pothole information. Another example would be data about the thermal envelope of all buildings so that data about inefficient energy use would be publicly available.

There was widespread agreement that if the government is going to fund collection of data, it should be guided by two principles. First, it should focus on externalities, such as pollution or congestion, on the theory that the private sector doesn’t have the motive to gather that data. Second, it should focus on data that is non-rivalrous, meaning that anyone can use it without increasing the cost or diminishing the utility of the data for others.

Chief Democratic Counsel of the U.S. House Committee on Energy and Commerce, Shawn Chang, embraced a “dig once” philosophy for government when it comes to IoT sensors and data collection. Where the government is supporting infrastructure development, for example by excavating for new roads, it should consider how IoT sensors and data fit in. Marjory Blumenthal, Executive Director of the President's Council on Science and Technology, expanded, “If you're thinking about government‑funded roads, then you could provide an expectation that they would incorporate sensors and use technology to enhance monitoring and support maintenance. Where the public grants a right‑of‑way, you could tie that to certain implementations for the public good.”

Chang focused on the $7 billion FirstNet—the new interoperable national public safety network that will be funded from federal spectrum auction revenues. The construction of this network provides great opportunities for government to build sensor networks into first responder operations. Chang recommended “leveraging this network to bake into these future public safety devices or transportation systems IoT capabilities that would be useful to collect information on public works, health or environmental needs.” When the ambulance, fire truck or police car is moving, it might as well be collecting information that could be used to improve transportation or environmental functions. This would also have the advantage of developing clients for the FirstNet network, assuming that private and public sector entities valued the collection of this data. Client development is important, given that the FirstNet business model is to “collect fees from users in order to have a sustainable business case going forward.”

Christine Varney, an attorney with Cravath, Swaine & Moore LLP, advanced the possibility of building IoT applications into the functions of the Accountable Care Organizations (ACOs) created by the Affordable Care Act. She said these organizations “could use the IoT to gather and disseminate, in a continual loop, health information up and down the chain [assuming privacy controls]. There would be an opportunity to expand access, continue to be more efficient, reduce costs and get better quality outcomes.”

Varney point out that the result might be “a sensor on an imaging machine that feeds right into the radiologist and the primary care doctor and the insurer and the prescription, the pharmacy, and the pillbox—the entire chain of care.” Because ACOs are generally regional, the opportunity exists to experiment across a number of different ACOs. And because ACOs have incentives to reduce costs and keep the savings, they would have every interest in getting smarter about the care they offer by exploiting sensor networks.

GovLab’s Verhulst focused on what he called “corporate data philanthropy.” To the extent that there is data that is important for the equitable delivery of services, for civic participation and for competition and innovation, how do we get companies involved in creating and sharing this data? He wants to explore ways to incentivize or push companies to create data pools that are open to the public.

Data as Infrastructure Recommendations Basic Principles: (1) There should be broad accessibility of data and data analytics, with open access to some; (2) government should subsidize and facilitate data production, especially where data is an under-produced public good. Broad Accessibility of Data and Data Analytics New data sources should be exposed in standard formats with interoperable interfaces (APIs). This should be a foundation of IoT architecture to ensure efficiency, consumer welfare and innovation gains. Government should publish metadata (e.g., NOAA). Government should establish metadata standards to foster interoperability (e.g., for anonymized medical records). NIST should use convening power to foster global standards for the IoT, with demonstrable security protection. USTR should challenge national/non-global standards as trade barriers. Data Production: Government Subsidies and Facilitation Subject to the development of security safeguards, government should leverage areas of investment to incentivize adoption of IoT systems and to drive IoT innovation through government purchasing and deployment. The following are examples: Health Care: Offer Accountable Care Organizations a common data infrastructure platform for data collection and analysis, create incentives for experimentation, and produce best practices. Public Safety: Build in data sharing concerning other verticals like transportation and infrastructure conditions, and encourage citizen adoption and feedback. Energy: Bring IoT to energy inefficient homes using a race-to-the-top model. Ensure there is no monopoly holder of data. Transport: Dig once. Require new and reconstructed highways to incorporate sensors and support maintenance. Make open PII-free data, especially if generated using public property or rights of way. Build in data collection and impact measurement in grant-making. Review current regulatory restrictions that may impede the creation of new types of data (e.g., FDA medical device rule). Develop a plan for the federal government (e.g., Commerce Department) to track the impact of the IoT. Develop common tools for information assessment, dissemination and engagement. Create a data infrastructure bank that provides anonymized versions of data from utility networks and transport infrastructure sensors, as well as from other sectors. Continue support for current government open data efforts (e.g., NOAA, anonymized health care billing data). Incentivize private investment in both infrastructure and innovative uses of IoT data. Improve federal, state and local agency use of data. Incentivize use of digital as a default strategy. Use long-term savings for capital expenditures, equipment and focused adoption efforts. Put users first, and understand how needs can be met through the IoT in ways that are agile and subject to iterative improvement. Focus on better data, mass customization, digital by design and budget incentives to promote adoption. Possibly develop a coalition of cities to address scale and resource issues. Identify gaps in data availability and subsidize production. SBA Initiative: Coordinate with state and local economic development groups to create actionable market intelligence about trends, supply chains, training, etc. Possibly develop “IoT startup-in-a-box.” Invite states, local governments and NGOs to participate in providing turnkey solutions (“Smart City-in-a-Box”), empowering anchor institutions.

