Kantara Response to FTC IoT Privacy and Security Implications
Dear Kantara Community,
Recently Kantara Initiative Trustees, Members and Participants provided their international and industry expertise to develop a brief response to a call for input by the US Federal Trade Commission (FTC) [1] regarding privacy and security implications of the Internet of Things (IoT). Pervasive implementation of the IoT, and access control of associated data, will have significant implications with regard to Identity Management use cases and beyond. Kantara Initiative intends to address these implications through its network of experts and programs.
The full response can be read on our Kantara blog [2]. We thank our stakeholders for their excellent input and we're looking forward to a workshop focusing on IoT that is being planned by FTC for the fall 2013.
Please feel free to share the response with interested parties. We are very interested to hear feedback that can be shared on this list or via our contact form [3].
Joni Brennan
Executive Director
Kantara Initiative
[1] http://www.ftc.gov/opa/2013/04/internetthings.shtm
[2] http://kantarainitiative.org/privacy-and-security-iot/
[3] bit.ly/contact_kantara
Hello Joni (and the Kantara community).
Ummm... I'm not from the US (I'm Australian), and my thoughts on "the internet of *things*" have thus far not curried much resonance with people in general. Also, my concepts have still to yield anything demonstrable. Hence, I'm reluctant to contribute directly to conferences and other requests for input. But I will write this message.
I'd like to perhaps suggest that the term "things" be replaced with "individuals". I believe an internet of individuals is the ultimate destination for the internet as it evolves to be a medium through which individual presence is not only projected, but is also manifest. In an internet of individuals, every component (every "thing" or "device") is used by, and indeed, is used to manifest individual presence. In this vision, every router, switch, node and any other well defined contraption of any type that can exchange state (a device) with any other device will be directed by and accountable to the intentions of individual wills that compose them.
This vision requires a system that projects individual presence in such devices. I believe that my Clique Space concept is such a system. As far as I am aware, Clique Space is the only concept that has any chance of turning this internet of things into its ultimate expression as an internet of individuals.
Development continues, and I hope one day soon(ish) to be able to demonstrate that the Clique Space basic infrastructure (Agent Devices which collaborate to exchange information about other devices operating through other media) works. I would love some help in getting my proof-of-concept done quicker, so I post this letter here as an attempt to garner interest.
I'd welcome anyone's comment.
Owen.
--
Employment-from-home. Make mine part-time. Yes you can. Software developers certainly can be salaried and superannuated part-time from home. Make it so for this one.
Clique Space(TM): A seat for the soul. www.owenpaulthomas.blogspot.com
Hi Owen,
Thank you for this interesting perspective. However, the Internet of Things (IoT) includes individuals as a layer. IoT includes things and entities as well. All of these intersect.
As part of our scope, Kantara intends to focus on Identity of Things.
Also, while the comments were not formally representative of Kantara as an organization, I can confirm that many non-US people and companies did contribute. We're proud of Kantara's transparent and multi-national representation so non-US, Australia and any other perspectives are always welcome.
Best Regards,
Joni
Hi Joni. See my responses in situ below.
On 13 June 2013 01:08, Joni Brennan <joni@ieee-isto.org> wrote:
> Hi Owen,
> Thank you for this interesting perspective. However, the Internet of Things (IoT) includes individuals as a layer. IoT includes things and entities as well. All of these intersect.
Yea, the internet is composed of devices. All these devices are put wherever they are put to serve the purposes of the individual who put them there. I don't see how individuals need to be called a "layer"... an individual merely possesses devices which interact by the direction of the individual who possesses them; often with devices that another individual possesses. Clique Space is a system that models and mediates this activity.
> As part of our scope, Kantara intends to focus on Identity of Things.
Maybe my ignorance, but I don't really see why things and individuals can be considered separately if you're going to deal with the subject of identity - which is important to the individual's claim for possession of things. I don't understand the necessity of considering individuals as "layers" in a system. The relationship between the individual and the things (or devices) one possesses is very intuitive, and I don't see the necessity for making it any more complicated than it appears.
Enjoy.
Owen.
Hi Owen,
While it may seem that the identity management system for things is the same as for people (on an abstract) there are a few additional requirements IoT brings along. The most important aspect is that there are various limitations (in terms of code size, memory, bandwidth, battery life) of these devices. For that reason not all of the work that was suitable for a laptop/tablet/smart phone environment is also immediately applicable to the IoT environment.
If you want to read more about it have a look at two workshop reports:
Smart Object Workshop Report: http://tools.ietf.org/html/rfc6574
Smart Object Security Workshop Report: http://tools.ietf.org/html/draft-gilger-smart-object-security-workshop-01
(Smart Objects = Internet of Things)
Ciao
Hannes
Hi Hannes.
On 13 June 2013 01:47, Tschofenig, Hannes (NSN - FI/Espoo) <hannes.tschofenig@nsn.com> wrote:
> Hi Owen,
