Lachlan Urquhart

HC
7 papers
233 citations
Novelty 15%
AI Score 16

7 Papers

CR May 25, 2021
'They're all about pushing the products and shiny things rather than fundamental security' Mapping Socio-technical Challenges in Securing the Smart Home

Jiahong Chen, Lachlan Urquhart

Insecure connected devices can cause serious threats not just to smart home owners, but also the underlying infrastructural network as well. There has been increasing academic and regulatory interest in addressing cybersecurity risks from both the standpoint of Internet of Things (IoT) vendors and that of end-users. In addition to the current data protection and network security legal frameworks, for example, the UK government has initiated the 'Secure by Design' campaign. While there has been work on how organisations and individuals manage their own cybersecurity risks, it remains unclear to what extent IoT vendors are supporting end-users to perform day-to-day management of such risks in a usable way, and what is stopping the vendors from improving such support. We interviewed 13 experts in the field of IoT and identified three main categories of barriers to making IoT products usably secure: technical, legal and organisational. In this paper we further discuss the policymaking implications of these findings and make some recommendations.

CY Jul 15, 2020
The Moral-IT Deck: A Tool for Ethics by Design

Lachlan Urquhart, Peter Craigon

This paper presents the design process and empirical evaluation of a new tool for enabling ethics by design: The Moral-IT Cards. Better tools are needed to support the role of technologists in addressing ethical issues during system design. These physical cards support reflection by technologists on normative aspects of technology development, specifically on emerging risks, appropriate safeguards and challenges of implementing these in the system. We discuss how the cards were developed and tested within 5 workshops with 20 participants from both research and commercial settings. We consider the role of technologists in ethics from different EU/UK policymaking initiatives and disciplinary perspectives (i.e. Science and Technology Studies (STS), IT Law, Human Computer Interaction (HCI), Computer/Engineering Ethics). We then examine existing ethics by design tools, and other cards based tools before arguing why cards can be a useful medium for addressing complex ethical issues. We present the development process for the Moral-IT cards, document key features of our card design, background on the content, the impact assessment board process for using them and how this was formulated. We discuss our study design and methodology before examining key findings which are clustered around three overarching themes. These are: the value of our cards as a tool, their impact on the technology design process and how they structure ethical reflection practices. We conclude with key lessons and concepts such as how they level the playing field for debate; enable ethical clustering, sorting and comparison; provide appropriate anchors for discussion and highlighted the intertwined nature of ethics.

HC Jun 19, 2020
On the Principle of Accountability: Challenges for Smart Homes & Cybersecurity

Lachlan Urquhart, Jiahong Chen

This chapter introduces the Accountability Principle and its role in data protection governance. We focus on what accountability means in the context of cybersecurity management in smart homes, considering the EU General Data Protection Law requirements to secure personal data. This discussion sits against the backdrop of two key new developments in data protection law. Firstly, the law is moving into the home, due to narrowing of the so-called household exemption. Concurrently, household occupants may now have legal responsibilities to comply with the GDPR, as they find themselves jointly responsible for compliance, as they are possibly held to determine the means and purposes of data collection with IoT device vendors. As a complex socio-technical space, we consider the interactions between accountability requirements and the competencies of this new class of domestic data controllers (DDCs). Specifically, we consider the value and limitations of edge-based security analytics to manage smart home cybersecurity risks, reviewing a range of prototypes and studies of their use. We also reflect on interpersonal power dynamics in the domestic setting e.g. device control; existing social practices around privacy and security management in smart homes; and usability issues that may hamper DDCs' ability to rely on such solutions. We conclude by reflecting on 1) the need for collective security management in homes and 2) the increasingly complex divisions of responsibility in smart homes between device users, account holders, IoT device/software/firmware vendors, and third parties.

