Tuesday, March 14, 2017

With Internet-of-Things, the consumer is not a customer but a supplier!

With Internet-of-Things, the consumer is not a customer but a supplier!

Authors: Joram Teusink, Rick Veenstra

In the soon-to-be world in which everything is connected to everything, we will face quite some (unforeseen) challenges. One of those challenges is related to the protection of privacy and security of the system as a whole. The other one is the role of the consumer. To quickly sum it up in a single statement:

In the world Internet-of-Things, the consumer is not (only) a customer but (also) a supplier.

In this blog post we will focus on why we make this statement and why we think this new paradigm holds true. We will talk about the fundamental shift in the way we think, or should think, about data and privacy.

You own your devices

This sounds rather plausible, right? And it is. Because with every device you buy you take on the responsibility of owning it. Whether it is connected to anything beyond the power cord or not, by paying the bill you accepted the ownership of the 'thing'. This has many consequences, but we´ll first address the issue of data ownership.

Do you own the data?

Imagine the device you bought is connected to a data network. Not exactly a mental stretch with a 'thing' we refer to as a device in the 'Internet of Things'. This device will generate or accumulate data. This might be simple sensory data or more complex data structures that describe behavioral patterns. It tells something about who you are and what you do. This data is often considered sensitive or at least personal. In the near future, this will certainly extend to data we have not yet dared to dream about.

For now, this data may be your thermostat that is building up a profile of your presence and the temperature of your room or your 'smart' TV that is building up a profile of what you like to watch. Another popular application is home security, such as video-cameras that continuously register what is going on in your most private environment. Which is by the way an intrusion to your privacy that the police and intelligence agencies are only allowed to with a legal warrant. All this collected data is privacy sensitive. It becomes even more sensitive when combined with data that is collected by other devices you may own or services you use.

This data is valuable for you. Or at least it should be. Most people do not want their conversations with their lovers to be openly shared across social media -- especially not if that conversation is spiced with photographic material of a certain private nature. But that is not the only data that is valuable. Almost all data about you should be valuable to you and treated as sensitive. "Why?" you might ask. Because this data can be used to influence you. Your data is being used in ways that cause no direct damage, at least no damage that you could easily identify. But the way you are being influenced is not necessarily in your direct interest; it is primarily aimed at increasing the profit of some company.

Companies are willing to spend substantial money to get access to this data. Because they can use it to tailor their ways of influencing your behavior, which is the very nature of advertisements.

There are many business models in which large corporations get access to your sensitive data. But for now, we will stick to the one that is the easiest to grasp and is the basic premise that most people base their use of data-collecting devices on:

You own the devices; therefore, you are the owner of all data that is collected by these devices.

Are you selling your data?

Now follow us in the next step. You own and operate devices that collects data about you. What are you doing with this data?

When you use devices that collect all this data, both of which you own, do you use them commercially? It depends a bit on the privacy policies you agreed upon with the supplier of the services, but the answer to this is very likely a "yes". Even when you are just an individual and not a company. This may not be the way you look at it now, so let us explain we make this statement.

Most likely you share this data with a company, in exchange for a service or an 'enhanced experience' as they so exquisitely frame it. This company may be the one that built the device or provided it to you; frequently these things are bundled it with an on-line service directly coupled with the device. It may be a third party, which uses the data to enhance your experience of the device or to provide additional (value adding) services. In both cases, you provide data in exchange for a service.

Usually this can be characterized as one of four types of supplier-customer relations:

  1. You have paid for the service with a one-time fee with the purchase of the device. This usually covers a limited period of time, although this is rarely made explicit. Degradation of service over time is almost guaranteed; the older the device, the flakier support tends to become. Your smartphone or tablet are likely the most explanatory examples.
  2. You pay a recurring subscription fee, which is usually supposed to cover all operational costs of the service provider. This model is the traditional pay-as-you-go service model that has been around since way before the internet was conceived and is still the most viable for the supplier in the long term.
  3. You do not pay any monetary fees, but your usage of the services adds to the momentum and user base for the service provider´s paid services which cover for the cost of the free services as well.
  4. You do not pay any monetary fees, but allow the service provider to use your data to build profiles that it will monetize to its own discretion, i.e. targeted advertising. In this case is covered by the adage ¨if you don´t pay for the product, you are the product¨.
So, whether it is in exchange for money or not, you actually trade (sell) your data.

How does this effect your position in the 'supply chain'?

Our argumentation up to this point can be summarized in three statements:
  • you own the IoT-device; 
  • you own the data it collects; 
  • you trade the data.
If you own stuff that collects or generates data and you trade it with a company, you are essentially a service provider. You are the supplier of your data, and you sell it in exchange for either money, features or services! The other party is the consumer, since it 'consumes' your data. This might sound very silly or strange, so let us explain why we think this holds true.

  1. There is a supplier who sells IoT-devices. It supplies you with equipment, with 'things'. When you buy something, you are the customer.
  2. Upon enabling the IoT-device to provide data to the supplier's services –or those of a third party– you become a supplier yourself: a supplier of data to be precise.
  3. Your customer is in many cases the supplier of your device (the equipment), now in the role of the one who is utilizing your data.
So, in this situation you are performing four roles:

  1. the customer in buying the device;
  2. the supplier of data by trading your data with your customer.
  3. the customer in paying for services which utilize the data generated by the device;
  4. the consumer of the services.
Traditionally we only think about #1 and #4 and consider them as one single role. This has the consequence that role #2 is obscured; it is rarely more than an afterthought when even considered at all. That is why we strongly believe the paradigm shift is needed, or to the very least should be debated.

