DADA – smart home IoT cybersecurity from a socio-legal perspective
Since joining Horizon in December 2018, the main part of my research has largely been developed around DADA, working closely with Mac and Lachlan Urquhart on Compliance by Design. As a smart home cybersecurity technology still “in the making”, DADA has already problematized a number of legal notions – notably in data protection law – that have not been an issue in a non-smart home setting. For instance, it is not clear whether the “household exemption” that privileges use of personal data for purely personal or domestic purposes, applies to the use of DADA or similar technologies by smart home owners. Also, the complex architecture of DADA, which involves a wide range of stakeholders, also challenges the concept of “data controller” and may potentially “turn everyone into a joint controller”.
With these concerns in mind, Mac, Lilian (Edwards), Lachlan and I have been developing a research paper to address such legal issues with DADA and Databox as the use cases. We believe it is important to flag up the difficulties in applying the data protection legal framework to certain disruptive technologies in an IoT context. The paper is now being finalised and we plan to submit a full version to the ACM FAT* 2020 Conference.
In the meantime, we have been disseminating some preliminary findings of the paper. Lachlan and I presented some of our research to the technology law community at the BILETA 2019 Conference in Belfast. Lilian presented some further developed ideas at TILTing Perspectives 2019 Conference.
At BILETA 2019. Photo credit: Wenlong Li
We are already planning a follow-on paper to investigate in greater depth some of the ethical and societal issues foreshadowed in our work. Working closely with the other work led by Andy (Crabtree) and Murray (Goulden), we hope to harness their unique and helpful methodology of presenting “scenarios” of DADA to focus groups, in order to expose the potential challenges and to test user attitudes. As part of our work Lachlan and I have scheduled some interviews with representatives from the IoT industry to gain some insights into the compliance and design challenges in practice.
Data protection law in other areas
Apart from smart home IoT, complying with data protection proves also challenging in a wide range of other fields. I have been working with colleagues from across the UK to explore some of the uncharted territories. Andy, Lachlan and I have finished a paper entitled “Right to an Explanation Considered Harmful” (available on SSRN), in which we argue some solutions offered by the machine learning community to implement the GDPR’s “right to explanation” may have created unrealistic expectations.
In another area, perhaps closer to my heart as a researcher, my colleague Edward Dove from Edinburgh Law School and I have examined how the “research exemption” has been constructed differently under EU, UK, Irish and South African data protection law. This article has been submitted to International Data Privacy Law and is currently under review. On a slightly different subject, we are also in the process of developing another analysis piece on how the GDPR may impact “citizen science”, which we aim to submit to the Journal of Law, Medicine & Ethics by the end of August.
Policy impact
An important part of my work at Horizon also involves preparing written evidence or responses to public inquiries or consultations. Submissions are made to Parliament Joint Select Committee on Human Rights inquiry “The Right to Privacy (Article 8) and the Digital Revolution” (submission in HTML and PDF), the DCMS Consultation on the Government’s regulatory proposals regarding consumer Internet of Things (IoT) security, the CDEI call for evidence on online targeting, and the BEIS/DCMS Smart Data consultation.
Other engagement activities
On the “borderlands” of my research interests are a number of talks and other engagement activities. In May, I gave a talk titled “Fifty Shades of Grey(lists)” at the GikII sessions at TILTing Perspective 2019, where I made a (hopefully not too far-fetched) comparison between the exploitative data controller/subject relationship and the erotic-romantic relationship shown in the novel/movie. In June, my contribution to the online discussion on social credit system featured on the academic blog Verfassungsblog. In July, I went back to Edinburgh to give a talk at Edinburgh Law School on the differences between data protection, consumer protection and competition law in terms of dispute resolution among national regulators.
Tags: cyber security, data, IoT, smart products