Human rights and IoT – looking for a win-win solution – WS 05 2017

From EuroDIG Wiki
Jump to navigation Jump to search

7 June 2017 | 11:00 - 12:30 | Ballroom II, Swissotel, Tallinn, Estonia | video record
Programme overview 2017

Session teaser

The Internet of Things - pervasive, connected devices - reaches into our daily lives with unprecedented intimacy. It offers new ways to tackle societal challenges and new economic opportunities - yet what is the Human Rights' perspective?


Human Rights, Internet of Things, privacy, accountability, responsibility

Session description

The Internet of Things (IoT) continues to develop rapidly. Cisco estimates that by 2020, there will be 50 billion Internet-connected devices. IoT devices ranging from health monitoring devices to smart thermostats and smart toothbrushes have become increasingly embedded in our everyday lives. What effect does the spread of IoT have on our own privacy and autonomy, and that of the people around us? How can data protection principles such as consent and limited purpose apply in a world of pervasive connected devices?

IoT It also offers new opportunities for innovation that help us address societal challenges such as early warning systems for natural disasters and IoT-enabled ecosystems that support people to continue living independently much longer than would be possible without those tools. In this way, IoT not only poses a risk to the right to privacy, but also an opportunity to work towards the fulfillment of other human rights, such as the right to health. How does IoT enable human rights and further sustainable development? And how is it changing our assumptions about self, self-determination and self-fulfilment? Our panel of experts will give technical, ethical and practical perspectives on this theme, which affects the lives of all of us.

The Internet of Things (IoT) is a combination of protocols and applications, embodied in hard- and software that is opening the doors to exciting new opportunities and innovation, but is also resulting in pressing questions which needs to be answered including:

  1. IoT is extending the Internet to many “Things” that collect and share information and/or act, based on information collected and/or triggered by people. Who is accountable for what?
    a) Who pays for the development and deployment of IoT ecosystems when the commercial application is not feasible but the societal need is high;
    b) If harm results from IoT ecosystems, who “pays” for it?
  2. What is the role of standard setting bodies, the technical community, civil society, governments and and the private sector, in order to help realize a sustainable and trusted IoT ecosystem that supports both commercial applications as non-commercial applications that help address societal challenges?
  3. How can the world achieve a trusted IoT ecosystem when it comes to security and privacy online?

The workshop will discuss the IoT ecosystem from different perspectives quoting examples from Europe and beyond. It will be informed by the work done in IGF context by the Dynamic Coalition on the Internet of Things that has been active since the IGF 2008 in Hyderabad and has presented a document on Global Good Practice for IoT from a multi-stakeholder perspective. The results of this panel will feed into the global IGF 2017 session of the DC IoT.


3-4 very short presentations and a moderated discussion opening the floor to all EuroDIG participants around the questions posted above, leading to messages concerning different issues arising related to IoT and human rights for the discussants to debate and agree or disagree.We look for an open discussion engaging and involving all stakeholders.

Further reading

Main page of IGF Dynamic Coalition on IoT


Focal Point:

Subject Matter Expert (SME):

  • Farzaneh Badeii (Internet Governance Project - Georgia Tech)

Key Participants Short introductions will be provided for confirmed speakers only:

  • Pearse O'Donahue (government) was recently appointed Acting Director for the Future Networks Directorate of DG CONNECT at the European Commission, dealing with policy development and research supporting the Digital Single Market from the angles of 5G networks, IoT, cloud and data flows and conceptualising new and innovative approaches towards service platforms and next generation Internet. As Head of the Cloud and Software Unit in DG CONNECT, he is also responsible for the strategic development and implementation of policy on cloud computing and software. Until October 2014, Pearse was Deputy Head of Cabinet of Vice-President Neelie Kroes, previous European Commissioner for the Digital Agenda. He was responsible for advising the Vice-President on the development and implementation of policy on electronic communications, networks and services, as well as broadband, spectrum and other related policies such as Internet governance. Secretariat Pearse O'Donahue
  • Jari Arkko (technical community) is a Senior Expert with Ericsson Research. He has also served as the Chair of the Internet Engineering Task Force (IETF), the Internet technology standards development organisation, from 2013 to 2017. He has published 45 technical specifications (RFCs) at the IETF. He is a frequent speaker in numerous Internet technology and policy conferences, and has worked both on technology and Internet governance topics. Jari received his Licentiate’s degree from Helsinki University of Technology in 1996. As a developer, he has worked on routers, testing tools, AAA systems, AI, and cellular networks. His interests include Internet architecture, the Internet of Things, privacy, and cutting through technology hype. He likes to personally build and and use the technology that he works with. Today he works on Internet evolution and
  • Peter Kimpian (government) is currently working at the Data Protection Unit of the Council of Europe as national expert being seconded by the Hungarian Data Protection and Freedom of Information Authority. Working as an international privacy and data protection expert for the last 6 years Peter has been a member of subgroups of Article 29 Working Party, of JSB Europol, CSG Schengen and other alike organisations. Being in charge at the national data protection authority mainly with international privacy and data protection issues related to cooperation in law enforcement sector and national security he has been involved as data protection expert in issues among others like EU PNR Agreements with third states, EU PNR Directive, TFTP Agreement, regulation on drones and Privacy Shield agreement. At the Council of Europe he is carrying on dossiers related to internet governance, domain names’ related privacy issues, data protection in law enforcement sector and the modernisation of convention 108.
  • Alison Harcourt (research) specialises in regulatory change in communications markets. She is interested in solutions to regulatory problems based around the citizen/consumer and/or civil society voice. She has written on the regulation of traditional and new media markets at EU and international levels contributing to the literature on agenda setting, regulatory competition, soft governance, Europeanisation, policy transfer and policy convergence. Currently, Alison is PI on the ESRC funded project 'International Professional Fora: a study in civil society participation in internet governance' (September 2015 - September 2018)
    Setting standards is crucial in moving forward with IoT, and in the end a means to keep te overall “costs” (in the broadest sense of the word) as low as possible. Alison will cover standard developing organisation activity in the field of IoT drawing on research from an ESRC project. It outlines the number of SDO fora working on IoT which number over 150 then focuses on the work of the IEEE, W3C and IETF, namely the IEEE’s P2413 group, the IETF’s LPWAN and Thing-to-Thing T2T WF and the W3C’s Web of Things WG, with examples from home utilities monitoring, smart farming and connected cars.

Moderator Maarten Botterman will be moderating this session. Maarten Botterman is Director of ICANN, Chairman of the IGF Dynamic Coalition on the Internet of Things, and Chairman of the Supervisory Board of NLnet Foundation. As independent authority on future Internet and Internet Governance matters he combines insight in new technology potential with user interests to develop strategic opportunities for policy and businesses. He builds on experience as former Director at RAND Corporation (European Office), Scientific Officer European Commission, and Senior Advisor/Head of Unit at the Dutch Ministry of Transport. Maarten Botterman

Remote Moderator Rachel Pollack will be the remote moderator of this session. Rachel Pollack Ichou is an associate programme specialist at UNESCO, where she manages the flagship series World Trends in Freedom of Expression and Media Development. She has actively participated in national, regional and international forums related to internet governance, including the IGF, EuroDIG, ICANN and WSIS follow-up. She holds a Masters in Social Science of the Internet from the University of Oxford and is also a graduate of Harvard University and the École des Hautes Études en Sciences Sociales. Rachel Pollack

Organising Team (Org Team)

Reporter Elisabeth Schauermann, YouthDIG

Video record


  • As IoT becomes more important and implemented in everyday life, there has to be a clear effort to keep it human-centric. Policy development, technical standardisation and technological innovation have to follow that approach.
  • Data generated by IoT can be used to further develop health care and other crucial fields in society, but the use of any personal data has to happen responsibly and in accordance with thorough privacy considerations.
  • User’s rights, especially concerning privacy and personal data, have to be effectively safeguarded. Privacy by design and security by design is key. The high level of legal protection that we have in Europe should become a global standard.
  • In order to balance human rights protection, economic interests and the growing possibilities of technology, security issues of cloud services, IoT devices, and interoperability need to be addressed continuously.


