Blended Learning Session II - Part 2

Enhancing Higher Education

Capacity for An Inter-disciplinary
Cybersecurity Study Program

Center for Digital Society

Universitas Gadjah Mada

Data Research Center

University of Groningen

This project is funded by

the Netherlands' Ministry of Foreign Affairs
and managed by Nuffic Neso.
Table of Contents

Privacy, Security and Data

3 Protection in Smart Cities:
A Critical EU Law

Governing The Internet of

35
Everything

Center for Digital Society | Data Research Center

Privacy, Security and Data
Protection in Smart Cities:
A Critical EU Law

3
28 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

Privacy, Security and Data Protection in Smart

Cities:
A Critical EU Law Perspective
Lilian Edwards*

'Smart cities' are a buzzword of the moment. However, a growing backlashfrom the priva-
cy and surveillancesectors warns of the potential threat to personalprivacy posed by smart
cities. Key issues include the lack of opportunity in an ambient or smart city environment
for the giving of meaningful consent to processing of personal data; the degree to which
smart cities collect private data from inevitable public interactions;the 'privatisation'of
ownership of both infrastructureand data; the repurposing of'big data' drawn from IoT in
smart cities; and the storage of that data in the Cloud. This paper argues that smart cities
thus combine the three greatest current threats to personal privacy, with which regulation
has sofarfailed to deal effectively; the Internet of Things (JoT) or 'ubiquitous computing';
'Big Data';and the Cloud.I will discuss how and if EU data protection law controls possible
threats to personal privacyfrom smart cities and given legal inadequacy,suggestfurtherre-
search on a number of solutions.

I. Introduction al privacy posed by smart cities 3. A key issue is the

lack of opportunity in an ambient or smart city en
'Smart cities' are a buzzword of the moment. Al vironment for the giving of meaningful consent to
though legal interest is growing, most academic re processing of personal data; other crucial issues in
sponses at least in the EU, are still from the techno clude the degree to which smart cities collect private
logical, urban studies, environmental and sociologi data from inevitable public interactions, the 'privati
cal rather than legal, sectors1 and have primarily laid sation' of ownership of both infrastructure and data,
emphasis on the social, urban, policing and environ the repurposing of'big data' drawn from IoT in smart
mental benefits of smart cities, rather than their chal cities and the storage of that data in the Cloud.
lenges, in often a rather uncritical fashion2. Howev This paper, drawing on author engagement with
er a growing backlash from the privacy and surveil smart city development in Glasgow as well as the re
lance sectors warns of the potential threat to person sults of an international conference in the area curat

Professor of E-Governance, University of Strathclyde, Glasgow. My smart cities; and particularly to Francesco Sindico (also of Strath-
thanks to Anastasia Gubanova, LLM candidate at the University of clyde) who took charge of the environmental and energy side of
Strathclyde, for helpful and timely research assistance; and to the conference. Finally thanks are owed to the participants in the
CREATe and the Horizon Digital Economy Hub at Nottingham for Amsterdam Privacy Law Scholars Conference 2015 where this
helping sponsor the international conference, Designing Smart paper was workshopped, especially Bert-Jan Koops and Eleni
Cities? Opportunities and Regulatory Challenges, Strathclyde, April Kosta, and to Daithi MacSithigh for helpful reading and comments.
2015 from which many insights were drawn for this paper. A full
web resource of the conference can be found at http://www.cre- See discusion in Annalisa Cocchia, Smart and Digital City: A
ate.ac.uk/blog/2014/11/06/designing-smart-cities/ and papers from Systematic Literature Review ( Springer 2014); also overview in
the conference were published as a special edition of the journal the leading text Anthony Townsend, A Smart cities : big data,
of Society for Computers and Law (SCL Journal, vol 26, issue 2, civic hackers, and the quest for a new utopia (W W Norton and
June 2015/July 2015 (http://www.scl.org/site.aspx?i-is43131 ) Co 2014).
some of which are referred to below. My thanks also to Lachlan 2 Rob Kitchin's Programmable City project (n 105) and Adam
Urquart (doctoral candidate, Horizon) who provided enormously Greenfield (n 26) are outstanding counter-examples however.
useful research assistance for the conference, and editorship for
the special edition; to all the speakers at the conference, whose 3 See, eg David Murakami Wood's surveillance studies Ubicity
expertise has helped me accelerate up my learning curve about project at Queens Ontario (n 105).

4
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 29

ed by the author, argues that smart cities combine traditionally privacy laws such as art 8 of the Euro
the three greatest current threats to personal priva pean Convention on Human Rights (ECHR) and US
cy, with which regulation has so far failed to deal ef privacy torts have applied to private 'bubbles' or
fectively; the Internet of Things (IoT) or 'ubiquitous zones focused on the body, the home and private com
computing'; 'Big Data'; and the Cloud. While these munications. Drawing on ECHR case law as well as
three phenomena have been examined extensively attitudinal research, I argue reasonable expectations
in much privacy literature (particularly the last two), of privacy even in public spaces, as in smart cities,
both in the US and EU, the combination is under ex are now both recognised by European law and need
plored. Furthermore, US legal literature and solu ed by urban dwellers.
tions (if any) are not simply transferable to the EU Fourthly, in the most crucial section of the paper,
because of the US's lack of an omnibus data protec I address in some detail the three key threats to pri
tion (DP) law. I will discuss how and if EU DP law vacy and DP already identified the IoT, Big Data
controls possible threats to personal privacy from and the Cloud and outline how each problem man
smart cities and suggest further research on two pos ifests itself to endanger the privacy of smart city res
sible solutions: one, a mandatory holistic privacy im idents and users. In each sub section I then trybriefly
pact assessment (PIA) exercise for smart cities: two, to analyse how, and how well, EU DP law currently
code solutions for flagging the need for, and conse deals with regulating, preventing or solving these
quences of, giving consent to collection of data in am threats.
bient environments. This section concludes pessimistically. Despite the
The paper falls into five main sections. many recent rhetorical assertions, politically re
First, I sketch the rise of smart cities globally, both quired by the lobbying wars of the draft General DP
in the West and East and the less developed South, Regulation (GDPR) and the Silicon Valley ideological
and discuss the key technological, economic and po thrust towards 'permissionless innovation'4 , that DP
litical drivers which have made them an unstoppable law remains fit for purpose in principle, and merely
part of the future urban living conditions of much needs tweaked in its detail to address technological
of the global population. Rather than giving one for challenge, in fact, a number of key challenges so far
malistic definition of smart cities which will in appear relatively insuperable by legal regulation
evitably be a moving target and may not aid legal alone. Notable amongst these is the issue of how to
analysis, I try to sketch their key characteristics, fo obtain meaningful prior consent in Internet of
cusing on two which are clearly problematic from a Things systems, especially where data is collected in
privacy frame: first, their dependence on technolog public, as eg in smart road or smart transport sys
ical infrastructures, big data, the IoT and the Cloud; tems. A second key issue identified is how ordinary
and second, their financing and hence 'ownership' users can have any feeling of control over the pro
in almost all cases by public private partnerships cessing of their data when 'big data' drives a coach
(PPP). and horses through the notion of purpose limitation
Second, I lay out the well known vulnerability of and data minimisation, and the algorithms used to
smart cities, along with other venues for embedded create inferences from it are capricious and opaque
IoT systems, to security threats and how this is ap to them. Finally I note that in a post Schrems and
proached by the law in the EU. This section covers Snowden world, the dependence of smart cities on
well trodden ground and is therefore relatively short. Cloud infrastructure which may be located anywhere
It should be noted that considerations of 'privacy' in the world also makes them highly dubious from
(wrongly so named and limited) in smart cities often an EU DP point of view.
stop here. Thus, in the fifth section, I turn to some solutions
Thirdly, I turn to broader issues of conceptual pri drawn not from law, but from 'code' in the Lessigian
vacy law frameworks, and lay out what may be per sense, and discuss Privacy by Design (PbD). Three
ceived as a basic underlying theoretical problem, ie, particular avenues for further promising investiga
that smart cities are, in essence, public places while tion are identified: (i) exploring the development of
a holistic privacy impact assessment (PIA) for smart
city data flows; (ii) finding new means for obtaining
4 Infra, n 204. some kind of standing or 'sticky' consent to data pro

5
30 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

cessing decoupled in time from when the data is ac isation process has become so prominent that in
tually pervasively collected via the IoT; (iii) imple some states (eg, South Korea) the capital city gener
menting a legal right to algorithmic transparency and ates as much as half of the country's gross domestic
finding ways of making this knowledge useful to or product (GDP) 6 : cities are thus sometimes becoming
dinary users. regarded as more important than the countries in
In conclusion however, the paper reverts to pes which they are located 7. National governments often
simism with the view that to preserve privacy in now establish ministries for cities (eg, in Brazil, In
smart cities we may need to move away from the lib dia, UK)8 while local city mayors, spearheading city
eral notion of 'notice and choice' or, in European redevelopment and expansion, have acquired signif
terms, 'consent' and informed specific control over icant standing and global reputations in cities like
processing, entirely, and look instead to an 'environ London, New York, Barcelona and Rio9 .
mental' model of toxic processes which should be But cities bring with them serious challenges.
banned or restricted notwithstanding user permis Globally, high urban density seems inevitably to lead
sion or substitute grounds for processing. This view, to problems including traffic congestion, energy sup
which is only tentiavely introduced here, will be jus ply and consumption issues, escalation of green
tified further in future work. house gases emissions10 , unplanned development,
lack of basic services, dramatic increase in waste dis
posal needs, and increases in crime and antisocial be
II.The Rise of Smart Cities haviour11 . The political and social need to combat
these problems (in particular, the rise of environmen
Increasingly, we live in cities. In the last two decades, tal concerns, as climate change worries become ever
urban centres have become the destination of choice present), combined with the obvious potential for a
for citizens and businesses seeking prosperity, stabil lucrative market for technology and telecommunica
ity and social and educational facilities, leading to tions companies developing digital and networked
the progressive abandonment of rural areas and the solutions (eg IBM 12 , Cisco 13 , Vodafone14 ), has given
rising concentration of population within metropol rise to the buzzword concept of smart cities15 . This
itan areas. Over half the world's population already idea has been subsequently eagerly leapt on by na
lives in cities: by 205o, 66% of the world's popula tional and municipal political leaders, major global
tion are expected to live in urban areas, with nearly tech corporations, and international institutions and
9o% of that increase in Asia and Africa.5 This urban organizations alike (eg European Commission 16