Privacy by Design
Informational privacy discussions frequently turn to the need to design privacy protections into systems from the start. And so it is with the IoT. These design choices would set defaults about how much data and what kind is collected, how and where it is aggregated, and for what purpose it can be used.xiii Privacy-by-design principles recognize that individual control may be unrealistic as a practical matter. Moreover, as a matter of principle, there may be a social cost to lax privacy even where individuals are happy to relinquish it.

If we treat excessive sharing of personal information as a social cost, much as pollution is, then we might adopt the equivalents of pollution control strategies. EPIC’s Marc Rotenberg recommended that before an entity launches a new sensor network, it do a privacy impact assessment: “Do your privacy impact assessment up front, understand the risks that others might be exposed to, and then go ahead.” Comcast Corporation‘s Senior Strategic Advisor, Joe Waz, called this kind of practice “data hygiene”—determining what data needs to be collected and what shouldn’t be collected as a basic principle.

Environmental or seismic monitoring may not raise privacy concerns because they are unlikely, at least initially, to rely on personal information. By contrast, smart home and smart street applications will very likely raise concerns, whether the data is anonymized or not. Most experts acknowledge that in a world of big data, a large percentage of anonymized data can be re-identified and become personally identifiable.xiv The implementation of Fair Information Practice Principles (FIPPs) for all consumer-facing IoT applications thus becomes very important, as the FTC acknowledged in its 2015 IoT report.xv These principles are notice, choice, access, accuracy, data minimization, security and accountability. In the IoT world, the efficacy and cost of each practice is uncertain and variable. While it might be desirable to preserve choice for individuals to opt-out or control usage of their personal data, user choice will frequently be illusory in a ubiquitously sensed environment. This reality puts more pressure on privacy by design strategies to reduce risks of privacy breaches and impose liability for them.

In the world of the IoT, privacy by design that bakes in privacy protections to early-stage system design is even more important than it is in the Internet world because so many IoT applications have little or no user interface. The IoT is often invisible to individuals, using pervasive communications networks to process and convey information without any chance for individual intervention.xvi People can’t be constantly queried as they walk into a store or onto a street whether they consent to data gathering or whether they understand how their data will be used. To Danny Weitzner of the MIT CSAIL Decentralized Information Group, IoT transparency is a tricky concept: “It’s going to be hard to read privacy notices off of sensors scattered around the roadways.”

A recent report by the Federal Trade Commission acknowledged that it is not obvious how traditional data protection and FIPPs (e.g., data minimization, security, notice and choice) can be applied to the IoT.xvii The FTC report emphasized that practical difficulties in providing consumers with choice and meaningful transparency means there should be a greater reliance on privacy by design upfront, such as minimizing data collection and maximizing anonymization techniques.

A Lot of IoT Data Is Personal
Many sensor networks do not gather data from people. Neither NOAA meteorological sensors, nor NASA space sensors, nor a company’s gas pipeline need to gather personal data. Policymakers need not concern themselves too much with these kinds of applications as far as privacy goes. With respect to personal information, however, EPICS’s Marc Rotenberg and others suggested that any sensor network that gathers information on individual human activities is likely to have privacy implications even if it minimizes personally identifiable information.

