[DG-IDoT] Challenges from the Identities of Things

Wed Feb 26 20:33:11 CST 2014


A few thoughts in the interest of trying to improve your paper.

I think your paper doesn't quite pinpoint the problems you go on to
discuss.  I think that you address three issues:

   1. the need for identity and access management
   2. device and data "ownership"
   3. the need for a namespace convention.

With regard to the identity issue, you might try the following:

Historically the functions that are now migrating to the Internet of Things
(thermostats, ovens, lighting systems, etc.) were standalone devices that
were not accessible over the internet.  To operate them required physical
presence.  And the ability to access them was mediated by physical access
to the devices.  As device access migrates to the internet, device "owners"
gain the ability to control devices from afar.  Physical presence is no
longer necessary and ceases to be the determinant of device access and
control.  This is a boon for the device owner.  But the new capability of
remote access also exposes the device to control by third parties whose
motives may not align with the owner.  It is beneficial to be able to
remotely tell your thermostat to raise the temperature in your home because
you are returning from a trip a day ahead of schedule.  But it could be
problematic to have some devious person remotely turn your thermostat off
in the dead of winter.

Because of this new vulnerability, it becomes important to build into new
"internet-enabled" devices some form of identity and access management to
allow the device "owner" to manage who can and can't access the device and
what privileges each might have upon accessing it.

With regard to the ownership issue, I think it might be more clear to say
something along the lines of the following:

Ownership of a device on the Internet of Things is not always clear cut.
If John purchases a new car, the ownership of the car seems clear.  But
if the car includes a device that transmits data on the performance of the
engine that is transmitted back to the manufacturer to help the
manufacturer improve its products, then who owns the sensor and the ability
to control where the data are sent becomes less clear. If the contract John
signs when he purchased the car gives the manufacturer (or dealer) control
of the sensor and the data it transmits, does this change if the sensor
also records John's location, driving speed, and other factors that measure
his "performance"?   If the manufacturer has the right to these data, do
they have a liability if John's enemy hacks into the database to discover
John's location and then shoots him?  If the contract also stipulates that
if John wants to see the data, he must pay a subscription fee, is this
reasonable?  If John retains any ownership of the data, does this change if
he resells the car to someone else? What if his driving record is still
retained in the device in the car?   If the manufacturer retains control of
the data, does this require John to specify this fact when he goes to
resell the car?

If a weather sensor purchased with taxpayer dollars is installed by a
government entity, do you have the right to access its data?  What if you
live outside the jurisdiction of the government entity?  Should you be
allowed to be a "free rider" and use the data for your own gain?

With regard to the namespace convention, I think you need to first explain
why a namespace is needed.  Then you can describe the alternatives.

With regard to the truck/logistics company example given under the heading
"Governance of data and Privacy", I think you need to add that the data
would also be valuable to the recipients of packages delivered by the
logistics company who need to plan their production around receipt of
materials.  This opens up the driver's location to a much broader audience
that has likely not been vetted by the logistics company, compounding the
complexity of the problem.

I hope that you find this to be of some value.