> While it may seem that the identity management system for things is the same as for people (on an abstract) there are a few additional requirements IoT brings along. The most important aspect is that there are various limitations (in terms of code size, memory, bandwidth, battery life) of these devices. For that reason not all of the work that was suitable for a laptop/tablet/smart phone environment is also immediately applicable to the IoT environment.
> If you want to read more about it have a look at two workshop reports:
> Smart Object Workshop Report: http://tools.ietf.org/html/rfc6574
> Smart Object Security Workshop Report: http://tools.ietf.org/html/draft-gilger-smart-object-security-workshop-01
> (Smart Objects = Internet of Things)
> Ciao Hannes
Certainly. Connecting every diode, every capacitor, every transistor, and any other small electrical component to Clique Space would be an odd thing to consider reasonable. And surely, not every electronic component which may stand alone would be able to be connected. But the requirements for connecting components to a Clique Space are not onerous, and in most cases, I think connecting such components is reasonable.
The only thing a device has to do is to be able to do whatever function it does, AND 1: to be able to tell another device what it is doing. I think this is well within the conceivable realm for most devices. An additional advantageous characteristic a device might possess is 2: the ability to be controlled by another device. If a device has the characteristic 1, then it would be able to be modelled within a Clique Space. If a device has both 1 and 2, it could be modelled and controlled from a Clique Space. I don't think it conceivably useful that a device have 2 without having 1, but I could be wrong.
Amongst the large number of device types that can be connected to a Clique Space are devices which can render to a display screen or otherwise represent the activity of other devices. These devices are used by individuals to control the activity of all the devices they possess to meet their individual aims. I've called these types of devices View/Persistence Mechanism (V/PM) devices because the individual has available to them, the potential to view and persist the device activity stream as the capability of the device permits.
Perhaps a final relevant side-note to make is to underscore what a device is to a Clique Space. A device is *anything* which encloses a minimal functional state sufficiently capable of being represented as a set of Enabling Constraints in a node Media Profile. Media Profiles are hierarchical, so one device type might build on the functionality of one or more others simply by "inheriting" the node Media Profiles describing the functionality of these other devices. With this very loose, but systematic definition, any object physical or algorithmic, has the potential of becoming known to and aware of one or more Clique Spaces to which it is connected.
Owen.
Hi Owen,
I am not saying that every electronic component will suddenly be interconnected with the Internet by itself but if you just look at regular hardware that you can buy today (like an Arduino) then you will see that there are limitations and those force developers to select a subset of the features they normally have. So, you have to decide what you implement and there are consequences of doing so. For example, you may not have a certificate revocation built into these devices.
An example quote from an IETF mailing list discussion: http://www.ietf.org/mail-archive/web/dtls-iot/current/msg00015.html
> Zigbee IP does not mandate use of CRLs or OCSP for device certificates (in IEEE 802.1AR-speak ... the UDevID). Supporting these mechanisms for device certificates on constrained devices and networks, at mass scale, is highly problematic.
Needless to say that there are security implications...
This is what the FTC is likely interested in.
Ciao
Hannes
Owen,
I think that you have lost the thrust of this thread. The discussion is about responding to a regulator's (US FTC) request for comment. The questions asked in their Request for Comment are not seeking technical solutions as much as they are looking into regulatory issues that will need to be solved -- regardless of the technical solution(s) that get implemented.
Whether Clique Space evolves into one of the technical solutions that people select is not at issue. As the privacy regulator for the US, what is at issue for the FTC is what issues are ripe for them to address from a regulatory perspective to ensure adequate legal privacy protection is afforded to US citizens, residents, and visitors. And, obviously, the same issues apply to every other nation, so it becomes important to get the regulatory regime right to minimize the variations in coverage (and even the conflicts in coverage) as other nations seek to provide regulatory protections to address the same issues.
Thank you.
Jeff
--
Jeff Stollman
stollman.j@gmail.com
1 202.683.8699
Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck
On 13 June 2013 18:46, Tschofenig, Hannes (NSN - FI/Espoo) <hannes.tschofenig@nsn.com> wrote:
> Hi Owen,
> I am not saying that every electronic component will suddenly be interconnected with the Internet by itself but if you just look at regular hardware that you can buy today (like an Arduino) then you will see that there are limitations and those force developers to select a subset of the features they normally have. So, you have to decide what you implement and there are consequences of doing so. For example, you may not have a certificate revocation built into these devices.
> An example quote from an IETF mailing list discussion: http://www.ietf.org/mail-archive/web/dtls-iot/current/msg00015.html
I hope you would have deduced by now that I am no expert in hardware and communications standards. A reason why I'm usually silent.
