Log in / Register
Home arrow Computer Science arrow The Privacy Engineer’s Manifesto
< Prev   CONTENTS   Next >

The Intelligence Stage

The intelligence stage is the new, now and future frontier (Figure 1-6). This stage in computing and communicating and creating is about people, devices, and systems seamlessly making handshakes, connecting, processing information, and providing services that are designed to improve the quality of life and are tailored to our needs. It is driven by increased bandwidth, throughput, processing power, analytic skills, data-reading abilities, and the desire to provide value. Here, at last, consumerization— where individuals alone or collectively—is able to drive the changes of the feature sets of computing as much as the former stages of technology forced conformity to the technology.

Figure 1-6. Intelligence stage

Some early examples of the computing in the intelligence stage are:

• Smart grid technologies recording and optimizing energy use on homes within communities

• Mapping apps that provide real-time traffic updates and suggest course corrections

• Connected appliances such as mini-bar refrigerators that automatically inventory themselves

• Augmented reality and gaming as a tool as well as recreation

• Localized shopping applications that give real-time pricing comparisons

These apps take in user-provided information, observed information or behavior, and output results that can be life improving, labor saving, and time efficient.

Whereas the hallmark of the access stage was the sharing of information, the intelligence stage may be considered as far more person and data centric rather than tool centric. In this stage, the use of information provided or collected and behavior and information observed can drive technology, social, cultural, and ethical change.

One of the implications of the dawning intelligence stage is the implication that power may be derived from being a creative, flexible thinker who can effectively gather, distill, and communicate information from a variety of sources.


By Tyson Macaulay, vice President, global Telecommunications Strategy, McAfee

Pity the fool who insists on a definition of the internet of Things (ioT). There are literally dozens (50+ at last count by the ioS Special Working on the ioT in March 2013), originating from august and well-regarded institutions. So let's put one out there for the purposes of this discussion and leave it as a stake in the ground and reference point.

Here we go: the ioT includes devices that are manipulated by people (smartphones, desktops, tablets), devices that support very limited interfaces with people or animals (point of sale devices, medical devices), and devices that observe or manage the physical world (remote sensors, location trackers, meters, industrial controls, smart anything) in automated or semiautomated manners. And it all sits on a common network technology like internet protocol (iP) or behind a gateway sitting on an iP network. one way or another, most of these networks are connected.

When Is personally Identifiable Information in the Iot actually personally Identifiable Information?

Pity the fool who looks for consensus related to what equals personally identifiable information (Pii) in the ioT.

The massive amount of data present in the ioT means there is no question that the ioT, en masse, is personal. it simply is. if you can access, correlate, and associate identity and activity in the ioT, you will pretty much be able to write a biography that will shock mothers and end marriages. Every time.

For instance, if you could capture the data flows from a given device (say a power meter), and if you could sift out the extraneous signaling and network handshakes from the service payloads, and if you could get the mapping of the device iP address to a subscriber id held in a usage database, and if you could map the id to a subscriber's real name held in a customer management database, then, maybe you might have personal information for a bachelor in a bachelor apartment and have breeched a law. Maybe.

That is a lot of ifs. But more important, it assumes that all this information—already segregated for business reasons unrelated to privacy—can be brought together without obstacle.

A proposed pII Code of Conduct

What would be useful for risk mangers in the ioT are some basic rules or a code of conduct for dealing with privacy in the ioT.[1] For instance, start with a truth we can agree on, hopefully: ioT Privacy Maxim: information is personal if identity can be correlated with activity. if information is about activity or events that are not about people, then it is not intrinsically personal. For instance, information about the temperature of the nickel smelter is probably not personal even in the wildest dreams of the most partisan privacy advocate.

However, if the identity of a person getting on a bus is recorded in their transit pass, and the time, date, and gPS coordinates of the bus are also logged somewhere, then Pii could certainly, but not necessarily, have been generated. it is about correlation between identity and activity.

if ioT data flows contained information that could be correlated for later use or disclosure about a identifiable person, it might be Pii. But not so fast!

Move to rule number 1: ioT Privacy Rule #1: Pii exists if correlation of identity to activity is viable and probable.

A frequently cited tenant of the audit profession is “would a well-informed and reasonable person agree?” When it comes to privacy and the ioT, the same tenant should apply. is the assertion of both viability and probably of correlation rendered by reasonable and well-informed people? is it reasonably possible to affect the correlation? Are the sources accessible such that a reasonable and well-informed person believes that it would come to pass given the time, skills, resources, and motivations of putative threat agents? Without the security jargon: is this a serious risk?