5 See UN Department of Economic and Social Affairs, 'World Cities' <http://www.unep.org/resourceefficiency/Policy/

Urbanisation Prospects' (United Nations 2014 revision), 1 <http:// ResourceEfficientCities/Activities/GIREC/tabid/771769/Default
esa.un.org/unpd/wup/Highlights/WUP2014-Highlights.pdf> ac- .aspx> accessed 11 February 2016.
cessed 11 February 2016.
11 See Edward L Glaeser and Bruce Sacerdote, 'Why Is There More
6 According to Frost and Sullivan, Seoul accounts for approximate- Crime in Cities?' (December 1999) 107(6), part 2 Journal of
ly 50% of the country's GDP; in Hungary and Belgium, Budapest Political Economy, 225.
and Brussels each account for 45%. See Frost and Sullivan, Sense 12 See at <http://www.cisco.com/web/strategy/smart-connected
and the City. The application of Internet of things technologies for
_communities.html> accessed 11 February 2016.
a more sensible city (2014), 2 <http://www.frost.com/c/481418/
sublib/display-market-insight.do?id-291820991> accessed 11 13 See IBM, 'Smarter Cities' <http://www.ibm.com/smarterplanet/us/
February 2016. en/smarter-cities/overview/> accessed 11 March 2016.
7 See Sarwant Singh, "Smart Cities -A $1.5 Trillion Market Oppor- 14 See, eg Vodafone's offer to let you design your own smart city a a
tunity". Forbes / Business (June 20, 2014), at <http://www.forbes game at <http://www.designyourqatar.qa/> accessed 11 February
.com/sites/sarwantsingh/2014/06/19/smart-cities-a-1 -5-trillion 2016.
-market-opportunity/> accessed 11 February 2016. 15 The first study concerning the concept of smart cities is believed
8 See Emily Moir, Tim Moonen and Greg Clark, 'The future of cities: to date back to 1994. See, eg R P Dameri and A Cocchia, 'Smart
what is the global agenda?' The Business of Cities (2014), 5 City and Digital City: Twenty Years of Terminology Evolution'
< https://www.gov.u k/govern men t/u ploads/system/u pl oads/ (ITAIS Italian Conference of Information Systems 2013), 4
attachment data/file/429125/future-cities-global -agenda.pdf> ac- <http://www.cersi.it/itais20l3/pdf/1 19.pdf> accessed 11 February
cessed 3 September 2015. 2016. The current leading academic non-vendor text is perhaps
Townsend (n 2).
9 Francesco Sindico, paper given at Designing Smart Cities (n 1).
16 See, eg European Commission, 'Europe 2020: A strategy for
10 Cities produce 50% of global waste and account for 60-80% of smart, sustainable and inclusive growth' (3 March 2010)
global greenhouse emissions. See UNEP (United Nations Environ- COM42010/2020 FIN <http://eur-lex.europa.eu/legal-content/EN/
ment Programme), 'The Global Initiative for Resource Efficient ALL/?uri-CELEX:5201 0DC2020> accessed 11 February 2016.

6
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 31

OECD 17 , ISO 18 ). Kitchin describes smart cities as an mestic appliances and human medical implants
attempt to solve the fundamental conundrum of which connect these objects to digital networks
cities reducing costs and creating economic growth, (the 'Internet of Things' (IoT)24 , 'ubiquitous com
while at the same time producing sustainability, par puting' or ubicomp, or as Greenfield calls it, 'Every
ticipation, an acceptable standard of civic services ware'25). These IoT networks generate data in par
and quality of life but warns that there are many ticularly huge amounts known colloquially as 'big
different conceptions of smart cities and that a neo data' (see below).
liberal, market led, technocratic perspective tends to networks of digital communications enabling re
dominate, as opposed to an alternative paradigm, al time data streams which can be combined with
which is to see smart cities as 'citizen centric', foster each other and other and then be mined and re
ing social innovation, justice and engagement in purposed for useful results;
what he terms a 'smart society' 19. Such dominance high capacity, often cloud based, infrastructure
by the pure economic gain perspective may be dam which can support and provide storage for this in
aging for consideration of both social needs and ap terconnection of data, applications, things and
propriate legal regulation, something which is begin people.
ning to trickle through as a concern in European pol
icy circles, despite the general 'relentlessly positive'20 The claims made for smart cities in their advertising
discourse around smart cities 21. and similar hype vehicles are important both in their
There is currently no single accepted definition of perception and execution. Smart cities are said to 'in
a 'smart city' 22 and much depends on who is supply terconnect people, data, things, and processes under
ing the characteristics: industry, politicians, civil so a dynamic global infrastructure'26 . Smart cities then
ciety and citizens/users are four immediately and ob utilise this networked infrastructure in order 'to im
viously disparate sets of stakeholders. It is easier per prove economic, resource and political efficiency
haps not to define smart cities but to elaborate their while enabling social, cultural and ... urban develop
key features. The interlocking key infrastructure that ment.'27 As Bob Pepper, VP of Global Technology Pol
is most often mentioned as making cities 'smart' in icy for Cisco (a leading smart city vendor) put it:
cludes: 'What makes a city smart is that it recognises the cen
networks of sensors attached to realworld objects trality of technology and information to improve its
such as roads, cars, fridges 23 , electricity meters, do processes ' 28.

17 See, eg OECD, 'Science, Technology and Industry Outlook 2014' 2014) Munich Personal RePEc Archive Paper no 54536, 3-6
<http://www.oecd.org/sti/oecd-science-technology-and-industry <https://mpra.ub.uni-muenchen.de/54536/1/MPRA-paper-54536
-outlook-19991428.htm> accessed 11 February 2016. .pdf> accessed 11 February 2016.
18 See, eg ISO (International Organisation for Standardisation), 23 The iconic dream of the smart connected fridge has finally
Smart Cities. Preliminary report 2014, ISO/IEC JTC 1 Information entered the mass market via Amazon Dash see "Amazon makes
technology (2015) <http://www.iso.org/iso/smart-cities-report a Dash to take lead in the internet of things", Financial Times (5
-jtc .pdf> accessed 11 February 2016. October 2015) <http://www.ft.com/cms/s/O/721 c3c98-6a91-11 e5
19 Rob Kitchin 'The Promises and Perils of Smart Cities', in SCL -aca9-d87542bf8673.htmlgaxzz3ntnpveRW> accessed 11 Febru-
special edition ( n 1) <http://www.scl.org/site.aspx?i-ed42789> ary 2016.
accessed 11 February 2016. 24 Discussed and defined in full in section V.1 below.
20 See David Murakami Wood, 'Smart City, Surveillance City' in SCL 25 Adam Greenfield, Everyware: the dawning age of uniquitous
special edition ( n 1) <http://www.scl.org/site.aspx?i-ed43113> computing (New Riders 2006).
accessed 11 February 2016.
26 See Roberto De Bonis and Enrico Vinciarelli, 'From Smart Meter-
21 See notably the statement in the recent European Parliament ing to Smart City Infrastructure. Could the AM[ Become the
report on Big Data and Smart Devices and their Impact on priva- Backbone of the Smart City?' (Smart 2014: The Third International
cy (Study for the LIBE Committee, September 2015) Conference on Smart Systems, Devices and Technologies, Paris,
http://www.statewatch.org/news/2015/sep/ep-study-big-data.pdf
July 2014).
that 'the European Commission perspective [on the Digital Single
Market] is very much commercially and economically driven, 27 United Nations, Bureau International des Expositions, Shanghai
with little attention paid to the key social and legal challenges 2010 World Exposition Executive Committee. Shanghai Manual-
regarding privacy and data protection.' Coming as it did as an A Guide for Sustainable Urban Development of the 21 Century
intervention from one EU institution to another as the GDPR went (2010), 2, ch 8.
into trialogue negotiations, this is an extremely barbed statement.
28 Quoted in Ellen P Goodman (ed), The Atomic Age of Data
h
22 See comparison of terminologies for smart cities in Cochia (n 1) Policies for the Internet of Things (Report of the 281 Annual
18-19; see also Roberta De Santis, Alessandra Fasano, Nadia Aspen Institute Conference on Communications Policy, Washing-
Mignoll and Anna Villa, 'Smart city: fact and fiction' (15 March ton DC, 2015).