I'm not promising a new and universal security layer with Clique Space. What my idea does appear to be promising me is an infrastructure through which future (the future being a hypothetical time beyond that instant where Clique Space is accepted as being a medium capable of expressing individuals and modelling individual activity) hardware and algorithmic devices can plug into.
Clique Space does not try to patch problems in existing device security implementations. I think that the problems with existing devices are a symptom of the lack of a medium which Clique Space could provide. While some device manufacturers try to have a go at providing a very narrow mechanism, these manufacturers sometimes appear to do nothing better than to pepper their products with security flaws.
Owen.
All,
While I am not certain that I agree with Owen's particular spin, he does raise a good point that affects privacy -- a point that we failed to address in the FTC response: ownership of and delegation of authority for the devices that comprise IoT.
For example, if my electricity provider places a meter in my home, who owns it? My assumption is that the provider owns the device and I must agree to its installation in my home as a condition of obtaining electricity. But then, who is responsible for programming it to reduce my power when demand is high? If it is the electricity distributor, what say do I have in this decision? If it is me, how does the "owner" delegate authority to me to program my usage? What if I want to provide my own meter (in the same way that I may provide my own router for my internet service or use one from my ISP), do I have that right? After all, it is going in my home. But the electricity distributor may be concerned that I will modify the reporting from the meter in order to mask my real use and pay a lower bill.
From a privacy perspective, I consider ownership and delegation of authority to be the two big issues of IoT -- quite separate from the security concerns about access control.
Thank you.
Jeff
Good points all but there is also the concepts of shared rights access and control in the same sense that we can co curate and subscribe to feeds from devices
Identity of a device for addressing subscribing is but one part the meta data about ownership of device is something that may change over time and be shared e.g. joint ownership of a device shared responsibility and accountability, federated or delegated functional responsibility for aspects of its capability think remote control think levels of access and admin
These challenges apply to individuals things and personal data so let's try and cross fertilise
Mydex has built an open platform for identity and personal data services QS and IoT are implicitly involved in our world. It features a RESTful api, identity services with multi protocol support we are ISO270001 certified company
We are a platform an OIX listed Trust Framework and one of the UK appointed identity providers
Our service is free to individuals open to any organisation or developer to connect so please feel free to experiment our sandbox is free to all https://sbx.mydex.org
Keep it coming
David
CEO Co-founder and Mydex Platform Architect
Http://mydex.org
Sent from my mobile Please forgive typos! 0771 747 3661
On 12 Jun 2013, at 16:17, j stollman <stollman.j@gmail.com> wrote:
Hello David.
On 13 June 2013 03:06, David Alexander <david@mydex.org> wrote:
> Good points all but there is also the concepts of shared rights access and control in the same sense that we can co curate and subscribe to feeds from devices
> Identity of a device for addressing subscribing is but one part the meta data about ownership of device is something that may change over time and be shared e.g. joint ownership of a device shared responsibility and accountability, federated or delegated functional responsibility for aspects of its capability think remote control think levels of access and admin
So, what you're saying here is that the type of things "out there" multiplies and differentiates exponentially over time. Indeed, I think everyone would agree with you; I certainly do. However, have you considered how these things are used? Have you considered how the use of these things is regulated (currently in an unsystematic way) through the behaviour and preference of the individual; a preference that often depends upon considerations of individual characteristics and group membership which are unrelated to the function of a particular device? My Clique Space concept takes care of both "device functionality" and "individual identity and group membership" characteristics through two discrete but interlocking mechanisms: Enabling Constraints and Limiting Constraints respectively. A Limiting Constraint is a value which is applied to an Enabling Constraint parameter which specifies some functional unit of a device.
> These challenges apply to individuals things and personal data so let's try and cross fertilise
I'm not sure that Clique Space offers a direct solution to personal data rights issues; the theory of PKI (and the ethical and moral behaviour of individuals) seems to me to fill in many gaps which are unreachable to Clique Space in relation to data and IP. At the very least, I believe that provided a device will cooperate with a Clique Space to which it is connected, Clique Space will reliably tell an individual when a device on which data is stored is being accessed. It will disclose the identity (Identity) of the individual who accessed this device, and you, as the possessor of the device, would indeed be able to control which individuals are able to access the data held within based on Limiting Constraint affinity. Devices siphon state information to Clique Spaces to which they are connected. These Clique Spaces (I only think one Clique Space per device is attractive, but I'm only one individual) cross-reference the changes in activity of the storage device and the activity of some access device possessed by the individual desiring access. The access device might or might not be connected to a Clique Space. If 1: the access device is also connected to a Clique Space, and 2: if the access device is possessed by some Identity other than the one to which the storage device is connected, and 3: the individual possessing the access device desires that an Identity be disclosed to the individual to which the storage device is associated, then Clique Space can compare characteristics in the given Identities of both individuals, correlating the intentions disclosed in the two Identities by comparing applicable Limiting Constraints. If sufficient Limiting Constraint affinity is found, a Clique (most probably in this case, a Clique comprising of the minimum two Participants) can form, and access to the data is permitted. 
