
2019 | OriginalPaper | Chapter

12. End-User Engagement, Protection and Education

Authors: Adrian Quesada Rodriguez, Sébastien Ziegler, Christopher Hemmens, Ana Maria Pacheco Huamani, Cesco Reale, Nathalie Stembert, Drew Hemment, Rob Heyman, Jonas Breuer, Dejan Drajic

Published in: Internet of Things Security and Data Protection

Publisher: Springer International Publishing


Abstract

This chapter will focus on the human factors and more specifically how end-users can be engaged, informed and associated with IoT deployments, to minimise the legal, financial and reputational risks. It will present the achievements of U4IoT and CREATE-IoT projects in the context of the five European large-scale pilots on IoT.


Footnotes
3
Galton, Francis (1907-03-07). “Vox Populi” (PDF). Nature. https://doi.org/10.1038/075450a0. “The middlemost estimate expresses the vox populi”.
 
4
Surowiecki, James. 2005. The wisdom of crowds. New York: Anchor Books.
 
5
The EU’s General Data Protection Regulation (GDPR) is a sweeping change to privacy and data protection in Europe and is explained in detail in a later section of this chapter.
 
7
Sanders & Stappers, “Co-creation and the new landscapes of design”, 2008, CoDesign: International Journal of CoCreation in Design and the Arts, Vol. 4 No. 1, Taylor and Francis.
 
8
Sleeswijk Visser, Stappers, Van der Lugt & Sanders, “Contextmapping: experiences from practice”, 2005, CoDesign: International Journal of CoCreation in Design and the Arts, Vol. 1 No. 2, Taylor and Francis.
 
9
Friedman, Batya, et al. “Value sensitive design and information systems.” Early engagement and new technologies: Opening up the laboratory. Springer Netherlands, 55–95.
 
10
Djaouti, Damien; Alvarez, Julian; Jessel, Jean-Pierre. “Classifying Serious Games: the G/P/S model” (2015).
 
11
The details of the GDPR are covered later in this chapter.
 
12
Take, for example, the deployment of a smart grid system or the introduction of smart traffic cameras by a city. The GDPR prevents the possibility of inferring racial or ethnic origin, religious beliefs, trade union membership and health/sexual information by cross-referencing the data obtained from traffic cameras with geographical information and expressly prohibits such activities unless express consent has been obtained from the data subject. A similar point could be made from an intrusive deployment of a smart grid, from which religious beliefs and health data could be inferred by examining a household’s energy consumption in time vs. the average or (if available) examining the room-by-room energy usage. This problem grows exponentially with big data analytics and the increasing introduction of AI-enabled chips in IoT devices.
 
13
Current efforts to maximise communication and transparency between IoT devices and end-users range from the inclusion of printed notices next to the devices to the inclusion of smart tags and Bluetooth beacons to point end-users’ smart devices towards relevant websites and even efforts to deploy massive, geo-aware augmented reality solutions by which the end-user will be able to immediately contact the data controller and processors.
 
14
The exact way this will be implemented is as yet unclear, as the immense range of datasets to be shared and the wide variety of standards (both open and closed) that could be used have slowed down the necessary coordination among the industry sectors. On this point it is important to remember that security considerations are also of key importance, as the GDPR requires that all possible risks and effects on personal data are considered both when data is at rest and when it is being transferred. Finally, cross-border data transfers might raise the difficulty of any data portability request by the end-user if no equivalent protection is given by local legislation and no agreements have been made by the relevant controllers.
 
15
See, for example, http://ieeexplore.ieee.org/document/7733572/ and Arun, Thangavelu & Venkatesan; Cognitive Computing for Big Data Systems Over IoT: Frameworks, Tools and Applications; Volume 14 of Lecture Notes on Data Engineering and Communications Technologies; Springer, 2017.
 
16
For an example of how the privacy by design approach should be considered by IoT applications, see the case of smart health in https://www.sciencedirect.com/science/article/pii/S1877050917317398.
 
17
As it declares, starting from its Recital 24, that “Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users” (European Parliament & European Council 2009) and requires that any programme installed on such equipment be based on legitimate purposes. This is further expanded by Recital 25, which states that these legitimate purposes include the provision of information society services, and as such “their use should be allowed on condition that users are provided with clear and precise information (…) so as to ensure that users are made aware of information being placed on the terminal equipment they are using” (European Parliament & European Council 2009). Additionally, the recital requires that the user is given the right to refuse and that any information is provided in a user-friendly manner. The contents of these recitals are synthesised and further clarified by Article 5.3 of the directive, which formally introduces these limitations to the applicable body of law of the European Union (in direct connection to the dispositions mentioned in infra note 18).
 
18
Confidentiality of communications was protected by the Directive’s Article 5, which required member states to introduce safeguards in their national legislation to “prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned (…) this paragraph shall not prevent technical storage which is necessary for the conveyance of a communication (…)” (European Parliament & European Council 2009).
 
19
The ePrivacy Regulation addresses IoT directly. Recital 12 of the latest draft notes that “The use of machine-to-machine services, that is to say services involving an automated transfer of data and information between devices or software-based applications with limited or no human interaction, is emerging. While the services provided at the application-layer of such services do normally not qualify as an electronic communications service as defined in the [Directive establishing the European Electronic Communications Code], the transmission services used for the provision of machine-to-machine communications services regularly involves the conveyance of signals via an electronic communications network and, hence, normally constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation, in particular the requirements relating to the confidentiality of communications, should apply to the transmission of machine-to-machine electronic communications where carried out via an electronic communications service”. In accordance with this approach, Article 5(2) of the proposed regulation recognises that “Confidentiality of electronic communications data shall apply to the transmission of machine-to-machine electronic communications where carried out via an electronic communications service”.
 
20
n = 50, consisting of civil servants working on smart city projects in European cities as partners of the CITADEL Project. The surveys have been collected continuously from May 2017 until the time of writing.
 
21
In case of X, it is best to do Y according to article Q of the GDPR and our code of conduct.
 
Literature
1.
Harris, C. (1999). In Search of Innovation. Cambridge, MA: MIT Press. ISBN:978-0262082754
2.
P.S. Adler, Beyond hacker idiocy: a new community in software development, in The Firm as a Collaborative Community: Reconstructing Trust in the Knowledge Economy, ed. by C. Heckscher, P. S. Adler, (Oxford University Press, New York, NY, 2006), pp. 198–259
3.
B. Dalton et al., Chatter [art prototype]. FutureEverything 2013 and The Creative Exchange, Manchester, 21–24 March 2003
4.
European Parliament & European Council, Directive 2009/136/EC amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, OJL 337, 18 Dec 2009, p. 11
5.
M. Lauristin, Report on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (COM(2017)0010–C8-0009/2017–2017/0003(COD)) Committee on Civil Liberties, Justice and Home Affairs, European Parliament (2017)
Metadata
Copyright Year
2019
DOI
https://doi.org/10.1007/978-3-030-04984-3_12