It’s like we have two separate brains, and only one of them can be on at a time.
In one brain, we deal with desktop and laptop computers. These are machines we use to do work. (Well, they used to be until content consumption via tablets looked tempting, and then all computers had to be that, making it harder to do actual work. But that’s a separate topic.)
The work we do on our own computers is considered to be our private business. We connect the computers to the internet in order to get information or talk to other computers or buy stuff or whatever. Historically, it was an “option” to connect, but these days, it’s pretty much only black networks that have no outside access. For the most part, all desk- and laptops are connected.
These connections are intended to be outgoing unless some external party is explicitly invited in. But being connected opens the risk that someone from the outside could get in uninvited. We talk about these kinds of invaders using the language of violation: intrusion, malware, hacker/cracker, spy. The goal is that none should get in; we more or less live with the fact that, despite our best defensive efforts, some may make it through, so we install protective software to neutralize any such attack.
One thing you might not think twice about is this: your laptop manufacturer – Sony, Lenovo, Dell, whoever – does not get to ride along with you for your computing ride. You buy your computer from them and, unless you want customer support of some kind, they’re out of the picture. In fact, if you do want customer support – from your manufacturer or from the purveyor of any other software or service that’s not behaving as expected – there are tools that let them into your computer so that they can help to debug the issue. Such tools are used cautiously, and, critically, you, as computer owner, have to give your permission for them to enter.
OK, so that’s one brain. Computing engine is private, access is limited to your invited guests, and anyone else is considered an intruder.
Let’s shut that brain down and go to the other one. In this brain, we have cell phones. These evolved conceptually from landlines, so, as a communication device (not a computing device), it makes no sense for them to be disconnected. Yeah, the mobile guys took advantage of lax oversight to extract more money by including ring time in billing as well as charging both parties, practices that never happened with landlines, but, more or less, the model is that you use the communication device, they monitor your calls, and then they bill you according to usage. Just like ol’ Ma Bell.
In this model, as a communication device, it’s natural that the phone company be able to see the calls you’re making – that’s how they know how much to charge. In the old landline days, you didn’t even own the equipment (although you might rent it). Today you do own the equipment, although in the cell case, it may be heavily subsidized in order to attract those lucrative calls.
But what I’ve described here is an old cell phone – maybe a “feature phone.” Not a smartphone. A smartphone is all about apps and services. The phone calls are almost secondary. To the point where there are predictions that, plugged into a docking station that connects a full-size keyboard and monitor, these smartphones will evolve to replace the desktops and laptops.
But the whole access scenario is completely different with phones – and we seem completely happy with it. (Well, some of us, anyway.) When you download an app, that app gets access to data in a way that would never be tolerated on a desktop machine. Heck, it took a lot of pressure before phone users were even allowed to see what privacy they were giving up and could approve or block an installation based on that information.
“Hey, our new dictionary app will make it a snap for you to look up foreign words in restaurants. Of course, in order to do this, we’ll need access to all your contacts, your calendar, and your emails, thank you.” These days it’s an all-or-nothing game. You can’t limit some of the access: if you want the app or the service, you have no choice but to concede to their demands.
Ever looked at the Facebook app access expectations? This is where the difference between phone and desktop is particularly visible. On a desktop, my contacts are safely stored on my hard drive in an Outlook file. As is my calendar, and as are my emails. Anything gaining access to that under color of some other activity would be considered way out of bounds. So when I view Facebook on my computer, it’s simply my browser taking me to the Facebook servers. Facebook can’t (or isn’t supposed to) root around on my hard drive to get other information.
But with the Facebook phone app, you can’t install it unless you agree to let them root around in your phone. All those contacts and events and emails that they can’t get to on my desktop? They can get to them on my phone. (Which is why I abandoned the installation.)
So in one brain, we build all kinds of defenses against others prying into our private data. In the other brain, we seem to have no problem letting those same guys pry into that same private data. There are two completely different ecosystems built around the two different models: McAfee and Symantec and the like enforce the No Trespassing rules of desktops, while the giant app industry runs rampant on our phones.
And no one seems to notice the conflict.