Provided by:, Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: 1-877-825-5234, +001-719-481-9835,

This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.

>> MAARTEN BOTTERMAN: Good morning everybody. Welcome to this session about human rights and IoT.

So it's really about the fact that IoT is happening as we speak. And it's also about the fact that in this society, there are new technologies to help us to survive. So how can we benefit from IoT at the same time be aware of what it brings in changes to our lives and how we deal with that.

So we have a great panel of people here to take you through to this programme. The panelists, it's just to introduce the topic, it's not for discussion because for that we need all of you. So you're co-responsible for the success of this session!

I'm very happy to have with us Elis Schauermann, who will be reporting on behalf of what is happening here. So on behalf of all of us, Elisabeth, thank you very much. She is also organizer of YOUthDIG. So I thought that was -- when we came in, that happened over a weekend, a lot of energetic sounds of people who participated there. So thanks for that initiative.

Rachel Pollack working for UNESCO is willing to help us out in moderation of the online participation. So please, when questions come up at the appropriate time, please raise your hand and I'll see it. And you have your own microphone.

And then with us we have a couple of people who will do the introductions. I'm happy to have here with us Mr. Pearse O'Donohue. Those of you who were on time this morning heard him speak. He is responsible to the European Commission for not only the future Internet but also Internet governance. And recently it was put together by the Commission in one directorate in support of the policy activities.

Before that he worked with Neelie Kroes on the digital agenda, so the predecessor of the digital single market, I would say as well. And he has been very much involved in the base of the cloud computing as head of the unit in that involvement.

So, Pearse, can I invite you to share from the European Commission perspective how the Internet of Things plays a role in society.

>> PEARSE O'DONOHUE: Thank you very much. Yes, so as some of you were still asleep and some of you were hung over, I was given a second opportunity to talk to you. But for those of you who were paying attention, I'll try not to bore you.

But I'll start with what I finished at the morning session, which is that we are looking at the next-generation Internet perspective to put the human at the centre of the Internet. We will have and have had a discussion about what does that mean.

But in terms of the Internet of Things, of course, that's where it becomes most important. We are not talking about the Internet where you interface with the screen, sort of with one interaction. It's where the Internet of Things brings the Internet around you. It makes you part of the Internet. And it means that your data and data about you is being generated in all sorts of ways and is being captured by different players, different systems, different platforms, some of which you are not aware of.

So in that context you have to think about the individual also, about the rights. Now in Europe of course we have a very strong point of departures. Not only do we have the treaty, but we have the fundamental rights. That has become real. People were not very sure. How does that actually affect individuals? It was actually when the court ruled with regards to the US Safe Harbor arrangement on personal data. It didn't actually use a legal base in the treaty itself. It actually referred to the Charter on Fundamental Rights, that the lack of guarantees of our personal data was in breech of individuals' fundamental rights in the European Union. So that is a real living document and which can actually instruct us about rights. And when we do then seek to, in a more tangible way, perhaps, seek to implement policy, we have to have that as a clear point of reference.

So already we are talking with the industry community that we worked with in the Alliance for the IoT, which has a website which hopefully is transparent in its work. We are looking at security by design. It's obviously of interest to the industry because they will not be able to sell their products and services if people don't have confidence in them. But, of course, if it were to become pervasive without the intervention of the individual or without discussions about the individual's interest, it could be a serious problem. So we need to have privacy by design. We need to have security by design. But we need to have a discussion upstream of that in terms of the standards as to how that is actually given effect to.

We are doing work -- we've recently issued a policy and initiative called building a European Data Economy. And the Internet of Things actually influences our thinking a lot about that. First of all, about all of the data that is generated, but also in relation, for example, to liability or responsibility, which interestingly is the French word for liability. When it comes to breeches or when it comes to damage or wrong being done to an individual or even a user company by the Internet of Things or even by the ecosystem, a series of autonomous devices and systems that have somehow come to the wrong conclusion, created the wrong action, and somebody or something has suffered as a result, we need to look at that. But, of course, that is giving one safety net, talking about liability. What we need to do, however, upstream is to ensure that wherever and whenever possible there isn't a problem in the first place. Now, I mentioned data protection and privacy, but it is also in relation to the security of individuals and to their personal integrity.

So this is why, as part of our next-generation Internet, Internet of Things features prominently. But also the challenges of Internet of Things, as I said, because of its multiplicity and the way it's around us.

Also, we have to flip the discussion, because we do tend to be defensive. We do tend to think, probably rightly, though, about the potential risks and problems, and therefore to seek to remedy them. But we must also think about all of the benefits that the Internet of Things can bring. And the question is asked to us as well: How do you ensure that everybody benefits from an Internet of Things society? How do you, in societies or elements of society who don't have the resources to deploy or to use or to have the individual devices, which some of us may take for granted?

And that again is something which we have to ensure that while talking about digital divides with regard to digital literacy or access to the Internet, there is a whole new digital divide that we must be aware of if the Internet develops into this all encompassing system, from which some people are excluded. And that's why working on emerging technologies, working on policies, we have to in the next three to five years, as well as developing broadband, which is a pretty straightforward or linear proposition, we have to now also look at the deployment of Internet of Things especially in the healthcare Sector, in regards to old and elderly people, perhaps whom we are ourselves encouraging to live longer and autonomously, we must ensure that the technology, including the Internet of Things technology, is there for them.

And the last point I would make, and which is of course challenging to us, when we have a mandate to look at policies with regard to socioeconomic development in Europe, we must always be aware of the fact that this has an impact on what is the global Internet. But it therefore has an impact on others. Or has the potential to do so.

We have strong protections of the individual, of the human, in Europe. But individuals elsewhere are no less valued and valuable. So we must, in working with International organisations, with the EuroDIG stakeholders working with your partners Internationally, with administrations from Member States of the European Commission working with other administrations, in the trade area, but particularly in the standards area, we must ensure that what we consider to be adequate for the protection of individuals and society in Europe actually becomes the norm world wide. Because if that is what is required to protect European citizens, we should expect the same level of respect and treatment for all others.

So work on International standardization, whether it's on security but also particularly on safety as well as security, they are things which we have a mandate, we have an obligation to do. We can't be too intro speculative about it. So having a discussion today, which I think we're going to have now, will be very interesting. Because we, at the Commission, we don't always get this right. We need you to pull us along the track that I just mentioned to make sure that our work is actually for the good, but it's also for the good of Internet users across the globe and not necessarily just in Europe.

I'll stop there. I look forward to the discussion.

>> MAARTEN BOTTERMAN: Thank you very much, Pearse. And please do stay on the stage.

Thank you for the introduction. The research has been a major

bringing together of researchers around Europe that helps us to stimulate it across borders. And in that way the European Commission has played a role already facilitating that.

