The Internet of (Whose) Things:


Business Models, Computer Architectures, and Privacy








Allan Friedman
Lance J. Hoffman
Cyber Security Policy and Research Institute
The George Washington University
Washington, DC











July 8, 2014



Report GW-CSPRI-2014-3



Abstract

The emerging world of diverse, connected smart devices and sensors known as the
Internet of Things has the power to transform society, but also introduces or
aggravates very real privacy and security risks. While traditional discussions of
privacy and security are often linked, we see a marked separation in the IoT
context. Security experts focus on devices while the privacy community has been
primarily concerned with aggregated data held on the cloud. We attempt to integrate
these two discussions by presenting an architectural perspective of how the different
components of end-points, devices and links might fit together.

Comparing this generalized architecture framework to what is currently offered by the
market leads to an interesting observation: much of what is currently called an
Internet of Things resembles a very simple architecture, the client-server relationship.
This one-to-many structure with centralized control makes security easier, but
concentrates data for greater potential harms. While there are good reasons for early
IoT applications to follow this basic model, how can we understand risk and control of
future instantiations of IoT?

We use the architectural framework that emphasizes links in the network to explore
control points, where engineers might build in security or privacy tools. Control points
can rely on both technical and human-level protections, but their flexibility also
introduces too much ambiguity: in an open-ended network structure, control points
might be inserted anywhere. This can lead to either over- or under-protection of data
and systems. We use a business-case analysis to limit the set of possible network
configurations for future IoT applications, and suggest how control points might be
used in these cases. The paper concludes with some general rules for engineering
security and privacy into IoT.










Introduction
The Internet has been constantly growing and evolving at an incredible pace over its
almost 50 year history. For at least the last 15 years, the next stage in its evolution
has been predicted to be a spillover from cyberspace into the world around us: the
Internet of Things (IoT). The blurring of the lines between the digital realm and the
"real" world is a function of a number of trends. The number of devices connected to
the Internet has exploded, with estimates as high as 50 billion by the end of the
decade.[1] Sensors are cheap, and can be placed into anything, and connectivity has
grown and taken on many new forms, from standardized mobile networks to the
potential of newly freed open spectrum. The rise of cloud computing has enabled
these new services and applications to take advantage of remote storage and
processing. We've made progress in taking advantage of the massive amount of
digital data generated every day by ordinary transactions. When these data comprise
information captured by our stuff as well, the potential to provide consumers with an
unprecedented array of smart applications and services seems limitless.

This grand vision of a world of networked intelligent objects also brings
with it specters of risk. In a world that has yet to understand the risks of 'classic' data
collection and analysis, expanding the power and reach of data collection to every
corner of our lives has sounded loud, clear alarms among scholars in the academy,[2]
activists in the privacy community, and policymakers in Washington.[3] Security is
also a significant concern, as data generation and collection becomes even less
centralized, and already shaky trust models and security practices such as the
certificate system come under even further strain.

A great deal of work has gone into characterizing the nature of the risks this new era
of the Internet presents. Much of it has focused on the data itself, the qualitative
differences in its source and the potential for transformative impacts following its
analysis and use.[4] While these are key questions, they do not tell the full story of IoT.
Despite years of hype and investment, we remain quite far from truly ubiquitous
computing and connectivity. Yet the fact that we are still in the initial stages of this
revolution allows us to seriously consider that most laudable goal of the privacy
world: privacy by design.[5] This paper explores the privacy and security concerns
surrounding IoT from the perspective of information architecture. We look, not at the
data itself, but how it will be generated and flow to understand the security and
privacy risks inherent in new forms of networking.

[1] Cisco White Paper.
https://www.cisco.com/web/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf
[2] A fairly comprehensive survey can be found in Dutton, W., et al. (2013), 'A Roadmap for
Interdisciplinary Research on the Internet of Things: Social Sciences', addendum to Internet of Things
Special Interest Group, A Roadmap for Interdisciplinary Research on the Internet of Things. London:
TSB.
[3] FTC Public Workshop on Internet of Things - Privacy and Security in a Connected World. November
19, 2013. http://www.ftc.gov/news-events/events-calendar/2013/11/internet-things-privacy-security-connected-world

We begin by clarifying the scope of our inquiry, not re-defining IoT, but highlighting
what is genuinely new about the issue. We then introduce an architectural
perspective of IoT, building a generalized model of how data can be collected,
transmitted, and used. We then use this architecture to understand the importance
and challenges in controlling the flow of data. While our model is general, the future
is not one of infinite potential paths. The shape of the network will be driven by
business models and architecture, since it is inextricably bound into how the
technology will be used, and who will be trying to use it. We conclude with a series
of observations about how different business models will enable different types of
control over the flow of data, which will, in turn, enable different responses to
privacy and security risks.

Defining and Scoping the Issue
There have been a number of attempts to define the Internet of Things, for a variety
of reasons, in a number of contexts.[6] For our purposes, the actual definition is less
important than the acknowledgement that we are still very far in real life from any
previous vision of ubiquitous computing and connectivity, however it might be
conceived. There are some interesting devices and applications that are embedded
in our lives today, but they are relatively small, existing in narrow verticals that
quickly veer back into the digital realm.

We also want to set aside two key issues as outside the scope of this inquiry.
Locational information, and the privacy and security concerns it brings, have been a
key focus of many of the discussions around IoT. While it is true that locational data
can be very useful, and introduce a great many risks, we are already well on our way
to a world with sharable location information without starting up the steep S-curve
of IoT diffusion. The mobile revolution is further along, and prognostications about
it should be treated as distinct (although not completely independent) from those
about the future of IoT. Similarly, just adding a GPS transponder to, say, a car raises
a set of issues that are still somewhat distinct from an open ended set of data
collection tools and communication pathways. For the purposes of this paper, we
are looking past location information.

[4] Dutton et al.
[5] Langheinrich, Marc. "Privacy by design: principles of privacy-aware ubiquitous systems." Ubicomp
2001: Ubiquitous Computing. Springer Berlin Heidelberg, 2001.
[6] See, e.g. Atzori, Luigi, Antonio Iera, and Giacomo Morabito. "The internet of things: A survey."
Computer networks 54.15 (2010): 2787-2805.

Second, we carve out for exclusion the paradigm of the "Industrial Internet,"[7]
although we briefly revisit it at the end of the paper. While this is a marketing term
coined by GE, it captures the distinction between an open, generative vision of IoT,
and a no less powerful but much more controlled vision of smarter manufacturing
and business operations. This paradigm exists within a relatively closed vertical,
where the value from the investment will be captured by the firm or firms making
the investment. And while we pick up this question briefly below, most of the
Things in the Industrial Internet will remain within the confines of corporations and
suppliers, rather than the consumer.

A useful analogy might be the recent evolution of Software-Defined Networking
(SDN).[8] SDN is a relatively new, powerful innovation in networking that essentially
virtualizes network management and resources, doing for the switch and the NOC
what server virtualization did for cloud computing and data centers. Invented in
2008, this technology has begun to revolutionize management of data centers and
large networks. It could also, eventually, support the management of individual
traffic flows all the way down to the consumer. By making network management a
software issue, it could potentially enable perfect discrimination down to not only
the individual but the individual and the application. This could potentially pose
serious issues to those concerned with network neutrality and Internet freedom. Yet
before activists storm Stanford's networking research group and the R&D
departments of networking manufacturers, we have to understand what has to
happen before this is a real concern. The technology has been deployed upstream
but is far from reaching the consumer. Costs will have to be brought down
dramatically, and technology and business models will need to be developed before
this technology will touch the consumer space.

Comparing the evolution of IoT to the evolution of Internet technologies actually
helps us understand where we are at the moment, and why we need a systemic,
architectural perspective. The IoT world today exists as a handful of small islands,
and the connectivity between them requires traversal of proprietary networks,
different data standards, and domains with different expectations of behavior and
control. In many ways, this is akin to the point in Internet history when the majority
of traffic was inside specific applications on local area networks, with only a small
amount of data spilling out into the Internet.

Just as the Internet is a network of networks, the transformative vision of IoT rests
on interactivity and interoperability. Widespread interoperability of different types
of smart devices and sensors will lead to emergence.[9] Applications not possible in
extant distinct silos can be created by bringing different pieces of the network
together. While we don't claim to be able to predict the future of IoT innovation, we
can look at the raw components available today to try to understand the building
blocks to this new world, and how they could fit together.

[7] The "Industrial Internet" is a marketing term coined by GE that addresses the integration of sensors
and processing power with traditional industrial equipment, supported by data analytics.
https://www.ge.com/stories/industrial-internet
[8] https://www.opennetworking.org/sdn-resources/sdn-definition
[11] http://www.fitbit.com


Architectures of Things
What is an architectural understanding of IoT? It is an abstraction that focuses on
the flow of information. We return to the 'net' in the Internet of Things to consider
the issue as the flow of data between nodes. We thus need to characterize what
these nodes are, and how they are related. By abstracting past specific
implementations, we can gain a more systematic understanding of the ecosystem.
Once we fully understand this, we can begin to fill in many of the other properties
also essential to understanding technology policy, such as why people
want information and what will be done with it. But we argue that a key step
to building out long term understanding and solutions lies in seeing IoT as a
network, enabling a holistic view rather than focusing immediately on specific
questions of privacy or security.

What are the merits of this approach? First, it forces us to think about the Things in
terms of information collection, processing, and action. We can apply more nuanced
components such as personal preferences and data sensitivity later; the key is to
understand how many different generic types of Things we might have to deal with.
How is a Nest[10] like a Fitbit[11]? How is it different? We can define node properties,
focusing on their technical capabilities to deal with information. By focusing on
information flow, we abstract to a level higher than counting gates on an integrated
circuit, or calculating power requirements. Instead, we can define a series of
technical capabilities we're interested in: permanent memory, connectivity,
broadcast range, etc. This focus on object capacity will also be useful in the next
section, where we explore how to manage this flow of information through inserted
control points.

An architectural perspective also allows us to make strong statements about the
links between objects. Is the connectivity direct, mediated through a local device, or
does it pass through a larger network? In many visions of IoT, everything may be
able to talk to everything else, but there are no guarantees that this connection will
be direct. A small thermocouple, or temperature sensor, with a tiny power source
and radio antenna probably won't have the technical capacity to manage a TCP/IP
stack, so the smaller devices will depend on intermediary devices.

[9] Palfrey, John Gorham, and Urs Gasser. Interop: The promise and perils of highly interconnected
systems. Basic Books, 2012.
[10] https://nest.com/thermostat
A Generalized Architecture

By sketching out the set of potential relationships, we can thus define the superset
of all network relationship types, a generalized architecture. The applications
discussed above are thus instantiations of some of the elements of this architecture.
The generalized architecture will allow us to compare different application or
paradigm-specific architectures. But we first hope to define all potential
relationships between different types of nodes, and their potential connections.




Figure 1 - A Generalized Architecture and communication links/networks in the Internet of Things

Figure 1 captures this generalized architectural view of IoT. The nexus of this model
is the Internet as we currently understand it: a decentralized, public
packet-switched network. This is certainly not necessarily the focal point of every IoT
application or instantiation, but we imagine it will play a role in many architectures.

We can then define a set of nodes. We first differentiate between technical nodes
(Things) and human nodes (users or organizations). There will be some flows that
will enable machine-to-machine communication which characterizes much of the
discussion around IoT,[12] and others where we have to consider the potential for
an explicit user or organization as a link in the chain.

[12] Atzori, Luigi, Antonio Iera, and Giacomo Morabito. "The internet of things: A survey." Computer
networks 54.15 (2010): 2787-2805.

The technical nodes can be further delineated by their role in the information flow.
Simple Sensors are the leaves of our networked tree: they can only collect data
from the environment as inputs to the network. Examples of simple sensors include
cameras, chemical detectors, and accelerometers. But there are other leaves on this
tree that also only input information, without processing or routing. Simple RFID
tags, for example, are not architecturally different from a thermometer, except the
data returned is preset or algorithmically determined, a function of Man rather than
Nature. The defining characteristic is the insertion of data from the physical world
into the digital world.

We differentiate these endpoint Sensors from Devices, which are characterized by
their inputs and outputs, as well as other features. Devices allow us a small amount
of flexibility to be technology neutral: we can think of them as applications or
physical devices with abstracted software, depending on the context. Sometimes, it
is necessary to treat different pieces of software running on a shared operating
system as (ideally!) separate, while there are other times it is useful to consider the
hardware and the application as a single unit. Devices can be further characterized
by their technical attributes, such as processing capacity, memory, and battery.
Although the rapid pace of technical innovation can make it tempting for us to treat
these, to a first approximation, as unlimited resources, this is not always the case.
Low power medical devices, for example, monitor sensors via simple algorithms, but
must be distinguished from the smart phones we carry in our pockets. Phones may
have the capacity to do this as well, but bring the costs, complexities, and risks of a
general purpose computing device.

At the other end of information flows are information sinks that use data without
generating anything further. Actuators receive information and translate this back
into the physical world. We draw a distinction between operations that impact the
physical world as an endpoint in the network without further flow and those that
enable future action. Entering bits on a drive, or displaying textual output should be
thought of as a flow, rather than an output.

Finally, we depart from a purely technical architecture to explicitly incorporate the
human element. The human user is critical, of course, but we focus on modeling this
individual merely as an agent, rather than assuming explicit roles of "owner"
or "data subject." Similarly, we define a class of Third Parties quite broadly to avoid
building normative values into the information flow. Either data can be routed to a
third party, or it can't. From a network flow perspective, it's important to draw a
distinction between two types of Third Parties. A device may send data to another
device or web service that it knows, a counter party. If this counter party sends data
to another node without an explicit relationship, that is a routed third party. Third
Parties can also be a single hop away by intercepting the signals directly.

Control Points - How we get security and privacy
The generalized IoT architecture in Figure 1 illustrates the myriad of ways that data
can flow. Different networks can layer on top of each other, and interact or operate
independently. From a generativity perspective, this seems to present the
opportunity for practically limitless innovation.[13] We are just at the very beginning
of this technical era, and experimentation and flexibility could enable the next Big
Thing. But the completely open nature reflects a world where the flow of data is
determined by whichever node controls it at any given time. Yet this vision is both
unrealistic and dangerous. The Internet as we know it today is not such a rule-free
place. We have developed a range of mechanisms to help check the flow of data
based on predictable security policies.



In the generalized architecture in Figure 2, we superimpose Control Points to ensure
that data only flows as it is supposed to. By continuing to use the generalized form,
we do not yet have to specify what "supposed to" means, only to understand the
potential for control. How can control be exercised on the flow of information? Control
Points take the form of functions such as

a. authentication of individuals or programs (or things)

These include passwords, passphrases[14], biometrics[15], physical tokens, and
computer identification numbers. (Note that a computer can be as small as a mobile
phone.)

b. authorization of individuals or programs (or things)

This is typically done by maintaining one or more tables of authorized entities and
the items they are authorized to access (and what types of access are permitted).
But other methods have been used in the past including the sharing of capabilities
among users, including, for example, software or hardware protection rings of
layers of a(n operating) system.

c. identification of individuals or programs

This is typically a user name, but can also be a number and in some cases a
biometric.

d. encryption of data flowing among devices or between users or on the
Internet or a local network

There are numerous encryption tools and standards available[16]. They have to be
used properly (an example of where this was not done is the recent OpenSSL
breach[17]) and usually one has to rely on a standards body such as the National
Institute of Standards and Technology or other trusted source to vouch for the
(relative) security of the methods used.

[13] Thierer, Adam. "Permissionless Innovation." Mercatus Center, 2014
[14] Neil J. Rubenking, "Forget Passwords, use passphrases for extra security"
PC Magazine, May 23, 2013, http://www.pcmag.com/article2/0,2817,2419274,00.asp
[15] Ross J. Micheals, Kevin Mangold, Matt Aronoff and Kayee Kwong, Specification for WS-Biometric
Devices (WS-BD) version 1: Recommendations of the National Institute of Standards, (Jun 30, 2012)

e. logging some or all transactions that take place

This allows for later replay and analysis, signature (code) analysis[18], (near)
real-time deep packet inspection[19], and even social network analysis[20], a double-edged
sword, both a privacy (-invading) mechanism and a security mechanism, depending
on whose eyeglasses one is looking through.

All these mechanisms can be tools in the service of security checks instituted at
Control Points after, ideally, a complete risk analysis[21] of the system to be protected
is carried out. Many such mechanisms have been around for many years, but are
often not put into place since users or administrators haven't experienced such an
attack and don't think it will happen to them, and also haven't bothered to do a risk
analysis that will in many cases (but not all) make a business case for instituting
them. Also, the cost to change systems in place, rather than to limp along with
insecure systems, can be quite high. Still, that cost has to be weighed against the
legal, administrative, technical, and reputational cost of responding to a data
security incident.
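
To make the superimposition of Control Points on the generalized architecture concrete, the following added example (not from the report) models data flows as a directed graph, labels each Third Party that a sensor's data can reach as counterparty, routed third party or interceptor, and lists the sinks that data can reach without crossing a given control function. The node names and links are constructed, and treating a node reached only over explicit relationships as a counterparty is a modeling assumption.

```python
from collections import deque
from typing import NamedTuple


class Link(NamedTuple):
    src: str
    dst: str
    known: bool           # True: the sender has an explicit relationship with the receiver
    controls: frozenset   # Control Point functions enforced on this link


# Constructed sample network; every node name here is hypothetical.
ROLES = {
    "thermocouple": "sensor", "wearable": "sensor",
    "hub": "device", "phone": "device",
    "furnace_valve": "actuator", "resident": "user",
    "vendor_cloud": "third_party", "ad_broker": "third_party",
    "sniffer": "third_party",
}
LINKS = [
    Link("thermocouple", "hub", True, frozenset()),
    Link("thermocouple", "sniffer", False, frozenset()),   # signal intercepted directly
    Link("wearable", "phone", True, frozenset({"authentication"})),
    Link("hub", "vendor_cloud", True, frozenset({"authentication", "encryption"})),
    Link("hub", "resident", True, frozenset()),
    Link("phone", "vendor_cloud", True, frozenset({"encryption"})),
    Link("vendor_cloud", "ad_broker", False, frozenset()),  # forwarded onward
    Link("vendor_cloud", "furnace_valve", True, frozenset({"authorization", "logging"})),
]


def reachable(origin, link_ok, links=LINKS):
    """Nodes that data from `origin` can reach using only links accepted by link_ok."""
    seen, queue = {origin}, deque([origin])
    while queue:
        node = queue.popleft()
        for link in links:
            if link.src == node and link.dst not in seen and link_ok(link):
                seen.add(link.dst)
                queue.append(link.dst)
    return seen - {origin}


def third_party_exposure(origin):
    """Label every Third Party that data originating at `origin` can reach."""
    everyone = reachable(origin, lambda link: True)
    via_known = reachable(origin, lambda link: link.known)
    intercepting = {l.dst for l in LINKS if l.src == origin and not l.known}
    labels = {}
    for node in sorted(everyone):
        if ROLES[node] != "third_party":
            continue
        if node in via_known:
            labels[node] = "counterparty"        # explicit relationship all the way
        elif node in intercepting:
            labels[node] = "interceptor"         # a single hop away, no relationship
        else:
            labels[node] = "routed third party"  # passed on without a relationship
    return labels


def uncontrolled_sinks(origin, control):
    """Third Parties and Actuators reachable on a path where no link enforces `control`."""
    hits = reachable(origin, lambda link: control not in link.controls)
    return sorted(n for n in hits if ROLES[n] in ("third_party", "actuator"))


if __name__ == "__main__":
    print(third_party_exposure("thermocouple"))
    for function in ("authentication", "authorization", "encryption"):
        print(function, uncontrolled_sinks("thermocouple", function))
```

An empty result from `uncontrolled_sinks` means every path to a sink crosses that control at least once; it says nothing about whether the control is placed at the right point, which is the over- versus under-protection question the text raises.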

Control Point Challenges
Of course, it's not enough to simply lay out a set of tools and declare that they could
go anywhere on the network. The right tool has to be used for the right Control
Point, and different mechanisms bring their own challenges. For example,
authentication and authorization can be conflated, which could lead to a control
failure if the authorization step occurs before authentication. Other mechanisms
offer their own challenges. Encryption is a very powerful tool, but introduces added
complexity. If two nodes wish to securely exchange information without having an
established trusted relationship, they will need to use a mechanism like public key
cryptography, which imposes an added challenge of key management. As one
security expert notes, "Encryption is Easy. Key Management is Hard."[22] Similarly,
logging data flows is fairly useless if the auditing mechanism isn't efficient at
distinguishing between legitimate and illegitimate data behavior.

[16] IEEE Security & Privacy, Special issue on Key Trends in Cryptography, January/February 2015, to
appear.
[17] Nicole Perlroth, Experts Find a Door Ajar in an Internet Security Method Thought Safe, New York
Times, April 8, 2014,
[18] "Signature Discovery and Threat Detection", Pacific Northwest National Laboratory,
http://www.pnl.gov/nationalsecurity/leadership/cybersecurity/feature.stm
[19] "What is Deep Packet Inspection?", PC World,
http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html
[20] Hanneman, Robert A. and Mark Riddle. 2005. Introduction to social network methods. Riverside,
CA: University of California, Riverside (published in digital form
at http://faculty.ucr.edu/~hanneman)
[21] Teodor Sommestad, Mathias Ekstedt, Pontus Johnson, "A probabilistic relational model for
security risk analysis", http://dx.doi.org/10.1016/j.cose.2010.02.002, Computers & Security, volume
29, Issue 6, September 2010, Pages 659-679

The right mechanism has to be used in the right place. What helps determine
effective placement? Questions such as cost and risk modeling are not unique to IoT,
but there are some issues that are. Many of the Things in our ecosystem don't have
much in the way of power, computation, or user interface. A full cryptographic
handshake could be out of the question, as could any form of user-generated
authenticating password. If a component cannot be assumed to be connected to the
network all the time, then an attacker must be assumed to have offline attack
capability.

Take, for example, the challenge of pairing a relatively unsophisticated device with a
smart phone. This link may require authentication (the device knows that it is
talking to this phone, and not that one) by transmitting a code, or just use the
proximity of the two devices, and rely on the lower power of the transmission to
limit range, and the user to detect someone attempting to eavesdrop physically.

The choice and location of control points should reflect the relative importance of
dynamic vs. static policies. Will anyone need to change the control policies at some
point down the road? If there is an evolution in the demands of the network or user
preferences, can the control points evolve? If there is a mistake in the code, can the
devices be patched? If they can be patched, whose responsibility is it to make sure
that components in the network have the updated secure code, and how will
counterparties know? Even in the smartphone market today, there is a misalignment
in responsibilities between handset manufacturers, software developers and the
telephone carriers, leaving far too many Americans with phones that are not
supported and patched.[23]

But all evolution in policy doesn't necessarily require security and control to be
added. As technology (and business models) evolve, it may make more sense to shift
control to another point in the architecture, and the network could operate more
efficiently if control was loosened at the edge.

This highlights the biggest challenge in mapping control points to an IoT
architecture. We do not want too little control, but we also do not want too much.
The actual amount of desired control is, in part, a political question about society's
tolerance for risk.[24] We also have to consider how the decision to introduce control
points is made. A laissez-faire world would make that decision in a purely
decentralized fashion. This local view may not allow even a well-intentioned
decision-maker to understand the importance of their role in the global flow of data.

[22] Anton Chuvakin and Branden Williams. PCI Compliance. Elsevier Press 2012. P. 127.
[23] Peter Singer and Allan Friedman. Cybersecurity and Cyberwar: What Everyone Needs to Know.
Oxford Press, 2014. p. 218

Some control points lend themselves to aiding in a global view of data flow. In an
electronic medical record environment, for example, with many devices feeding into
records, we may wish to limit who has access to most data, even inside a hospital.
But given the complexities of roles and responsibilities in a modern healthcare
organization with thousands of employees, allowing data to be accessed in a
break-glass model with an audit is widely recognized as superior to any form of delayed or
forbidden access.[25] On the other hand, a control mechanism in a consumer's smart
grid solar array that determines how power flows into or out of the public grid
should probably be protected. We might even argue in favor of redundant protection,
with strong authentication around the controller, and clear boundary-condition
checking at the actuator level to make sure that no action could overwhelm the
physical layer.
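
A sketch of one Control Point that combines the earlier point that authorization must not occur before authentication with the break-glass-with-audit and actuator boundary checks from the paragraph above. It is an added example, not from the report; the entity names, keys, resources and limits are constructed, and it assumes each signed request is delivered once (no replay handling).

```python
import hashlib
import hmac

# Constructed sample data: entity names, keys, resources and limits are hypothetical.
KEYS = {
    "ward-nurse-17": b"constructed-key-nurse-17",
    "grid-controller": b"constructed-key-controller",
}
# Authorization table: entity -> resource -> permitted types of access.
ACL = {
    "ward-nurse-17": {"record/ward-3": {"read", "write"}},
    "grid-controller": {"inverter/export_kw": {"write"}},
}
BREAK_GLASS_STAFF = {"ward-nurse-17"}                  # who may break the glass
ACTUATOR_LIMITS = {"inverter/export_kw": (0.0, 5.0)}   # what the physical layer tolerates
AUDIT_LOG = []


def sign(key, entity, resource, action, value="", break_glass=False):
    """MAC over every request field, so none can be changed after signing."""
    fields = [entity, resource, action, str(value), str(break_glass)]
    return hmac.new(key, "\x1f".join(fields).encode(), hashlib.sha256).hexdigest()


def control_point(entity, resource, action, mac, value="", break_glass=False):
    """Authenticate, then authorize, then bounds-check; log every decision."""
    def decide(decision):
        AUDIT_LOG.append({"entity": entity, "resource": resource,
                          "action": action, "decision": decision})
        return decision

    # 1. Authentication first. Until the MAC verifies, `entity` is only a claimed
    #    identity; consulting the ACL with it would authorize an impostor.
    key = KEYS.get(entity)
    expected = sign(key or b"", entity, resource, action, value, break_glass)
    if key is None or not hmac.compare_digest(expected.encode(), str(mac).encode()):
        return decide("deny-unauthenticated")

    # 2. Authorization against the table of permitted access types.
    if action not in ACL.get(entity, {}).get(resource, set()):
        # Break-glass: authenticated clinical staff may read a record outside the
        # table at once; the log entry is what the later audit reviews.
        if (break_glass and entity in BREAK_GLASS_STAFF
                and action == "read" and resource.startswith("record/")):
            return decide("allow-break-glass")
        return decide("deny-unauthorized")

    # 3. Redundant protection at the actuator: even an authenticated, authorized
    #    controller cannot command a value outside the physical limits.
    if resource in ACTUATOR_LIMITS:
        low, high = ACTUATOR_LIMITS[resource]
        try:
            setpoint = float(value)
        except (TypeError, ValueError):
            return decide("deny-out-of-bounds")
        if not low <= setpoint <= high:   # a NaN setpoint fails this test too
            return decide("deny-out-of-bounds")
    return decide("allow")


def break_glass_entries():
    """Audit view: the accesses a reviewer has to examine after the fact."""
    return [e for e in AUDIT_LOG if e["decision"] == "allow-break-glass"]


if __name__ == "__main__":
    nurse = "ward-nurse-17"
    mac = sign(KEYS[nurse], nurse, "record/ward-9", "read", break_glass=True)
    print(control_point(nurse, "record/ward-9", "read", mac, break_glass=True))
    print(break_glass_entries())
```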

Having laid out the generalized architecture above and discussed the challenges of
general-purpose controls for privacy and security, we now consider how to apply
them to specific instantiations. There exist different approaches, visions, or
applications of IoT. The flow of information with Nest, for example, is different than
a series of small wearable devices that communicate through a smart phone.

Business Models as Constraints
Above, we describe a number of different potential instantiations of the Internet of
Things. Which might actually emerge? We can derive some information from the
early forays into the space but, as we describe above, the more complete vision has
not yet arrived. Different approaches will be tried, and experimentation has been
going on in the research community for decades. Yet society-wide integration of an
IoT ecosystem will require massive investment. We focus on the incentives for this
investment, and argue that the business model is one of the most important things
to consider.

First, these architectures are expensive. Compared to transformative web services
that have defined the initial web explosion and the rise of an interactive Internet
over the past decade, the IoT revolution will be more expensive. These earlier
revolutions have not been free, of course. Infrastructure such as servers and data
centers and innovations in virtualization and novel programming practices weren't
free. But from a marginal cost perspective, two key features will drive cost as a
close-to-linear function of the adoption rate. The "Things" discussed above will have
real per-device costs to manufacture and distribute. Sensors may be getting cheaper
all the time, but still have a non-trivial cost. The heroic assumptions about the
drastic reductions in RFID tags, for example, have not come to complete fruition. At
the same time, some sensors might be integrated into existing devices. The binding
constraint for inclusion into a smart phone, for example, might be one of space and
power, since the hardware will be relatively cheap compared to the entire device.
Who will pay for the Things? Once we have a world of things, data has to get into
and out of these things. The long term dream may be of ubiquitous data
connectivity, but we cannot assume that this will be free without also making other
assumptions. Moreover, even if we have devices and connectivity, the challenges of
routing require some coordination. A system that assumes that the expanded IPv6
or IPv8 address space will suffice, for example, limits us to an IoT with the primary
link through the global internet.

[24] Compare, for example, two recent public comments to the FTC on IoT Privacy, one strongly urging
regulatory vigilance and protection
(http://www.ftc.gov/sites/default/files/documents/public_comments/2014/01/00016-88256.pdf)
and the other demanding a lighter touch in regulation
(http://www.ftc.gov/sites/default/files/documents/public_comments/2014/01/00010-88247.pdf).
[25] Break-glass: An approach to granting emergency access to healthcare systems. White paper, Joint
NEMA/COCIR/JIRA Security and Privacy Committee (SPC), 2004.

Against these costs, we have to sketch out the space of value. As discussed above,
we've seen the greatest recent advances in development and deployment in the
"Industrial Internet" space, where the value can be captured by the industrial
vertical. There have been instances where the value accrues downstream to the
investing party (the emergence of the UPC barcode is a notable example), but that
required substantial coordination and cross-subsidization. The two-dimensional bar
code, such as a QR code, has been developed but remained on the relative fringes of
our information society. (Although a handful of countries, such as Japan, make more
use of it than others.) The technical investment is a one-time cost, but the value has
to match the costs of deployed infrastructure.

These benefits could all flow to one actor, a series of actors competing in a given
space, or the value could accrue to different actors at different points in the
architecture. In a mobile device, for example, connectivity has traditionally been
seen as a separate value service from the device itself, but this isn't always the case.
Amazon subsidized limited 3G connectivity to some of their Kindle ebook readers to
drive traffic to their store. One of the most discussed (and feared) IoT value
propositions is the commercial value of very rich, detailed data about individuals or
Things collected automatically, and refined into useful information, or passed along
to third parties who can extract value.

Still, we can make some observations about how benefits accrue in networked
systems. The above discussion on the importance of interoperability stresses the
importance of standards. In digital ecosystems, particularly in networked
ecosystems, the value is a function of how many others can use it. This has led to a
relative rise of winner-take-all competition in the digital economy.[26] This type of
competition, in turn, shapes how and when actors will choose to enter the market.
When the entry costs are more expensive than the web-world described above,
actors may delay, or fight viciously over a space and deter other complementary
entries because of uncertainty in the marketplace. Often, order is restored by a
standardized platform, and competition can occur above or below these platforms.
Microsoft's massive market share in the PC world promoted an explosion of
software development on the common operating system platform. The lack of a
common standard of usable and reliable Internet identity has held back innovation,
and driven the US government to work to encourage private sector cooperation and
coordination to address this issue.[27] At the same time, we shouldn't expect a single
standard, but should also consider the potential for a series of standardized
interfaces across the ecosystem.

So what are these business models? We present four archetypes of business models
below, and offer a few examples based on what we see in the market today. The goal
here is to illustrate the diversity of potential costs to the firm or firms, a different
set of values offered to the user, and different means of revenue. We also describe a
pathway to ubiquitous deployment. Each model suggests some means by which
early adopters would enter the space, and the IoT ecosystem could grow organically.

How we'll get to the future: IoT Business Models
Stand-Alone Connected Device - We see a growing number of existing devices being
transformed by making them a little smarter, and connecting them to the Internet. A
VCR with a bit more brains and a lot more storage becomes a DVR. A thermostat that
can learn, and allow remote monitoring becomes a smart thermostat like Nest, or
ecobee. These devices are sold as devices, and can be priced based on their
hardware components (the Thermostat) or through service fees. The value for the
user tends to emerge from what they do, rather than the data generated, although
innovative use of data to support the core function can be a market differentiator.
Over time, we may expect to see some cross-integration between different
stand-alone devices, but these predictions often feel a little forced: "imagine your
refrigerator talking to your toaster!" The path towards adoption will come from the
immediate utility of the device, and competition should stay in the application's
domain. Thermostats and DVRs compete with themselves for market share, but not
with each other.

Vertically Integrated Data Ecosystem - A market actor with an established user base
may seek to extend the value of this space into the physical realm. The above
example about a smart wearable device integrating face and object recognition
capacity, for example, fits neatly into a possible direction for Google Glass. This plays
to the Internet giant's strengths: rapid data queries, processing and online storage.
The user already has a relationship with an existing set of tools, and this extends
that relationship into a new domain. Value for the customer could initially be built
on existing data and applications, with new capacity added over time. Imagine, for
example, smart conference badges directly linked to LinkedIn, that can not only
track new contacts, but measure social cues and predict success of future
relationships.[28] For the firm, value comes from the potential for further growth, as
well as the ability to head off disruptive competitors. These are also likely to be
environments where data is already being mined to generate value, so new sources
can be integrated into that value stream.

[26] Schilling, Melissa A. "Technology success and failure in winner-take-all markets: The impact of
learning orientation, timing, and network externalities." Academy of Management Journal 45.2
(2002): 387-398.
[27] Camp, Jean. "Identity Management's Misaligned Incentives." IEEE Security & Privacy 8.6 (2010):
0090-94.

Cross-application Pollination - The devices on and in our person have been growing
progressively smarter and more capable, but they have largely been developed in
isolated silos. A few applications or devices could grow to a large enough size that
other devices and applications build on top of them as data platforms or
communication links. These popular vendors share APIs to support this innovation.
For example, imagine a radio-enabled blood-sugar monitor that could notify a
wearable exercise monitor like the Fitbit when exercise might be helpful. The Fitbit
could then determine whether it had been a while since you took a walk, and vibrate
to remind you to engage in healthy metabolic activity. The Fitbit could also handle
the task of passing the sensor's data on to an app on a smart phone, which then
uploads it to that app's cloud-based servers. New devices and applications can be
developed more cheaply by piggybacking on existing local devices, services or data,
while still demonstrating their unique value to the customer. Being a shared platform
confers a market advantage to nexus devices by offering larger suites of
complementary devices and services. The nexus may also have access to a larger
amount of local data, which could then be exploited for profit. This local area
network could be tightly integrated or quite decentralized depending on the
context. Pricing would be a function of the devices or data services. It is hard to
predict any specific winner in this space, but complementary networked goods tend
to follow a tipping point approach.

Industrial Internet Spillover - The Industrial Internet trend discussed above could
also be a pathway for diffusion into the broader commercial space. We have
assumed the defining aspect of the Industrial Internet is that there are sufficient
returns from IoT investment outside the consumer space. Yet the infrastructure
could still emerge out beyond the control of the industrial vertical. Imagine RFID
tags staying on some products and used downstream, or smart environmental
sensors being read by public interest organizations as part of an open data
movement. Auto fleet transponders could be read by urban planners, and data
from a sophisticated RFID lookup database could help consumer protection
organizations detect counterfeit products. This creates new stakeholders for
existing sensors, for any number of reasons. The relationship between these
stakeholders, and the designers of the IoT ecosystem could be good with a positive
feedback for innovation and value creation, bad with an iterative game of disruption
and adaptation, or non-existent. Since this model is highly dependent on emergent
properties of unintentional deployment, building value across specific deployed
infrastructure is particularly hard to predict, and seems rather unlikely.

[28] Wu, L., Waber, B., Aral, S., Brynjolfsson, E., and Pentland, A. (2008) Mining Face-to-Face Interaction
Networks using Sociometric Badges: Predicting Productivity in an IT Configuration Task, Proc. Int'l
Conf on Information Systems. Paris, France. December 14-17 2008.

Business Models and Information Architectures
The business models above illustrate the different approaches to value generation,
and different paths to a widely adopted ecosystem. Each business model also
collects and uses data differently. How tightly coupled are the applications, business
models and architectures? We argue that each of the above visions would lead to a
different architecture, with different control points.

Stand-alone Devices only demand simple architecture. Each device exists fairly
self-sufficiently as a collection of sensors, actuators, storage, and processing, with a
connection to a service-specific server through the Internet. This connection may go
through a local network or some other first-hop on its route, but the connection is
quite simple. Data can be processed locally, or it can all be collected, stored, and
accessed in the cloud.

This predictable relationship gives us a fairly straightforward set of control points.
We need to worry about the security during the initial path set up. The relationship
with the service provider is a key point of trust, but the data collected should be
observable and predictable enough to allow a user or regulator to understand the
privacy risks involved.

In a vertically integrated ecosystem, the data will also flow through relatively
predictable paths. Sensors will collect data, and the interpretation will be done
locally or remotely, with results sent back to the user.

As in the first case, the data will flow into a server, but now we cannot so easily
predict the value of information collected. The Internet links must be secure, and
control points may be inserted directly onto the device. In the Glass example,
we might imagine an interactive set of policies about what information might be
shared. In the smart name badge example, or with a cheap RFID reader tied to a
large lookup dataset, the interface may lack the sophistication, so the control would
have to be baked into the device. As far as the risks from information processing,
that varies as well. Depending on the size and scope of the data ecosystem, this new
data could unlock a vast new set of inferences as data is combined and mined in new
ways. Based on the experience of existing information ecosystems, we might expect
this data to be both very useful, and the user to have relatively little control absent
some outside intervention.

The dynamics of the information flow in the Cross-application pollination scenario
are particularly unpredictable, because the local network structure could take so
many different forms. One key point of architectural design is the relative
centralization or decentralization of each application and device from the smart
mobile platform. If it is a wheel-and-spoke design, each sensor, device or app is either
directly and exclusively connected to the smart platform, or even resident on it.
Alternatively, it could be more complex, with devices talking directly to each other
without any intermediation. If these are low powered devices with limited
processing power, then the routing will be simple and local data processing will be
minimal, but it will be harder to impose a defined routing pattern locally while still
keeping the environment open for new devices and applications.

A natural control point is the mobile device and its applications that connect the local
applications and devices to the Internet. But in some architectures it would be
insufficient to rely on this interface if the feeds in are not predictable and
controllable. This is an architecture where control points may have to be deployed
liberally, since the patterns of data sharing are less predictable. On the other hand,
because the initial growth hooks on a few killer apps or devices, it might be overly
cautious to build controls against all possible data flow. The control patterns could
reflect the initial context (healthcare data, or personal habit monitoring, or wearable
environmental sensors). While this presents a real risk of the ecosystem evolving
and spilling over into other contexts, that transition would probably be visible. This
dynamic suggests a good opportunity to implement context-based privacy practices,
either voluntarily or through some other accountability mechanism.
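
Whether the mobile device is a sufficient control point can be checked mechanically for a given topology. The following Python sketch is an added example, not part of the paper: it models data flows as directed edges and reports which sources can still reach the Internet without crossing the chosen control points. The device names and both topologies are constructed for illustration.

```python
from collections import deque

def bypassing_sources(flows, sources, sink, controls):
    """Sources whose data can reach `sink` without crossing any node in `controls`."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
    leaking = set()
    for source in sources:
        if source in controls:
            continue  # the source itself enforces the policy
        seen, queue = {source}, deque([source])
        while queue:
            node = queue.popleft()
            if node == sink:
                leaking.add(source)
                break
            for nxt in graph.get(node, ()):
                if nxt not in seen and nxt not in controls:
                    seen.add(nxt)
                    queue.append(nxt)
    return leaking

def single_control_points(flows, sources, sink):
    """Intermediate nodes that, alone, sit on every source-to-sink path."""
    candidates = {n for edge in flows for n in edge} - set(sources) - {sink}
    return {n for n in candidates
            if not bypassing_sources(flows, sources, sink, {n})}

# Constructed topologies (assumptions, not taken from the paper).
HUB_SOURCES = ["glucose_monitor", "fitness_band"]
HUB_AND_SPOKE = [("glucose_monitor", "phone"), ("fitness_band", "phone"),
                 ("phone", "internet")]
MESH_SOURCES = ["glucose_monitor", "fitness_band", "smart_scale"]
MESH = [("glucose_monitor", "fitness_band"), ("fitness_band", "phone"),
        ("phone", "internet"),
        ("glucose_monitor", "smart_scale"),  # direct device-to-device link
        ("smart_scale", "home_gateway"), ("home_gateway", "internet")]

if __name__ == "__main__":
    print(single_control_points(HUB_AND_SPOKE, HUB_SOURCES, "internet"))
    print(single_control_points(MESH, MESH_SOURCES, "internet"))
    print(bypassing_sources(MESH, MESH_SOURCES, "internet", {"phone"}))
    print(bypassing_sources(MESH, MESH_SOURCES, "internet",
                            {"phone", "home_gateway"}))
```

In the wheel-and-spoke layout the phone alone covers every flow; in the mesh no single node does, and controls are needed on both uplinks.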

Conclusions
There are many useful and important approaches to thinking about IoT privacy and
security. If we want to understand how different pieces of data will change what is
known about us, for example, then focusing on data collection and analysis is key.
This paper took a different approach, following the paradigm of building privacy
and security into a nascent technology. To do this, we focused on the flow of data
through the architecture of networks, sensors, devices, and servers.

This focus on the flow of data led to an appreciation of the importance of control
points, and the very real challenges of understanding what types of controls to put
where in the network. Yet the analysis above illustrates a key point: that we don't
have to solve the general formula for every conceivable architecture. The IoT future
will not emerge out of whole cloth. Different, potentially parallel versions will have
to evolve. This evolutionary consideration is necessary, since an IoT network would
be too expensive to deploy without value to early adopters today. Evolution and
diffusion of technology, as in biology, follows a series of fitness functions. With the
ability to anticipate some aspects of the network architecture, we can derive
insights into the placement and attributes of control points.

This exercise combined a technical analysis of network architecture with the
organizational and economic analysis around the pathways to technical deployment
and diffusion. The technical analysis informs the business side, and vice versa.
Together, they inform the broader governance questions of responsibility and
control. Understanding how Things interact in a network of networks requires
understanding whose things they are, and how they will fit together.