HC Jan 22, 2018
Avoiding the Internet of Insecure Industrial Things

Lachlan Urquhart, Derek McAuley

Security incidents such as targeted distributed denial of service (DDoS) attacks on power grids and hacking of factory industrial control systems (ICS) are on the increase. This paper unpacks where emerging security risks lie for the industrial internet of things, drawing on both technical and regulatory perspectives. Legal changes are being ushered by the European Union (EU) Network and Information Security (NIS) Directive 2016 and the General Data Protection Regulation 2016 (GDPR) (both to be enforced from May 2018). We use the case study of the emergent smart energy supply chain to frame, scope out and consolidate the breadth of security concerns at play, and the regulatory responses. We argue the industrial IoT brings four security concerns to the fore, namely: appreciating the shift from offline to online infrastructure; managing temporal dimensions of security; addressing the implementation gap for best practice; and engaging with infrastructural complexity. Our goal is to surface risks and foster dialogue to avoid the emergence of an Internet of Insecure Industrial Things.

HC Jan 22, 2018
Realising the Right to Data Portability for the Domestic Internet of Things

Lachlan Urquhart, Neelima Sailaja, Derek McAuley

There is an increasing role for the IT design community to play in regulation of emerging IT. Article 25 of the EU General Data Protection Regulation (GDPR) 2016 puts this on a strict legal basis by establishing the need for information privacy by design and default (PbD) for personal data-driven technologies. Against this backdrop, we examine legal, commercial and technical perspectives around the newly created legal right to data portability (RTDP) in GDPR. We are motivated by a pressing need to address regulatory challenges stemming from the Internet of Things (IoT). We need to find channels to support the protection of these new legal rights for users in practice. In Part I we introduce the internet of things and information PbD in more detail. We briefly consider regulatory challenges posed by the IoT and the nature and practical challenges surrounding the regulatory response of information privacy by design. In Part II, we look in depth at the legal nature of the RTDP, determining what it requires from IT designers in practice but also limitations on the right and how it relates to IoT. In Part III we focus on technical approaches that can support the realisation of the right. We consider the state of the art in data management architectures, tools and platforms that can provide portability, increased transparency and user control over the data flows. In Part IV, we bring our perspectives together to reflect on the technical, legal and business barriers and opportunities that will shape the implementation of the RTDP in practice, and how the relationships may shape emerging IoT innovation and business models. We finish with brief conclusions about the future for the RTDP and PbD in the IoT.

HC Jan 22, 2018
White Noise from the White Goods? Conceptual and Empirical Perspectives on Ambient Domestic Computing

Lachlan Urquhart

Within this chapter we consider the emergence of ambient domestic computing systems, both conceptually and empirically. We critically assess visions of post-desktop computing, paying particular attention to one contemporary trend: the internet of things (IoT). We examine the contested nature of this term, looking at the historical trajectory of similar technologies, and the regulatory issues they can pose, particularly in the home. We also look to the emerging regulatory solution of privacy by design, unpacking practical challenges it faces. The novelty of our contribution stems from a turn to practice through a set of empirical perspectives. We present findings that document the practical experiences and viewpoints of leading experts in technology law and design.

HC Jan 22, 2018
Demonstrably Doing Accountability in the Internet of Things

Lachlan Urquhart, Tom Lodge, Andy Crabtree

This paper explores the importance of accountability to data protection, and how it can be built into the Internet of Things (IoT). The need to build accountability into the IoT is motivated by the opaque nature of distributed data flows, inadequate consent mechanisms, and lack of interfaces enabling end-user control over the behaviours of internet-enabled devices. The lack of accountability precludes meaningful engagement by end-users with their personal data and poses a key challenge to creating user trust in the IoT and the reciprocal development of the digital economy. The EU General Data Protection Regulation 2016 (GDPR) seeks to remedy this particular problem by mandating that a rapidly developing technological ecosystem be made accountable. In doing so it foregrounds new responsibilities for data controllers, including data protection by design and default, and new data subject rights such as the right to data portability. While GDPR is technologically neutral, it is nevertheless anticipated that realising the vision will turn upon effective technological development. Accordingly, this paper examines the notion of accountability, how it has been translated into systems design recommendations for the IoT, and how the IoT Databox puts key data protection principles into practice.