Rotenberg argued that data anonymization should be a default rule, and where anonymization cannot be achieved, data should not be collected. Even where anonymization is possible, we must recognize that the possibilities for re-identification are legion. This was one of the themes of the 2014 International Privacy Conference, where privacy officials from around the world met to discuss the IoT and big data, issuing at the end the Mauritius Declaration.xviii Because “sensor data is high in quantity, quality and sensitivity,” they concluded that “the inferences that can be drawn are much bigger and more sensitive, and identifiability becomes more likely than not.” Similarly, the 2014 White House PCAST report flagged the difficulty of real and permanent anonymization in the big data context, where correlations from discrete data sets enable re-identification.xix

The digital dossiers emerging from the IoT might include not only online activities but also constant and perfect location tracking, eating habits, conditioning, sleep patterns, and so on. Therefore, the Declaration says that this data should be regarded and treated as personal data even when individual data points are not personally identifiable. It must be protected as a public good, as “a joint responsibility of all actors in society,” and not just a matter of individual choice. Many Conference participants reached similar conclusions. Marc Rotenberg expressed doubt that individuals have sufficient information or incentive to make privacy choices. Instead, these need to be macro choices about what kinds of architectures we want deployed. Like environmental protection, privacy protection is a societal value that can’t be achieved at the level of individual consumer actions.

But what to do? Is the standard menu of Internet privacy strategies sufficient, including transparency, user control and local processing of data? Conference participants disagreed about the appropriateness and adequacy of these strategies for the IoT.

Preserving Choice
While recognizing the difficulty of relying on individuals to police IoT data collection practices, there was discussion about giving people the right to exercise control over data gathering and usage where possible. These opt-in or opt-out scenarios are most closely associated with the civil liberties frame of privacy.

Some Conference participants argued that individuals should have recourse to a “cone of silence.” Others aspired to a “silence of the chips”xx or a “Do Not Track” for the IoT. Marc Rotenberg said, “I think we really need to talk about the off switch.” As data flows away from us through our health and ambient temperature monitors, all the processing takes place in the background. Rotenberg continued that the consumer has “no notice and choice, so we really need to get serious about the intrusions that are entirely opaque to consumers.”

MIT’s Danny Weitzner emphasized the importance of “protecting an individual’s zone of solitude or control or autonomy…in relation to all this data being collected.” He suggested that the solution might be to allow a user to enter a room and know, based on some notice that pops up on a mobile device, “here’s the privacy status of this room.” You can leave or you can push a button to exclude yourself from data collection. Joanne Hovis, of CTC Technology & Energy, also emphasized the importance of being able to check-out of sensor networks.

But Eli Noam, Director of the Columbia Institute for Tele-Information and Garrett Professor of Public Policy and Business Responsibility at Columbia Business School, cautioned that individual opt-outs may result in bad data, with especially harmful consequences for efforts to monitor and control disease outbreaks. The Boston-based app called Streetbump seeks to use individuals as sensor networks to crowdsource information about where there are potholes that need to be filled in the municipality. Voluntary participation means that where people agree to download and use the app will determine whose potholes become visible. As much as privacy may be a public good, there are countervailing public goods that are advanced by full participation in sensor networks.

Relatedly, as IoT applications become more pervasive, it may become more difficult to maintain the opt-out option. Consider the trivial example of EZPass or other sensor-based smart card payment systems. Society has to decide that it will maintain an alternate payment system for those who want to opt-out. Or institutions can try to adopt systems where non-PII is shared. Atkinson remarked that he would be more inclined to support these kinds of opt-outs as long as the individual opting out did not impose “negative externalities” on everyone else. By removing their data from the analytical “pool,” what is rational for the individual can be irrational for society. To counter this, we may want to consider systems where those who opt-out should pay for any added expense imposed by their choices. Opting for privacy, as has been well-documented, is expensive.xxi

Data Aggregation and Location
Others, such as New Street Research’s Jonathan Chaplin, said that the privacy protection measures should not be designed into data collection functions, but into protocols around data usage. What we should worry about is that data can be used in harmful ways, not that some set of data has been assembled.

David Hoffman, Director of Security Policy and Global Privacy Officer for Intel Corporation, refined this idea. He thought that the most important moment in the life of IoT data is neither the moment of its collection nor the moment of its usage. Rather, what’s most important is the point of aggregation. Where data is aggregated will impact how it is used. Data can reside locally in the things that transmit, receive and process it. At the other extreme, data can reside in the distant cloud. In between, there is the “fog”—a repository for data that is more proximate than the cloud, perhaps aggregating data at the individual or institutional level.xxii Proponents of privacy by design will often advocate for data localization as a way to reduce the risks of privacy-compromising re-identification and unwanted usages. For privacy, security and efficiency reasons, Cisco’s Bob Pepper advocated the use of “fog” storage as an alternative to cloud storage.

Hoffman agreed that if the data is held at or near the point of collection, data privacy and usage controls will be easier to enforce. If the data is aggregated more centrally, it becomes an attractive target for theft and runs the risk that advanced analytics will be used against the larger data set. Hoffman emphasized, however, that there is a trade-off here. More centralized data storage may yield more efficient and useful data analytics. So, for example, you might want to insist on surveillance video being stored locally at the edges of the network for processing rather than being aggregated in some more central place where it can be cross-referenced with lots of other data (and rather than not being collected at all). This local storage will promote privacy interests, though probably at the price of some utility.