That's the very short description of how Clique Space would work in the scenario where one individual accesses a data storage device possessed by another. Although still largely untested, I believe all of the process I have just described can be modelled and mediated using the concept of Cliques, and by extension, the simple data model I have developed in my Clique Space concept.
> Mydex has built an open platform for identity and personal data services QS and IoT are implicitly involved in our world. It features a RESTful api, identity services with multi protocol support we are ISO270001 certified company
> We are a platform an OIX listed Trust Framework and one of the UK appointed identity providers
From this short description, I gather that there may be a fit between my Clique Space concept and your Mydex product. I realise that we may both have our own proprietary interests, so I'd welcome an off list conversation if you want to explore the possibility of exploring this fit further.
-- Employment-from-home. Make mine part-time. Yes you can. Software developers certainly can be salaried and superannuated part-time from home. Make it so for this one. Clique Space(TM): A seat for the soul. www.owenpaulthomas.blogspot.com
Hi Jeff,
There was a point in the submission about 'the Internet of My Things' as I recall; less bullish than perhaps it might be but I guess such is the nature of writing to government. In any case, I completely agree, the real issues around the intersection of things data and personal data have yet to be aired. There is no doubt an implied assumption that we adopt the Pavlov's Dog model and tick a different box for each thing we connect to. Well that does not work before the IoT kicks in; it's hardly going to get better when the number of boxes to tick multiplies hugely. Anyway, enough work in there to keep us all busy for the next decade….
Cheers
Iain
On 12 Jun 2013, at 16:17, j stollman <stollman.j@gmail.com> wrote:
Iain Henderson iain@thecustomersvoice.com
On 13 June 2013 01:17, j stollman <stollman.j@gmail.com> wrote:
> All,
> While I am not certain that I agree with Owen's particular spin, he does raise a good point that affects privacy -- a point that we failed to address in the FTC response: ownership of and delegation of authority for the devices that comprise IoT.
Indeed, I feel that responsibility and privilege are not adequately addressed anywhere in any of the discourse I have so far witnessed on identity. Have a look at my recent blog post <http://owenpaulthomas.blogspot.com.au/2013/05/the-individual-as-axiom.html> for my comments about this. However, I'm wondering what aspect of my spin in particular you might not agree with...
> For example, if my electricity provider places a meter in my home, who owns it? My assumption is that the provider owns the device and I must agree to its installation in my home as a condition of obtaining electricity.
Sure, that would sound fair. Maybe the provider of the meter installs the device in your home and one of their employees connects the meter through an Identity which this individual projects in Clique Space. You, as the customer, engage another "device" in a Clique with the meter. This Clique might become your account. If the meter isn't engaged with your "device" in this Clique, it isolates you from the electricity supply.
> But then, who is responsible for programming it to reduce my power when demand is high?
You and your supplier are responsible. You might do this through Clique Space by setting Limiting Constraints. These Limiting Constraints would have to accord with those of the supplier because the Clique would not exist if they didn't; meaning your electricity supply would be cut off.
> If it is the electricity distributor, what say do I have in this decision?
You and your supplier agree to what the deal will be. So long as both of you agree to the way the meter will operate, the Clique exists, and so does the electricity supply.
> If it is me, how does the "owner" delegate authority to me to program my usage?
In Clique Space, this can be done in a combination of ways. If we now just consider the abstract brush strokes of the underlying device collaboration, the ways depend upon the type of devices that are interacting (which device functionality the device's vendor have decided to expose to Clique Space), and how you and your meter-monitoring supplier employee friend have configured your Identities. It is up to the two Participants in the Clique to decide who is going to be doing what. Maybe your friendly meter monitor has many of the Limiting Constraints supplied for his Participant by his employer through a hierarchy of Mode Profile Elements which this individual has activated in their identity. Maybe you have nothing so complicated, and decide to express Limiting Constraints in your Participant from properties that you have set against your Identity.
> What if I want to provide my own meter (in the same way that I may provide my own router for my internet service or use one from my ISP), do I have that right? After all, it is going in my home.
