Connected and autonomous cars, remote health monitoring, real-time industrial production optimization, smart cities—these are some of the key applications enabled by the Internet of Things (IoT). IoT offers connectivity and easy retrieval of streaming information from sensors and actuators, but those are not the most important benefits. Rather, integrating the newly available data with the scale, speed, and power of distributed server-based computing enables complex use cases such as intelligent traffic management for prioritizing ambulance routing or leveraging satellite imagery and ground sensors to inform crop irrigation decisions.
With these benefits come questions about what data can be used to influence actions in the real world, how it can be used, and for what purpose. In the past year, several incidents and stories in the media have crystallized some of those questions, such as:
- How does America’s constitutional right to privacy extend to the connected technologies and streams of information being introduced at an astounding pace?
- What about privacy regulations of other countries or regions, like the European Union or Singapore?
- What can we do to better secure new sources of information and corresponding technologies against criminal actors, or ones that just want to have fun at someone else’s expense?
- How do we govern what companies can see and do with our information when, all of a sudden, the companies making and selling connected products can see everything that happens to their products in the market with alarming precision?
A common theme above is the discussion of who has appropriate and legal rights to act upon the information being captured on the rapidly expanding population of connected devices. As policy makers and commercial leaders iterate on answers that satisfy both constituents and businesses, businesses will need to keep pace with solutions for handling these changes as they relate to the data they ingest, process, store, and expose.
What does this mean for you? That depends. If your business is contained in a single country and within a single, lightly regulated industry such as retail or media, then the treatment and processing of data rights, while still applicable, will have less impact than if your ambitions are broader. This is not an easy space. Companies that efficiently adapt to change will have a leg up in both addressing customer concerns and handling changing regulatory landscapes.
In this post, we’ll cover the difference between data rights versus privacy and security—this will give you perspective on ever-shifting regulatory policies and core commercial complexities around data usage. You’ll also be introduced to some projects that show how the technology industry is evolving to develop scalable solutions around intersecting concerns in data management and authorization.
What are data rights?
We should take a moment to establish working definitions of key concepts framing the discussion area: privacy, security, and data rights. While different perspectives exist, we will use the following distinctions for this post:
- Privacy—The fundamental rights of anonymity, freedom from intrusion or interference, and ability to determine and control usage of owned resources (in this case data).
- Security—The establishment of protected boundaries for access to assets (things, data, etc.) through which only known and authorized parties are permitted.
- Data rights—The definition and application of policies that govern what contextual actions and usages are allowable by known users on known resources.
The concept of data rights encompasses more than simply privacy and security concerns. It extends the foundational principles of compliance and enforcement to also include the complicated morass of context in usage and ownership. I’ve illustrated my interpretation of how data rights fits into the context of some of the core concepts in security and access management—users, resources and policies—in the image below.
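To make the distinction concrete, here is a minimal sketch (all names hypothetical) of how data rights layer on top of the familiar security trio of users, resources, and policies: a security check alone asks whether a known user may reach a resource, while a data-rights check also evaluates the context of the action, such as whether the data's owner has consented.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

@dataclass
class Resource:
    name: str
    owner: str

@dataclass
class Policy:
    """A data-rights policy: which role may take which action, under what context."""
    role: str
    action: str
    condition: callable  # contextual check, e.g. consent or jurisdiction

def is_allowed(user, resource, action, policies, context):
    # Security answers "who gets in"; data rights adds "what may they do,
    # in this context". A request passes only if some policy grants the
    # action for one of the user's roles AND its contextual condition holds.
    return any(
        p.action == action and p.role in user.roles and p.condition(resource, context)
        for p in policies
    )

# Hypothetical example: an analyst may read data only if its owner consented.
policies = [Policy("analyst", "read",
                   lambda r, ctx: ctx.get("consent_from") == r.owner)]
alice = User("alice", {"analyst"})
record = Resource("glucose_readings", owner="bob")

print(is_allowed(alice, record, "read", policies, {"consent_from": "bob"}))  # True
print(is_allowed(alice, record, "read", policies, {"consent_from": None}))   # False
```

The point of the sketch is the extra `context` argument: identical user, resource, and action can yield different answers depending on consent, contract, or jurisdiction.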
Policy change is constant
Recent history has shown that increased connectivity has spurred intense, prolonged debate and policy creation in terms of how access should be regulated. As we expand this connectivity to devices in the physical world (on phones, in transportation, in homes, in the factory), the same pattern of debate will likely emerge. These communications and connections will need to be established and governed in the context of our privacy, security, and rights to the data flowing through them.
The E.U.-U.S. Safe Harbor Framework is an excellent example of legislators reacting to current concerns about usage of data and then having to adapt to the potential impacts on consumers and corporations. This framework was the de facto governing regulation for US companies doing business in the EU until October 2015, when a court struck down the framework, sending US companies scrambling to understand the impacts of dealing with European businesses and consumers. Four months later, the Privacy Shield Framework was announced, re-establishing the principles of the Safe Harbor Framework but with slightly different regulations.
If I’m a US company doing business in the E.U., how am I expected to keep up with the implementation of complicated regulations when they keep changing? Given that pattern, what other legislation will be introduced by governments around the world to both protect their citizens and their national security?
It will take time for the community of governments, businesses, and technology practitioners to narrow in on legally (and contextually) accepted definitions for rights on data. Despite the volatility that this uncertainty entails, companies are not going to stop investment and development using connected devices to wait for the dust to settle.
Shaping a common language for data rights will be critical to scaling business models that extend and improve upon the foundational concerns of privacy and security in new connected technologies.
More than access, it’s about trust and wrangling risk
Why do we care about these policies and their effect on the rights that govern contextual actions? Establishing programmatic mechanisms of trust in any sort of commercial relationship helps minimize material risks. For businesses, a violation of trust could lead to potential loss of revenue, fraud, penalties from governing organizations, legal action, devaluation of intangible assets such as brand, or mild to severe cases of consumer inconvenience. From a consumer’s perspective, we all want the peace of mind that those voluminous privacy policies we blindly click accept on (which we really should fully read) are implemented and that the proper protections have been erected to guarantee the privacy of our property (in this case, our data) from usage beyond the bounds of the law or without appropriate consent.
At the root of this handshake is ensuring that the agents allowed to use or act upon our resources are trustworthy, and that those allowed into the sanctums of a company’s computing resources (made up of applications/systems, devices, infrastructure and data) don’t perform inappropriate, illegal, or contractually impermissible acts, whether through inadvertent consequences or direct malintent. Having rights policy measures and safeguards in place allows consumers to trust businesses, and businesses to operate a little more peacefully knowing that the risk of violating that trust is minimized.
It really is all about taking risk out of the equation: the costs to a business of violating those trusts and protections are material and can have lasting ramifications:
- Regulatory risk—Penalties for lack of compliance can cost dearly. For example, a HIPAA violation can cost up to $50,000 per violation (up to $1.5M per year for identical violations).
- Commercial risk—Think leaked trade secrets, which can cost competitive market advantage, or identity theft. A 2012 study by the Bureau of Justice Statistics put the cost of identity theft in America at $24.7B.
- Market value and brand perception—If there are trust issues, a company's market cap and brand perception could suffer severe depreciation, with a knock-on effect on future sales. An example of this, though one of reputational rather than technical integrity, lies in the repercussions of VW's intentional violation of emissions regulations.
Why is this so complicated?
Discerning who is accessing your assets and managing what they are allowed to do has always been a privacy and security concern, even before the advent of computer systems. Plenty of enterprise-level solutions for this exist in the marketplace and in cloud platforms; identity and access management (IAM) capabilities are table stakes for any MVP product. Most, if not all, cloud platforms allow for regulatory compliance and security, but few will guarantee or fully implement it. That means anyone needing IAM in the cloud must spend the time and cost of implementing and testing or auditing—AWS refers to its flavor of this as the shared responsibility model.
Implementing and maintaining an access and permission scheme is typically declarative: the specific permissions and policies for a particular user role must be created, users must be associated with roles, and the scheme must be programmatically enforced in each system. Those of you who live the joys of dealing with Microsoft Active Directory and LDAP in a large enterprise can attest that it's doable, but a nuisance.
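A toy sketch of such a declarative scheme (hypothetical role and resource names) shows why it strains at scale: every grant is an explicit tuple that someone has to author, review, and keep in sync across systems.

```python
from itertools import product

# A declarative scheme: every (role, resource, permission) grant must be
# spelled out explicitly, per system, and kept in sync as users change roles.
grants = {
    ("nurse",     "patient_record", "read"),
    ("physician", "patient_record", "read"),
    ("physician", "patient_record", "write"),
}

user_roles = {"dana": {"nurse"}}

def can(user, resource, permission):
    # A user is permitted if any of their roles holds an explicit grant.
    return any((role, resource, permission) in grants
               for role in user_roles.get(user, ()))

print(can("dana", "patient_record", "read"))   # True
print(can("dana", "patient_record", "write"))  # False

# The operational burden: role/resource/permission combinations grow
# multiplicatively. Even a modest IoT deployment (illustrative numbers)
# implies thousands of potential grants to author and review.
roles, device_types, permissions = 20, 50, 4
print(len(list(product(range(roles), range(device_types), range(permissions)))))  # 4000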
When the myriad IoT devices and sensors that will be network-connected (current forecasts run upwards of 20 billion by 2020) are brought into play, the operational burden of maintaining these roles for an increasing variety of user types and permutations could easily become unmanageable. This will drag down the productivity promise of using data to drive actions in the real world.
Additional complexity lies in the fact that data is more easily transferable than a physical asset. Companies are also entering into ever more complex commercial and business relationships, which obscure ownership and rights to data and can quickly get out of hand. Let's explore one example of how this might manifest. Say you are working with a small startup of ~50 employees. Let's call them Initech:
- Initech built a platform to provide health operations and analytics in a SaaS model for healthcare insurers in the US.
- Initech’s first customer, a health insurer for which the platform was built, has a subsidiary providing business and IT operations, to which Initech outsourced most of its functions.
- That first health insurer is also an investor in Initech.
- Employees of the health insurer, some of whom were part of the subsidiary providing operations for Initech, were also members of the health plan and had their information processed on Initech’s systems.
The above is one of the more complex business arrangements I’ve encountered. However, it is becoming more common in XaaS models, and it raises the question of who owns which data rights and how easily a standard access control scheme could be implemented.
Imagine if, in addition to information about members, the platform had to process all of the sensor readings from all the medical devices involved in care, and allow physicians access to their patients’ information, but only with informed consent. Dizzy yet? While that is complicated, we haven’t even fully broached the regulations under HIPAA and the HITECH Act, let alone any other governmental constraints coming from jurisdictions outside of the US.
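A minimal sketch (hypothetical names throughout) of just the consent requirement in that scenario shows how quickly contextual checks stack on top of plain access control: a physician must both be on the member's care team and hold an informed-consent record before readings can be released.

```python
# member -> physicians who have given informed consent to share readings
consents = {"member42": {"physician_7"}}
# member -> physicians on that member's care team
care_teams = {"member42": {"physician_7", "physician_9"}}

def may_read_readings(physician, member):
    # Two independent gates: care-team membership (a security/role check)
    # and informed consent (a data-rights, contextual check).
    on_team = physician in care_teams.get(member, set())
    consented = physician in consents.get(member, set())
    return on_team and consented

print(may_read_readings("physician_7", "member42"))  # True: on team, consented
print(may_read_readings("physician_9", "member42"))  # False: on team, but no consent
```

And this is only one relationship in the Initech tangle; the subsidiary's operators, the insurer-as-investor, and employees-as-members would each need their own contextual gates.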
Where to start without getting disoriented?
It will take time to discover addressable patterns for the issues discussed above and for equilibrium to be achieved between technological advancement, policy creation, and industry adoption of rights to data access and usage. However, as mentioned, companies won’t be able to wait before beginning to act. How does one begin to balance these realities?
- Decide if investing in this concern makes sense for your business. It depends on your industry sector—heavily regulated industries such as defense, banking, or healthcare will benefit more from this type of investment—and on how much of your product, service, and/or operations have data rights concerns. The more sectors you operate in, and the more diverse the data you handle, the higher both the implementation cost and the risk exposure.
- Become knowledgeable about what data your business handles and stores, and about technologies that make updates to enforcement and access controls transparent to the data consumer—both key areas for governance. For those who go looking for frameworks or tools, you won’t be surprised that a number of open source projects and startups occupy these spaces.
- To understand the underlying data used by a company’s systems, it may be worth investigating products such as those offered by Maana, Alation, or Cloudera Navigator (though the last assumes a Hadoop distribution choice, which carries more implications than just knowledge of data), or the project roadmaps of Apache Atlas and Falcon.
- For transparent technical access policy enforcement implementations, monitor and pay heed to the evolution of startups like BlueTalon and the open source projects of Apache Sentry, Ranger, and Knox.
The extent to which these address the true complexity of data rights varies. Time will tell which of these products or projects will evolve to address more business, contractual, or broad regulatory implementations at a granular level, but paying attention to and evaluating their adoption, features, and product roadmaps will move your company’s technology architecture a step along the journey.
In this post, we’ve looked at one of the core challenges posed by the rise of IoT. We know that the inherent hurdles here aren’t going to slow down progress as new types of devices come online, as more regulations are written and rewritten, and as commercial arrangements become more intertwined.
Moving this conversation from thought exercise to action becomes even more critical as we allow data to take a decision-making role in our physical world. Because the risk and costs of ignorance or negligence will affect lives, we need to design these new solutions with data rights in mind, which means we should be discussing this complex problem and decomposing it from the start.
Hopefully, this post has given you some of the conceptual building blocks with which to explore what data rights means to you and why they’re important to any business, especially those that are looking to leverage information from connected devices. If you’d like to talk more, please get in touch.