On the global level such standardisation also happened. And from the world, Yari Arkko has been very deeply involved in Internet standards setting for many years. He works for Ericsson. And he is one of the few people I know that prior to this session he blocked his thoughts. So a clear reflection of his thinking and also very eloquent in how you express that. I'm really looking forward to hearing your thoughts on how standards can help in making all this IoT possible in a useful way to society and how we can progress with that. Please. Would you like a hand microphone or... okay.

>> JARI ARKKO: I'll go with this. So hello, everybody. So I've spent a lot of time both in my day job at Ericsson and with various standardisation organisations, such as IETF, working on the IoT technology. I wanted to point out that the topic of today, human rights and IoT, so the IoT, that we also have a research group and lots of debates around the human rights aspect, and whether that relates to Protocol development or not. And that's an interesting discussion. Did you read the document? There was a document on the human rights Protocol considerations research groups page.

And I don't usually approach things from the angle of the human rights, but trying to understand how things develop into the world affect me or people close to me, such as my kids. And I also try to approach things from the technology aspect, how that affects the discussion. I think that sometimes when we are having these IoT discussions, we don't fully grasp when the technology is.

And when done right, of course, there are great things for the society and individual humans. But it takes effort to get there and get things right and avoid the dangers that are kind of obvious. And it takes education to understand some of the things, for all of us. It's a learning process.

I do want to highlight four issues today in this opening part. The first thing, that it's not about the gadgets. The gadgets in IoT, they are the visible tangible things, it's easy to focus on that. But that's usually not the most important piece. It's not the full picture. We would be far better off to consider Cloud servers as an even more important component in the system. And that's where most of the intelligent functionality will be. And that's what you also want to have use and control, if use and control is the goal. So I would say that IoT is mostly in the Cloud, with some exceptions, and will come to that.

And also the IoT is not a separate thing from the rest of the Internet. These are very general Internet questions, you know, who owns your data and how much control do you have and privacy and all of that. It just gets bigger given that there is more data and more devices.

Similarly, let's not focus on the devices, but focus on data. That is what matters. How that gets used by who and under what rules.

And architecture, also, matters. Like I said, Cloud is a big part of some of this system or many of the systems, but that is not true of all cases. There are many examples, like light control systems in a house. You probably don't want that to go through a Cloud system or Internet connection. In case the Internet is down, you can't turn off your lights or turn them on. So the decentralized model is important. We have a research group at the IETF, the "think the thing" research group looking at that.

The second point that I wanted to make is collateral damage. We talk about security and privacy a lot. But it's not just from the point of view of this particular application in a very narrow point of view. It's also about protecting others in the Internet. Because the Internet is kind of a common space, and you can reach other people there. And many of the attacks that happen are not to this particular application that is having some vulnerability, but to others. Like the attacks that happened last year that brought down some common or popular Internet services were launched from IoT device or with the help of those compromised devices, but they were against some other parts of the Internet. So that is really important.

So I have this friendly neighbor principle. You cannot connect systems without considering what the effect of those systems might be on others in the Internet in the same common space.

The third point that I wanted to make is interoperability. That is a key issue for creating a large market to begin with, that we all can benefit from the economic and other benefits. But it's also very important for bringing things into user control and ability to change providers, and competition. Competition aspects are key, so we are not locked into one provider of light systems and then we are forever stuck with that.

And I think we are on a good path there. Most Internet -- as the name says, IoT is about Internet. But most of the smart gadgets are connected to the Internet or run over the Internet Protocols and there is a lot of interoperability on many protocol layers. Unfortunately, that doesn't usually extend to the applications. There are lots of cases where the applications don't talk to each other. The classic example of buying a house with Microsoft light switches and trying to plug in Apple light bulbs, that might be difficult. So we really need to ensure that that doesn't happen. We have standards that make those connections possible.

And the standards, by the way, they are also very important for some of those security issues. Because, again, it's not just about you getting your little application running and your business off the ground, it's also about making sure that whatever you're designing is safe for others. And that's usually a discussion we can have in standards forums and other forums, obviously, as well. But that's what the standardization forums try to do when you have basic components that are safe to be operated.

I want to finish with the fourth thing. Right of the user, which is obviously important. The ability of the user to be in the driver's seat. If that is the case, then you're probably on a good path. If it's not the case, that the user is being forced or not asked about, and so forth, then that is not a good situation to be in.

And I'm just thinking, like one tiny slice of that user control aspect as an example here. And, again, being a techie, I want to emphasize the right to tinker. And this is not just an issue for people like myself, who try to make some IoT gear. It's also important for things like software updates. You know, you have devices that can have decades of lifetime, and sometimes the manufacturers are not there around anymore to do software updates. And it's also important for innovation, to think about things like open WRT and so forth.

So I'll stop here and let others continue. Thank you.

>> MAARTEN BOTTERMAN: Thank you. We are very much looking forward to raising some of the issues that will deal with what you already mentioned, I think.

Before we go into discussion, I would love to welcome Professor Alison Harcourt here. I met her a month ago, as she is leading a project on also looking at standards and what role they play and the different actors play in this world, where legislation is moving much less fast than technology. And where the traditional standard setting probably doesn't do it anymore, either.

So very welcome here and I'd like to hear your thoughts on this.

>> ALISON HARCOURT: Thanks, Maarten, for inviting me. I'm at the University of Exeter. My name is Alison Harcourt. There are five of us here who are working on this project. We are looking at standard developing organisations and we wanted to look at SDOs with nonstate involvement. So no formal state involvement. So very different from (?) Or the ITU. And we decided to focus on the IETF, where Yari is working, and also the W3C and IEEE, mainly because they work on interoperability. But we have looked at a number of other organisations as well. If you go to our website you can see which standard organisations we have identified. And we have done a survey last year and now we're working on interviews and running workshops.

I don't want to repeat too much of what Yari said, but we are working on these three main organisations because they are voluntary and their key aim is interoperability which doesn't rely on prior knowledge. And we're also interested in standards which are standards -- which require sort of standard essential parts. Because IPR is a salient issue within these fora. These fore are also interested in reducing costs. So of course the main focus of the IEEE is on the lower protocol layers, the physical layer, Mac layer. The IEFT activity is positioned above that layer, looking at the networking and the transport layer. And the W3C, of course, is working on HTL and APIs.

How does this relate to IoT? I just wanted to draw your attention to the working groups within these fora, and Yari has done that. He mentioned the thing to thing working group, which is a working group looking at device to device. This working group also works as a contact point for other standard developing organisations as well.

But there is also the LPWAN working group. These low power wireless area networks. It's a new technology. It's only a few years old. It's to be used with 5G and can operate in licensed and unlicensed frequency bands. And it can link up a large number of devices across the network. And that's what the advantage is. And it can connect in ways that don't use a lot of power, and the IETF is working on this. And it's working on enabling IPv6 connectivity within the LPWAN technologies. So that is something to pay attention to.

And then of course there is the thing to thing network working group, and that began in April, I think, in 2006 last year. And there has been a lot of interest in this as well.

The IEEE is important for IoT as well, because it established of course the 802 standard, the 15.4 standard is the recent standard for short range low power transmission. And it allows for larger packet transmissions over IPv6. And they have a working group and it's called the P2413 group. And this works specifically on the Internet of Things. It was established two years ago. And its main aim is that there will be no new architecture or standards, and it seeks commonalities across application domains.

There is also the W3C's Web of things group, and that was established this year in 2017. It's main aims are potentials for using scripting languages, like Javascript, JASON, EXI, and formats for data and metadata in use with IoT.