Another issue in designing networks is how long to retain data in order to mitigate risk. Hoffman said he prefers to think of the assessment as a risk assessment rather than a privacy assessment “because there are non-privacy risks that emerge from access to this huge quantity of data that we’ll have from sensors.” These include security concerns, like a terrorism risk. These risks can be reduced if data doesn’t hang around forever.

Christine Varney of Cravath, Swaine & Moore LLP, raised the possibility of data minimization policies that “make data evaporate after certain periods of time.” But Weitzner worried that it was “magical thinking” to base policy on the ability to destroy data after its principal use: “You either have to define primary purpose so narrowly that we'll lose huge benefits from the data, or you define it so broadly that it's completely meaningless.” We might want to know, for example, what happened to someone 40 years ago in order to understand disease patterns. Columbia University’s Eli Noam said he believes we can solve this problem by having presumptions about the longevity of data collection that can be overcome in particular use cases.

On the issue of personal information, David Hoffman noted that the reason the OECD has eight different Fair Information Practice Principlesxxiii is because some of what’s not personally identifiable information can become identifiable in the future, so different restrictions are required at different stages. He thinks that it might be time for comprehensive federal privacy legislation “with the idea that we can articulate a process that would describe socially productive uses for data that should be allowed, and uses that we would never allow for data.”

Risk-Reward
In the end, Weitzner noted, we have to face the real challenge: “We want lots of benefits from this data, and we’re unlikely to give most of those up, so we'd better figure out how to make sure that people aren't harmed in the process.”

One example of this risk-reward trade-off is the issue of territorial data localization. Bob Pepper of Cisco emphasized the global nature of the IoT. If the function of the IoT is to convert data to knowledge and then to actionable intelligence, then he thought we should be wary of the data localization policies currently being considered and adopted around the world. These could present significant barriers to the most innovative uses of data. The argument is that data localization requirements are incompatible with the free flow of data and optimal (distributed) system architecture.

For the most part, Conference participants seemed to think that IoT privacy approaches should be risk-based depending on the kind of data collected. We should not view privacy protections as binary, but rather should adopt different levels of control depending on the risks to privacy. The group produced the following risk categories, recognizing that lots of data (e.g., location information) fall between or across categories:

Category 1: Clear risk of misuse or harm from personal information (or easily re-identifiable information) on sensitive matters. Examples would be health information and associations. Possible control: requirements like the Fair Credit Reporting Act and the Genetic Information Nondiscrimination Act to ensure data accuracy, decisional fairness, user control, accountability mechanisms and possibly collection restrictions.

Category 2: Lower risk of misuse or harm from personal information (or easily re-identifiable information) on less sensitive matters. Examples would be information on purchasing choices or energy usage, where the purpose of data use is for marketing and less consequential profiling. Possible control: user control mechanism.

Category 3: Very little risk of misuse or harm from non-personal information (with no re-identification). Examples: environmental pollution, traffic patterns. No controls.

Marc Rotenberg of EPIC did not support this taxonomy and cautioned that the better approach is one that simply distinguishes between data that is personally identifiable and data that is not. IoT systems should be designed to avoid collecting PII at all by using privacy enhancing techniques. Where systems do collect PII, Rotenberg said they should employ Fair Information Practice Principles: “This line between PII and non-PII is key for privacy and for innovation, as the collection of personal data necessarily carries responsibilities and liability, while techniques that achieve the same outcomes without PII avoid these regulatory burdens.”

Privacy Recommendations Basic Principles: (1) IoT systems should design in privacy controls that minimize collection of personally identifiable information; (2) IoT systems should effectuate Fair Information Practice Principles to the extent possible, including anonymization and data minimization; (3) individuals should have a way to control collection and transmission of their personal data. IoT applications should minimize the collection and retention of personally identifiable information, recognizing that non-PII may become PII once analytics have been applied. IoT systems should implement Fair Information Practice Principles, including transparency (machine readable) about data collection and use, data minimization, and consumer access and opportunity to correct. There should be an individual right to disconnect (not feasible in all cases). The privacy value of processing as much data as possible locally must be balanced against the utility of aggregating data. There needs to be accountability through mandatory logging of all transactions. There should be individual right of access and tools for analysis to reveal responsibility for rules violations.