7
32 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

Scanning through numerous smart city projects and used the funds, building on some existing infra
and initiatives currently undertaken, eight key activ structure, to develop a series of initiatives, including
ities can be identified that often define a smart intelligent street lights that brighten when pedestri
city, ie, ans and cyclists are near and dim if there is less ac
smart governance; tivity; a network of sensors installed under roads gen
smart infrastructure; erating data which allows adjustable traffic lights to
smart building; reduce traffic jams; a state of the art 'smart CCTV'
smart connectivity; control centre; and a 'data repository' of open civic
smart healthcare; data which can be exploited by academic re
smart energy; searchers. 36 As a result it was claimed that 'interna
smart mobility; and
29
tional acclaim' came in the form of a Geospatial
smart citizens. World Excellence Award 'for providing leadership in
demonstrating how older, more established cities can
These aspects are often used in comparative studies be transformed into Smart Cities of the future'
as indicators describing how 'smart' urban areas are, Smart cities are thus not just a matter of producing
for the purpose of ranking cities, often in a funding less polluted or more efficient cities, but generate
context.3 0 For instance, according to the 2015 Juniper considerable political capital and big business oppor
Research Report, Barcelona is currently at the top of tunities along with a large potential export market 38.
the list of 'smart cities', due to its all encompassing
use of new technologies, including a smart traffic
light system that sets the lights at green until fire en
29 See, eg Frost and Sullivan (n 7) 3; see also Rudolf Giffinger, Hans
gines have passed, emergency response devices in Kramar, Nataga Pichler-Milanovic and Florian Strohmayer, 'Smart
stalled in the individual's home and connected City Profiles. Deliverable 2.1. Part 1' (PLEEC, May 2014), 5
<http://www.pleecproject.eu/downloads/Reports/Work
through a (land or mobile) telephone line to a Call %20Package%202/Smart%2oCity%2oProfiles/pleec-d2I 1smart
_city-profiles-introduction.pdf> accessed 11 February 2016.
Centre, which can be contacted at the simple press
30 See, eg Rudolf Giffinger, Gudrun Haindlmaier and Hans Kramar,
of a button, and other innovations3 1 . New York City, 'The Role of ranking in growing city competition' (25 November
London, Nice and Singapore3 2 currently round out 2010) 3(3) Urban Research and Practice 299-312.
the top five. 33 This ranking, has become critically im 31 See Ajuntament de Barcelona, 'BCN Smart City' <http://smartcity
.bcn.cat/en> accessed 11 February 2016.
portant in recent years in driving future city devel
32 See Melissa Low, 'Many Smart Cities, One Smart Nation Singa-
opments and investments by both government and pore's Smart Nation Vision' (SCL special edition, June 2015)
industry 4 ; 'smartness' has become a competitive in http://www.scl.org/site.aspx?i-ed42881 accessed 11 February
2016.
dex among cities for attention, funding and inward
33 See Sam Smith, 'Barcelona named "Global Smart City
investment. 201 5"'Juniper Research, 17 February 2015) <http://www
.juniperresearch.com/press/press-releases/barcelona-named
Smart cities are, accordingly, a global social, eco -global-smart-city-2015> accessed 11 February 2016.
nomic and political, as well as technological phenom 34 See Rudolf Giffinger, Gudrun Haindlmaier, 'Smart Cities Ranking:
enon. In the developed north, cities tend to be 'retro An Effective Instrument for the Positioning of Cities?' (25 February
2010) 4(12) ACE: Architecture, City and Environment 7.
fitted', or retrospectively reconsidered as 'smart', to
35 See BIS press release, 'UK set to lead the way for smart cities' (18
meet environmental, social, political or business tar December 2013) <https://www.gov.uk/government/news/uk-set-to
gets. In the UK, smart cities are being actively pro -lead-the-way-for-smart-cities> accessed 11 February 2016.

moted by the state via investment in 'smart city 36 See Hamish Camdonell, 'Glasgow: the making of a smart city'
The Guardian (21 April 2015) <http://www.theguardian.com/
demonstrators' placed in various cities, and via agen publ ic-leaders-network/2015/apr/21/glasgow-the-making-of-a
-smart-city> accessed 11 February 2016. See further <http://
cies such as Innovate UK (formerly NESTA), BIS (the futurecity.glasgow.gov.uk/>.
government ministry for trade and industry), a state 37 See James Perkins, 'Future City Glasgow project recognized with
sponsored 'digital catapult' worth [50 million, and a two awards' Default News (2 July 2015) <http://www
.digitalbydefau Itnews.co.uk/2015/07/02/future-city-glasgow
2015 [40 million IoT initiative all justified by the -project-recognised-with-two-awards/> accessed 11 February
hope that the UK will become a world leader in this 2016.

field, able 'to take advantage of up to a $40 billion 38 Within the academic economy, smart cities are also seen as a
tempting opportunity to attract funding and kudos: major centres
share of the [[4oo billion global] market place [for of research have been established (to name a few) at Fordham
smart cities] by 2020' 3 5 . In 2013, Glasgow, Scotland University (US), University College London (UK), Strathclyde
Future Cities Unit (Scotland) and the Universitat Politecnica de
won a [24 million grant as smart city demonstrator, Catalunya (Spain).

8
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 33

In the developing world, smart cities are equally and 2016 Olympic Games. 45 Rio was regarded as one
politicised but often play a different role, of enabling of the most dangerous cities on earth and there was
modernisation and development, responding to felt to be a need to somehow reassure the influx of
problems arising from population pressure, climate global visitors expected for the Olympics and World
change, migration and rural to urban transition. Non Cup. Hundreds of cameras and countless other sen
Western smart cities are often created from scratch sors and devices placed throughout the city live
'top down' rather than retrofitted3 9 . India for exam stream data onto a giant video wall of the Centre for
ple has vowed to create loo new smart cities, allocat 24/7 monitoring, allowing city operators to immedi
ing -76o million to the project40 . Most such develop ately respond to crime, accidents, power outages, tor
ments are inspired by the 'global east' (eg Japan, Sin rential storms and other occurrences. The Centre's
gapore, Korea): Africa is as yet not really on the smart citywide system, integrating data from some 30
cities map, though there are developments in, eg, agencies, was described by Anne Altman, general
South Africa 41 . Developing countries smart cities at manager for IBM's Global Public Sector, as an
tract a different set of criticisms, that they are vehi all seeing eye that can 'accurately gather, analyse,
cles for creating gated smart enclaves of privilege, in and act on information about city systems and ser
a sea of millions of technology deprived poor, and vices' and 'recognizes the behaviour of the city as a
46
are often established by compulsory and controver whole.'
sial land acquisition policies42 . Such an example raises pointedly the question of
Smart city funding is significant. Historically, par who (if anyone) owns the data that smart cities pro
ticularly in Europe, financial support from the cash duce and process in such vast amounts. Policing, sur
stricken post recession public sector, at either nation veillance, crowd control, emergency response, are all
al or municipal level, has not generally been suffi historically state functions, and citizens might expect
cient to finance the radical technological deploy the very sensitive data involved to be held by the
ments involved. Instead financing tends to be by state. Yet the likelihood in a PPP built city is that that
Public Private Partnership (PPP) 43, which can be de data finds itself (at least partially or non exclusive
fined as 'agreements between a public agency (fed 1y47) in private control. Balabanovic and Galwas, who
eral, state or local) and a private sector entity that us work at the centre of the UK smart cities industry,
es the specific skills and assets of each sector for the nonchalantly mention that 'City governments as
delivery of a service for the general public.' 44 A vaunt sume they will control smart city services, but we
ed successful example of PPP funding is the Intelli predict the E2C ['Environment to Citizen'] market
gence Operations Centre in Rio de Janeiro which was will inevitably be dominated by global consumer ser
built by IBM in preparation for the 2014 World Cup vices', and cite the dominance over public sector of

39 An exception is Stellenbosch in South Africa which aspires to be a -cities-financing-guide> and Smart Cities Stakeholder Platform,
'smart town' enabled by proximity to major universities: see (n 42). Financing models for smart cities (November 2013) <https://eu
-smartcities.eu/sites/all /files/Guideline-%20Financing%20Models
40 See Shruti Ravindran, 'Is India's 100 smart cities project a recipe
%20for%20smart%20cities-january.pdf> accessed 11 February
for social apartheid?' The Guardian (7 May 2015) <http://www
2016.
.theguardian.com/cities/2015/may/07/india-100-smart-cities
-project-social-apartheid> accessed 11 February 2016: 'India is 44 ibid, Smart Cities Council, 48.
going to see a huge urbanisation, the latest McKinsey study says
by the year 2030 we will have 350 million [more] Indians getting 45 See Department for Business & Innovation Skills, 'Global Innova-
into the process of urbanisation, by 2050, 700 million'. tors: International Case Studies on Smart Cities' (BIS Research
Paper no 135, ARUP, London, October 2013), 13-17 <https://
41 See Tim Smedley, 'Smart cities: adapting the concept for the
www.gvuk/government/u plads/system/u plads/attachment
global south' The Guardian (21 November 2013) <http://www
data/file/249397/bis- 13-1216-global-innovators-international
.theguardian.com/global-development-professionals-network/
-smart-cities.pdf> accessed 11 February 2016 (BIS Research
2013/nov/21/smart-cities-relevant-developing-world> accessed
Paper no 135).
11 February 2016.
42 See the furore round the Indian Land Acquisition Act 2013 as 46 National Building Museum, Interview with Anne Altman on
amended, eg in Usha Ramanathan, 'The Questions We Should Be Intelligence Cities Forum (6 June 2011) <http://www.nbm.org/
Asking Frequently About the Land Acquisition Act' Grist Media media/video/intelligent-cities/forum/intelligent-cities-forum
(30 January 2015) <https://in.news.yahoo.com/the-questions-we -altman.html> accessed 11 February 2016. See also BIS Research
-should-be-asking-frequently-about-the-land-acquisition-act Paper no 135 (n 45) s 3.
-060820434.html> accessed 11 February 2016. 3
47 Rio claimed they received about 5% of municipal 'smart' spend-
43 See Smart Cities Council, Smart Cities Financing Guide (24 ing from private companies (see BIS Research Paper no 135 (n
August 2015) <http://smartcitiescouncil.com/resources/smart 46)).

