Blog

Distinguished Lecture: Responsible Innovation in the Age of Robots & Smart Machines

Many of the things we do to each other in the 21st century – both good and bad – we do by means of smart technology. Drones, robots, cars, and computers are a case in point. Military drones can help protect vulnerable, displaced civilians; at the same time, drones that do so without clear accountability give rise to serious moral questions when unintended deaths and harms occur. More generally, the social benefits of our smart machines are manifold; the potential drawbacks and moral quandaries extremely challenging. In this talk, I take up the question of responsible innovation drawing on the European Union experience and reconsidering the relations between ethics and design. I shall introduce ‘Value Sensitive Design’, one of the most promising approaches, and provide illustrations from robotics, AI and drone technology to show how moral values can be used as requirements in technical design. By doing so we may overcome problems of moral overload and conflicting values by design.

Jeroen van den Hoven is full professor of Ethics and Technology at Delft University of Technology and editor in chief of Ethics and Information Technology. He was the first scientific director of 3TU.Ethics (2007-2013). He won the World Technology Award for Ethics in 2009 and the IFIP prize for ICT and Society also in 2009 for his work in Ethics and ICT.

Spotlight on Tech Policy Lab Scholar Adam Lerner


The Tech Policy Lab is looking forward to new projects with the arrival of the 2014-2015 academic year. This year we have Adam Lerner, a Ph.D. student in Computer Science & Engineering at the University of Washington, working on privacy technologies. Based in Lab Director Tadayoshi Kohno’s UW Security and Privacy Research Lab, Adam studies censorship, surveillance and privacy in the context of the global Internet and emerging technologies.

Adam spent the spring in Berkeley, California developing a new system, Rangzen, in collaboration with De Novo Group (http://denovogroup.org/). Rangzen is a collaboration with Yahel Ben-David (De Novo Group, Berkeley EECS), Barath Raghavan (De Novo Group, ICSI), Giulia Fanti (Berkeley EECS) and Eric Brewer (Berkeley EECS).

Rangzen is a smartphone app which lets people communicate when there are no cell networks and no Internet, such as in the case of heavy governmental censorship or a natural disaster. It’s a mesh networking platform, which means it allows phones to propagate messages through gossip, passing all the messages they’ve heard about to other nearby phones over Bluetooth or Wifi. It fights spam and propaganda by prioritizing messages based on social relationships: when a message arrives at a phone, Rangzen decides how much to trust that message based on how many friends the owners of the phones have in common. In anti-censorship mode, it’s a completely anonymous system which preserves users’ and authors’ anonymity, using cryptography to check how many friends users have in common without revealing who those friends are.
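The following sketch is an added illustration, not Rangzen's code: it shows one well-known way two phones can learn only how many friends they share, using commutative blinding (a Diffie-Hellman-style private set intersection cardinality exchange) in the honest-but-curious setting. The modulus, the `Peer` class, the function names, the sample friend lists and the trust formula are all assumptions made for the example.

```python
import hashlib
import math
import random
import secrets

# Toy modulus (assumption): the Mersenne prime 2**521 - 1 keeps the sketch short.
# A deployment would use a vetted prime-order group instead.
P = 2**521 - 1
_shuffle = random.SystemRandom().shuffle


def hash_to_group(friend_id):
    """Map a friend identifier to a nonzero square modulo P."""
    digest = hashlib.sha512(friend_id.encode("utf-8")).digest()
    return pow(int.from_bytes(digest, "big") + 2, 2, P)


def new_secret():
    """Pick an exponent coprime to P - 1 so that blinding is a bijection."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k


class Peer:
    """One phone: a private friend list plus a per-exchange secret exponent."""

    def __init__(self, friends):
        self.friends = set(friends)
        self.key = new_secret()

    def blind_own(self):
        """Blind our own friends once; this list is what goes over the air."""
        out = [pow(hash_to_group(f), self.key, P) for f in self.friends]
        _shuffle(out)
        return out

    def blind_remote(self, values):
        """Add our blinding to the other side's values, then shuffle so the
        other side cannot tell which of its entries matched."""
        out = [pow(v, self.key, P) for v in values]
        _shuffle(out)
        return out


def common_friend_count(alice, bob):
    """Alice learns |friends(A) & friends(B)| and nothing about who they are."""
    a_once = alice.blind_own()             # Alice -> Bob
    b_once = bob.blind_own()               # Bob -> Alice
    a_twice = bob.blind_remote(a_once)     # Bob -> Alice: H(f)^(a*b)
    b_twice = alice.blind_remote(b_once)   # computed locally: H(f)^(b*a)
    return len(set(a_twice) & set(b_twice))


def trust_score(common, own_friend_count):
    """Hypothetical trust weight: share of our friends the sender also knows."""
    if own_friend_count == 0:
        return 0.0
    return min(1.0, common / own_friend_count)


if __name__ == "__main__":
    # Constructed sample data.
    alice = Peer(["dawa", "pema", "tenzin", "lhamo"])
    bob = Peer(["pema", "tenzin", "karma"])
    n = common_friend_count(alice, bob)
    print(n, trust_score(n, len(alice.friends)))
```

A receiving phone would use a score of this kind to rank incoming messages, so that content relayed by complete strangers sinks to the bottom of the queue.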

We asked Adam how he became interested in working on anti-censorship programs:

“Anti-censorship systems are one of those areas where technical solutions can be really significant. They’re not the whole pie – civil liberties don’t magically emerge from an app – but they’re definitely a piece of it. The key is to get the threat model right. If you build a circumvention system that defeats censorship which isn’t practiced anywhere, you’re probably not helping anyone. What I liked about working with De Novo Group is that they want to build systems that are innovative research, and actually apply those systems in the real world.”

Privacy and Security Concerns for the Smart Watch Age


(photo credit Kārlis Dambrāns)

The Internet of Things (IoT) is quickly expanding to include the next big product in its interconnected family – the smart watch. While these high-tech watches are not necessarily new, recent releases from companies like Samsung, LG and Apple have given them a more mainstream public appeal and market share. In welcoming the watches to the Internet of Things, customers are also introduced to the various privacy and security questions that researchers and governments have scrutinized in IoT. This past month Tech Policy Lab members participated in the Workshop on Usable Privacy & Security for wearable and domestic ubIquitous DEvices (UPSIDE). The workshop brought academics from around the country to discuss various IoT privacy issues. The FTC addressed these issues on a larger stage last fall, hosting an IoT-focused workshop to identify and address privacy and security problems. As the smart watch maneuvers its way onto the wrists of customers, wearers should take note of these problems.

The health and fitness craze that inspired products like FitBit and Garmin’s Connect has strongly impacted the design of recent smart watches. Products like the Samsung Gear Fit and the Apple smart watch have incorporated pedometers and heart rate monitors to allow users to measure their daily activity. With the increasing prevalence of health monitoring in everyday technology, it was no surprise that the FTC devoted one of their four workshop panels to the topic last fall. The “Connected Health and Fitness” panel brought in business and academic experts to discuss the benefits as well as the data privacy and security risks involved. As the smart watch’s popularity increases, preventing these risks will become imperative. Data theft could lead to location data and activity patterns being extracted from the pedometer or heart rate readings. Risks could even come from the company itself. What would happen if a health insurance provider was being sold health data collected from a prospective candidate’s smart watch? Protecting this data from both unwanted collection and use will be a necessary measure to ensure privacy in the age of the internet-enabled watch.

One of the papers presented at UPSIDE was on the hunt for privacy flaws in IoT products like Google Glass and the smart watch. Titled “When Everyone’s A Cyborg: Musings on Privacy and Security in The Age of Wearable Computing,” the paper by Serge Egelman highlighted one of the major issues – “the continuous capture of audio and video.” While UPSIDE only provides the abstract for the paper, extrapolating where audio and video recording could breach a smart watch user’s privacy is easy. A user wants their watch to listen while giving it instructions, but unwarranted recording would present a security risk. The same is true for the camera. Unchecked recording devices could leak the extremely personal data of an unknowing user. Similar to the health and fitness privacy risk, this data could be misused by a thief or third-party company by way of reconnaissance, blackmail or harassment.

Privacy in the land of smart watches is not entirely hopeless, however, as it may fare better than other IoT devices in some instances. Specifically, updates and patches to address security issues could be much more common on a watch than a product like an electrical grid monitor. The issue is something the FTC addressed in its questions to the public for their conference. Two of the questions identified the FTC’s attention to the issue: “How can companies update device software for security purposes or patch security vulnerabilities in connected devices, particularly if they do not have an ongoing relationship with the consumer?” as well as “Do companies have adequate incentives to provide updates or patches over products’ lifecycles?”

In both cases the smart watch poses an optimistic answer. For the first question, the smart watch is likely to be exempt, as it will engage any user enough to form an ongoing relationship with them. By delivering notifications, sounding morning alarms, and even telling the user the time, it directly impacts and interacts with a user’s life on a daily or even hourly basis. Adequate incentives to provide updates are present as well. The smart watch is one of the newest hardware endeavors among competing companies like Apple, Samsung and Google. For one of these companies or even a smaller one to have their product succeed, they must convince the customer it is better than the rest and that it is something worth buying in the first place. A product that has unpatched security threats would do neither.

The smart watch fits into the privacy and security discussions of the IoT just as well as it fits onto a wrist. Prevalent issues such as health monitoring and audio or video capture could cause serious risks to consumers. Eliminating these risks and providing a safe product will be vital to the product’s success, bringing a great new addition to the Internet of Things family.

Building a Cybersecurity Roadmap: Developing America’s Edge


Recently the Lab sent member Aaron Alva to Washington DC (from one Washington to another!) to attend a cybersecurity event co-hosted by the Center for National Policy and the Christian Science Monitor. The event included a Q&A with the White House cybersecurity coordinator Michael Daniel, and a panel with experts including DEF CON founder Jeff Moss.

In the post below, Aaron highlights key takeaways from the event, specifically from the White House coordinator.

Mr. Daniel shared a few key areas that will be important to our nation’s cybersecurity progress in the future:

  1. Cybersecurity is a hard policy problem;
  2. the cybersecurity workforce needs to grow—in numbers, skills, and disciplines;
  3. the White House will attempt piecemeal legislation for cybersecurity since wholesale bills haven’t worked; and
  4. the National Institute of Standards and Technology (NIST) Cybersecurity Framework, while voluntary, is important and will be emphasized by the White House.

Mr. Daniel had some insightful comments on cybersecurity as a policy issue. He noted that cybersecurity is emerging as one of the defining policy challenges for the 21st century, yet it is not obvious why cybersecurity is such a difficult problem. Cybersecurity could be an easy problem. It could be ensuring that everyone patches vulnerabilities so that intruders cannot get into systems. But, taking a step back, cybersecurity is difficult because it cuts across social, private, and public lives. Mr. Daniel asserted that cybersecurity is not merely a technical problem—it is also an economic, political, and human behavior problem. It is a “wicked problem.” It is a problem that will take a wide variety of disciplines to help solve.

Second, Mr. Daniel emphasized the need for a cybersecurity workforce. His idea of a cybersecurity workforce encompasses two main themes—size and diversity of skills. Mr. Daniel noted that the workforce needs to be much bigger. He referenced government initiatives to increase workforce size. These initiatives include increasing the number of university Centers of Excellence in Information Assurance (UW is a Center of Excellence in Academics & Research). They also include growing the NSF CyberCorps scholarship program (of which I am a recipient). Mr. Daniel also described the need for more diverse skills for the cybersecurity workforce. He referenced the National Initiative for Cybersecurity Education (NICE initiative), which has developed a heatmap of cybersecurity roles necessary for a robust workforce. He noted that cybersecurity careers need to include individuals who understand how cybersecurity interacts with industries, businesses, and the law.

Third, the White House cyber czar briefly described his role as coordinator, and his new approach to cybersecurity legislation. He described his role as a soft power in the White House. His goal is to align policy within the government bureaucracy. Mr. Daniel asserted that cyber is too big to put one person in charge, and the more appropriate role for the White House cyber coordinator is to get various agencies to coordinate.

Mr. Daniel also emphasized the need for cybersecurity legislation, and that legislation was long overdue. He stated that the White House will try a new approach. The White House will work to pass pieces of cybersecurity legislation however possible. The new piecemeal approach is in contrast to the typical approach of attempting to pass cybersecurity legislation all within a single bill.

Fourth, Mr. Daniel discussed the NIST Cybersecurity Framework. The Framework was developed by NIST by direction of an Executive Order from the White House. The Framework emphasizes that organizations should use risk management practices for cybersecurity through five categories. Organizations should Identify assets to secure; Protect those assets in a manner consistent with risks; Detect attacks; Respond efficiently after an incident to mitigate harm; and Recover from an incident.

Mr. Daniel believes that the Framework should be voluntary, but stressed that the US has a long history of effective voluntary standards. He noted that ultimately market forces will push the Framework forward. In a number of questions, Mr. Daniel referred back to the Framework’s main categories to emphasize the need for organizations to use risk management practices to deal with cybersecurity issues.

Finally, as part of the Q&A, I had the opportunity to ask Mr. Daniel a question. I asked what can be done to change the conversation from fear of being breached to one more realistically tailored to the fact that breaches will occur. I referenced recent headline breaches of Target, JPMorgan Chase, Home Depot, and others. I noted that these headlines primarily focused on the incident itself, rather than what the companies did in response to being attacked. His answer was telling, and I think he was correct. Mr. Daniel used the NIST Cybersecurity Framework to illustrate that there’s a missing part to the conversation. “But what [the NIST Cybersecurity Framework] is really saying is you got to actually figure out what information you have that you care about, and why do you care about it? What do you actually want to protect it from? Is it exposure at all? Or is it that you want to protect it from manipulation, that’s your greatest concern. And so that starts to define how you think about it and how you protect it, which is that second step.” See the full exchange here.
In conclusion, the White House cybersecurity coordinator provided helpful insights into the executive branch’s approach to cybersecurity. Mr. Daniel’s emphasis on the policy challenges, workforce needs, legislation, and risk management practices shows a White House that desires to engage on a number of cybersecurity issues. Mr. Daniel remained optimistic that progress can be made on these issues, and that itself was welcome news to the DC audience.

Guest Post: Comparative Analysis of Data Protection in Korea and the European Union


This is a guest post by Yoon Sukbe, a member of the South Korea Ministry of Science, ICT and Future Planning and visiting scholar at the University of Washington School of Law.

The paradigm of data protection is changing with the advancement of network technology. The decentralization and effectiveness of Internet technologies enhance convenience of access and benefit users. However, the development of these technologies also increases the risk of data security breaches. In particular, cloud computing makes it possible to transfer computing resources (e.g., networks, servers, storage, software, applications and services) to another place. The borderless nature of cloud computing causes controversy over jurisdiction between nations that have different regulations, and adds to the complexity of data protection. Generally, data protection systems can be classified into two categories. One is the horizontal and comprehensive approach of the EU, and the other is the vertical and sectoral approach of the U.S. In the cloud computing context, it is very important to review the EU’s opinion on limiting the location of data centers in order to apply EU law to other countries’ cloud computing services. It is also helpful for Korea to review the problems of its current data protection legal system and to suggest an alternative system for strengthening the protection of personal data.

1. Is the EU’s approach on data protection consistent with its position in world trade discussions?

High-ranking officials of the European Commission have spoken of the need for regulation governing the location of cloud computing data centers, for the sake of data protection and industry development. Viviane Reding, the EU’s Commissioner for Justice, said that European governments could promote the development of European clouds by making sure that data processed by European companies are only stored in clouds to which EU data protection laws and European jurisdiction apply. Neelie Kroes, European Commissioner for the Digital Agenda, set out a series of principles for the regulation of EU data located in clouds on the EC’s website. Are these statements compatible with the EU’s commitments in the WTO?

In 1994 the EU (formerly the EC) committed to the liberalization of computer and related services, except for the movement of natural persons (mode 4), during the Uruguay Round of negotiations. This means that there is no limitation on market access, and that national treatment applies, for cross-border supply of services (mode 1) and supply through commercial presence (mode 3) in this sector, including data processing services and database services. Mode 1 means that a user receives services from other countries through its telecommunication or postal infrastructure. Thus a country that has liberalized mode 1 of the Computer and related services sector is not able to establish regulation incompatible with that commitment.

Computer and related services under the General Agreement on Trade in Services (GATS) are composed of Consultancy Services related to the Installation of Computer Hardware (CPC 841), Software Implementation Services (CPC 842), Data Processing Services (CPC 843), Data Base Services (CPC 844), Maintenance and Repair (CPC 845) and other Computer Services (CPC 849). If cloud computing service is defined as the delivery of computational resources from a location other than the one from which the user is computing, it corresponds to Data Processing Services and Data Base Services.

However, there could be an argument that the cloud computing service is included in the scope of the commitment of the EU, because this kind of service was not feasible in the 1990s when the Uruguay Round was negotiated. From this perspective, it is helpful to consider the statement by Oracle’s CEO Larry Ellison that the redefinition of cloud computing just incorporates everything that we already do.

In the current world trade regime, it has been suggested that the principle of “technology neutrality” applies under the GATS. Application of this principle would mean ensuring a level playing field for all services irrespective of the technological platform used to deliver them. In particular, in 2002 the EU officially requested that all WTO Member countries make commitments in Computer and related services at the highest possible level (i.e. the two-digit level – Provisional CPC Division 84). The aim was to minimize the risk of confusion in determining whether a particular Computer and Related Service has been committed when the service actually offered involves services covered in a number of different subsectors, and so to better reflect technological developments and commercial realities in this sector.

Local presence obligations are a clear limitation on cross-border supply of services (mode 1). Thus, if WTO Member countries which have already committed Computer and related services establish regulation on the location of cloud data centers, it would be a breach of GATS rules. In this context, the EU needs to review whether its scheme would be compatible with its commitment or not.

2. Suggestions for reforming the Korean data protection legal system

When it comes to the data protection legal system, Korea takes a comprehensive approach. All kinds of transactions are covered by relevant laws. But there are important differences compared with the European system.

Korean data protection regulation is similar to that of the EU in taking a comprehensive approach. But Korea has multiple laws on data protection. Besides the “Data Protection Law” as a basic law, there are the “Telecommunication Network Act” for the telecommunication sector, the “Use and Protection of Credit Information Act” and the “Electronic Financial Transaction Act” for the financial service sector, and so on. Enforcement of many laws could cause confusion and weaken the law-abiding attitude. For example, if there were an incident in which financial data leaked online, more than four kinds of laws mentioned above would apply to the incident. For a country taking a comprehensive approach, it would be logical to maintain a single law for data protection in private transactions.

With regard to data protection, there are two relationships. One is between the government and the people, and the other is between a company and its customers. A higher level of data protection is required in the former than in the latter, because the government is able to collect data extensively. Sometimes personal data is collected against the information holder’s will or without his or her knowledge. A company, by contrast, is permitted to collect personal information on the basis of customers’ consent, and customers provide their information in return for a benefit. Thus it is generally accepted that stricter regulation should apply to relations between the government and the people. But the Korean Data Protection Law makes little distinction between the two. It is desirable to separate the data protection legal system into government and private parts.

Korean data protection regulations are not strong enough compared with those of the U.S., the EU or Canada. Even though the right to access one’s own information is widely accepted in many countries, in Korea, for instance, a data controller bears no liability for refusing a customer access where the customer suffers no loss. Companies in Korea in practice have no responsibility to permit access by the person who provided the personal data, because the burden of proof for damage is on customers. It is true that the Korean government tends to side with companies rather than individuals. However, as globalization rapidly progresses, especially online, Korean companies must abide by foreign data protection laws. Considering the current trend, strengthening the level of data protection would not place new pressure on companies. Rather, it could help them to be competitive in the global market.