So if you are familiar with IoT devices in the home, we talk about washing machines, we talk about how we're going to use our mobile phones to switch on, you know, a fridge or to defrost things or to switch on our televisions and washing machines at certain points in time. But I looked at a McKenzie Global Institute Report from last year and it says that most the development is in industry for factories, smart cities, of course, and retail and agriculture. Smart farming is very important. It includes information on things like consistency of soil, animal health, fertilizer applications, weather is very important. We had an example yesterday in a session here about flooding and how the Internet of Things devices can transmit information about flooding to cars, when you're in transit.

Animals are monitored on their activity in farming. Pulse, body temperature. These are all sorts of things that we don't think about when we think about the Internet of Things. So farmers can detect illnesses. And this has all sorts of implications not so much for human rights, but for research and development of -- for agricultural procedures and the way in which we live in the world today.

So there are questions abounding about privacy and security, which Yari mentioned. And I wanted to ask Yari and others in the room about whether Cloud storage is efficient. And you mentioned the thing to thing working group and how they are working on this. And I wanted to ask you whether it's important for somebody in Sweden maybe to know that I'm sitting in my living room and telling my washing machine to switch on in another room. To turn on. Whether it's important for that information to go up to the Cloud and back down, is that not inefficient, maybe, kind of use of space and networks and so on. Can devices be more autonomous? Can they be locally managed? Can there be home hubs, data boxes, microcontainers, and so on, and that's the question that I would like to ask the group.

>> MAARTEN BOTTERMAN: Thank you for that excellent question as well, and your introduction.

Standards is clearly a key element, as you explained so well, on many levels. And as you said, it's not only about the transport layers, but all the way up. And you mentioned data, if you talk about IoT we do talk about data as well. IoT is not a purpose in itself, it serves for something.

Data, on everything that is sensed, everything that is observed, and that also relates to our lives. This is why, rightly so, I think a lot of attention is also how this affect our personal sphere and others about the area.

So the last introducer, and then the floor is really yours, so start thinking about, and the first question we have already that will be about Cloud.

But right now I would like to ask Peter Kimpian to introduce his thoughts about data protection and privacy. He has been working for the Article 29 Working Party of Europol, and he has been involved in the creation of Schengen. So he has been around and he has been touching upon many of these aspects that touches all for one time.

So, Peter, please.

>> PETER KIMPIAN: Thank you very much.

I will definitely approach this question from a human rights low angle. And I'd start by widening the perspective. Because I think it's not too exaggerated to start with saying that Article 12 of the Universal Declaration of Human Rights says everybody has to have the right to privacy. So does the Article 8 of the European Declaration on Human Rights. So privacy and data protection is a universal human right. And it has to be respected everywhere and in every circumstance. Of course it's not an uncontrollable or an unrestrictable human right, but this is the principle. For that, we have International legal instruments and we have already 100 on the National Privacy on Data Protection legislation all over the world.

In my short presentation I would like to speak to you about some issues when it comes to privacy and data protection consideration regarding the use of this new technology. And to -- maybe to point out some possible way for a solution how to best integrate those considerations into the use of this technology.

So, to start with, it shouldn't be -- nobody should be afraid of this privacy and data protection consideration. It doesn't hinder any business. Now it's actually becoming a selling point for businesses.

But it's based on very simple principles which have to be adopted, of course, to working and processing the environment. And it's true that it has to be integrated to the business's policies. Because it's -- it requires a constant attention and a constant exercise, how to protect persons', customers' data subjects privacy.

But I think the message of privacy legislation in Europe, I think it would be to think responsibly, and to think over your processing activities, and integrate some guarantees and safeguards in order not to harm the strides.

Coming back on, into the grournd, and speaking about IoT, which is a super cool technology, and really we are convinced that it's bringing a lot of benefit for the society and the individuals as well. But at the current stage there are some issues, as you may have heard already about it.

So I would like to point out two of these issues when it comes to privacy and data protection. One is information to data subject, which is very important. And the very well-known and classical data protection principles that the data subject has to be aware about the -- what's happening about the data. And through the whole lifecycle of the data.

The second thing is level of data security. It's an environment now, technology, where efficiency is preferred to security now very often. So it has to be better balanced in a way that it really serves the security that the consumers and the data subjects will expect from this technology.

And in the second part of my short introduction, I would like to point out and to introduce to you and you being informed about, it's the guidelines, what the Council of Europe Committee on Data Protection just published recently. The Data Protection Committee of the Council of Europe comprises 50 members and 70 plus observers. So it's -- I would like -- I would say it's quite (inaudible) and well argued guidelines when it comes to big data. But, however, it can also be applicable by analogy to IoT.

These guidelines put in advance the rights to control and the protection of personal autonomy and the need for awareness and the freedom of choice. There are some recommendations on the ethical and socially -- ethical use and the social use of data, which is I think when it comes to IoT it's very important, equally.

It also speaks about preventive policies and risk assessment, the purpose limitation and transparency, and the privacy by design approach. There is also some guidance on consent and how it should be interpreted in such an environment, as well as to -- there are some provisions on itemization, open data and education.

So I'm really glad to be here and to be on the panel. Thank you for this. And I'm open for any questions you might have.

>> MAARTEN BOTTERMAN: Thank you very much, Peter.

I think we have a good view of the issues that touch upon us. So, really, the floor is yours to come forward. There is a microphone there, and move in the direction. If you really prefer to sit, just raise your hand and we have somebody who will bring a  microphone to you. That is even more convenient.

With this, thank you, Alison for asking the first question, which is a relevant one. So if you have all of this IoT in our environment, and it's all stored in the Cloud, or much of it is stored in the Cloud, how does that work?

What happens if your WiFi connection drops?

First Yari and then Pearse I would love to hear your opinion, too.

>> JARI ARKKO: I wanted to say that the Cloud solutions are definitely not sufficient. They are Widely used, but it's not the only thing.

And also I think you mentioned efficiency in terms of the communications. That's a consideration, but maybe not the primary one. Like independence from like breaking Internet connections is a better reason or your ability to control your own destiny or your own data is a much better reason. But, of course, what mostly drives this Cloud development is that it's so easy, like even, you know, for techies that usually have servers in their basement, like I do. And I actually use Cloud services nowadays mostly because it's so convenient and everything works easier from that perspective. It's a much easier development environment.

But there are distributed architectures and I also wanted to mention that there are Cloud providers that can provide you with some more sort of local solutions, and your ability to sort of control where your data is in terms of the locality and exact level of control that you have on the platform. So I think this is a bit of a requirement issue. That if you demand that you want a better solution than you can get for your largest and greatest Cloud provider from some other part of the planet, that you can get it.

>> MAARTEN BOTTERMAN: Does it make sense to you, Pearse?

>> PEARSE O'DONAHUE: I just wonder, what was the question?

>> MAARTEN BOTTERMAN: Can you move the microphone a bit. Point it at yourself.

>> PEARSE O'DONAHUE: I just wonder if the full question was asked. Because behind the question as to whether it's efficient is whether that is the real reason that the way that the technology has been designed is simply to turn on your washing machine. Or is it because, as we know, in many cases it is to capture data. Now, the question therefore is not whether it does it, but whether the user is, first of all, aware of that. And, two, is happy with that and has given consent implicitly or explicitly? And I suppose that's where we need to be. Because I wouldn't dare argue with an engineer, but I still have to say the Cloud itself is a distributed system. And we have increasing use of edge computing, which, as we develop 5G, as we develop the 5G platform, including some of the low powered technologies, the WAN, for example, that was described, the edge computing will be a critical part. And then it won't be a question of should I allow my data to go onto the edge, which is part of the Cloud, it will be necessary for integration systems, particularly in mesh operations.

