Ethical considerations for the Web of Things

From Web of Things Community Group

With sensors and actuators throughout cities and homes, there is a risk that the Web of Things is abused by regimes wanting to take surveillance of their citizens to the extreme, so that Big Data == Big Brother (see George Orwell's dystopian novel "Nineteen Eighty-Four"). Other fears relate to abuse of privacy by companies that collate information to build detailed profiles on users, or which purchase or otherwise obtain data collected by the state. If insufficient attention is paid to security, this could open the door to discrimination and criminal activities.

A more recent perspective is given in Dave Eggers's novel "The Circle". The Guardian columnist Simon Jenkins (front page, 25 October 2013) describes the novel as satirising Silicon Valley's "completion of the singularity". Each person becomes a global avatar, bugged and followed 24 hours a day. The trail we leave in our online activities, together with pervasive sensors and ever smarter software, will make it ever easier to track people throughout their lives in intimate detail.

The Pew report on The Future of Big Data includes quotes from people who are concerned about the potential negative impact. Separately, Ajit Jaokar suggests that Open Source could be helpful, as many eyes can help to detect security backdoors and potential security exploits that snoopers could take advantage of.

This page is intended for an exploration of the ethical issues associated with the Web of Things, and some of the ways that we can create technical, social and legal safeguards to limit abuse.

Pervasive Surveillance

The disclosures by Edward Snowden of the activities of the US NSA and the UK GCHQ have shone a light on the ability of state institutions to gather information on a massive scale by tapping Internet cables, and through backdoor arrangements with Internet companies.

The Web of Things threatens to enable even richer surveillance through sensors in people's homes, on their person (smart phone, health monitors), in the street, in stores and at work. Whilst most people agree with the need for surveillance to counter terrorism, the fear is that once gathered the information will be accessible for other purposes, and could be used to discriminate against people based upon their personal habits, employment status, religion, their friends and relations, and so forth.

To avoid this, laws and codes of practice have been drawn up, e.g. the following document on the use of the widely deployed surveillance cameras in the United Kingdom:

According to the New York Times, US agencies have pressed the NSA for access to surveillance data. This includes agencies working to curb drug trafficking, cyberattacks, money laundering, counterfeiting and even copyright infringement. The NSA claims to limit use of their data to avoid misuse that violates Americans' privacy.

In the UK, restrictions have been placed upon local authorities to limit their ability to authorise directed surveillance, e.g. to investigate benefit fraud or to gather evidence of anti-social behaviour. The revisions to the law state that authorising officers may not approve directed surveillance unless it is for the purpose of preventing or detecting a criminal offence.

Unfortunately, the laws and codes of practice may be breached by individuals able to work around the system. Examples include:

The risk of such abuse is likely to rise as the Web of Things expands. Countermeasures include increased security, and audit trails of who accessed what data, when and for which reasons.

Combining the Internet of Things with other sources of information

Search engines, advertisers, websites and others collect information on how people are using their services. This can be used to provide personalized services and more relevant advertising, but it presents a risk of abuse when data is put to purposes other than the intended ones. Data retention is an issue, e.g. where teenage photos surface in later life. A further problem arises when mistakes are made, as it can be hard to track down and correct them. Such mistakes could be intentional, e.g. an attempt to place misinformation to damage someone's public standing or creditworthiness. Criminals can break into corporate websites to gain illegal access to records, e.g. for identity theft and the use of credit card details for fraud.

There are increasing concerns over fingerprinting, where multiple cues are combined to uniquely identify a device, and hence the user, even when that user has indicated a desire not to be tracked. The use of cloud-based services threatens to make this worse through the ability to combine personal data from sensors with other sources of information.

Implications for Standardization

Security and privacy are important considerations for proposed standards. The W3C Web Security Interest Group's mission is to serve as a forum for discussions on improving standards and advancing the security of the Web. This includes review of specifications proposed by other W3C groups. The W3C Device APIs Working Group, for example, closely examines API specifications to minimize personal information leaked through the use of those APIs. Trusted applications are able to get richer access to the device and personal data, but this trust needs to be justified, e.g. through external review, and the reputation of the application developers.

Standards for the Web of Things will need to carefully consider security and privacy, and this has implications for how identity, authentication, provenance and access control are managed.