Equity, Inclusion and Opportunity
Data as infrastructure raises prospects of citizen empowerment and, likewise, of disempowerment. Who and what is “checked-in” to the network, who and what becomes visible as a result of data sharing, who has power, and who is subject to unwanted surveillance or control? As our environments become smarter, they may adjust to our presence in ways that presuppose our wishes and needs. The delivery of services then becomes smarter for those who are sensed accurately, but faulty predictions and un-sensed needs are problems.

Ensuring that the IoT becomes an IoT for everyone requires attention to the same technology adoption issues that have long troubled broadband rollouts. Lee Rainie, Director of the Pew Internet & American Life Project, thought that we ought to apply learning from the broadband adoption literature to the IoT. It takes lots of tech support and convincing non-adopting members of the public that there’s a value proposition for them. Shawn Chang of the U.S. House Committee on Energy and Commerce emphasized the need to subsidize buildout for underserved communities. Julia Johnson, President of Net Communications, focused on digital literacy as a key component, as well as empowering anchor institutions and community-based groups to bridge gaps in technology diffusion.

The broadband adoption experience teaches that we should have technology adoption strategies for (consumer-facing) IoT systems that aim at full participation. Blair Levin, a Fellow in the Aspen Institute Communications and Society Program, worried that the IoT “is not a very attractive vision, particularly for the under-adopting community” because it’s about things. He thought that proponents need to communicate a vision of the collective goods that are created, and not just private or consumer goods. There must be a narrative about the IoT that is about more than smart toasters and smart energy. The IoT must not only respect privacy but also give people agency, a sense that they’re empowered to contribute, and an understanding about how personal inputs create a desirable broader outcome.

In order to make the IoT interesting to low adopters, there has to be data that’s relevant to those communities. Shawn Chang also emphasized respect: “You can’t just come into a community and tell them: ‘This is what you need and this is the value proposition for you.’” It’s important to empower leaders within communities to demonstrate the benefits of adoption and to shape the kinds of sensor networks that are developed.

Data discrimination is a big concern, as noted in the White House report on big data.xxiv The IoT produces data from an ever expanding array of sources and experiences. As big data becomes bigger, data correlations that could lead to discriminatory actions become ever more difficult to understand or even identify.xxv Nicole Turner-Lee, Vice President and Chief Research & Policy Officer of the Minority Media and Telecommunications Council, urged consideration of economic disparities when it comes to the IoT. The Fitbit device that tracks exercise, diet, and sleep patterns, is being used to lower insurance premiums or create other entitlements.xxvi What happens to the poor, the chronically ill, and others who, for whatever reason, are not introduced to these technologies? Jonathan Barzilay, Director of Freedom of Expression at the Ford Foundation, urged, “If there is some health benefit that derives from having a home or body that is connected to the IoT, we have to ask who gets to participate in that benefit?” This is a matter of fairness, but also efficiency. Where there are network effects, everyone gets better when anyone gets better. For example, Barzilay pointed out that “if there’s a highway where one-third of the cars have perfect information and two-thirds that are distracted and confused, you’re not actually going to realize the benefits.”

Turner-Lee raised the difficulty of distinguishing between the mere convenience and the necessity of participating in the IoT. When a public benefits agency requires its beneficiaries to wear a Fitbit, the choice about IoT ceases to be a real choice, but a matter of health care. She thinks that the energy sector provides an excellent opportunity to address the issue of how the IoT can be used to foster equity among consumers: “Low‑income families spend about 35 percent of their net income on their energy bill, and people on fixed income rely upon stable energy pricing in order to make ends meet. The energy industry is still relatively highly regulated. Therefore, government has some leverage here to make the IoT work in ways that bring economic benefits to the most people.”

She noted that in some areas, there are vertically integrated utilities that have a lot of rich data that is not being put to the best use. How can that data be opened up? Another source of opportunity is the technology shift that’s already happening to smart grids, smart meters and other power-saving incentives. Julia Johnson observed that “we're seeing a friction between environmental groups and low‑income groups, because low‑income groups believe that most of the advances being proposed to help the environment will negatively impact their ability to pay their bills and then be productive citizens.” We should think about how IoT data might show that some existing energy pricing mechanisms are regressive, while other new mechanisms could benefit the environment and low-income communities at once. This would be “a real win/win.”