The ioT is personal to the extent that data containing both identity and activity can be correlated. Correlating an identity to the data generated by everything else a person comes into contact with physically and logically and you have the whole picture. But getting access to that identity is all too often assumed to be simple or even viable, when in fact it is not. This is where the delta between technically competent and incompetent advocates will become apparent and a danger that swallows iT project whole, like Charybdis from Homer's Odyssey, sucking in ships and crew.

To people who contend an iP address is Pii, we say “show us.” Show us how to (legally or illegally—you choose) get logs from the devices that issue the temporary iP addresses (carrier dHCP) to gateway devices (home modems or business routers), then get account ids assigned by different systems (RAdiuS), and then the logs from the account id system that relate the (yet again) separate billing systems, which ultimately identifies people. Then show us how you get event logs from the gateway devices (which rarely do any logging at all) and match those to the temporarily assigned internal iP addresses (home/business dHCP) within the home or business. And then make sure the person using the internal device is the same as the person paying the bills. Seriously.

This could bring us to a second rule, about viability and probability if the nature of the information is still uncertain: ioT Privacy Rule #2: Pii exists if identity and activity information exists in the same repository.

So what might “viable and probable” look like as far as identity correlation in the ioT is concerned? identity data stored in the same repository (information source managed and accessible by the same applications, users, and administrators) as the activity artifacts associated with that identity (logs, transactions, media recordings, etc.) would viably be Pii. Even if the identity data were obscured in some manner, it would still be possible through this single repository to correlate activity and an obscured identity. Meaningless but unique identifiers, over time, will usually yield identity if they can be readily compared to ioT activity.

As a counterbalance to Rule 2 is Rule 3:

ioT Privacy guideline #3: Pii is not intrinsic when identity and activity artifacts are in separate repositories.

if the identity information and ioT activity artifacts are logically or physically separated into two or more repositories, correlation should be assumed nonviable in the face of legitimate controls. in other words, if multiple repositories must be correlated and there are auditable security programs in place to prevent unapproved usage and disclosure of the data, there is no assumption that Pii exists. Especially if security has been controlled among repositories, and the custodian of the information is of good character.

What about the Network?

information and data exist in three primary states: (1) at rest (in storage of some sort), (2) in use (in active memory and being processed), or (3) in motion (within the network, moving among processing or storage).

our earlier discussion about Pii rules was centered around an assumption that data are most often accessed while at rest, in a repository. information in use is also accessible but is far more complicated to gain access to, and a “viability” argument will rapidly come into play: accessing volatile memory used for processing requires highly specialized tools, skills, and privileges—and sometimes physical access to the guts of the system. But what about data in motion?

if you really want to know everything about someone, you tap their network connections. The ability to tap network connections is essentially the ability to watch everything. So does this mean that networks are the ultimate form of Pii, being some form of “dynamic repository” subject to all the regulation and controls of Pii? The answer is “no” and here are just two reasons why networks are not the ultimate vessels of Pii.

First, within any given network, many of the data streams are specifically encrypted from source to destination. So understanding what is in the data stream is frequently not possible, although traffic pattern analysis remains possible even with encrypted data streams. So the Pii is limited to the fact that a given network address (not “identity”) communicated with a place on the internet at a certain time and in a certain volume.

Second, most devices that originate substantial amounts of potential Pii these days are mobile devices, like smartphones. Mobile devices tend to traverse many networks throughout the day. Mobile devices might start on the home Wi-Fi network, move to the 4g cellular network on the way to work, offload to the employer's office network, offload to the local café network at 10 a.m. and then again at lunch and then again at 2:30 p.m., back to the employer network, and then the 4g network, and finally the home network. All these networks are frequently, independently controlled. Also, the same device will be assigned unique, recycled iP addresses each time it jumps from network to network. Trying to track such devices and collect their traffic falls in the “nonviable” category for the national Security Agency, Superman, and probably god. network-based correlation by default usually fails ioT Privacy Rule #1—“not viable,” although exceptions will exist but must be proven rather than assumed.

  • [1] We do recognize this as a fraught proposition of addressing complex questions with simple answers, as Isaac Asimov so famously illustrated over 50 years ago.
Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science