Privacy and Security, Security and Privacy. These are the two most talked about issues in IoT that everyone seems to be unable to figure out and do so while allowing lower TCO and increased efficiency. I have written before about security at Michael Holdmann’s Blog and will focus this post on privacy.
The requirement for a pub/sub service broker architecture seems to be the general consensus, other than a few hold outs, of the base architecture for IoT and the fact that you need an event driven fabric is also pretty clear. Now we need to understand who has ultimate authority over the data that is being produced by the billions of predicted devices. This topic was discussed during the Agriculture session at IoT World Palo Alto June 17, 18 2014. It was stated that the same topic would be discussed next year at the conference as there is no solution today.
The agriculture panel discussion topic asked whose data is it, how can they have the control to decide not only who gets the data but more importantly from which device(s) and which specific data of the device(s). The first issue is whose data is it and the consensus among the majority is it belongs to the farmer as he owns the land. What about the manufacturer and state/federal/non-profit agencies that could look at the data to engineer better machinery for lower energy consumption or understand the environment and help the whole region as opposed to only the owner of the land where the device is located by receiving the data for understanding of soil types, watering habits etc. to produce more fruitful and nutritious crops.
This article is not to debate whether state/federal/non-profit agencies have the rights to use the data for purposes of understanding regional success of growing crops, it is to understand how to protect the privacy of the data and what the function of the pub/sub platform should be. In most pub/sub systems, the subscriber has the ability to decide on the data it chooses to access and/or keep, the subscriber adds itself to a roster (friend list) assigned to nodes/container nodes which the subscriber can choose to receive the data from. This is not giving full privacy rights to the publisher of the data, the publisher must be given capability to authorize all additions to roster.
There are two distinct models that allow full privacy capabilities to the publisher. 1) manufacturer/supplier owns the node 2) you own the node. If manufacturer owns the node, they must supply a unique id for that node which you then publish the data from each individual device to that node, which you and only you have full authorization to instruct the unique id (device) to do. You can also publish information to any other entity you choose by publishing to a node they have set up. When you own the node, they provide you an id of their user (client) so you the publisher can grant them access to subscribe to that node. You could then allow access only to the devices that would fit a profile of a subscriber, let’s face it, the GE refrigerator repairman does not need to know what is happening with my Whirlpool stove and vice versa.
To further enhance privacy, detaching the device ID from an IP address and structuring the device ID as an email address for instance using the MAC address or serial number of the device for unique identifier (firstname.lastname@example.org) with no need to attach profile of human or business is required. The statement, attached profile, may seem strange however there are instances where a user’s personal profile may be attached to a device, a cable set top box for instance. Allowing discovery over a cable system to the ratings agency by understanding real time remote click and allowing customization of content to the likes/dislikes of the set top box (user) is of great interest to the advertising community and cable system operator, doing so without a personal profile attached i.e. gender, age, name address, etc. is required.
Now that the publisher has been handed the keys to his/her own kingdom, the question of how do companies/agencies gain access to the data for purpose of understanding and creating efficiency across a micro or macro grid for instance in energy, or more importantly to companies, using data as a revenue stream now gets asked. This is achievable, you must however now request permission of the owner to do so.
Let’s look at a home, under two scenarios 1) the homeowner has access to data in the house, as available with AT&T Digital Life, also needed is an entity (utility/service) that can act on the event that may happen in case the homeowner is not in a position to do so and 2) there is need for the data to be used by entities like utilities, for understanding of power consumption and addressing averages at the street, neighborhood, city, county, regional level.
Scenario 1- The homeowner is out of town and an event happens, it is great the AT&T Digital Life lets you see this on your smart device, what if it is an event that can only be addressed in person like a water sensor indicating your wash machine is flooding? The ability for the homeowner to simultaneously have the event sent to a service company or utility that can act upon and limit damage in real time is essential. The publisher having the right to authorize at the individual device level and authorize which event is sent to which subscriber(s) is imperative in IoT.
Scenario 2- The ability to allow utilities to understand device usage can be done anonymously so personal identification is protected. This may make it easier for a homeowner to allow a utility to control, with full override capability by the homeowner, devices within the house. We already have accepted the capability of motion detectors to allow the turning off of lights after a preset time with no activity in a room or the TV turning off after no activity for a while, what about the ability to lower energy consumption from an air conditioner or heater based on same scenario.
Now some of this intelligence needs to stay only local, which is the belief of the author, that it is an Internet of Nodes not an Internet of Things, there is a hierarchy. Some data needs to go out of the home, building, plane, train, etc. (node) when things are acting out of normal operational state. Let’ say there is a large energy draw from a single home in a neighborhood, construction is being done for instance. Would it be feasible for the utility to have the right/capability to make adjustments to power draw from other homes, based on non-motion NOT time of day, to homes in close proximity for the purpose of averaging out the usage on the street in order to average the overall power consumption of the grid? Same scenario can go up the levels to make sure the entire grid is creating energy efficiency.
A simpler capability, using a time of day was accomplished in building automation with Remote Device Management of a movie theater chain saving on average 30% power consumption. During times of high volume (lots of people watching movie) employees would adjust the air conditioner as the body heat raised the ambient temperature of the theater. The issue became that employees forgot the re adjust the thermostat when closing causing unnecessary power consumption. With the ability to detect that the A/C was still on after the theater was closed and allowing the system to automatically adjust the thermostat to the proper night time level was one of the operational capabilities that allowed the savings.
So, privacy and security is capable today, and the capability outlined in the post is reliant on using a specific protocol, XMPP. The protocol is currently used on every iOS for all app and platform notifications and part of every Android system. It is the protocol for Google Cloud GCM Connection server. It has been adopted as the standard by UPnP Forum, AllSeen alliance, ISO/IEC/IEEE in P21451-1-4 and IEC TC57 for energy industry. I, in no way am advocating the protocol to be the ONE that rules all, I am advocating due to the security and privacy function defined in the protocol standard as well as the federation of disparate systems, that it be the protocol for Gateway to Cloud of IoT. It is not for constrained networks, or very small memory devices, which is why I believe the IoT is a hierarchy with nodes (domains) and different levels of data needs.
I look forward to discussions and thoughts on this post, as well as opportunities to work with your organizations to deploy a future proofed IoT platform that will allow not only the systems you currently have in place but the addition of new and future systems to be adapted without having to fork lift out the old and replace with entirely new equipment and systems.