Broadband adoption and inclusion efforts not only inform our understanding of the IoT future; broadband access and adoption are prerequisites for equitable IoT deployment. Returning to a central plank in the broadband adoption platform, Aspen Fellow Blair Levin urged that governments use the IoT as another prompt to ensure agencies adopt a digital-first strategy to move all government services to digital, thereby spurring digital adoption: “The Internet of Things cannot be all that it should be unless everybody is on, and we have to get everybody on the Internet before everyone is on the IoT, and getting everybody on requires digital readiness, not just connectivity.” A Brookings Institute report, Getting Smarter About Smart Cities, similarly concluded that smart cities have to prioritize broadband and educational inclusion.xxvii Recent efforts to extend the functionality and reach of public libraries have similarly emphasized the role of community anchor institutions in democratizing technological advances.xxviii Several Conference participants emphasized the potential role of anchor institutions in making IoT innovations available and meaningful to community members who trust and have access to local health clinics, schools and libraries.

To avoid the retrofitting that has characterized the Internet with respect to disabled access, Fernando Laguarda, Time Warner Cable’s Vice President, External Affairs and Policy Counselor, stressed the importance of designing accessibility into the IoT from the start: “There's a lot of benefit to the government’s getting in early to establish the importance of inclusion, accessibility and engineering design principles that foster inclusion.”

For example, the IoT presents great opportunities to design sensor networks for medical telemetry in ways that make services more accessible for individuals with disabilities. Touch screens may be difficult to manipulate, and if these concerns were considered in advance, we could design intelligent home products and services that are accessible for everyone, and we would have a better deployment when it comes to being able to include a community that depends a lot on automation. Danny Weitzner of the MIT CSAIL Decentralized Information Group argued that accessibility does not need to be engineered from scratch: “What you really want is to make sure that IoT apps have general web accessibility (HTML5) compliance built into them.”

Kevin Werbach, Associate Professor of Legal Studies at the Wharton School, said he was concerned that masses of IoT-generated data increase the dangers of institutions acting in a discriminatory or anti-competitive manner. The risk was of “algorithmic monopolies”—a topic of heated discussion in big data and digital platform regulatory debates. There was some pushback coming from Marjory Blumenthal of the President's Council on Science and Technology and Danny Weitzner about the focus on algorithms as an object of regulatory interest rather than the anti-competitive or discriminatory behaviors they might abet.

Equity, Inclusion and Opportunity Recommendations Basic Principles: (1) Inclusion by design should be built into IoT systems to ensure accessibility to disabled and underserved, (2) IoT rollouts should benefit the entire population and small businesses. The federal government should convene engineers/user groups to develop specifications for inclusion by design, including accessibility specifications. Industry should be encouraged to adopt these specs and the government should use them for procurement. SBA, NIST and the Manufacturing Extension Partnership should initiate a Startup America initiative around the IoT, including coordination with state and local economic development groups to develop actionable market intelligence for small business. IoT participation incentives should be directed in a way that promotes social inclusion (e.g., energy credits). The IoT rollout must avoid technology redlining. Cities need narratives about how IoT systems benefit the public in terms of economic, social and civic advancement.

Civic Engagement
Social inclusion is one concern in rolling out the IoT, lest segments of the population be left behind. Civic participation is another concern, lest new IoT technologies fail to realize their potential for increasing democratic accountability. How can we use IoT-connected devices to enable and promote civic engagement?

Communications and Society Fellow Blair Levin suggested that “you actually want to see if all of this technology that we're creating does something to improve the way we collectively build the human enterprise.” Citizen engagement should be at the forefront so that when government or even the private sector deploys sensor networks, they should be thinking about how to build in opportunities for citizen feedback about how their institutions and services are being run. This is like the “talk back” or comment component of the Internet. One might think of it as “feedback by design.”

Stefaan Verhulst of NYU’s GovLab saw the challenge in this way: “How can we empower citizens to use the wearables that they already have to increase and improve the services that are delivered to them?” The IoT can transform the availability of feedback, moving away from mere civic petitioning. “We can also use these sensors for co-creation so that we actually can start developing improved services themselves and share feedback.”

David Hoffman of Intel connected the issue of citizen engagement to privacy controls. He noted that “the same kinds of interfaces that would allow people to express their feedback about the cleanliness of public bathrooms could also be used to express choices about how people want their data to be collected from a privacy perspective.” For example, Intel has made a large investment in a headphone company. A new earbud product will be able to read a lot of information about individuals and their health data, as well as information about the surrounding environment, including noise levels. One could imagine that government would like that information in order to assess noise pollution in particular areas. We might want a principle that prevents the government from collecting that data without individual consent. We might also want to engage citizens in a discussion about what amount of noise pollution is unacceptable.