OK, so computers and phones are inconsistent, but they’re so yesterday’s technology. What’s new about this? Well, by all reports, the Internet of Things (IoT) is coming. That means that your factories and homes will have practically everything connected to the Cloud.
If you’ve looked at any of the internet platforms, you’ll have seen that they provide obvious critical services for communication between the Things and the Cloud. After all, the whole scheme breaks down if those two can’t communicate. Why do they need to talk? Because, presumably, some important calculations are being done in the Cloud rather than in your Things. You don’t want to have to provision a door lock with a massive computing engine; you want the Cloud (OK, perhaps the Fog – don’t worry for the moment if that makes no sense) to handle that heavy lifting.
So in order for this to work, the Cloud and the Things must be able to communicate regularly. Meanwhile, if you want access yourself, as owner of the Things, you’ll have a phone app or even an enterprise desktop computer program or browser page where you can control your Things or see how operations are going.
But here’s where an industry choice comes in. And let’s take it in a few steps. Many of these platforms provide more than a way for Thing to talk to Cloud and for Owner to talk to Cloud (and Thing via the Cloud). They also provide a portal for the Thing maker – or network maker or service provider – to monitor user activity. On the one hand, this can help with debug if things aren’t going right. On the other hand, we already have a solution for that in desktops: give temporary permission for the provider to get in, and then lock the door shut again afterwards.
Such an open-door policy to Dell or Lenovo or whomever would be unthinkable in a desktop, and yet, if the IoT goes as planned, the desktop may end up being the only device in your home that doesn’t let the manufacturer in whenever he/she wants.
OK, so maybe it’s not so bad if the manufacturer can see your activity. In fact, some business models are evolving that require such monitoring – like cell phone business models (more on that in a future piece). But, taking it one step further, can the manufacturer sell that information to someone else? My guess is that they can and will unless told otherwise. Will there be an opt-out? Or even “informed consent” of the smartphone kind (where you get the product/service only if you agree)?
Let’s take it another step further. Let’s picture that some Things might be purchased from one company, but that another company might have a service that accesses that Thing. This would be loosely analogous to a third-party app on a cell phone. The access in this case isn’t there to provide for Thing debugging (that’s the Thing maker’s job); it’s there to provide some value-added function. Analogous to a dictionary on a phone.
Should that third party have access to all your other Thing data? This isn’t quite as straightforward a question as you might think, because it’s not quite parallel to the cellphone example. With a smartphone, the rummageable data is all on the phone. With IoT Things, most of that data will be in the Cloud. So the third party guy would literally need to access the Thing maker’s database to do the rummaging – something the Thing maker wouldn’t likely allow. Unless they see that as a source of revenue – selling out their users for a few bucks. Or, stated differently, taking advantage of “revenue-producing opportunities.” Depending on how you see things.
It’s not completely settled yet which brain the IoT will inhabit. But my guess is that it will be the smartphone brain. The Big Data thirst is just too great; there are too many dollars looking to profile all of us and sell that profile to whomever wants it – typically an advertiser. (Have you ever noticed that 90% of technology seems ultimately to be used for advertising?)
I have to be honest in saying that I don’t relish the picture of barbarians at the door salivating at the prospect of getting into every aspect of my life (at least those that involve Things – which eventually may not leave much out) with no ability of my own to control it. (The “informed consent” model is no better than a terms-of-use or end-user-license agreement – you either accept it as a whole or you don’t use the product, so that’s not really letting you control how something works.) The IoT will churn up untold amounts of data the likes of which wouldn’t have been imaginable even a couple short decades ago. And, by design, the system is set up to capture and mine all that data.
So the big question remains: who will have access to the data? And who should have access? Should this be run more like a desktop, where rummaging is considered an infringement unless explicitly granted as a privilege, or like a smartphone, where rummaging is considered part of the cost of convenience? There’s still time to address and settle this before IoT systems and networks create a default that may or may not be the best way. It makes me wonder whether anyone else is having this specific conversation. I’m not aware of it, and if, in fact, it’s not happening, then it seems like it would be a good conversation to have.
Eventually, we need to get to one brain instead of the two conflicting ones we have now.