9
34 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

ferings of existing private sector consumer applica Accordingly at this stage this paper echoes, but
tions in sectors such as maps, taxis, transport plan with perhaps more concern, the conclusion of Good
ning and fitness tracking; and the tendency of these man , who emphasises that conceptions of smart
markets to winner takes all network effects 48 cities all share two features: 'They emphasise pub
The lack of universal open or proprietary stan lic private partnerships and place information and
dards for exchange of data is another key issue dri communications technologies (ICT) at the core of
ving data into private silos. The EU is attempting to smart city operation'. Expanding on the latter part,
mitigate this with by funding attempts to build in smart cities, we have seen, are crucially dependent
teroperable protocols for private tech suppliers oper on three sets of technological phenomenon: the IoT;
ating in smart cities, particularly in fields like ener big data; and the Cloud. As will be discussed further
gy and, generally, IoT systems49 . Open data is often below, serious privacy regulatory problems are asso
mentioned as a key matter for citizen engagement in ciated with all three features, and smart cities, as the
smart cities, eg the Glasgow data repository noted unholy union of all three, represent an interesting
above is open to researchers; Rio also made a data Iuse case' for privacy scholars. Finally, I have estab
portal open to the public with key datasets ° . But as lished that political and economic drivers for smart
a worst case, a smart city may become the private da cities will not easily be derailed by quibbles about
ta fiefdom of a monopoly technology or telecoms privacy and fundamental rights, and that academic
provider. Sadowski, an Arizona University re literature has a role here to intercede for the public
searcher on the future of cities, suggests that a para interest between political objectives and industry
digm example of a 'top down' smart city, Songdo in gain 55
South Korea, 'is as much Cisco Systems city as it is It would be remiss not to say in this introductory
South Korea's, because they have most of the con section, as may already be apparent from some of the
tracts for the hardware and software that power it' 1 . above, that smart cities are also quite easy to dismiss
In the EU these questions form a part of ongoing as a creation of the much noted technology 'hype cy
worries and uncertainties about who owns and how cle' 56 which also brought us the dot.com bubble, 'Web
to control 'big data'5 2 , and suppliers too are sensi 2.0' and many other technowaves of enthusiasm. On
tised to the issue as problematic for both cities and this well known scale, smart cities may be at the top
citizens: for example, one industry speaker allowing of the 'peak of inflated expectations' just before the
that 'what we do with the information we collect and 'trough of disillusionment'. Goodman tactfully sug
who owns it are the key questions facing smart gests that 'the literature on smart cities can be decid
53
cities.' edly utopian' 57 . However given the volume of nation

48 See Marco Balabanovic and Paul Galwas, 'Whose Smart City is it 54 Goodman (n 28), 43 et seq.
Anyway?' (SCL special edition, n 1) <http://www.scl.org/site.aspx
55 Not all academic literature of course sees smart cities and the loT
?i-ed42880> accessed 11 February 2016.
as problematic for privacy, at least not in the same ways as this
49 See, eg Gregor Schiele, John Soldatos and Nathalie Mitton, article does. See eg McKay Cunningham,'Next Generation Priva-
'Moving Towards Interoperable Internet-of-Things Deployments in cy: The Internet of Things, Data Exhaust, and Reforming Regula-
Smart Cities' (2014) <http://ercim-news.ercim.eu/en98/special/ tion by Risk of Harm' (2014) 2/2 Groningen Journal of Interna-
moving-towards-interoperable-internet-of-things-deployments-in tional Law who sees the loT and smart cities as use cases indicat-
-smart-cities> accessed 11 February 2016. ing the need for reform of data protection law as an over inclusive
and ungraduated failure; Gilad Rosner, 'No, the loT does not
50 BIS Research Paper no 135 (n 45) 3.3.2.
need strong privacy and security to flourish' (O'Reilly report,
51 Hieroglyph, Interview with Jonathan Sadowski on the Future of September 2015) summary available at Radar (25 September
Cities (14 October 2014). 2015) <http://radar.oreilly.com/2015/09/no-the-iot-does-not-need
-strong-privacy-and-security-to-flourish.html> accessed 11 Febru-
52 See inter alia, EU EDPS, 'Opinion on privacy and competitiveness
ary 2016.
in the age of big data' (26 March 2014);
CO (UK), 'Big data and data protection' duly 2014); Article 29 56 See Gartner, 'Gartner Hype Cycle' <http://www.gartner.com/
Working Party, 'Statement on Big data' (September 2014) 14/EN technology/research/methodologies/hype-cycle.jsp> accessed 11
WP 221; Big Data and Smart Devices and Their Impact on our February 2016.
Privacy (n 21 ).
57 Goodman (n 28) 45. Although it 'also has a dystopian thread' in
53 Vinnett Taylor, head of M2M, quoted in Emma Wright and its narratives of 24/7 surveillance and security vulnerability. See
Dianne Devlin 'Smart Cities Power to the Citizens?' (Computers further below and Murakami Wood (n 20). A notable early oppo-
and Law, 16 April 2015) <http://www.bonddickinson.com/ nent of the smart mythos from a sociological perspective is Adam
insights/publications-and-briefings/smart-cities-power-citizens> Greenfield: see Against Smart Cities (Amazon Kindle Publisher
accessed 11 February 2016. 2013).

10
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 35

al pride, money and infrastructure that is being rope in understanding how quasi academic discourse
pumped into the smart cities paradigm, alongside can help support the claims of more obvious outright
what is generally cursory legal analysis if any, this lobbying. Yet the yawning cavern between EU and
writer maintains the phenomenon is worth examin US conceptions of privacy, and their different ap
ing further. proaches to how to legally regulate such (or whether
A second awkward question which should be to at all), especially in hot button areas such as big
raised, is why discuss privacy and smart cities? Why data, ubiquitous computing and private/commercial
not privacy and the IoT, or privacy and big data, or versus public interests, has been the privacy story of
even privacy and the collapse of the private/public the millennium so far. A literature is needed which
spaces demarcation? Each of these now has a steadi examines smart cities and privacy in terms of the EU
ly growing literature. There are a number of answers social context and the mandatory rules of EU law,
to this. First, smart cities represent the synthesis of however vague, conflicted and about to be reformed
all of these problems. In this sense they are a unique (for the last three years and counting) they are. Ar
and important use case, which deserves special, be guably, a pragmatic and multidisciplinary academic
spoke attention. Second, as I have tried to demon literature is also needed to mediate between the pre
strate above, smart cities are important. In the future, cise and legally impeccable but sometimes over per
the majority of us will be living in cities, and perhaps fect interpretations of the A2 9 Working Party (A2 9
many of us, in 'smart' or at least, not dumb, cities 8 . WP), and the commercial realities of a Europe in re
Investment in smart cities is only going to increase cession, and seeking commercial social solutions
as I wrote this paper, Obama pledged to spend a which involve inevitable compromise with private
further $16o million on smart cities 59 and whatev sector, globally based vendors.
er terminology is used, data driven connected urban Finally,we need to discuss privacy and smart cities
ism is not going away 60 now, not at some indeterminate time later when we
Thirdly, in each of the privacy literatures men have worked through all the building block cate
tioned above, US literature tends to determine how gories of privacy problems involved. In the solutions
the world sees these issues. US literature including section of this paper, it becomes apparent that per
academic papers, conferences and industry and haps the best way forward is privacy by design (PbD):
quango funded reports is in a better position to dom the idea of building privacy into the 'code', ie, the ar
inate the literature mainly because it is larger and chitecture (within cities, in its real, materials sense,
better funded than its European equivalent, but also not merely using the term as Lessig does 6 1 as a
because US industry has in general been ahead of Eu metaphor for hardware and software). If we are build
ing smart cities now, then we need to work out what
PbD can do for society before, or at least as, we de
58 Or in smart towns or even villages: see Branka Dimitrijevic, 'From
Transition Towns to Smart Cities: Opportunities and Challenges'
sign and build them.
(SCL special edition (n 1)) http://www.scl.org/site.aspx?i-ed431 14,
citing Linlithgow, between Glasgow and Edinburgh as a town
utilising 'big data' for decision making and social innovation.
59 See Office of the Press Secretary of The White House, 'FACT III. Smart Cities: Security and Privacy
SHEET: Administration Announces New "Smart Cities" Initiative
to Help Communities Tackle Local Challenges and Improve City
Services' (14 September 2015) <https://www.whitehouse.gov/the Smart cities are not a panacea for all ills, and they
-press-office/2015/09/14/fact-sheet-administration-announces
-new-smart-cities-initiative-help> accessed 11 February 2016. See
bring their own problems. Some, as already noted,
on EU funding of smart cities, both directly and via research revolve around practical issues such as funding, ca
programmes such as FP7, T H A Wisman, 'Purpose and function
creep by design: Transforming the face of surveillance through the
pacity, access to relevant technologies, interoperabil
Internet of Things' (2013) 4(2) European Journal of Technology, ity of data, technical standardisation, etc. Others are
2.1. See also Sophie Curtis, 'Who will pay for the Internet of
Things?' The Telegraph (30 January 2015) <http://www.telegraph political: buy in by the national and local politicians,
.co.uk/technology/internet/1 1377083/Who-will -pay-for-the the energy companies, and the citizens themselves
-Internet-of-Things.html> accessed 11 February 2016.
a recent NESTA report, surveying numerous cities,
60 See Kitchin (n 19).
points that many smart cities 'have failed to deliver
61 Lawrence Lessig, Code 2.0 (Basic Books 2006). See also Rob
Kitchin, 'From a Single Line of Code to an Entire City: Refraining on their promise, delivering high costs and low re
Thinking on Code and the City' (November 2014) Programmable
City Working Paper no 4 <http://papers.ssrn.com/sol3/papers.cfm
turns ...'Smart cities' offer sensors, 'big data' and ad
?abstract id-2520435> accessed 11 February 2016. vanced computing as answers to these challenges,