Reed Hundt of the Coalition for Green Capital provided an example of how the IoT could transform regulatory compliance. For example, the FCC is increasingly unable to monitor compliance with its rules. Hundt posited a net neutrality rule that all consumers who pay for a certain broadband speed are entitled to get all their content at that speed. There could be a requirement that consumer devices record broadband speeds and report back to a centralized hub, allowing regulators and service providers (and consumers) to know when the rule is violated.

Citizen Engagement Recommendations Basic Principles: IoT systems should engage citizens in making their governments more accountable and technology deployment more useful. Governments should experiment with pilot projects to enable immediate citizen feedback to government services, using push polls and sensor data. The feedback will inform government on experiments in the IoT such as location-based service delivery systems and IoT in public places. It will enable citizens as sensors to provide actionable intelligence on matters of importance to them. Citizens should be empowered to use wearables to improve services.

Telecommunications Network Architecture
IoT network technology that is open may better promote competition and service innovation. On the other hand, many applications may be so embedded in industrial applications that interoperability is unnecessary and merely exposes systems to added expense and insecurity. Most likely, the ecosystem will be a mixture of open and closed systems, but the appropriate mixture and the points of possible intervention present a governance challenge.

Government has long played a convening role that can help to promote interoperability using the U.S. voluntary standard setting context. The White House Office of Science and Technology Policy has demonstrated the capacity and interest to convene parties to discuss innovation issues, including interoperability. The Commerce Department’s National Institute of Standards and Technology (NIST) can make an important contribution. Marjory Blumenthal, Executive Director of the President's Council on Science and Technology, said NIST should be encouraged “to play a role in global standards setting because we don’t want to be in a situation where somebody else in another country with a different economic structure and different innovation base is trying to push standards on us.”xxix

Most IoT connectivity will be conducted over wireless networks. Werbach of the Wharton School noted that wireless capabilities designed for 300 million mobile phones will have to scale to accommodate 50 billion IoT devices. We will also depend on wired infrastructure to move more data and move it farther.

The majority of connected things will place trivial demands on the network. Columbia University’s Eli Noam noted that most IoT applications will generate only “a trickle” of data, which he estimated for the United States being no more than 200 gigabits per second: “The entire machine-to-machine bursty traffic will be less than my Manhattan apartment building’s traffic on Netflix at night.” Noam acknowledged that there will be applications, like security cameras and telemetry, which will place more substantial demands on the network. Continuity of data transmission will also vary hugely. Some IoT applications will transmit constantly, for example video cameras, while others will be intermittent. It is this heterogeneity that makes network configuration complicated.

Another network challenge is interoperability. Do differential bandwidth demands argue for separate networks? For Noam, this is a desirable outcome. Noam suggested it would be preferable “to have different countries and different companies, different industry constellations” having different network arrangements competing with each other. For some applications, either for privacy (health) or national security (electrical grid), we would not want the equivalent of a public Internet for the IoT, he maintains. It is also very likely that providers of these applications will come very quickly to monopolize their verticals. Robert Atkinson of ITIF disagreed and noted that it should and will be interoperable IP traffic even if some data does not run on the public Internet. Atkinson observed that it isn’t necessarily bad to have private networks. It all depends on the consequences.

Is it possible that network heterogeneity taken too far could frustrate competition and innovation? Are we better off with a real Internet of Things, with highly interconnected networks, connections across verticals (home, health, transport) and common platforms? As in other technology roll-outs, there are the trade-offs between having APIs being open to competing devices and locking users into a particular ecosystem. Conference participants’ disagreement about the appropriate balance between interconnectivity and heterogeneity at the level of network architecture echoed other disagreements about open vs. proprietary data and data analytics and, of course, reflects fundamental differences about how best to promote innovation.

Privacy, security, cost, competition, innovation and access may all hang in the balance. A highly interconnected IoT could reduce costs, increase functionality and spur innovation and competition for applications that use common standards. On the other hand, the more interconnected the IoT is, the greater are the privacy and security risks. There may be no reason for your car to speak to your refrigerator, and no reason that they should be using anything like common APIs or continuous addressing. On the other hand, society may have a greater interest in ensuring that pollution data gathered by disparate private and public sensor networks is made available in ways that make it useful for a wide array of health devices. European Union regulators have begun to ask whether it is better to have heterogeneous networks of things and distinct addressing systems around the world, or whether there should be some coordination and harmonization. The responses have been decidedly mixed.