Maybe your electricity supplier will allow you to do that so long as you allow one of their employees to connect to your meter. Maybe even you can connect to the meter yourself, and Clique Space will relay the fact that you have connected to your meter, that you have engaged this meter in a Clique which shows to them that you are receiving an electricity supply from them. Again, they'll charge you appropriately for this supply while the Clique is in existence.
> But the electricity distributor may be concerned that I will modify the reporting from the meter in order to mask my real use and pay a lower bill.
Indeed. Maybe it wouldn't be a good idea if your supplier allowed you to connect your own meter. Maybe the supplier would also have their own power switching gear on the pole from which your cables are attached, and because this switch is also connected to a Clique Space through another friendly power supply employee's identity, it isolates the power from the street because of the fact that no Clique exists between you and the meter on the other end of the cable.
> From a privacy perspective, I consider ownership and delegation of authority to be the two big issues of IoT -- quite separate from the security concerns about access control.
I therefore think Clique Space may have a lot to offer IoT. It allows device compatibility and delegation of authority to be independently managed. This has as many philosophical challenges as there are technical ones: philosophical argument about the place of the individual is often a question of the positioning a component of the concept within the appropriate technical framework. It has thus far been my experience on my Clique Space journey that I have had to walk a logical tightrope that pays respect to the concept I am trying to implement, without falling into a trap of infinite regress. I ask you all: who wouldn't want to suck on these deliciously juicy technophilosophical fruit when one seems to have a tree that bears them? I'd like to share.
Thank you.
Jeff
On Wed, Jun 12, 2013 at 8:22 AM, Owen Thomas <owen.paul.thomas@gmail.com>wrote:
Hello Joni (and the Kantara commnity).
Ummm... I'm not from the US (I'm Australian), and my thoughts on "the internet of *things*" have thus far not curried much resonance with people in general. Also, my concepts have still to yield anything demonstrable. Hence, I'm reluctant to contribute directly to conferences and other requests for input. But I will write this message.
I'd like to perhaps suggest that the term "things" be replaced with "individuals". I believe an internet of individuals is the ultimate destination for the internet as it evolves to be a medium through which individual presence is not only projected, but is also manifest. In an internet of individuals, every component (every "thing" or "device") is used by, and indeed, is used to manifest individual presence. In this vision, every router, switch, node and any other well defined contraption of any type that can exchange state (a device) with any other device will be directed by and accountable to the intentions of individual wills that compose them.
This vision requires a system that projects individual presence in such devices. I believe that my Clique Space concept is such a system. As far as I am aware, Clique Space is the only concept that has any chance of turning this internet of things into its ultimate expression as an internet of individuals,
Development continues, and I hope one day soon(ish) to be able to demonstrate that the Clique Space basic infrastructure (Agent Devices which collaborate to exchange information about other devices operating through other media) works. I would love some help in getting my proof-of-concept done quicker, so I post this letter here as an attempt to garner interest.
I'd welcome anyone's comment.
Owen.
On 12 June 2013 18:24, Joni Brennan <joni@ieee-isto.org> wrote:
Dear Kantara Community,
Recently Kantara Initiative Trustees, Members and Participants provided their international and industry expertise to develop a brief response to a call for input by the US Federal Trade Commission (FTC) [1] regarding privacy and security implications of the Internet of Things (IoT). Pervasive implementation the IoT, and access control of associated data, will have significant implications with regard to Identity Management use cases and beyond. Kantara Initiative intends to address these implications through its network of experts and programs.
The full response can be read on our Kantara blog [2]. We thank our stakeholders for their excellent input and we're looking forward to a workshop focusing on IoT that is being planned by FTC for the fall 2013.
Please feel free to share the response with interested parties. We are very interested to hear feedback that can be shared on this list or via our contact form [3].
Joni Brennan Executive Director Kantara Initiative
[1] http://www.ftc.gov/opa/2013/04/internetthings.shtm [2] http://kantarainitiative.org/privacy-and-security-iot/ [3] bit.ly/contact_kantara
_______________________________________________ Community mailing list Community@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/community
-- Employment-from-home. Make mine part-time. Yes you can. Software developers certainly can be salaried and superannuated part-time from home. Make it so for this one. Clique Space(TM): A seat for the soul. www.owenpaulthomas.blogspot.com
-- Jeff Stollman stollman.j@gmail.com 1 202.683.8699
Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck
-- Employment-from-home. Make mine part-time. Yes you can. Software developers certainly can be salaried and superannuated part-time from home. Make it so for this one. Clique Space(TM): A seat for the soul. www.owenpaulthomas.blogspot.com
Here in the US, we've recently become aware that the government (that is, the National Security Agency) is collecting metadata on every phone call made in the US.

