With 2015 being hailed as a potentially pivotal year for the Internet of Things, privacy could easily become a victim of the competitive forces that drive its development.
As we approach the end of the 2020s, we will be able to look back 15 years and see how, for what used to be called the Internet of Things (IoT), 2015 was a pivotal year. The hype was nearing its initial peak, ready to plummet. But that also meant the concerns over what the IoT meant for society and the businesses that service it were beginning to surface.
As practically any company with a vague interest in connecting devices to a network jumped on the IoT bandwagon, it was a term destined to become suddenly unfashionable as the first hype bubble broke. This, after all, was a technology unlikely to break out from the standard profile of Gartner's hype cycle – a graph of the development of technology from inception to adoption. Seemingly every technology is condemned to a burst of early interest, only to be met with exasperation and derision for a while before real adoption begins – assuming it does not disappear without trace.
As Rob Chandhok, senior vice president of software strategy for Qualcomm, said at the Hot Chips conference in 2014: "It's a term that's so overloaded now. I think in five years' time we won't talk about the Internet of Things, we will just be back to talking about the Internet." As everything with an Internet address is already a 'thing', he said, the term IoT would turn out to be redundant. "But we will have a billion more devices connected."
However, it is worth noting that the one technology not forced to roll along the hype-cycle rollercoaster was the Internet itself. Although the stock-market bubble around Internet and telecom companies burst at the end of 2000, usage of the technology did not decline anywhere near as precipitously. By that point, it already had mass adoption and had seen usage grow quickly from the point that the world wide web did actually go worldwide. The key difference for the Internet, though, was that its underlying technologies developed largely out of public view until software such as Mosaic for web browsing became available.
The IoT was not so resilient to the sudden downturn in interest as commercial difficulties began to surface. This did provide time to fix some of the technical issues, but it made the commercial justification much harder. At first, the people building the networks thought they were best placed to succeed financially. They were wrong. A shadow infrastructure of data arbitrage and processing built on top of their systems captured much of the financial advantage of what we now call the real-time net and, while it helped provide an incentive to build the networks, it was also well enough entrenched to dominate the market and suppress concerns over the growth of data trading.
The Federal Trade Commission issued a report in 2014 warning of the lack of transparency and potential dominance of this group of companies, but it went largely ignored, partly because the brokers were less visible to consumers than the highly public social-media companies.
We should have had a debate about data ownership but, like so many other pieces in the evolution of technology, it never really happened despite attempts from within unexpected parts of the industry. ARM and AMD warned about the issues in 2014 with the publication of a jointly written white paper. Stephen Pattison, vice president of public affairs at ARM, said the concern was that, if data-privacy issues were not tackled, growth of the IoT would stall. "We want to make sure that the broad market for products of which we are an ingredient will grow."
Pattison explained the problem: "The law of unintended consequences is crucial. The extraordinary thing about data is that it's almost infinitely reusable. So, the focus has to be on use rather than collection.
"Where consumers are unhappy is where they become the topic of data, where your health data does not just go to your personal trainer but to your employer and that data is used to make predictions about you."
But too many players were involved; too many divergent corporate interests pulled the legislators into inaction. Although the EU tightened up privacy laws by focusing not just on the individual but the devices they carried – largely driven by longstanding concerns held by the German public – in the end policy could not keep up with technology.
The UK government, for example, worked on the basis that for the smart grid market to function, service providers needed access to consumer data outside contract periods. Companies simply had to cite 'business relationships' to gain access to data although protests did manage to curtail the amount of fine-grained usage data they could obtain. Companies chipped away at the edges of what the legislation meant until they obtained the ability to profile a large proportion of the user base – or passed data to others who would do the job for them. And countries outside Europe often simply had less interest in legislating for privacy.
Even where privacy was a concern, many technologists thought anonymising data by simply stripping off names and replacing them with hashes or IDs was enough. In fact, this shallow form of anonymity became the bane of true privacy.
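The weakness of that approach is easy to demonstrate. The sketch below is purely illustrative – the record fields and names are invented – but it shows how a hashed identifier falls to a simple dictionary attack once an attacker can enumerate plausible inputs:

```python
import hashlib

def pseudonymise(name: str) -> str:
    """Replace a name with a hex digest -- the kind of 'anonymisation'
    many systems relied on."""
    return hashlib.sha256(name.encode()).hexdigest()

# A released "anonymised" record (invented example data)
record = {"user": pseudonymise("Alice Smith"), "kwh_used": 412}

# An attacker with a list of candidate names simply hashes each one
# and compares digests -- the pseudonym falls to a dictionary attack.
candidates = ["Bob Jones", "Alice Smith", "Carol White"]
reidentified = {pseudonymise(n): n for n in candidates}

print(reidentified.get(record["user"]))  # -> Alice Smith
```

Because the hash is deterministic and the input space (names, meter IDs, phone numbers) is small, stripping names in this way relabels individuals rather than hiding them.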
What governments and corporations did not consider adequately were the ways in which data mining could be used across many different sources to piece profiles together – many databases and data streams were not built with what Microsoft researcher Cynthia Dwork termed "differential privacy" in mind. The technique, which involves adding a level of noise to anonymised data and which was used for the 2021 UK census, was not easy to deploy, particularly with data coming from many different independent sources. Those with an interest in breaking the system had more funding than those trying to protect it – particularly as few organisations had a genuine incentive to protect privacy beyond legal pressure.
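The core mechanism itself is conceptually simple; the difficulty lay in coordinating it across independent sources. As a minimal sketch (function names here are illustrative, not from any published library), a differentially private count adds Laplace noise scaled to the query's sensitivity divided by the privacy budget epsilon:

```python
import random

def laplace_noise(scale: float) -> float:
    # The difference of two i.i.d. exponential samples is
    # Laplace-distributed with the given scale parameter.
    return random.expovariate(1.0 / scale) - random.expovariate(1.0 / scale)

def dp_count(true_count: int, epsilon: float, sensitivity: float = 1.0) -> float:
    """Release a count with Laplace noise calibrated to sensitivity/epsilon,
    so adding or removing any one individual barely shifts the output
    distribution."""
    return true_count + laplace_noise(sensitivity / epsilon)

# Each release consumes privacy budget: smaller epsilon, more noise.
noisy = dp_count(4128, epsilon=0.5)
```

Individual releases are noisy but large aggregates stay useful; the harder, largely unsolved problem was accounting for the budget across many queries issued by many independent data holders.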
The need to pre-process data did not help. Joe Salvo, director of GE Global Research, pointed out in 2014 that the IoT would force organisations to face choices over what data they kept and what they deleted. "We have to learn how to forget things," said Salvo. "It will be one of the differentiators of the future. The need for speed is what will force you to do it. The time it takes to root through those terabytes is too much."
Once organisations failed to keep pace with the incoming stream, they could never catch up without deleting large chunks of it. Even if they could keep pace, backup strategies imposed further costs, which further focused the attention of IT managers on ways to strip data to its bare essentials. They usually concentrated on what they thought they could salvage from the data itself, believing simple ID codes would anonymise it without revealing the source. But prevailing business trends created a strong incentive to break that anonymisation, and this shifted much of the power to companies that did not invest directly in the IoT.
The network operators could have played a key role in sifting through the data, preprocessing it and rendering it into a more compact, manageable form. But they failed to act quickly enough. The problem, as we would later learn, was that the underlying financial model for the IoT began some years earlier in the social-media revolution and the rise of the first 'thing' – the smartphone. It was here that the data brokers consolidated their power base.
At the DATE conference in 2013, Benedetto Vigna, general manager of the analogue, MEMS and sensors group at STMicroelectronics, said the phone was the ideal proving ground for IoT concepts. "The mobile phone is an excellent opportunity to miniaturise technology," he claimed. "The smartphone is a way to stress suppliers and research centres to optimise the sensors for a volume market. Over the next few years, the phone will start to have environmental sensors – measuring pressure, temperature and humidity."
Vigna said users armed with mobile phones would act as mobile pollution sensors as they returned that and other usage data to servers. They could also relay information picked up from environmental sensors in the street or in public places. Vigna called this the "distributed phone", adding: "Sensors can be on the phone, on the body or in the environment."
Once you consider the smartphone as a mobile sensing unit, incorporating other sensing units into the architecture is not a major leap. The focus on the phone should have handed a large degree of control to the telecom operators, which also bid for contracts to operate networks needed for the smart grid.
It made sense to deploy microservers alongside basestations to analyse and filter some of the data passing through, which would have relieved some pressure on their own backhaul networks. But they were unable to agree on sharing data with each other. Data users were reluctant to sign deals with individual mobile operators simply to offload some compute and the operators' mistrust of each other stalled any attempt to provide a unified service.
The data brokers had more time to ink such deals with the operators, either agreeing co-location arrangements – which the mobile operators saw as easy if low-margin revenue – or simply funnelling data into their own virtual data centres, often piggybacked on cloud services close to areas of high data-traffic density.
The way that market evolved underlined the idea that knowledge is power but data is just clutter. The brokers were able to sell what passed for knowledge at high margins and pay little more than the cost of piping bits around for the raw data.
Social media and what were now 'traditional Internet' companies such as Google were potentially in an ideal position to capture much of the data. In an attempt to reduce infrastructure costs and lever smaller competitors out of the way, they had successfully cut peering deals with each other, isolating much Internet traffic to these large core networks. But a combination of mutual mistrust and well-meaning legislation designed to preserve some semblance of net neutrality left them unable and unwilling to share the anonymised data they, somewhat ironically, moved around.
Cutting deals for data
The brokers also had more time to deal with local authorities that had, slowly, managed to get their contractors to deploy environmental sensors. The issues surrounding these long-term contracts handed a further advantage to brokerage and analytics companies because they had the flexibility to cut direct deals for data with the suppliers and sell it back to the local authorities.
Local authorities often found their original contracts did not cover key pieces of information they wanted for new applications and it was cheaper to go to the brokers than to pay the onerous penalties for going beyond a fixed-price contract that had been pared to the bone. The sensor data from streetlights, refuse bins and traffic sensors further improved the ability of analytics companies to make sense of other anonymised data in various subtle ways, so they were only too keen to gain access to it.
The analytics companies were not the only ones to profit from the real-time net. As with most gold rushes, those making the profits in the early days were those providing the tools.
Companies involved in deployment generally wound up making losses – financed primarily by venture capital in the belief that obtaining a lock on data would be valuable. In practice, similar data could often be obtained elsewhere, something that the data brokers could supply profitably without ever touching the network.
And so it was the companies at the far end of the chain that profited most from the IoT revolution, more so than those who made the sensors, the network machinery, the middleware or the battery of servers. A series of seemingly logical decisions simply handed the power over to other players.