Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Can we ensure consumer IoT privacy while enabling the data marketplace?

The internet of things promises huge potential benefits for both consumers, who will gain access to better and more personalized services through smart devices, and businesses, for which the proliferation of connected devices and touchpoints will open up lucrative new revenue streams.

One of these new revenue streams could be the data marketplace, where companies would trade non-sensitive data sets and data streams from connected devices. Accenture estimated that the IoT data marketplace will unlock $3.6 trillion in value by 2030.

However, in the current climate of heightened privacy awareness — where stories like Google’s recent nearly $57 million GDPR fine frequently hit the headlines — the idea of buying and selling any data without the proper consent is increasingly problematic.

The question is therefore: Is it possible to create an internet of things that is both trusted to protect individuals’ data privacy rights while also taking advantage of the business opportunities that a data marketplace would bring?

The sharing of non-sensitive data is a no-brainer

To illustrate the potential advantages of an IoT-enabled data marketplace, it is helpful to consider a real-world example. Let’s look at how this might work for one of the most high-profile IoT use cases: the connected vehicle.

At CES this year, a recurring theme was the growing potential for a data marketplace in the automotive industry — namely, through the connected vehicle. One thing was clear: While user data provides a huge opportunity for the provision of intelligent and personalized digital services within the car, the potential benefits extend far beyond the individual consumer’s experience. A manufacturer will also have sensors on a vehicle that it wants to share — and sell — non-sensitive data from, decoupled from the identity of the user.

Such data could include live diagnostics on engine performance; tire wear and tear; aerodynamic diagnostics in various weather conditions; ride-height relative to different loads; and the quality and safety of the road itself. A perfect example is a smart municipal bus, which could transmit information — such as vehicle diagnostics, the number of people onboard, congestion on the road, etcetera — to inform service updates and help ensure mechanical reliability.

Not only would this data be valuable for manufacturers and designers, it could also be traded with third parties, such as research firms, other manufacturers or even local governments, as with the bus example above. It ultimately comes down to the sharing of knowledge that, as well as providing an extra source of revenue for manufacturers and service providers, would ultimately benefit the end user as it gets put to use tuning products, services and infrastructure.

Bumps in the road…

In order to make this kind of data marketplace a viable reality, manufacturers need to make sure they can be trusted to keep data secure and private.

The need for security is obvious: IoT data streams will originate from a wide variety of devices and sensors that control critical processes, infrastructure and sensitive information, making them an extremely tempting target for hackers.

The question of privacy is equally important, and getting it right will require a highly sophisticated and granular way of handling personal and non-personal data. Think of the scenario: To trade on the data marketplace, device manufacturers will need to be able to grant access to certain data streams to specific people or organizations, under certain circumstances, without exposing sensitive personal data that might also be captured by the same set of devices or linked within data streams. They need to be able to authenticate requests to access data from paying customers and refuse access from unauthorized or malicious parties, and they need to be able to group (and ungroup) devices, data sets and identities seamlessly. And they need to do all of this in a way that builds and maintains the trust of the end user. Transparency will be key here — companies need to clearly explain how they use the data they collect, as well as the steps they take to ensure privacy and compliance with all relevant regulations, such as GDPR.

A complex web of relationships

To achieve all of the above, each connected device needs a stable digital identity that helps define who and what gets access to its data, under what circumstances.

This is far from simple, due to the sheer complexity of relationships and context-based decisions that will underpin real-world use cases. To take our example of the connected car or bus, the vehicle has to connect to the external infrastructure it’s operating within — incorporating many different cloud services, software providers and hardware — creating a series of relationships that each require varying levels of trust and security. It doesn’t end there, however, as this complexity also exists within the vehicle too, with each sensor in the network requiring a way of fitting into the wider hierarchy of devices.

What establishes a stable digital identity in IoT? First, both people and things need digital identities. And beyond the identity itself — the unique information that differentiates a device or person from another — reliable credentials are needed to provide a trusted way of confirming that identity is genuine, as well as strong authentication and authorization protocols defining access to the device’s data.

Only once there is a formal system defining how each device fits into the puzzle can a manufacturer then give the user transparent control for granting or restricting access to the information on those devices from a higher level. This is crucial to ensuring the data sharing from the device is trustworthy and compliant.

Access controls should be delegated to the data owner and designed so that they can be managed from a single dashboard to streamline the process and give the clearest view of what information is — and what information isn’t — allowed to be shared. The User-Managed Access protocol is the ideal candidate to support this system, as it provides such a transparent and secure dashboard.

Digital identity is the key to the data marketplace

And so we return to our original question: Is it possible to create an IoT that is trusted to protect individuals’ data privacy rights while also providing the potential business opportunities that the data marketplace could provide?

The short answer is yes, if you are able to establish a smart and nuanced approach to digital identity — one that covers both people and things and that allows manufacturers and service providers to build their IoT strategy on a foundation of trust.

Only once users are given full, transparent control of the data that’s on their devices will they then trust companies to securely and responsibly share non-sensitive information on the data marketplace. A robust digital identity protocol is also the key enabler for companies that need to securely authenticate requests to access non-sensitive data from paying customers while refusing access from unauthorized or malicious parties. Put simply, without digital identity, the data marketplace won’t leave the garage!

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.