It's unclear the extent to which the NSA is also collecting information about other forms of electronic communications such as emails, tweets, text messages, web browsing habits, etc.

Many people seem to be OK with this if it can help the government detect possible terrorist activities. Others are calling for more transparency and less secrecy with respect to government policies for conducting electronic surveillance of its citizens (and others).

Now we have the Internet of Things, which proposes that all of our everyday devices should be connected to the Internet. It's not hard to imagine that the possibilities for additional surveillance are increased when all our devices are networked and talking to each other.

Before I'm going to allow my bathroom scale to talk to my refrigerator, I want to know whether the government might be listening in. If the government can override my personal privacy preferences in the name of safety or national security, I'd like to know about it. If we're going to have an Internet of Things, I'd call for the same transparency with respect to government surveillance policies that may exist for interconnected consumer devices that I believe should exist for other kinds of electronic surveillance of citizens that the government may feel is necessary.

Bob Pinheiro

On 6/12/2013 4:24 AM, Joni Brennan wrote:
Dear Kantara Community,
Recently Kantara Initiative Trustees, Members and Participants provided their international and industry expertise to develop a brief response to a call for input by the US Federal Trade Commission (FTC) [1] regarding privacy and security implications of the Internet of Things (IoT).
Pervasive implementation of the IoT, and access control of associated data, will have significant implications with regard to Identity Management use cases and beyond. Kantara Initiative intends to address these implications through its network of experts and programs.
The full response can be read on our Kantara blog [2]. We thank our stakeholders for their excellent input and we're looking forward to a workshop focusing on IoT that is being planned by FTC for the fall 2013.
Please feel free to share the response with interested parties. We are very interested to hear feedback that can be shared on this list or via our contact form [3].
Joni Brennan Executive Director Kantara Initiative
[1] http://www.ftc.gov/opa/2013/04/internetthings.shtm [2] http://kantarainitiative.org/privacy-and-security-iot/ [3] bit.ly/contact_kantara
Hi Bob,

The NSA activities have certainly gotten a lot of attention. Of course it would be interesting to consider those in the security and privacy write-up (somehow). There are, however, challenges in what one would exactly suggest. To pick your Internet-enabled scale, as an example, it is obviously important to deal with security and privacy protection for the communication from the scale to the Web-based service where the weight (and potentially other information) is stored. You also want to avoid unauthorized access to your data or that your scale suddenly becomes part of a botnet, etc. However, if the service provider is in the US then there may be little protection you can apply to avoid cases of lawful intercept since a government agency could just walk over to the service provider and ask for the data.

It might, however, nevertheless be good to capture these aspects somewhere. Since the documents I had distributed in my earlier mail relate to discussions that happened at those workshops I obviously cannot add them there since we did not discuss this aspect.