11
36 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

but they have often faced criticism for being too con known lack of security and trustworthiness of the
cerned with hardware rather than with people'62 . IoT in general. The FTC in its influential 2015 report
Two further issues are particularly germane to this on the IoT, notes security risks as its greatest worry,
paper situated as it is in law: security, by which I both in terms of vulnerability of IoT devices them
mean the susceptibility of data to either accidental selves, leading to their compromise or failure, and
or deliberate breaches as a result of technical or or their potential use to spread vulnerabilities through
ganisational failures; and privacy, in which I include networks and to other systems (the 'zombie' prob
the European dataprotection (DP) sense of the right lem)66 . For example, potentially, your smart, Inter
of individuals to control the collection and process net connected, fridge might be hijacked to send
ing, including further re uses, of their personal data. spam 67. The FTC has already taken its first enforce
Privacy is also strongly governed in Europe by art 8 ment action against a vulnerable consumer IoT im
of the European Convention on Human Rights which plementation: a company making baby monitors at
acts as a benchmark against which both EU DP rules tached to the Internet, thus allowing parents to view
and nation state laws can be judged. live feeds of their infants from a distance, had its
feeds 'hacked' in nearly 7oo cases 68 . Connected cars
(or 'autonomous vehicles') are another significant
1. Security and Vulnerabilities IoT use case where vulnerability to outsider hacking
has already been demonstrated: eg, Wired reported
Cities and their infrastructure are already the most in June 2015 how jeep Cherokees could reliably be
complex structures ever created by men, and inter 'hijacked' by external hackers while on the road69 .
weaving them with equally complex smart cities so Brown, in a 2015 report for the ITU, notes that 'elec
lutions, reliant on wireless sensor networks and in tronic attacks can ... lead to threats to physical safe
tegrated communications systems, makes them ex ty' citing possible targets such as medical pacemak
tremely vulnerable to power failure, software errors ers, insulin pumps and car brakes, and noting the
and cyber attacks. 63 Even a simple bug can have a possibilities for burglars to spot 'smart metered'
64
huge impact on urban infrastructure. premises as currently unoccupied 70 . These worries
The insecurity and vulnerability of smart city sys only expand as the number of connected smart ob
tems is a commonly acknowledged phenomenon 655, jects grows. Cisco, eg predicts that there will be 50
which echoes, and largely derives from, the well billion devices connected to the Internet by 2020.71

62 See further Tom Saunders and Peter Baek, 'Rethinking Smart Consumers' Privacy' (4 September 2013) <https://www.ftc.gov/
Cities From The Ground Up' (Nesta, June 2015) <http://www news-events/press-releases/2013/09/marketer-internet-connected
.nesta.org.uk/sites/default/files/rethinkingsmartcities from the -home-security-video-cameras-settles> accessed 11 February
_ground-up_201 5.pdf> accessed 11 February 2016. 2016.
63 See A Townsend, 'Smart Cities' (October 2013) Places Journal 69 See Andy Greenberg, 'Hackers Remotely Kill a Jeep on the High-
<https://placesjournal.org/article/smart-cities/> last accessed 11 way - With Me in It' (Wired, 21 July 2015) <http://www.wired.com/
February 2016. 2015/07/hackers-remotely-kill-jeep-highway/> accessed 11 Febru-
ary 2016. Another area of considerable worry is hacking of medical
64 See, eg the San Francisco Bay Area Rapid Transport bug of Novem- devices, both external (eg, connected MR[ machines see 'Medical
ber 2013, in Cesar Cerrudo, 'An Emerging US (and World) Threat: devices vulnerable to hackers' BBC News (29 September 2015)
Cities Wide Open to Cyber Attacks' (2015) White Paper, IOActive, <http://www.bbc.co.uk/news/technology-34390165> accessed 11
Inc, 10 <http://www.ioactive.com/pdfs/lOActiveHackingCitiesPaper February 2016) and implanted in human bodies (eg pacemakers, as
_CesarCerrudo.pdf> accessed 11 February 2016. famously shown in an episode of Homeland. Even automated
65 See inter alia Townsend (n 1) and Goodman (n 28). carwashers have their worries: see Kelly Jackson Higgins, 'Hacking
at the carwash, yeh' (Information Week DarkReading, 19 February
66 See FTC Staff Report, 'Internet of Things: Privacy and Security in a 2015) <http://www.darkreading.com/vulnerabilities ---threats/hackin
Connected World' (January 2015) <https://www.ftc.gov/system/ -at-the-car-wash-yeah/d/d-id/1319156> accessed 11 February 2016.
files/documents/reports/federal-trade-commission-staff-report
-november-2013-workshop-entitled-internet-things-privacy/ 70 See [an Brown, 'GSR discussion paper. Regulation and the
150127iotrpt.pdf> accessed 11 February 2016 (FTC 2015). Internet of Things' (ITU, 2015 ) (draft issued for discussion)
<http://www.itu.int/en/[TU-D/Conferences/GSR/Documents/
67 See Paul Thomas, 'Despite the news, your refridgerator is not yet GSR201 5/Discussion-papers and Presentations/GSR
sending spam' (Symantec Official Blog, 23 January 2013) <http:// _DiscussionPaperIoT.pdf> accessed 11 February 2016.
www.symantec.com/connect/blogs/despite-news-your-refrigerator
-not-yet-sending-spar> accessed 11 February 2016. 71 See Dave Evans, 'The Internet of Things. How the Next Evolution
of the Internet is Changing Everything' (2011) Cisco White Paper,
68 FTC 2015 (n 66) and FTC, 'Marketer of Internet-Connected Home 3 <http://www.cisco.com/c/dam/en-us/about/ac79/docs/innov/[oT
Security Video Cameras Settles FTC Charges It Failed to Protect _IBSG 0411 FINAL.pdf> accessed 11 February 2016.

12
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 37

Why is the IoT so insecure? IoT devices, being, en links to older public and private sector systems.
usually, small, very cheap, without independent pow Vulnerabilities in embedded architectures cannot be
er source and churned out in their millions, and his as simply patched digitally as conventional software,
torically for industrial not consumer use, are routine leading to a possible future of the 'Internet of Junk'77 .
ly designed with poor encryption strength and a lack In short, smart cities are a security disaster waiting
of other security features 72 . The IoT heavily relies on to happen.
wireless communications protocols or APIs that, due
to the lack of mandatory technical and security stan
dards, are usually 'only secured as an afterthought, 2. Solutions
or worse, not secured at all, transmitting data in the
clear.' 73 The FTC report on IoT notes that companies The application of DP law, including the PECD, to the
making IoT devices may not have experience in deal security of the IoT is discussed in detail below
ing with security issues; that they have often been (section Vi) as part of its general privacy problem
conceived as disposable; that patching of vulnerabil set. A particular solution to the security issue, which
ities may not have been envisaged or be possible to has already been partly implemented, is to mandate
add; and that consumers in general have little or no security breach disclosure. Currently this only ap
idea about IoT security 74 . As a result default pass plies to telecoms providers under Article 4(2) of the
words are often installed in household appliances, Privacy and Electronic Communications Directive
never changed and routinely compromised: eg one (PECD) 78 but will probably be extended to all data
website claimed that 73,000 webcams had been in controllers by the GDPR 79 when it passes and is trans
stalled and were accessible over the Internet using a posed. Data breaches of a certain level of severity will
single, default, known password75 . have to be reported to privacy regulators, although
For smart cities, these problems carryover and will data controllers may have a defense if they have
be multiplied by the complexities involved in multi adopted adequate security measures.80
ple vendors and interoperating systems; and the ef An obvious problem is the lack of global harmon
fects may be far more devastating. Cerrudo asserts isation on security legal standards, in a world of glob
that most cities are implementing new technologies al procurement. The Budapest Cybercrime Conven
with little or no cyber security testing, meaning that, tion provides a bare minimum of international har
eg traffic control sensors installed in Washington DC, monisation on security regulation but is principally
New York, London, Lyon and other cities can be eas aimed at enabling global law enforcement in crimi
ily attacked with a simple exploit programmed on nal matters, not at promoting higher security stan
cheap hardware. 76 Brown adds that smart city vul dards for industry. It does not mandate civil liability
nerabilities will be particularly hard to address giv (though Article 13 allows for such to exist). It would

72 According to the HP Fortify report, 70% of most commonly used .ioactive.com/2014/04/hacking-us-and-uk-australia-france-etc

loT devices contain security vulnerabilities, including password .html> accessed 12 February 2016.
security, encryption and general lack of granular user access
77 The term seems to originate from security researcher Tod Beards-
permissions. See Hewlet Packard Enterprise, 'Internet of Things
ley. See <http://panelpicker.sxsw.com/vote/54858>. More polite-
Research Study. 2015 Report' (November 2015), 5 <http://
ly, Townsend predicts that smart cities may be 'buggy, brittle and
h20195.www2.hp.comV2/GetDocument.aspx?docname-4AA5
bugged': see Townsend (n 1) ch 9.
-4759ENW&cc-us&lc-en> accessed 11 February 2016.
78 Directive 2002/58/EC concerning the processing of personal
73 David Belson (ed), 'Akamai's [state of the internet] report' (2014),
data and the protection of privacy in the electronic communica-
1 <https://www.antel.com.uy/wps/wcm/connect/
tions sector (Directive on privacy and electronic communications)
2e38bd0047ad6c9682d3e7af6890d81 0/q3-2014-state-of-the
(2002) OJ L 201.
-internet-report+(2).pdf?MOD-AJPERES> accessed 11 February
2016. 79 See European Commission, 'Proposal for a Regulation of the
European Parliament and of the Council on the protection of
74 FTC 2015 (n 6) 13.
individuals with regard to the processing of personal data and on
75 See Kevin Tofel, 'Got an IP webcam? Here are 73,000 reasons to the free movement of such data' (hereafter, General Data Protec-
change the password' (GigaOm Research, 7 November 2014) tion Regulation or GDPR) COM(2012) 11 final, 2012/0011
<https://gigaom.com/2014/11/07/got-an-ip-webcam-here-are (COD). The GDPR is expected to be passed by summer 2016 and
-73000-reasons-to-change-from-the-default-password/> accessed thereafter will probably have a two year transition period for
11 February 2016. member states to implement its demands.
76 See Cesar Cerrudo, 'Hacking US (and UK, Australia, France, etc.) 80 See Ricardo Tavares, 'Rise of the machines' (2014) 42(3) Interme-
Traffic Control Systems' (lOActive, 30 April 2014) <http://blog dia 28.

