For the People and By the People: Shaping Norms for the Internet of Things

Susan Ariel Aaronson is a research professor and cross-disciplinary fellow at George Washington University. Ethan Wham is social media consultant and a member of the greater Washington, DC chapter of the Internet Society.

In 2012, then CIA Director General David Petraeus gave a disturbing speech on the internet of things (IoT). He noted that individuals, firms, and governments increasingly rely on devices like cars, refrigerators, and smart watches equipped with sensors and connected to the internet. Petraeus contended that IoT-related technologies are changing societal notions of what tasks machines acting “on their own” or in communion with other devices can do. He warned that these devices not only “think, but they are learning to … sense and respond.”

IoT devices use a wide range of data collected from individuals, groups of people, firms, machines, and governments to make decisions that can save time, lives, and money. These devices will dramatically alter how humans interact with machines, businesses, governments, and with each other; they will be ubiquitous. Thus, as General Petraeus noted, although the internet of things will help us become more efficient and productive, these devices may have unanticipated costs to individuals’ security and privacy. For example, an IoT-driven car can help a person travel, but the same car could be hacked or struggle to make ethical decisions (such as choosing between saving a passenger or pedestrian’s life).

Many people are concerned about a future where humans are dependent on IoT devices. In 2016, the Mobile Ecosystem Forum surveyed 5,000 mobile users in eight countries including Brazil, India, and South Africa found that some 62 percent said they were concerned about privacy and some 54 percent said they were most concerned about device security on the internet of things. In a 2016 poll of cybersecurity experts 84 percent of respondents stated there is a medium to high likelihood of a cyberattack disrupting critical infrastructure that rely on IoT devices.

Moreover, many users already struggle to control their privacy and security online. A 2012 study of Facebook users found that although these users sought privacy, “the amount and scope of personal information that Facebook users revealed … increased over time—and … so did disclosures to ‘silent listeners’ including Facebook … third-party apps, and … advertisers.” Given the sheer number of devices and magnitude of information, it will become even harder for users to control their data with IoT devices.

Security and privacy in the internet of things presents what scholars call a wicked problem, where potential solutions could have significant unanticipated side effects. Citizens around the world must play a greater role in the development of norms to protect privacy and security for the internet of things. However, to participate effectively, individuals must first gain a better understanding of how these devices affect their privacy and security.

It will not be easy to develop norms on these issues. Although some governments such as the United States and European Union have organized discussions on the internet of things, the bulk of the world’s population has little exposure to this debate. Moreover, every country has different social mores, yet many multistakeholder organizations contend that norms must be global and interoperable. Finally, every device is different and norms will vary based on use.

Trusted multistakeholder organizations such as the Internet Society (ISOC) and the DONA Foundation can—and should—lead the education and norms building effort. ISOC is an international nonprofit organization that engages in a wide spectrum of internet issues, education and policy development that has long informed and engaged the public on such matters. The DONA Foundation administers, manages, and coordinates the registration and resolution of identifiers for digital objects, effectively providing the address book for the internet of things.

Both organizations already use a wide range of outreach strategies—free online courses, blog posts, articles, papers, crowdsourcing, conferences, and public debates—to both educate more people and get them involved in a norms discussion. Moreover, both organizations have long worked with a variety of users, technologists, policymakers, activists, and business executives.

As ISOC and DONA begin their outreach, there are a number of questions they should encourage individuals to ask themselves to kick start the norms discussion. These could include: Who owns and controls the data conveyed to IoT devices? How should the data be used and protected? How can norms be developed that do not favor one IoT technology or application over another?

Understanding the potential costs and benefits of the burgeoning internet of things will only come through a sustained discussion with internet users, businesses, academics and policymakers. Over time, these discussions will hopefully lead to the development of industry norms, best practices, and regulation conceived both for and by the people.