Because you as a customer also perform role #2, we can state:

In the world of IoT, the consumer (of a device) is a supplier (of data).

The consumer as data supplier: privacy considerations

If you consider the data flow we described as a supply chain, you make the shift from a customer/consumer-centric view to a set of demand-supply relations that is very common in the corporate world. And if you are familiar with data protection in this context, you might get a little itchy. Because this viewpoint has quite some implications for accountability and liability regarding data protection and security.

If you are a company and selling data to a data consumer (your customer), you are required to do at least four things:

  1. specify the Terms of Use for the data;
  2. obtain consent of the data subjects (the individuals about whom you collect data) to this Terms of Use;
  3. cover the use of this data by a legally binding agreement with your customer;
  4. take every reasonable precaution to ensure that the data is only used by authorized parties and only for the intended purpose for which it has been collected. This is the topic of Information Security and Privacy.
These obligations are all within the scope of the EU General Data Protection Regulation (a.k.a. the EU-GDPR).

If you are an individual, requirement #2 may be considered as implicitly satisfied since the data subject is the very same entity that provides the data. This does in no way limit your responsibility regarding data protection (requirement #4). It is just rather difficult to sue yourself for inadequate performance or non-compliance.

But when you provide services with collected data about other subjects that you do not legally represent, this (at least theoretically) can get very ugly very quick. If you want to make it really complicated, you might add another ingredient to this cocktail: the right to be forgotten that is embedded in the EU-GDPR. But that´s another topic for someone with a legal background.

We'll now step into the complications of requirement #4: the obligation to protect the security of the data you collect and distribute.

Ownership of a device: the obligations

Okay, you purchased a device and connected it to The Internet of Everything. As we have shown before you have now become a service provider. You are going to provide data to your customer. Data that will probably have privacy-sensitive characteristics, so you are required to protect this data from unauthorized access and use.

By paying the bill you accepted the ownership of the 'thing'. In doing so you made yourself accountable for all benefits and costs that come with the simple existence of the 'thing'. You are not only 'responsible' for reaping the benefits but also for the burden of operations and maintenance during its entire life cycle. Even if you manage to outsource this, which for consumer grade IoT is not (yet) likely, if at all possible, in the end you stay accountable.

If you own the device and you own the data, then you are responsible for its security. No one else but you, really! European privacy legislation is based on this very principle. Whether you generate Personal Identifiable Information (PII) or are the custodian of PII that is trusted to you by its subject (the individual about whom the data has been collected), you are what the EU-GDPR calls the 'processor' and ultimately accountable for the entire supply chain.

We could collapse role #2 (the supplier of data) with role #4 (the consumer of the processed data). If we consider it this way, the device owner (being both supplier and consumer) outsources a part of the data processing. Probably to the provider of 'value adding services'. At least the Dutch Privacy legislation requires you to cover this processing with a legally binding Data Processing Agreement (DPA). This should specify the responsibilities (not the accountability) transferred to third parties. You mandate other companies to handle data you are responsible for. You set constraints on the exact 'processing activities' that will be performed and the conditions under which they will do this.

At least that is the theory. We all know that only in theory there is no difference between theory and practice; in practice, there is. But alas, it is not only the theory but also the law.

But consumers buying things and using services accompanied with them do not sign such DPA with their third parties. At best, they accept the Terms of Service that govern such services. And let’s hope that is not an instance of what we call 'the biggest lie on the internet': they click a checkbox stating something like "I have read the (...) and accept to be bound by this" without reading the text. It is quite likely that these terms of service just contain a full waiver to the service provider for all responsibilities that should be contained in a Data Processing Agreement.

Where the snake bites its own tail

Now we have the situation where the consumer remains ultimately responsible for data processing that he has completely outsourced. Even worse: processing has been outsourced in a way that has essentially stripped him from any control over it.

In your role as a consumer of services, you subscribe to a service using your PII. You agree that this service provider will be processing your sensitive data. You would require adequate protection of this valuable data. But your service provider has outsourced the data collection process to a party that is unable to adequately protect this data as it is generated, collected, stored and transferred. This would be unacceptable because the supplier is violating the EU GDPR.

But in this case, you are the data provider yourself. You as a service consumer agree that the service is delivered by an unreliable data provider and therefore you cannot hold the service provider accountable for any consequence of this data provider failing. Ridiculous if a third party were involved, but legally valid if you are the data provider yourself.


The way we look at the Internet of Things --especially in the consumer domain-- needs a fundamental change in perspective. If we consider the data flow generated by IoT-devices as a supply chain, we make the shift from a customer/consumer-centric view to a set of demand-supply relations. This is a rather uncomfortable position, because it has quite some implications for accountability and liability regarding data protection and security.

At the same time consumers (including ourselves) are not acting in alignment with the roles that this viewpoint uncovers. We end up being service providers who are completely responsible for data protection over the entire supply chain. Yet our customers and suppliers are usually not bound to any obligations to protect this data. And we lack the tools to do it properly ourselves.

Thinking of IoT as a chain of demand-supply relations may help to identify systemic weaknesses. It may turn out to be a good start for finding effective strategies to fight the undesirable exploitation of these weaknesses.

About the authors

Joram Teusink and Rick Veenstra are both Information Security Officers and close friends.

Re-posts on…



Post a Comment