13
38 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

be interesting, though out of the scope of this article, vate interests have acquire a quasi public character
to investigate if the various provisions being moot akin to town squares or public libraries, places where
ed to protect critical infrastructure from cyberwar at historically rights of speech, access to knowledge or
tacks and cyber insecurity (see, eg the 2008 Directive assembly were traditionally exercised: notably on
on European Critical Infrastructures 2008/114/EC line communities and search engines87 . In 'smart
and the proposed Directive 2013/0027) might extend cities', the reverse paradigm operates: what was his
to smart cities. torically public such as the town squares, the roads,
'Soft law' rather than hard law regulation of IoT the mass transit, the health and policing systems, is
security has been in the ascendance in the EU since very likely now to be privately operated or at least
81
2013 or earlier. Notably, a specialised but non full of privately operated sensors with the data col
mandatory PIA procedure for RFID chip installations lected held in private databases. These parts of cities
(essentially an early subset of the IoT) was developed have now become what might be called 'private pub
by Spiekerman and her team through consultation lic places' (or transmuting MacSithigh, 'pseudo pri
with relevant industries and policymakers8 2. This vate' places.)
forms part of a general regulatory trend towards en The growth of the information society and espe
couraging a proactive rather than retrospective ap cially ubiquitous computing has already recognis
proach to security risks with privacy by design ably undermined this conception of privacy as relat
(PbD) 83 principles. This approach was promoted in ing to a spatially delimited 'bubble' 88 . Koops has ro
the Mauritius Declaration on the Internet of Things bustly deconstructed this notion of natural essential
84
in October 2014 and by the FTC in their IoT report. ist 'boundaries of private spaces', arguing that 'place
In Europe, a PbD requirement, alongside require is no longer a useful proxy to delineate the bound
ments for data protection impact assessments aries of the private sphere'. He points out that nowa
(DPIAs85 ) is expected to be included in the GDPR. All days personal data that would have once have stayed
of these 'code' solutions are discussed in more detail safely at home, is now carried around or stored with
below in section VI. out much, if any,thought outside the home : on smart
A final key extralegal solution may be found in fu
ture in an adequate global cybersecurity insurance
market 86 .This is something which has stalled to date, 81 A 2013 EU Commission consultation on loT regulation found a
diversity of views on whether loT specific regulation was neces-
and is still emergent, but which may be kickstarted sary (see 'Conclusions of the Internet of Things public consulta-
by a global move to mandatory security breach noti tion' (2013) http://ec.europa.eu/digital-agenda/en/news/conclu-
sions-internet-things-public-consultation accessed 12 February
fication. 2016). See further H R Schindler et al, 'Europe's policy options for
a dynamic and trustworthy development of the Internet of Things
SMART 2012/0053' (prepared for the European Commission, DG
Communications Networks, Content and Technology (CON-
IV. Privacy NECT), Brussels, 31 May 2013) <http://www.rand.org/pubs/
research-reports/RR356.html> accessed 12 February 2016.
82 See Sarah Spiekerman, 'The REID PIA Developed by Industry,
1. The New PPP: Private-Public Places Agreed by Regulators' in David Wright and Paul de Hert (eds),
Privacy Impact Assessment : Engaging Stakeholders in protecting
Privacy (Springer 2011), discussed further in n 25 in this text.
Conceptually, privacy in smart cities is an interesting 83 See further below.
h
conundrum. Historically, we have tended to protect 84 See 361 International Conference of Data Protection and Privacy
a zone or 'bubble' of privacy which begins with our Commissioners (14 October 2014) http://www.privacyconfer-
ence20l4.org/media/1 6596/Mauritius-Declaration.pdf accessed
bodies, embraces our homes and then extends to pri 12 February 2016; FTC 2015 (n 66).
vate communications we send out into the world. 85 See below.

This is seen in the European Convention on Human 86 See World Economic Forum (2014), 33. Price Waterhouse Cooper
argue the change to mandatory security breach notification 'may
Rights (ECHR) where Article 8 famously demands well be the catalyst to change the cyber liability insurance land-
respect for our 'private and family life, home and cor scape in the UK' (see PWC and HM Government, 'Information
Security Breaches Survey' (2015), 29 <http://www.pwc.co.uk/
respondence'. By contrast, cities seem quintessential assets/pdf/2015-isbs-technical-report-blue-digital.pdf> accessed
ly a public space, where expectations of privacy (ex 12 February 2016).

cept by obscurity) have historically been low to zero. 87 See Daithi MacSithigh, 'Virtual walls? The law of pseudo-public
spaces' (2012) 8(3) International Journal of Law in Context 394.
But as MacSithigh has cogently noted, in the infor
88 See Colin Bennett, 'In Defense of Privacy' (2011) 8(4) Surveil-
mation society many virtual spaces controlled by pri lance and Society 485.

14
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 39

phones or other portable devices; on webmail How should we approach privacy regulation in
servers; or in the cloud generally. Furthermore data such a domain? If your personal data is easily acces
that would have been opaquely safe at home is now sible in the 'public' areas of a smart city, then should
often transparent to the world: for example, homes the same privacy protections apply as in a private
equipped with smart meters reveal finely grained de dwelling? If you travel on a smart road or a smart
tail of energy consumption and powered applica connected public transport system, should these be
tions, and can have their occupancy and activities part of the same 'privacy bubble' as the home you oc
minutely observed from without89 . Heat sensors, di cupy? What about a driverless 'connected car', quite
rectional microphones and tiny surveillance drones likely not owned by you, directed by a mixture of ex
can also breach the domestic wall. Finally, even in ternal sensor data, internal control and car to car
public spaces, where once people relied on 'practical communications and shared physically with others?
obscurity' for privacy protection (hence, arguably, These are ideas that Koops points out are already
not needing legal protection), the prevalence of sur showing up as problems in fields such as criminal
veillance via inter alia smart CCTV systems, ANPR procedure and evidence eg should my smartphone
(number plate) recognition, GPS and wifi network be protected from search in my home but not when
tracking and cheap, reliable facial recognition soft I am arrested by the police? What about my laptop?
ware means that obscurity in public is pretty much What about the location data from my new BMW's
at an end. Given this combination of 'evaporating GPS? 9o but their full impact may be felt in smart
homes' and 'ubiquitous trackability', Koops argues cities, where we live, work, commute and play all in
we have moved towards an age of 'ubiquitous data' the full glare of pervasive data collection: an urban
in which private/place distinctions lose relevance. In Panopticon, which Finch and Tene have inventively
smart cities, like the bar in Cheers, everyone knows christened the 'Metropticon 91 '.
your name. A key point in the 'publicness' of smart cities is
that data disclosures by residents in a 'smart' city sim-
ply cannot be avoided. Finch and Tene point out that,
89 See Bert-Jan Koops, 'On Legal Boundaries, Technologies, and unlike when choosing an online entertainment
Collapsing Dimensions of Privacy' (2014) 3(2) Politica e Societa provider social network, a shopping site or a search
247-264. See also [an Brown, 'Britain's Smart Meter Programme:
a case study in privacy by design' (2013) 28 Int Rev LCT 172 on engine (say), 'urban residents of smart cities have few
the number of things an outsider can find out from a smart alternatives to the government operated sensors and
homes energy emissions including 'Do you typically arrive
home after the bars shut?', 'Do you climb stairs when you are surveillance technologies ... deployed throughout the
registered disabled?' and 'If you have type 2 diabetes, why environs... They will only have one smart grid, one
haven't you used the treadmill in your living room in the fortnight
and instead watched 480 hours of TV?' (slightly paraphrased by subway system.' 92 This is particularly true when it
Edwards). comes to essential services such as health, emergency
90 See Riley v California (2014) US Supreme Court, in which the US
Supreme Court for first time decided that police needed warrants
response and policing. Even despite the onslaught of
to search cellphones outside the home. Commentators noted the market deregulation, most of us do not still have the
ruling almost certainly also applied to laptops etc: see Adam
Liptak, 'Major Ruling Shields Privacy of Cellphones' Washington opportunity (or desire) to shop around for our fire
Post (Washington, 25 June 2014) <http://www.nytimes.com/2014/ service or bin lorry. Interestingly, Finch and Tene see
06/26/us/supreme-court-cellphones-search-privacy.html?_r-0>
accessed 12 February 2016. this as worrying because they fear the extra power it
91 See Kelsey Finch and Omar Tene, 'Welcome to the Metropticon may give a paternalistic government, eg to demand
Protecting Privacy in a Hyperconnected Town' (2013-2014) 41 an obese citizen walks rather than takes the (smart,
Fordham Urb L 1581. The implications of a 'Panopticon' may in
fact be inappropriate to smart cities which are as much about connected) bus to work, 'thus saving lives and health
peer to peer equiveillance and indeed sousveillance as traditional
surveillance. The coinage is however arresting. See also Wisman's care dollars'. For a European, the likelier danger
reference (n 59). seems to be that such data will fall via PPPs into the
92 ibid, Finch and Tene, 1596. hands of private providers and from there to the open
93 Life insurance companies have already started to offer better market, with negative impacts if it reaches (say) in
terms to customers who agree to wear FitBit-like personal health
trackers and share the data. Fascinatingly, an app has already surers93 , employers or law enforcers. Finch and Tene
been created called 'unfit Bits' which spoofs a stream of such argue the private marketplace has competition incen
data to fool the insurance company. 'Now you can play video
games and harvest insurance perks, as your fitness monitor duti- tives to provide privacy which do not impact on gov
fully logs fake calories while strapped to your golden retriever or ernments. Yet this seems disingenuous: the history
metronome.' (see Olga Khazan, 'How to fake your workout' The
Atlantic (28 September 2015)). of private commercial Internet corporations has been