Security
Given the vast interconnectivity of things envisioned, IoT development could increase security vulnerabilities at both the level of individual devices and at systemic levels. Scary scenarios have penetrated media narratives. Writers for the Showtime thriller Homeland scripted the remote murder of the fictional vice president by means of hacking into a cardiac device.xxx Researchers have shown that they can remotely hack into an automobile to control the car’s basic functions.xxxi Real hackers had no trouble getting into the connected home security cameras of TRENDnet’s SecurView in 2013. In a Federal Trade Commission enforcement action, the government found that a system marketed as “secure” was in fact run on faulty software that left cameras open to online viewing, and in some cases listening, by anyone with the cameras’ Internet address.xxxii

A recent Hewlett Packard study of the 10 most popular consumer IoT applications revealed that most of these devices had security vulnerabilities ranging from insufficiently strong password protection to lack of encryption. Most collected some form of personal information, such as name, address, date of birth, health information and even credit card numbers, and then connected this data flow to the cloud. Once this information is transmitted unencrypted on a home network, “users are one network misconfiguration away from exposing this data to the world via wireless networks.”xxxiii

In 2008, the National Intelligence Council released a study of long-term risks to U.S. national security interests. The IoT was one of them. Its study modeled different implementation and adoption scenarios of the IoT and found opportunities and risks. Starting with the opportunities, it found that “if the United States executes wisely, the IoT could work to the long-term advantage of the domestic economy and to the U.S. military. Streamlining—or revolutionizing—supply chains and logistics could slash costs, increase efficiencies and reduce dependence on human labor.” It went on to note that the “ability to fuse sensor data from many distributed objects could deter crime and asymmetric warfare.”xxxiv

The report also offered this view of the future:
[B]y 2025, robotic supply chains are common and considered more secure and less prone to human tampering than traditional shipping and receiving. At ports, containers report their contents to heavy equipment, which routes goods to trucks automatically; at distribution points, pallets and forklifts similarly communicate and route goods which arrive in stores largely untouched by human hands. RFIDs in individual food packages drive popular adoption of RFID readers in cell phones that provide an indication of food origins and provenance.xxxv

But there are also risks. The very same technologies that are adopted to reduce security risks may actually exacerbate them. These technologies may make supply chains more vulnerable as mission-critical material arriving on U.S. shores are contaminated by malware. The study warned that “an open market for aggregated sensor data could…help criminals and spies identify vulnerable targets.” Despite best efforts, “We may be unable to deny access to networks of sensors and remotely-controlled objects by enemies of the United States, criminals and mischief makers. Foreign manufacturers could become both the single-source and single-point-of-failure for mission-critical Internet-enabled things. Manufacturers could also become vectors for delivering everyday objects containing malicious software that causes havoc in everyday life.”xxxvi

Conference participants expressed concern about these and other security vulnerabilities. They considered whether IoT systems and device providers should have to make security vulnerability notifications, similar to data breach notifications that many states require today for large data processors.xxxvii So, for example, if the vendor of automatic license plate readers finds that there’s a vulnerability and the system is hackable, it would have to notify the authorities and the public. Participants also discussed the possibly of a product liability framework around IoT devices. Generally, software, as a service, is excluded from product liability regimes, which focus on goods. The IoT combines the software service and the hardware good into a single actuator and, therefore, clouds the distinction between goods and services.

Intel’s David Hoffman raised the issue of large appliances that are connected to the IoT but not replaced as frequently as the Internet devices most used today. In these cases, there will be many devices whose software cannot be adequately updated and thus present a problem for the entire network. He proposed a rule to sunset these devices before they can export their vulnerabilities into the network: “If the devices are not affirmatively renewed, they should die at some point.”

The 2015 FTC report on the Internet of Things noted that for many IoT devices “if a vulnerability were discovered after manufacture, it may be difficult or impossible to update the software or apply a patch.”xxxviii A leading scholar of the IoT has proposed as a central governance principle that devices “should have some knowledge about their own functionality and be able to ‘call for help’ in case of failure.”xxxix

IoT security vulnerabilities start at the point of data collection. Most of the sensors currently deployed are simply not capable of establishing an encrypted link for communications because they have been designed to optimize battery power and minimize computing requirements. This is the finding of the EU’s Article 29 Data Protection Working Party.xl FTC Chairwoman Edith Ramirez emphasized that “data security is huge when it comes to the Internet of Things. As a general matter, companies today are not doing enough on this front. Government needs to set standards.”

Security Recommendations Basic Principles: (1) Device reliability, (2) data integrity, and (3) safety for active systems IoT systems should adopt security-by-design principles, deploying risk-based security measures. Governments should continue to develop protection, disaster response and redundancy plans for critical-infrastructure, focusing on the special threats that the IoT poses. The private sector and government should adopt expiration dates for autonomous IoT devices. There should be NIST standards development for safety and security practices, including resilience after a breach (e.g., cybersecurity framework, encryption).

ENDNOTES