Ciao
Hannes

From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of ext Bob Pinheiro
Sent: Thursday, June 13, 2013 2:23 AM
To: community@kantarainitiative.org
Subject: Re: [Kantara - Community] Kantara Response to FTC IoT Privacy and Security Implications

Here in the US, we've recently become aware that the government (that is, the National Security Agency) is collecting metadata on every phone call made in the US.

It's unclear the extent to which the NSA is also collecting information about other forms of electronic communications such as emails, tweets, text messages, web browsing habits, etc.

Many people seem to be OK with this if it can help the government detect possible terrorist activities.
Others are calling for more transparency and less secrecy with respect to government policies for conducting electronic surveillance of its citizens (and others).

Now we have the Internet of Things, which proposes that all of our everyday devices should be connected to the Internet. It's not hard to imagine that the possibilities for additional surveillance are increased when all our devices are networked and talking to each other.

Before I'm going to allow my bathroom scale to talk to my refrigerator, I want to know whether the government might be listening in. If the government can override my personal privacy preferences in the name of safety or national security, I'd like to know about it. If we're going to have an Internet of Things, I'd call for the same transparency with respect to government surveillance policies that may exist for interconnected consumer devices that I believe should exist for other kinds of electronic surveillance of citizens that the government may feel is necessary.

Bob Pinheiro

On 6/12/2013 4:24 AM, Joni Brennan wrote:

Dear Kantara Community,

Recently Kantara Initiative Trustees, Members and Participants provided their international and industry expertise to develop a brief response to a call for input by the US Federal Trade Commission (FTC) [1] regarding privacy and security implications of the Internet of Things (IoT). Pervasive implementation of the IoT, and access control of associated data, will have significant implications with regard to Identity Management use cases and beyond. Kantara Initiative intends to address these implications through its network of experts and programs.

The full response can be read on our Kantara blog [2]. We thank our stakeholders for their excellent input and we're looking forward to a workshop focusing on IoT that is being planned by FTC for the fall 2013.

Please feel free to share the response with interested parties.
We are very interested to hear feedback that can be shared on this list or via our contact form [3].

Joni Brennan Executive Director Kantara Initiative
[1] http://www.ftc.gov/opa/2013/04/internetthings.shtm [2] http://kantarainitiative.org/privacy-and-security-iot/ [3] bit.ly/contact_kantara
Hello Bob.
On 13 June 2013 09:22, Bob Pinheiro <kantara@bobpinheiro.com> wrote:
Here in the US, we've recently become aware that the government (that is, the National Security Agency) is collecting metadata on every phone call made in the US.
It's been a feature of the news here in Australia. I like the term metadata. It's magic stuff that promises to excuse a regulator's access to data otherwise considered an invasion of privacy.
It's unclear the extent to which the NSA is also collecting information about other forms of electronic communications such as emails, tweets, text messages, web browsing habits, etc.
Many people seem to be OK with this if it can help the government detect possible terrorist activities. Others are calling for more transparency and less secrecy with respect to government policies for conducting electronic surveillance of its citizens (and others).
Now we have the Internet of Things, which proposes that all of our everyday devices should be connected to the Internet. It's not hard to imagine that the possibilities for additional surveillance are increased when all our devices are networked and talking to each other.
Before I'm going to allow my bathroom scale to talk to my refrigerator, I want to know whether the government might be listening in. If the government can override my personal privacy preferences in the name of safety or national security, I'd like to know about it. If we're going to have an Internet of Things, I'd call for the same transparency with respect to government surveillance policies that may exist for interconnected consumer devices that I believe should exist for other kinds of electronic surveillance of citizens that the government may feel is necessary.
I would be perhaps a bit more concerned than I currently am (I am a bit) about what Clique Space would provide in terms of monitoring and regulation if my idea gave this power merely to the "regulators". Although my concept could shroud collaborative exchange under a blanket of inescapability because everyone's watching everyone else, this accountability is being applied openly. This is somewhat different to the way counter terrorism and surveillance measures are currently carried out, but indeed, individual accountability may, through aligning the interests of the individual to becoming accountable to their own actions in cyberspace, provide a mechanism through which surveillance can become more transparent and... perhaps... more ubiquitous than it may be now.
Your government may be listening to your bathroom scales, but Clique Space will be honest about telling you when this is happening. :)
Owen.
-- Employment-from-home. Make mine part-time. Yes you can. Software developers certainly can be salaried and superannuated part-time from home. Make it so for this one. Clique Space(TM): A seat for the soul. www.owenpaulthomas.blogspot.com
To Bob and all,

Recent revelations are not only US impacting. There have been articles that claim UK had determined that data gathered in US systems (even EU data) is not subject to EU regulation. Others dispute the claim of such a notion (or instance). The reality is unclear. But it is evident that data systems cross over borders and impacts of such are still unclear and must be researched.