15
40 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

one of a distinct lack of competition, where almost element of privacy and thus not generally needing
every company relies on standard privacy policies to any police warrant or authorisation before it can be
take as much personal data as possible, relying on monitored, collected and data mined: even though
consumer ignorance and inertia 94 , lack of transparen such monitoring may contribute to profiling which
cy and the 'lock in' effect of network effects in indus in its turn may have substantial impact on individu
tries such as social networking, to restrict pushback als99 . Similarly, the English Supreme Court recently
by consumers 95 held that a boy whose picture was captured on CCTV
Privacy law, as a sub branch of human rights law, in the course of breaking the law as a rioter, had no
has of course moved on somewhat from the days rights to stop the police publicly spreading the im
when privacy in public was a blatant contradiction in age100 . In both these cases, of course, it could be ar
terms. In Europe, the seminal Strasbourg case of von gued that the public interest in preventing crime and
Hannover96 has required states to protect minimum terror would (and did, in the latter case) outweigh any
reasonable expectations of privacy in public, even for individual expectations of privacy 101
public figures such as celebrity princesses. In the US, Data protection law, by contrast, does not make
however, despite the shift towards privacy favourable any crucial private/public distinction except in the
decisions in the criminal law concerning searches in exemption it gives to purely domestic or 'household'
public of smartphones, and the legitimacy of track processing of data 0 2 . Its category distinctions re
ers placed on cars97 , in civil law it is still extremely volve around whether 'personal data' data relating
10 3
difficult to establish a privacy cause of action relat to you which makes you 'identified or identifiable'
ing to actions done, or data exposed in public98. Even is processed, not where that processing happens.
in the UK, it is very difficult to convince a court that For this reason, and because of its EU rather than
what goes on, or is said in public has any expectations global focus, the rest of this paper focuses on DP law
of privacy attached in circumstances not involving not on general privacy law.
obvious harassment by paparazzi. Surveillance and It might be useful to ask at this point what expec
data mining of 'open' social media intelligence tations (if any) the public have of privacy protection
('SOCMINT') for example, is regarded as lacking any in smart cities, or failing data on that10 4 , in their in

94 See Arnold, Hillebrand, and M Waldburge, 'Personal Data and 102 Which is indeed space-dependent but controversially so: cf the
Privacy - Final Report - Study for Ofcom'(WK-Consult May CJEU decision in C-101/01 Lindqvist Case (6 November 2003)
2015), 60 <http://stakeholders.ofcom.org.uk/binaries/internet/ I-12971 that just because a website was accessible to an indefi-
personal -data-and-privacy/Personal Data and Privacy.pdf> ac- nite number of people in cyberspace, its highly localised con-
cessed 12 February 2016. tents were not purely domestic or personal; similarly the more
recent decision in C-212/13 Rynes Case (1 December 2014) that
95 See further in L Edwards, 'Privacy, Law, Code and Social Net- if a CCTV camera placed to protect a family home records im-
working Sites' in I Brown (ed), Research Handbook On Gover- ages of the public street beyond, it must be more than a purely
nance Of The Internet (Edward Elgar 2013). personal or domestic activity and thus caught by DP law. The
96 Von Hannover v Germany App no 59320/00 (ECtHR, 24 June CJEU rejected the idea in Lindqvist that any non-commercial
2004). processing was purely personal. A strong view exists that this
exemption should be more a de minimis principle and less a
97 See Koops (n 89); also United States v ]ones 132 (2012) Supreme spatial one.
Court 945. 103 See DPD, art 2. I consider below the issue of when personal
98 See further Daniel Solove, The Future of Reputation (Yale UP data is rendered non-identifying or anonymised.
2007), ch 7. 104 This writer is not aware of any empirical survey work on attitudes
to privacy in smart cities (she intends to carry some out as Re-
99 See Jamie Bartlett et al, 'Policing in an Information Age' (CASM
searcher in Residence at the Digital Catapult in 2016), and there is
policy paper, Demos, 2013) http://www.demos.co.uk/files/DE- only the very beginnings of an academic literature on smart cities
MOS Policingjin an InformationAgevl.pdf?1364295365 ac- and privacy, with very little of it coming from legal, as opposed to
cessed 12 February 2016; Lilian Edwards and Lachlan Urquart, information sciences, scholars. For the former, as well as Finch and
'Privacy in Public A Reasonable Expectation? The Legality of Tene (n 79), which falls within a published 'smart law' symposium,
Police Surveillance of Social Media', forthcoming 2016, IJLIT.
see Julia Lane et al (eds), Privacy, Big Data and the Public Good
100 See In the matter of an application by ]R38 for JudicialReview (CUP 2014) and parts of Wisman (n 59). In criminology, interest is
(Northern Ireland) [2015] UKSC 42 . emerging in the privacy and surveillance aspects of smart cities
see notably Kitchin's work already cited and continuing at The
101 See observation in Wood v Metropolitan Police Commissioner Programmable City, Maynooth University, Dublin <http://www
[2008] EWHC 1105 (Admin): [the English courts have] 'adopted a .maynoothuniversity.ie/progcity/> accessed 12 February 2016 and
very robust approach to questions of interference with rights Murakami-Wood's ongoing study of global smart cities and sur-
under Article 8(1) in relation to the taking of photographs in veillance at Queens University, Ontario, Canada <http://ubicity
public places... in assisting in the detection of crime'. .ca/about;sthash.XDIX[tKK.dpbs> accessed 12 February 2016.

16
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 41

teraction with the IoT. Public trust and confidence in surveys are probably untrustworthy in methodology
technologies are generally regarded as vital to their but they do give a flavour of the crisis of confidence
uptake, and doubt has already been recorded about about privacy and trust in IoT environments, includ
public trust in IoT 05 , partly because of the security ing smart cities.
threats already discussed and partly because of gen
eral feelings among ordinary users of loss of control
over personal data to third parties, most often seen V. Privacy Threats: Smart Cities and
in contexts such as social networks, search engines Dumb Laws?
and targeted advertising 10 6. A recent European Coin
10 7
mission survey on Internet of Things Governance Much has been written about the potential demise
found that 67% of respondents agreed 'Internet of of privacy as a result of the technological society we
Things applications pose threats to the protection of now inhabit. In this section, I will discuss three lead
an individual's identity' and 81% were concerned ing sources of technological threat to privacy, and ar
about how data acquired from the IoT would be 'used, gue that the smart city, as noted above, is the loca
stored, and accessed by whom.' tion for a 'perfect storm' conjunction of these threats.
A 2014 US based Pew Internet research project in I will attempt in each case to focus on what the key
terestingly canvassed around 17oo experts for their problems posed for European DP law are by each
predictions about the IoT. Some responses were ex threat, especially in the context of smart cities. This
treme: 'There will be absolutely no privacy, not even discussion is necessarily abbreviated; at least a book
in the jungle away from civilisation'. Others were re could be (and often has been) written on each prob
signed: 'We might as well inject ourselves into the lem below. In the next section, I canvas and critique
Internet of Things. By 2015 we will long ago have giv some novel solutions to these problems drawn from
en up our privacy. The Internet of things will demand both law and code.
and we will willingly give our souls...' 10 8 These

