Abstract This paper describes a generic architecture that can be applied to complex, intelligent systems that require provisions for 'Privacy by Design'. It describes the challenges for the designers and users of such system, principles for selecting components and a suggestion for a generic standard interface for controlling access and privacy.
Background: Inspired by the current discussion in Denmark concerning the need for 'welfare technology', i.e. the next generation of what used to be called 'Tele Medicine', aiming primarily at elderly and/or people with chronic diseases living in their own homes, and the recent focus on intelligent homes, 'passiv systems' as described by Colin Calder as well as 'smart grids', it is obvious that all three domains represent variations of the same class of problems. The basic inspiration is actually from the founders of Cybernetics- We are focusing on control systems, whether we are discussing welfare/well being of humans, emission of CO2 from our houses, controlling/optimizing the use of the available amount of electric energy in a grid, water consumption etc. As we are also heavily engaged in the challenges with 'the internet of things', as the Danish technology Council is right now trying to cope with in a national analysis, we know that before long we will have more intelligent gadgets connected on the internet than we have human beings on the surface of the Globe. So we are talking of a complex network of 'gadgets' that each have an address on the IPV6 network (whether this is static or dynamic), and not least we are talking of a man-machine network of dimensions we have not yet seen.
ChallengesSo what are the major challenges and how do we cope with them? First of all the Complexity is huge. There is a need for a simple way for human beings to understand this complexity and make it manageable if not intuitive.
There is also a lack of common standards that will lead to development of fractions of systems that will not easily connect to each other. If this is not solved, we will still be in the situation a hundred years from now that we 'think' we have a firm infrastructure, but in fact are using yesterdays technology far beyond applicability. Components have to be replaced as technology progresses. We can hardly believe that the CONTINUA alliance nor ZIGBEE alliance will be sufficient to include also smart grids systems, intelligent cars etc.
The basic example of this kind of backward thinking is that the distance between the rails of a railroad (in UK, US) is exactly the distance between the wheels of the roman war chariots. These chariots dictated the construction of roads - and that is where the railroads where first laid.
Lack of a standardized, simple user interface:Imagine your own house in 10 years: How many gadgets do you have installed then? Controlling your energy consumption, your heating, your communication with the external world, your car, your dog, your children? Your refrigerator and it's contents? And possibly also your blood pressure, blood sugar, weight, exercise and more if your are elderly, alarm system to warn against intruders, systems to help park your car etc. Now, when your TV got 40 channels, when you connected it to a DVD and later maybe to the internet, you still got the remote control – but where is the standardized remote control for your intelligent house ?
Lack of an intuitive and simple way to control use of your private data.
When all you gadgets, well – most of them – are also connected to the outer World, how do you control that your personal data are not revealed to other than those that you have deliberately chosen as trustworthy partners for those particular data? Your mobile phone today contains Apps that will reveal your whereabouts to a lot of third parties, your car will contain history and log of where you have been, how fast you have been driving, your kids can be located by GPS, your buying habits can be combined with your location – and potentially your insurance company canbe informed, if you have a tendency to forget to close the windows, turn off the water in the bath tub – just to mention a few, before we even touch medical and health data. It is not likely that you will just let go of all this info, leave it to 'big brother' or you benevolent neighbor. But how do you manage all this in a simple way?
Approach – The Basic Control/Feed Back system - Any gadget is either a part of or a complete control/feed back system. It will look like this:
Any type of regulator contains these components: The detector checks the intended target, say room temperature, provides the input to the logic system that decides, according to predefined rules, that it is either too hot or too cold and sends signal to an effector, an actuator, to turn on a heater or turn it off. The result is then measured by the detector etc. The snag here is in the logic and the lag between measuring and controlling, but that's another story. Now, some systems may have only the detector and the logic requiring a human being to act as an effector, but the concept is the same.
The model can then be extended in several ways, the first way is an identifier for each sub-component and an identifier for the system as such. It may or may not be the same as an IPV6 address or it can be linked to the IPV6-address. The purpose of the ID is to keep the system in control and avoid unintended change of components. Yet on the other hand, a component could be exchanged, as it's ID is accepted by the system as such to allow for new technology etc.
Now we need to add something to this model, we need to store program and data, that is produced by the system so we extend the model with 3 types of stored info: 'Rules', PID Data, and Non-PID Data. First we need to have a store for the rules - as we may have to re-program the system - or if we install an 'expert system' that learns from the success of the regulation and changes lags, size of impact, duration of impact etc. Then we need to log data. Either the data is connected with a human being and is personally identifiable or it is 'neutral', for instance concerning environmental data. This is important as we shall see later when we introduce the privacy design in this system.
External partners - Next step is of course to introduce the outer World and the surrounding networks, 'grids', external expert systems, external experts, doctors etc. The simplest case of course is to allow external sources access to non-personal data, as will be the case for intelligent grid systems, where changes in external data like pricing of electricity or availability of water, will allow local appliances to be turned on or off according to the pre- programmed rules. This simple model can be applied to all non-PID items in your house, including your intelligent refrigerator that controls the ordering of fresh milk, expiry dates for meat and eggs etc. as well as your use of dish washing machine at times with low energy costs etc. etc.
In this picture we have added human interven- tion as assistants for the PID-related data.
(One might of course have automatic response systems for some PID-items).
The idea is here that the access rights as well as the data transmission are controlled by an ACL – a so-called Access Control List, which is
a list controlled by the user in exactly the same way as you control which individuals among your friends that belong to which specific group of trusted partners. This is a role based access mechanism, and by using the Facebook/Google+ type of management, it is intuitive for each user, that your house doctor has a need to know about your heart condition, while your neighbor is only allowed to know if you are out of house.
Privacy by Design
Whenever a gadget is installed, it is either immediately configured with access controls defining a 'role' of supporters, that are allowed access, or you are asked to define, which role of supporter you will allow access to this particular class of PID. In a different set up – 'Facebook-like' – you can then maintain the coupling between the actual persons by their digital identity credentials for the persons that should be allowed access acting in the particular role.
In the example above there are more than one home nurse that will visit you, so each is granted data access under the role of home nurse. In some cases – for instance if your life sign indicator signals that you haven't moved or breathed for a defined (short!) period, an alarm immediately goes off at the same time with the doctor and at the alarm centre. Some data are irrelevant for some roles, your therapist may only be interested in your weight, and in some cases the data are not actually sent as an alarm but may be retrieved by a defined role in case of emergency.
Conclusion- By applying basic concepts of control system mechanism and straight forward, Facebook-inspired control of identities (=friends) belonging to a specific group = role, the user can control sharing of personal data, also in complex systems. The components of the total system can be changed if the interfaces are constructed according to defined standards, and all components are equipped with specific identities to ensure tracking and maintenance.
Of course a lot of other considerations has to be added depending on the detailed functions of the gadgets, and also the decision modules, rules, detailed function of expert systems will have to be specified. But the basic architecture, thanks to Norbert Wiener, need not be too complicated.