But I think what we need to drill down to immediately is: Is the user aware that their data is being sent to the Cloud and therefore out of their control? Are they consenting to that?

But of course from a policy point of view, the European Commission would certainly encourage the use of data. If you can just take the working example that Alison gave, there are lessons that can be used in aggregated data that can be used for useful grid management, energy saving, et cetera. What time of the day is it normally done. And can the system ping you back saying wouldn't it be better if you waited two hours? But also, for ecological reasons, we could have a better understanding of power consumption.

So I think that's really, particularly when we are talking about human rights, is what we need to decide. Because whether it's an engineer or regulator, we will always find good reasons for the Cloud to be used.

>> MAARTEN BOTTERMAN: Yes. Very much. Thank you.

Peter, I can see you were triggered by this --

>> PETER KIMPIAN: Yes, Cloud is an appealing word for data protection experts.

But I fully agree and subscribe to what Pearse said. But I just wanted to add one more element, which is legally it makes it even more complicated, this issue. This is the localization of the Cloud. Where is this Cloud based? And what are the guarantees that can -- it can provide? Whether it's contractual, whether it's legal, hard obligations, soft obligations? You know, it really, really complicates or can complicate legally the use of this technology .

>> MAARTEN BOTTERMAN: Yes. Thank you very much.

It's just also a discussion catching up with reality now. Because we didn't used to do things in the Cloud that much as we do it now, or over the last three years, even, I would say. And industry is often developing ideas for different reasons. One of them could be to catch the data, which is one example. But other things can just be to provide a service. A very clear example there would be the assumption TVs that collect in their Cloud your commands, so they can compare it with other commands and understand what you say. It's never intended to spy on you, yet these data are out there. And I think industry becoming aware of that and of the potential impacts of such issues, it's one of the things that we go through while technology will continue to evolve.

So please introduce yourself and then we welcome your question.

>> AUDIENCE: My name is Yutta Croll. I'm coming from the German Digital Opportunities Foundation. And I would like to pick up something that Alison has said with regard to smart farming and the monitoring of the animals' health. And you had questioned whether this is linked to human rights. And I would say the same technology is applied to monitoring people's health. And when it comes to children, for example, we already have these Internet of Things or Internet of Toys, stuffed animals monitoring the house of the children. And, of course, it is a question of human rights, whether this infringes the human rights of the child but also whether it's safe to have these data transfer to the Cloud.

So I really would like to discuss whether we have, under the principle of safety by design or security by design, other options as not to transfer these data, these health monitoring data to the Cloud, but maybe transfer them in other ways.

Because I think it's good for parents to have the opportunity to monitor the house, but on the other hand they need to be aware of the risks for the safety of the data and also for the safety of the child.

>> MAARTEN BOTTERMAN: Thank you for your question. It's very relevant. It's being aware of it and also technology supporting that it can happen in a secure way. So security built in is an important question here.

One of the examples I saw in all of my travels is that you can also bring your parents, when they get Alzheimer's or whatever to a home where they are monitored 100 percent of the time. And you can eve put on and off their gas, their stove, their water. You can witness that. And it's -- I've seen it, this beautiful American style commercial where it's like in heaven. And you can always interfere and help them out when they get into trouble, because of the losing -- so what does it do to you?

My first reaction is shit, I wouldn't want that. And then you start to think deeper, and then you think of quality of life of people that otherwise might be stuck in a home with closed doors where they cannot walk out without the proper care. And then you see the balance. It's this kind of thinking why we need the debate.

Can we secure these things in an appropriate way so we can feel safe and feel good about it. What way forward here? Pearse, I know there is a human centric element issue explained this morning in the main room. How do we deal with this?

>> PEARSE O'DONOHUE: Well, I think the answer has to be that we can control it. But if we have it purely technologically controlled, then we are going to lose, one way or the other, some of the benefits of the technology. So we actually have to have greater design, which is tailored to the human, but also rules with regard to the intervention.

To go back to the question about health and particularly about toys, now we can be accused of being naive. But the European Commission's starting point is, of course, we have now have strong data protection regulation, which must be implemented. And if it's not implemented properly, then obviously then there is a problem with regard to our basic approach, so we have to be very careful about that. But any data about a child or any other subject where it's personal or can be related back to that individual subsequently, probably using technology, then that is personal data and must be protected.

That's not an answer in itself, but it is using these approaches in terms of the device but also the service and the transmission. We have to assume that if we don't know otherwise, we assume it's personal data and that it must be protected.

But then in your application where certainly we can say here is a positive use. Here is a potential to facilitate individuals, and another well-meaning and well-intentioned individual will of course be reassured but also to help that individual. But if that device without the proper controls falls into other set of hands, then maybe you can have a less benign use of technology.

So there again, of course at the end of the day, if you leave it purely to technology, then we will have pressure to put blocks so we won't be able to use the technology and therefore protect some people, protect children and or protect vulnerable elderly people. But they won't be able to benefit from the technology, either.

That's why we're talking about human rights, because it's subjective and it's a societal problem that cannot be resolved by regulation or regulation alone.

>> MAARTEN BOTTERMAN: Thanks you very much. It makes little sense.

Yari, can we be sure? Can we depend on the system?

>> YARI ARKKO: I'm optimistic about the technical aspect of this. You can actually secure things fairly reasonably. But that doesn't solve the policies. Even if you have a perfect system, you or you and your parents still need to be decide whether you want to have them monitored. It's sort of a trade-off at the policy or human level. I mean, are they capable of deciding for themselves or not? And, you know, the down sides and the up sides, and that is still there, even if the technology was there.

But I did have a comment on this sort of technical discussion and following up a bit on this data localization and whether we allow toys to put data on the Cloud. I think it's not only about the physical location of things, physical location of the data or where the Cloud is, it's sort of logical access to the data. So as an example you might have some webcam that you can, like when you are out of home, you can follow what is going on at home or with your parents, for instance. But the question is who has access to the data or the picture of the video feed? Is it you? Maybe that's a different question than -- if it's you and some Corporation that will store it, or maybe doesn't store it, but some friendly intelligence agency will store it for 50 years. And then 40 years from now, after the 13 changes in the administration or presidency or whatever, the political climate is different 40 years from now, and then maybe they want to use that footage from 40 years ago, from your childhood or something.

And that scares me.

>> MAARTEN BOTTERMAN: I can see that. Yes.

>> ALISON HARCOURT: I don't know if any of you saw the WikiLeaks recently, the release of Vault 7, which is about CIA. Because we were probably referring to third countries, maybe, which are less, you know, pro individual rights. But even western countries have been producing malware that has been targetting IoT.


I'll take a couple questions from the room. I've got somebody at the microphone and somebody who asked for the microphone in the room. And we will take a couple of questions, then we will get back to the panel.

I know Pearse has to leave in ten minutes. So if you have specific questions for him, this is also the time to ask it. He won't leave because he's bored. He leaves because he has an appointment with somebody else.

So please, you're standing ,so I would say you go first. Can you introduce yourself, Ian.

>> AUDIENCE: Ian Fish , BCS (?) from the UK.

There was a lot of, and rightly so, bottom-up technical stuff talked about,, as well as some top down. But I look at things from the system to system point of view including humans, and that's where the human rights thing comes in.

I've just got a couple of questions or points. I think they're more like questions.

>> MAARTEN BOTTERMAN: You get two at most.

>> AUDIENCE: Two. Two.I'll do two.

