Ethical Considerations In IoT Software Development

As smart devices become more prevalent and part of our everyday lives, developers of this technology should strive to follow the Golden Rule
Justin Courtright | Jul 28 2021

Smart devices are everywhere nowadays: Your phone navigates you to the store, taking into consideration your fear of highways and avoiding traffic at the same time. When you get home from work, your smart thermostat kicks on the AC to a comfortable 65F in the summer, and a cozy 72F in the winter. At your cookout, you pull out your smartphone to fire up your smart grill and tell Alexa to fill you a pot of water to boil the vegetables. This technology has no doubt made people’s lives much easier, and for some, incorporating these devices into their lives has become a part of their identity.

Software developers in this space have an enormous amount of responsibility to the consumer. People have become dependent on smart devices, and when they don’t work properly it can disrupt people’s daily routines significantly. This responsibility is taken seriously by most, as the success of a smart device producer directly depends on the products they create functioning as advertised. However, there is another component to a smart device that needs just as much attention and consideration: how the device collects and transmits data, and what that data is used for behind the scenes.

Data is the lifeblood of an IoT device. Its onboard sensors collect data about the device's environment and transmit it to the cloud. That data is then stored and processed, which provides the basis for everything that shows up on the mobile app or website used to manage the device. From a development perspective, there are ethical considerations to be made about when data is transmitted, how it is stored, and how it is used once it is in the cloud.

Collection and Transmission of Data

The collection and transmission of data from a smart device to the cloud is something that most consumers don't think about very deeply. Sure, the data gets sent to the cloud so it shows up on the app. But what data is actually being sent? How often is it sent? How is it protected in transit? There are numerous examples of devices that collect much more data than one would expect. Many smart TVs have embedded microphones and cameras that consumers are not aware of. That long legal document that you scroll to the bottom of quickly and sign while setting the device up gives the manufacturer permission to collect voice and video recordings for unspecified purposes, potentially including the sale of that data to third parties. Most smart devices have environmental monitors like passive infrared (PIR) sensors that can detect motion and estimate how close a person is to the device. Photoresistors can tell if the lights are on, dimmed, or off. Thermistors can measure the ambient temperature of your home.

After the data is collected by the device, the manufacturer has a responsibility to make sure it gets from the device to the cloud securely. Different strategies can be used to make this happen. AWS offers good guidance on loading a certificate onto your device during manufacturing, which the device can then use to transmit data securely over MQTT to AWS IoT Core: https://docs.aws.amazon.com/iot/latest/developerguide/iot-provision.html

While collecting all this data can open up a world of possibilities for the manufacturer (which will be discussed later), some ethical considerations can be made, starting with the Golden Rule:

  • For each piece of data being collected, can you name a specific functional purpose it serves? Would the device work as advertised without collecting this specific piece of data?
  • When is the data being collected? Only when the device is being used, or all the time?
  • If data is being collected when the device is not being used, what purpose is that serving for the functionality of your product?
  • Is the data being encrypted before transmission to the cloud?
  • What methods are being used to encrypt the data?
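A certificate provisioned at manufacturing only answers "who is this device?"; the questions above also need the device limited to sending its own data and nothing else. The following CloudFormation resource is an added illustration, not the post's or AWS's own template: an AWS IoT Core policy attached to each device certificate that lets the device connect only under its registered thing name and publish only to its own telemetry topic. The policy name and the `devices/<thing>/telemetry` topic layout are assumptions.

```yaml
# Added example: least-privilege IoT Core policy for a provisioned device certificate.
Resources:
  DeviceTelemetryPolicy:
    Type: AWS::IoT::Policy
    Properties:
      PolicyName: device-telemetry-least-privilege   # assumed name
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Connect only with a client ID equal to the thing name registered for this
          # certificate, and only when the certificate is actually attached to that thing.
          # ${!...} makes Fn::Sub emit the literal IoT policy variable ${iot:...}.
          - Effect: Allow
            Action: iot:Connect
            Resource: !Sub "arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:client/${!iot:Connection.Thing.ThingName}"
            Condition:
              Bool:
                iot:Connection.Thing.IsAttached: "true"
          # Publish only to this device's own telemetry topic (assumed topic layout),
          # so one compromised device cannot impersonate another device's data stream.
          - Effect: Allow
            Action: iot:Publish
            Resource: !Sub "arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:topic/devices/${!iot:Connection.Thing.ThingName}/telemetry"
          # Receive commands addressed to this device only.
          - Effect: Allow
            Action: iot:Subscribe
            Resource: !Sub "arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:topicfilter/devices/${!iot:Connection.Thing.ThingName}/commands"
          - Effect: Allow
            Action: iot:Receive
            Resource: !Sub "arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:topic/devices/${!iot:Connection.Thing.ThingName}/commands"
```

IoT Core accepts MQTT only over TLS, so attaching this policy covers authorization; the encryption-in-transit questions are answered by the certificate-based TLS session itself.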

Storage of Data

Once data is sent to the cloud, it will be stored for future use. The collected data will usually reside in bulk storage, a document store, a relational database, a digital device representation, or some combination of these. The security of this data is another ethical consideration developers must take into account. A breach could expose to the world data that most customers would expect to be private, which can have a massive impact on their lives. Some questions to ask when designing the data storage system for your smart device are:

  • Is the data encrypted at rest?
  • Is there any public access to this data?
  • Are internal users blocked from accessing this data if they don’t need access for job purposes?
  • Is the data anonymized where applicable?
  • Is the data lifecycle implemented in a way where the data exists for the shortest necessary time?

Luckily, when developing on AWS, many of these concerns can be addressed very quickly. You can use lifecycle management on S3 and TTL on DynamoDB to move data through a lifecycle. Cognito authentication can federate an identity, which makes it harder to link data back to a person's name, address or other PII. Encryption on data stores can be enabled by adding a few lines to the CloudFormation template that defines the storage resource. Finally, IAM groups and bucket policies can restrict access to data to only those who need to see it.
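As an added illustration (not the post's own template), here is what those "few lines" look like: an S3 bucket and a DynamoDB table that answer the encryption-at-rest, public-access and shortest-retention questions from the list above. The resource names, the `raw/` prefix, the `expiresAt` attribute and the 30-day retention are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - smart-device telemetry storage with encryption, no public access and expiry

Resources:
  # Bulk storage for raw sensor uploads
  TelemetryBucket:
    Type: AWS::S3::Bucket
    Properties:
      # "Is the data encrypted at rest?" - default server-side encryption on every object
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # "Is there any public access to this data?" - block every public-access path
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # "Shortest necessary time" - raw uploads are deleted after 30 days (assumed period)
      LifecycleConfiguration:
        Rules:
          - Id: ExpireRawTelemetry
            Status: Enabled
            Prefix: raw/
            ExpirationInDays: 30

  # Per-device time series that backs the app's dashboard
  DeviceStateTable:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: deviceId   # pseudonymous device id, not the owner's name or address
          AttributeType: S
        - AttributeName: ts
          AttributeType: N
      KeySchema:
        - AttributeName: deviceId
          KeyType: HASH
        - AttributeName: ts
          KeyType: RANGE
      SSESpecification:
        SSEEnabled: true            # encrypted at rest
      # Each item carries an epoch-seconds expiresAt attribute; DynamoDB deletes it afterwards
      TimeToLiveSpecification:
        AttributeName: expiresAt
        Enabled: true
```

Who inside the company may read these stores is still governed separately by IAM policies and the bucket policy, so the "internal users" question from the list is not answered by this template alone.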

Usage and Analysis of Data

The usage and analysis of data collected by a smart device is where most of the ethical decisions need to be made. Most consumers who use a smart product are not thinking of all the inferences that can be made about them, their household, and their daily routines based on the data their smart devices provide. In most cases, data is analyzed by a smart device manufacturer in order to sell the consumer more products. Perhaps a smart grill has a pressure sensor on the gas inlet valve that keeps track of the gas level in the propane tank, and when the pressure drops past a certain threshold, a push notification is sent to the owner advertising a discount on the manufacturer's replacement propane tank. This use of data can be convenient and helpful to the consumer, and would likely not raise any ethical concerns. But smart device data can be used in more insidious ways that have the potential to be abused or to give insights that most consumers would find intrusive. For example, imagine the insights that could be gleaned from the data provided by the smart power meters that are routinely installed on new homes. By simply measuring electric current over time and feeding it into a machine learning algorithm, you could infer:

  • What type of appliances a home has
  • How many people live in the home (based on total power usage)
  • When occupants of the house go to bed and when they wake up
  • When occupants of the house are on vacation
  • Whether occupants of the house are environmentally conscious (if you can infer that they use energy efficient appliances)

These inferences can be used either to benefit the consumer or to harm the consumer. Someone with access to a long enough series of this data could theoretically see that the owners of the home always go on vacation from June 1st to 10th every year. This visibility into a consumer's activity patterns could be exploited by malicious actors, be they governments or corporations, for nefarious purposes. It could also be used to prompt the user to arm their security system before they go out of town. That choice is ultimately up to those who have access to the data. Ethical considerations around how the data is analyzed and how the inferences are used should also follow the Golden Rule:

  • Would I want someone to draw this specific conclusion about me based on how I use a product?
  • Are the inferences drawn from data analysis being used to harm, punish, or benefit the consumer?

The IoT space is so exciting because of all the possibilities it presents. Decisions made by developers and manufacturers today have the potential to guide the industry in a way that greatly enhances the lives of consumers, or to go in a direction that creates a panopticon of surveillance similar to George Orwell’s 1984. The direction the industry heads is still being decided, and it is up to ethical developers and manufacturers to ensure that consumers are protected and their lives improve as a result of the devices we make.

Author
Justin Courtright

"I have worked exclusively on IoT products hosted on AWS for the past 2 years and found a software niche where I feel most at home."