Remember this started as an IoT thread and not a thread specifically about Prism. In any case, the privacy and tracking concerns only multiply as more and more data is collected, networked and provides correlation. It's not only the data, but the network effect, correlation, access control, and policy/enforcement around all.

Finally a reminder that Kantara mission is around identity open standards and marketing of proprietary solutions (non-standard based) are not appropriate for this environment. Thank you to all for careful consideration regarding this reminder.

Pardon the brevity from the airport.

Best regards,
Joni

On Thursday, June 13, 2013, Owen Thomas wrote:
Hello Bob.
On 13 June 2013 09:22, Bob Pinheiro <kantara@bobpinheiro.com> wrote:
Here in the US, we've recently become aware that the government (that is, the National Security Agency) is collecting metadata on every phone call made in the US.
It's been a feature of the news here in Australia. I like the term metadata. It's magic stuff that promises to excuse a regulator's access to data otherwise considered an invasion of privacy.
It's unclear the extent to which the NSA is also collecting information about other forms of electronic communications such as emails, tweets, text messages, web browsing habits, etc.
Many people seem to be OK with this if it can help the government detect possible terrorist activities. Others are calling for more transparency and less secrecy with respect to government policies for conducting electronic surveillance of its citizens (and others).
Now we have the Internet of Things, which proposes that all of our everyday devices should be connected to the Internet. It's not hard to imagine that the possibilities for additional surveillance are increased when all our devices are networked and talking to each other.
Before I'm going to allow my bathroom scale to talk to my refrigerator, I want to know whether the government might be listening in. If the government can override my personal privacy preferences in the name of safety or national security, I'd like to know about it. If we're going to have an Internet of Things, I'd call for the same transparency with respect to government surveillance policies that may exist for interconnected consumer devices that I believe should exist for other kinds of electronic surveillance of citizens that the government may feel is necessary.
I would be perhaps a bit more concerned than I currently am (I am a bit) about what Clique Space would provide in terms of monitoring and regulation if my idea gave this power merely to the "regulators". Although my concept could shroud collaborative exchange under a blanket of inescapability because everyone's watching everyone else, this accountability is being applied openly. This is somewhat different to the way counter terrorism and surveillance measures are currently carried out, but indeed, individual accountability may, through aligning the interests of the individual to becoming accountable to their own actions in cyberspace, provide a mechanism through which surveillance can become more transparent and... perhaps... more ubiquitous than it may be now.
Your government may be listening to your bathroom scales, but Clique Space will be honest about telling you when this is happening. :)
Owen.
-- Employment-from-home. Make mine part-time. Yes you can. Software developers certainly can be salaried and superannuated part-time from home. Make it so for this one. Clique Space(TM): A seat for the soul. www.owenpaulthomas.blogspot.com
On 13 June 2013 20:46, Joni Brennan <joni@ieee-isto.org> wrote:
Finally a reminder that Kantara mission is around identity open standards and marketing of proprietary solutions (non-standard based) are not appropriate for this environment. Thank you to all for careful consideration regarding this reminder.
My original reason for responding was that the term Internet of Things suggested to me that standards still needed to evolve to cater for what I think is a logical destination of evolving technology. I didn't mean to hijack this group for the purpose of selling my concept. If anyone would like to explore my ideas with me, I would appreciate further contact off this list.
Thanks,
Owen.
-- Employment-from-home. Make mine part-time. Yes you can. Software developers certainly can be salaried and superannuated part-time from home. Make it so for this one. Clique Space(TM): A seat for the soul. www.owenpaulthomas.blogspot.com
participants (7)
- Bob Pinheiro
- David Alexander
- Iain Henderson
- j stollman
- Joni Brennan
- Owen Thomas
- Tschofenig, Hannes (NSN - FI/Espoo)