The first is around the issue that the data subject must be aware of the data,, which is collected on them, and that really came to my mind when Pearse was talking. Because he talked about the digital divide. And I thought really we have a different sort of exclusion here, which is an exclusion based on information about the data subject that they may not even know is there. And the question really is: Is that sort of thought right or not? And how does that apply to the human rights of the person?

And the second question is, and again Peter mentioned this, nobody else had before, which was ethics. So when you come to what Pearse talked about, elderly people -- and you will talk about it now, about how they can be helped and the rest of it -- are we now in a situation that because of the possibilities that are now there, that actually ethical questions come right to the top of the pile when dealing with what is possible against what is desirable? Thank you.

>> MAARTEN BOTTERMAN: Can I invite you to ask your question, too.

>> AUDIENCE: Thank you. Is there a sound? You can hear? Okay.

>> MAARTEN BOTTERMAN: What is your name, please.

>> AUDIENCE: My name is Ashwan Eskanova (sp) from Turkey, academician and former politician.

I was late, so if my question has already been touched upon, I apologize in advance.

There is an industrial Internet consortium. I believe you mentioned Exeter is a member of that consortium, if I'm not wrong.

Industrial area, industrial Internet of Things, people -- this is not because I endorse it, I'm just mentioning it as a reality -- people are much more sensitive for the security of their data against industrial espionage, compared to human rights and other ethical issues.

What do you think of that consortium's work? In fact, a couple months ago they published Industrial Internet Security Framework Technical Report. I analyzed it. But the principles put there, the guidelines put there, can it apply to daily Internet of Things? That's the question that I'm curious about, number one.

Number two is IPv6, without IPv6, is it possible at all to have Internet of Things? Thank you.

>> MAARTEN BOTTERMAN: Thank you very much.

There is one more question coming. And then a question in the middle. And then it's really back to the panel.

>> AUDIENCE: Thanks, Maarten. Robin Wilson from the Internet Society.

I wanted to put forward a couple of points for the panel to think about. The first one is about the effect of the Internet of Things on the amount of data that is generated about all of us. We already know that much of what happens on the Internet is fueled by personal data, which is monetized. And that is an economic force that powers much of what happens on the Internet. And often that is to the detriment of privacy.

To my mind, the Internet of Things represents a huge increase in the amount of data that is generated about us, with or without our awareness. And I'd like the panelists' views about the impact of that on personal privacy.

And then just one quick point about identity. I think IoT radically changes the way in which we think about personal identity in this sense: That if I'm surrounded by a Cloud of intelligent or connected devices, it creates a pattern about me, about me uniquely, from which it's almost impossible for me to escape. So what are the prospects for anonymity and pseudonymity when we are surrounded by that Cloud of connected things?

Thank you.

>> MAARTEN BOTTERMAN: Thank you very much. Interesting questions.


>> AUDIENCE: Hello. My name is Yanni Simpson. I'm an academic at the University of Salford in Manchester and a colleague of Alison's on the project on technical standards for Internet governance.

My concern in that project is spectrum. And my question to the panel concerns capacity for the Internet of Things going forward. We have been told for many years the future is mobile. I guess the present is mobile. It seems that a lot of Internet of Things of things will require or rely on microwave technology to at least some extent. But we are also told that spectrum is scarce. And recently it's about spectrum at the global level have highlighted tensions betwee the desire of the mobile communications business to have more spectrum and the resistance to lose of particular parts of the spectrum by broadcasters in particular that underscore the public interest dimension of their ownership of the spectrum.

So my particular question is: Into the future, to what extent is there going to be sufficient spectrum capacity particularly at the local level to deliver the Internet of things in a well-functioning, broadly accessible way?

And to what extent might that put pressure on the idea of spectrum as a public resource that could be used for purposes of an experimental nature or a Civil Society nature?

In other words, are we going to see an increasing proprietization of spectrum by the private sector in the interests of the delivery of the Internet of Things?

>> MAARTEN BOTTERMAN: Thank you for that quite different but very appropriate question as well.

Just grouping it, we have some questions on the security, on ethics and data protection, and the more technical questions on IPv6, identifiers on one side and spectrum on the other side. And, obviously, the data subject must be aware, from Ian, which is like: Can we opt out in the IoT space?

I think if we want to do anything with this, systems need to be secure. And I recognize very much that there is a difference between the gadgets, the environments, the cyber physical systems, and if you go to the consumer side or go to the industrial side.

I think you've also been involved in that, you're aware of the industrial security report?

>> So, personally, I've been super involved in the industrial Internet efforts and the multiple. But I have a general observation to make, which is that since I worked with industrial use cases, and some enterprise use cases, and compared that with consumer market situations, and there is one very clear thing: Like these people, you have a factory to run or you have an industry to do or you have a company that you care for, you actually have people to think about stuff and set requirements. And they do think about these kinds of things, privacy, and do we have security, do we access the data forever and as long as the other company or service providers are available?

So -- and they usually demand more than the consumers. So they say we need -- that's a nice solution, but we need the data here under our control. Now they might outsource their data centre also, again, somewhere else, but usually they want things under their control. And that's primarily I think a difference of -- of course the requirements may be harder, but it's a difference of knowledge and time to think about stuff. And being in a market position where you can demand more things. Because if you buy millions of Euros worth of equipment, you can set some ground rules. Whereas if you are a consumer, you cannot buy that thing or buy that thing. Those are pretty much the options.

>> MAARTEN BOTTERMAN: Yes. Unfortunately, we often see that consumers are not aware of the costs of security or lack of security, and industry is more aware.

>> Right.

>> MAARTEN BOTTERMAN: So with that, Pearse, I know this will be your last remark. So please start on this, but if you have any remarks on the other aspects, do that as well. And I appreciate your opinion here.

>> PEARSE O'DONOHUE: Well, thank you. And I'm sorry for disrupting the discussion. I would really like to stay. But, unfortunately, somebody else's diary didn't fit that way.

I think on the question of the industrial Internet, the Commission is strongly supporting the development of the industrial Internet. The Commission is putting money into helping industry to develop the platforms that you're speaking about. You have absolutely no embarrassment about that. And it's no surprise that they don't first of all think about human rights.

So let's not -- I know that you were not trying to do so, but there is a risk of the discussion of being polarized. What we can do, as is so often the case, is benefit from the investment and thinking that industry has done. And say well, that technology will work for protecting the individual as well.

One issue about the Internet of Things, which goes back to the digital divide, however, is that of course because this data is worth money to them, these processes are worth money to them, these processes are worth money to them, they will spend more on the devices. They will spend more on system security and even on the quality of the individual device.

And to have the Internet of Things benefiting everybody, we have to find ways of -- well, how, through mass market but also through common action do we drive down the cost? Because many individuals will buy the cheapest model in the bulk retailer, and that is the one probably with the lowest security profile. And that's the way the market works, so there is a role for regulation. But we cannot force it, because somebody will always want to meet that price point which is lower and cut corners to get there.

And just about the IoT environment, yes, I think it is realistically not possible to cut yourself off anymore from this environment. But that's why the General Data Protection Regulation and the security rules must apply.

Consent is crucial, but as those who are less well educated or who are in a less favorable social environment or economic environment come into the Internet, they must be given the tools. And that's where we have a Social Policy objective.

Two really going to throw two more answers now. One on IPv6. Simply, the Commission feels that we must move to IPv6 and that IoT will not develop properly. I'll stop there, because it's a discussion in itself.

On spectrum, I would say that the problem is not any longer the broadcasters. It's already moved on. It's too late for them. They realized that. And some of the broadcasters are very proactively working for wireless and mobile approaches to their work.

For IoT, we will need a strong mixture of licensed and unlicensed spectrum. We have to go more towards spectrum sharing, which is something which we have been doing already for some years, where there are clear examples of how that will work. And again, whether it's low power or low data rate, huge numbers of these IoT devices do not have to be always on with low latency or high debits. They might be signaling quite intermittently. So that kind of usage pattern means that with modern technologies, but also with clever spectrum planning, we can actually accommodate all of the uses, and this is something that we do have a role with the Member States.

So allowing an individual undertaking to own a huge amount of spectrum is not actually going to help, because it does use up. But there are many other technologies which actually pushes in the other direction, which is why those who do own exclusive use spectrum are being forced more and more to justify that and to actually in some cases even allow low power localized applications to actually run below a certain DB on spectrum, which they are using for high power, cellular technologies.

So all of this is happening. The biggest problem that we see is resistance from Member States who still see spectrum as a cash cow for their exchequer and who do not actually realise that if they were to free up spectrum, to lower the price of spectrum, they would be creating growth in their own economies.

And I apologize for leaving.

>> MAARTEN BOTTERMAN: Thank you very much for your contributions. And it's very good and clear to hear that also the social, the privacy, and even the policy accounts are very much at the core of the work the Commission is leading on IoT.

So thank you very much for your contributions.


Peter, please fill that other Chair. Otherwise it looks like a gap there.

So Peter on this?

>> PETER KIMPIAN: Yes. Several issues were raised, so I tried to give some of the answers our Committee would have or found out during its work. Because those questions have been popped up in our work regularly.

So ethics. Yes, I mean, with the pace of the development of this technology, ethics is becoming more and more important. And I think in this ethical Council, there are in European countries, there are national ethical Councils who can play a very important role in this. We should -- what kind of use of the new technology can they or cannot they undertake.

And there are International fora as well for this. For instance, there is the Council of Europe, the DH bio, which is the Bioethics Committee who is actually presenting a whitepaper on the use of new technology in nanotechnology, genomics, BMX, and all these fields.

So I think the ethical questions become -- are becoming more and more important, and national and International bodies have to play a role in deciding or in giving guidance on the use of this type of technology.

And anonymization. Well, I think this is one of the -- the major change in data protection or in privacy that of course the texts, the legal texts are speaking about anonymization as a desired result. And it's speaking as a technically neutral way. And it is right to do so. But in a practice a lot of practitioners find out that anonymization is not possible anymore and it is not effective anymore. Doing anonymization is even less effective.

So now we are tending to measure this as how much effort it takes to re-identify the person and have this kind of meter or have this kind of parameters to decide whether if it's lawful or if it not lawful.

So if it takes too much effort to re-identify a person, then maybe it will not pose legally problems. But if it's very easily it can be done, it can be done very easily by the combination of very easily uptaking of all results or methods, then it might pose problems.

Information and right to information. This is one of the core principles when it comes to data protection and privacy. As I said, the data subject has to be aware of the whole lifecycle of its data. And while we of course we are departing from the principle that the data processing has to happen for legitimate purposes, and if the purpose is legitimate and the data controller is bona fide, it has to inform the data subject on what is he or she doing with his or her data. And if it -- well, if it's not happening in an understandable simple way, well it is clearly illegal, at least under European Regulation.

I will stop.

>> MAARTEN BOTTERMAN: Thank you. It's very clear that, as you said, the concern with data is can you anonymize them in a world where big data is brought together in all kinds of algorithms and analyzed in context of other data that were never intended to be combined before. So it's a very good question.

At the other side, we also see in Europe the recognition that data are also valuable, not only to businesses but also to society. So how can we make use of that, how can we use open data in a useful way? These are very relevant questions. They go beyond a little bit the IoT subject, so we will take this to the 2 o'clock session in this room, which is more about data.

And if you go back to this session, at one point I wanted to ask your attention, I don't know whether it fits in what you have in your mind right now, but what we also see in the Internet of Things is, from the gadgets and talking about the different parts, we look more and more to what is referred to as cyber physical systems. For instance, because a project, it's looking at specifically that, as that changes the context of the discussion, it changes the context of the spectrum discussion. It changes the context of their localized data. The cyber physical system is a system that contains a lot of IoT. It could be your car, it could be your house, it could be a plane. In a way, it could logically be a city. So where do you keep the data and how do you secure the data is different there, too.

So is that helping us to start thinking in this kind of concept, and in what way?

Yari, I saw your hand. And, you know, you can always give the answer you planned, rather than the question, Yari.

>> JARI ARKKO: Yes, I had a set of things in my mind from the questions and discussions.

The first thing on my mind was that we talked about -- naturally, we're here. We talk about EU things. But I want to point out that the world it global and a lot of companies, I know my employer is on that mode, so we want global solutions and we want to go to the global market and the standards are global. So let's keep that also in mind. That this is where we have to have an effect. It's not enough to have an effect on our own continent. So I just wanted to get that out of the way.

And Pearse already answered the questions on IPv6 and spectrum, I think, more or less perfectly. I just wanted to add a couple small things there. Obviously it's possible to do things in multiple ways. I think that IPv6 is the future and today's reality, also, in many cases, and that is the right way to do things.

It's possible to tweak systems so that you can do things with IPv4, but it costs more and it will use more power. And it's not the desirable state of things. Particularly for things where you need to contact or act with it and expect to do that in a quick time scale.

Spectrum, he already answered pretty much this. But I just wanted to add that there are some trends in terms of making the cell sizes smaller and the ranges smaller. So it's a denser architecture. And then you have beam forming techniques in 5G. So some of this works against the trend of having more and more gadgets and devices using this. So it's this balancing part, and I'm personally optimistic about the spectrum parts.

And then back to the cyber systems, I think it is a helpful way to think about stuff. And you can't have like this, here is a car and here is IT stuff to go along with it, but we're not responsible for the IT stuff in any manner. That doesn't really cut it. Like you have to think about it as a whole. This is the service and the product that we're offering. These are the rules. And we are responsible for these parts. And in the warranty, you as the consumer are responsible for the other thing.

That's the way to think about the whole. I mean, it's not along the axis of technology somehow.


>> ALISON HARCOURT: I think you were getting it --

>> MAARTEN BOTTERMAN: I was told to keep it above your heart and not cover the antenna.

>> ALISON HARCOURT: Okay. I was thinking about, you were getting at data localization attempts. Because a lot of European States in particular are pushing for data localization, particularly financial data.

And the verdict is not really out on consent and definitions of concent. A lot of people are referring to the General Data Protection Regulation. But we have coming up the revision of the e-Privacy Directive now at the European level. And IPv6 is very important in this and the Internet of Things because, of course, identifiers and devices can be identified as well as people.

And they are looking at MAC addresses as identifiers as to whether they should be identifiers or not. And then also more regulation on cookies.

So the verdict is an add on concent and also there is pressure because the Cloud is regulated in the point where the server is located, and where the server should be located and regulated, and whether they should be subjected to Europe law or not.

>> MAARTEN BOTTERMAN: Thank you very much.

I would like to ask are there remote questions?

>> AUDIENCE: (Off microphone)

>> MAARTEN BOTTERMAN: Okay. It's you first and then it's Rachel. Please introduce yourself.

>> AUDIENCE: I'm Annette from the Internet user organisation of ICANN, the European organisation.

I think, Alison, your question has not been answered yet. Can devices be locally managed? I'd really like to have an answer to that. Because I like the idea also of having a server in the basement. So that is one thing.

The other question is, listening to all of that, it seems that data ownership is really central. And what we discussed here right now looks like a huge disappropriation. I looked that up with the help of my friend over here, an Ichon (sp) in German. Having had a socialist country in the past, this does not really sound like a nice work to us, appropriation. So taking away the ownership of your property via technology, especially as in agriculture, for example, or in many other places where the person does not own the data anymore on its soil. I don't like that idea.

And if we listen to my neighbor here who says we look at industry and there they make money and so they really care about security. So is security depending on the costs and the profits you make? And what does that mean for the security when I'm the owner of the data, and is it still secure?

>> MAARTEN BOTTERMAN: Thank you. Can you give the microphone to Rachel.

>> RACHEL POLLACK: We don't have any remote questions. But as I said, I have a question. Rachel Pollack from UNESCO.

I want to go deeper into the discussion of impacts on human rights. Of course we all think about privacy and data protection. But I wonder if in your work and discussions you've come across any examples of impacts on other human rights of Freedom of Expression or association, or socio and economic and cultural rights? Like the right to an education. Does IoT only offer potential negative impacts on human rights, or are there any examples where you actually think that it can help achieve human rights?


>> MAARTEN BOTTERMAN: Thank you very much for these questions. One thing on price. It's also are consumers willing to pay for privacy? And so far commercial companies find they are not. They are going for the cheapest, not for the safest.

>> Is it the responsibility of the states -- (off microphone)

>> MAARTEN BOTTERMAN: Where you put the responsibility and liability is a good question. Can you internalize it in the price, basically.

And then Rachel, for sure. Obviously one of the human rights is to be fed, to have enough food, eradicate hunger is one of the things. This is not a problem in Europe, but indeed if you take it to a higher, global level, I can see that we need IoT for these kinds of things. To be safe. Like the tsunami warning system now gives a head warning that a tsunami would arrive, enabled by the Internet of Things. There's clearly examples there, too.

And I wish that I would ask you, there is a clear data question here, data ownership is a concept that is often misunderstood. Can you explain that and bring also your perspective on how to deal best with that?

And then the other question of course also about the local management, which is a slightly more technical question, but I can see the value of that, also, in this context.

Robin, I'm not sure that we will be able to get to your intelligent cybernetics question. I just wanted to point out that it's really important for the future. But we will take that, if we manage to do this in three minutes.


>> PETER KIMPIAN: Generally speaking, there are two -- the right to information. I'll start by this, and then we will come to data ownership.

Right to information usually is a twofold obligation. It's a general obligation for the data controller to inform, in general, what kind of data processing is undertaken.

And there is specific obligation when it comes to a request for information from a data subject on his or her specific data. And this is where the two rights are interlinked. The right to control the data and to be in control of the data. And the right to information. They are interdependent. So they cannot live or exist one without the other. So this is why equally, they are equally important.

Our solution or our suggestion is to, in our very rapidly changing world and in a very complex data processing activities which are going on, is to make sequences of the data processing activity by the controller. And to contact or to inform in advance and to have the consent, contractual agreement, or other legal base for data processing, and to have for each sequence of the data processing. We know that it is cumbersome and it requires more energy from data controller, but there is -- we think there is no other way around.

>> MAARTEN BOTTERMAN: And ownership? Data ownership, you were going to say something?

>> PETER KIMPIAN: Well, it's about data -- who owns the data?


>> PETER KIMPIAN: Well, I think -- they -- I pass this.

>> MAARTEN BOTTERMAN: That's fine then. No problem. Thank you for this clarity about consent are at the legal base, basically.

>> (Off microphone)


>> ALISON HARCOURT: I have no answer.

>> MAARTEN BOTTERMAN: And Yari, there are two questions here. One was whether also local management would help. It was a very specific question.

>> JARI ARKKO: Yes. So the local management, I think we have different kinds of systems or applications. And certainly you can have local management, local services under your full control, and we should actually do more of that. As I mentioned earlier, there is some work at the IETF going on to do some of that.

But I do want to point out that there are distinctions between different types of applications. So you can have something like the light control in a house or whatever inside, sort of inward facing things. But there's also outward facing things or applications. And typically if you allow other people to connect to you or your resources in some manner, then that probably implies some kind of a rendezvous function in the infrastructure or globally accessible rendezvous function. Now that could be in one central point in the Cloud or it could be more distributed.

But there is distinction between the different types of applications, that some can be totally localized, and some just by their nature that they are global, that you have to allow people from the other side of the planet to connect. And that cannot be done.

So, you know, merely from your basement and no connections anywhere, and so forth. So there is probably going to be some infrastructure, and how you do that is maybe the question mark.

But I just wanted to point out that difference.

>> MAARTEN BOTTERMAN: Yes. Thank you very much. Well, thank you for that.

I think, if you take into account that this world is changing, and that will continue, whatever we do, it's debates like this that make us more aware of the issues that really touch upon our lives deeply and how we want to go about it that are important.

This is also why in the IGF IoT is one of the global points, one of the Dynamic Coalitions. And what we say here will be taken to the global IGF as well. It's important to take.

And then I think we can -- we have two minutes left. So a little bit look through to the artificial intelligence question. But basically, we see that IoT is permeating our environment. Our world is becoming increasingly digitized, which makes the digital world very close to the analog world, in a way, in observation. But that world can access well.

I'm still wondering what happens if the world around me decides what is good for me, without me having anything to do about it. When we talked about this last year at the IGF in Guadalajara, Vint Serf was there. And in my innocence I suggested to go back to Asimov and adopt his three laws for robotics for our environment. That in the first place you have to protect human beings. Second place to protect itself unless it causes harm to beings, et cetera. And then Vint looked at me and he said: But there is also a zero law. And that is the interest of humanity. And I took that literally. It made me realize that my existence in this world may be at the cost of humanity. And higher intelligence, based by endless data streams finds that out and decides to act on it, I'm not sure I would like it, even if it is better for humanity as a whole.

But this shows that it's important to keep understanding what is happening around us. And maybe that if things like local management of data, thinking in terms of cyber physical systems rather than in light optics and connector Y, will help us to do it.

But it also means that we really need to look at security from the outset. And a comforting thought there was that there was a Phillips inventor, or Phillips Hewey. Who knows what Phillips Hewey is? I didn't know, either. I thought it was his name. But I knew better because he introduced himself. But Phillips Hewey is the name of an intelligent lighting system where you can influence -- with your phone of course. Your interface with everything. The intensity of lighting, the color of lighting, on, off, et cetera. And he said even for the light bulb, we consider the security aspects. And we invite hackers to try to hack it and work with it.

Open source is where they move towards. And it's an interesting thought, because being a little bit of IETF, although I'm not an IETF engineer, whenever they think of how to solve something, there is an obligatory paragraph in the report -- at least correct me if I'm wrong -- which is about the security aspect. It's not good enough to say security you solve in other ways. You have to explain the risks and how that works.

With that, I think we come to a good fundamental management of our environment, as much as we can, context, that we're beginning to understand better and better. And that doesn't mean all the solutions are there, because all of the stuff that they have been installing over the decades and will continue to be installed may be designed from entirely different principles. And it will be in our environment, too, and it will be sharing data.

So with that, I'd like to thank you really for your contributions, for your thoughts to the process. I'd like to thank you for your participation, your good questions, and I wish you a tremendous rest of your day.

If you want to talk about data, back in this room at 2 o'clock. And, as you know, there are other things on the programme as well. So thank you very much.


This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.