1. The Internet of Things

105 See, eg the UK's investment of 10m to build a 'Commitment to

The Internet of Things (IoT), also known as ubiqui
Privacy and Trust in the Internet of Things Research Hub (ComPa- tous computing (ubicomp), ambient intelligence or
TRIoTs)' following the Blackett Review's conclusion that develop-
ing the loT must be informed by appropriate security, trust, ethics pervasive computing has a long history in computer
and privacy guarantees. See Blackett Review, 'The Internet of science but has only fairly recently come to the at
Things: making the most of the second digital revolution' (2014)
< https://www.gov. u k/govern men t'u ploads/system/u pl oads/ tention of lawyers. The Pew Research Centre10 9 de
attachment data/file/409774/14-1230-internet-of-things-review fines the IoT as 'a global, immersive, invisible, ambi
.pdf> accessed 12 February 2016.
106 See general discussion in Lilian Edwards and Charlotte Waelde
ent networked computing environment built
(eds), Law and the Internet (Hart Publishing 2009) chs 14, 15 and through the continued proliferation of smart sensors,
16; Eurobarometer attitudes to privacy survey, June 2015, summa-
ry at <http://ec.europa.eu/justice/data-protection/files/factsheets/ cameras, software, databases, and massive data cen
factsheet data-protection-eurobarometer 240615_en.pdf> ac- tres in a world spanning information fabric'. It is now
cessed 12 February 2016.
over six years since the number of 'things' connect
107 European Commission, 'Conclusions of the Internet of Things
public consultation' (February 2013) <http://ec.europa.eu/digital ed to the Internet exceeded the number of people1 10.
-agenda/en/news/conclusions-internet-things-public-consultation Predictions in 2013/14 for the number of things that
> accessed 12 February 2016.
108 See Pew Research Center, 'The Internet of Things will thrive by
will be connected to the Internet by 2020 vary signif
2025' (14 May 2014) <http://www.pewinternet.org/2014/05/14/ icantly, with Gartner predicting 25 billion 1 11 and Cis
internet-of-things/> accessed 12 February 2016.
co quoting 5o billion1 12 but there is general agree
109 ibid.
ment that the IoT will be a vastly significant feature
110 FTC 2015 (n 66) i.
of future societies. According to Gartner, smart cities
111 See <http://www.gartner.com/newsroom/id/2905717> accessed
12 February 2016. are one of the key sectors for attracting investment
112 See Evans (n 71). in the IoT space113 .
113 See Alfonso Velosa, W Roy Schulte and Benoit J Lheureux, 'Hype There is a growing literature on the potential
Cycle for the Internet of Things' (Gartner 2015) <https://www threat the IoT poses to privacy and increasing pub
.gartner.com/doc/3098434/hype-cycle-internet-things-> accessed
12 February 2016. lic awareness of the IoT, especially in the smart city

17
42 I Privacy, Security and Data Protection in Smart Cities EDPL 112016

context1 14, as a tool for pervasive surveillance. To give to give or withhold our consent to data collection, be
a flavour, the Guardian ran a series of articles on fore we start to use the service (even if in reality our
smart cities and privacy in 2015, which at one point main option is either to take or entirely reject the ser
opined: vice). In the IoT, such notice and opportunity are pre
We may find ourselves interacting with thousands dominantly absent by design. Even where unobtru
of little objects around us on a daily basis, each siveness is not a function specification, IoT devices
collecting seemingly innocuous bits of data 24/7, simply do not usually have means to display privacy
information these things will report to the cloud, notices and/or to 'provide fine tuned consent in line
where it will be processed, correlated, and re with the preferences expressed by individuals,' as de
viewed. Your smart watch will reveal your lack of vices are usually small, screenless or lack an input
exercise to your health insurance company, your mechanism (a keyboard or a touch screen)11 9 . The
car will tell your insurer of your frequent speed problem is bad in domestic homes, and gets worse
ing, and your dustbin will tell your local council in the public places of smart cities. While consumers
that you are not following local recycling regula may at least have theoretically had a chance to read
tions. This is the 'internet of stool pigeons', and the privacy policy of their Nest thermostat before
though it may sound far fetched, it's already hap signing the contract, they will have no such opportu
15
pening. nity in any real sense when their data is collected by
the smart road or smart tram they go to work on, or
The key problem of the IoT, for privacy purposes, is as they pass the smart dustbin 120 in the street.
that its devices were explicitly designed to be unob It is easy to see that in such systems, the conven
trusive and seamless as a user experience ; as Weis tional safeguards of consent in European DP law, or
er puts it, to weave themselves 'into the fabric of dai 'notice and choice' in the American Fair Information
ly life until they are indistinguishable from it'1 16 IoT Processing Principles121 , will fail to operate as safe
systems, such as smart ambient lighting in a living guards for consumer privacy. As Cas stated in an ear
room, or smart thermostats, such as NEST 1 17 are of ly paper, there is thus every possibility that 'ubiqui
ten designed to be contextually aware of the needs tous computing will erode all central pillars of cur
and desires of the user, collecting information about rent privacy protection'. 22
their daily practices and routines, whilst remaining
'invisible in use' and 'unremarkable' to users. 1 a. EU Law
To contrast, when we share personal data in the
online digital world for example on Facebook, EU law demands in Article 7 of the Data Protection
Google, Amazon or eBay we are, even if dimly, aware Directive (DPD) that data controllers have a lawful
of crossing a threshold into the domain of that plat ground for processing of personal data123 , with con
form, and usually have an opportunity, at least once, sent being only one such ground among several 124 .

114 See Weber and Weber (n 214); Gutwirth et al (n 122); Wisman, .europa.eu/justice/data-protection/article-29/docu mentation/
A29, Brown for ITU, FTC, Goodman (n 28), Peppet (n 139). opinion-recommendation/files/2014/wp223_en.pdf> accessed 12
February 2016 (A29 WP loT).
115 Marc Goodman, 'Hacked dog, a car that snoops on you and a
fridge full of adverts: the perils of the internet of things' The 120 See Joe Miller, 'City of London calls halt to smartphone tracking
Guardian (11 March 2015) <http://www.theguardian.com/ bins' BBC News (12 August 2013) <http://www.bbc.com/news/
technology/2015/mar/ 11/internet-of-things-hacked-online-perils technology-23665490> accessed 12 February 2016.
-future> accessed 12 February 2016.
121 See Robert Gellman, 'Fair Information Practices: A Basic History'
116 Mark Weiser, 'The Computer for the 21st Century' (September (Version 2.13, 11 February 2015), 11 <http://bobgellman.com/rg
1991) 265(3) Scientific American 1.
-docs/rg-FlPShistory.pdf> accessed 12 February 2016.
117 See 'What Google can really do with Nest, or really, Nest's
data'(Ars technica, 16 January 2014) <http://arstechn ica.com/ 122 J Cas, 'Ubiquitous Computing, Privacy and Data Protection' in S
business/2014/01/what-google-can-really-do-with-nest-or-really Gutwirth et al, Computers, Privacy and Data Protection- An
-nests-data/> accessed 12 February 2016. Element of Choice (Springer 2009), 167.

118 Peter Tolmie et al, 'Unremarkable computing' (Proceedings of the 123 Directive 95/46/EC of the European Parliament and of the Council
SIGCHI Conference on Human Factors in Computing Systems, of 24 October 1995 on the protection of individuals with regard
Minneapolis, 2002), 399-406. to the processing of personal data and on the free movement of
such data (hereafter, Data Protection Directive or 'DPD').
119 Article 29 Working Party, Opinion 812014 on the Recent devel-
opments on the Internet of Things (2014) WP 223, 7 <http://ec 124 ibid art 7(a).

18
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 43

Indubitably, many or most IoT systems in smart cities terest' can also sidestep any need for consent. But for
will process personal data, unless steps have been most commercial systems, what we might expect to
taken to effectively anonymise it (see below). Con come to see is a heavy reliance on the 'legitimate in
sent is defined in Article 2 of the DPD as a 'freely giv terests' ground of Article 7(f), which would be a wor
en, specific and informed indication of his wishes by ryingly easy way to avoid any semblance of user con
which the data subject signifies his agreement to per trol. This is especially plausible given the likelihood
sonal data relating to him being processed'. This de of this ground emerging watered down still further
finition is, as we have seen, considerably troubled by in the final thrashout of negotiations in the GDPR 126.
the features of the IoT environment. In Europe, the The Art 29 WP clearly shares these concerns and goes
Article 29 Working Party 125 has raised a significant out of its way in its 2014 Opinion to stress that, fol
number of issues about consent in addition to the lowing Google Spain127 , it is unlikely processing of
sheer difficulty of giving it, including the fact that data via IoT revealing the 'individual state of health,
data may be shared automatically machine to ma home or intimacy, his/her location and ...his/her pri
chine, with no transparency to the user or opportu vate life' will 'be justified by merely the economic in
nity to review; and that the quality of any user con terest' of an IoT stakeholder, given the need to bal
sent may be poor. Crucially, they state that 'the pos ance this against the fundamental rights of the data
sibility to renounce certain services or features of an subject1 28.
IoT device is more a theoretical concept than a real Article 7 of the DPD may furthermore be read as
alternative ... such situations lead to the question of overlaid by Article 5 (3) of the PECD, which requires,
whether the users consent to the underlying data pro since its revision in 2009, that where 'information'
cessing can then be considered as free, hence valid is stored on the 'terminal equipment 129 of a user',
under EU law.' (or access if given to it when it is already stored
But consent, it should be remembered, is not the there) the user must give consent to such storage,
only ground for lawful processing, nor does it have having been provided with 'clear and comprehen
any particular priority. If consent in EU DP terms is sive information' about the purposes for which that
impossible, expensive or counter productive to ob information will be processed. Consent is the only
tain, data controllers may well choose to avoid it en way such storage can be legitimised; there are no al
tirely. Where IoT systems are used to prevent or de ternative grounds. Consent as noted above must be
tect crime (as with most smart CCTV systems) then 'informed' by prior comprehensive information, but
data protection law may exempts processing from need not be explicit. This provision was originally
Article 7's demands. Where local or national govern intended, in the early days of e commerce, to con
mental agencies gather data for, eg e government sys trol the placing of 'legitimate' cookies on a user's
tems, e health, e welfare, then a ground of 'public in computer without their knowledge and consent, as
a privacy matter, as well as obviously harmful spy
ware or malware. It is now unclear how far this pro
vision applies to data about users collected from sen
sors of various kinds in the 'real world'. Attempts
125 A29 WP loT (n 119). See further on consent, Eleni Kosta, Consent
in European Data Protection Law (Brill /Nijhoff 2013). were made during the passage of the 2oo9 amend
126 The EP Big Data and Smart Devices report notes 'legitimate ments to the PECD to modify Article 5() to give it
interests' as 'the vaguest ground for processing' (n 21), 32. a wider and clearer applicability to many other types
127 , Case C-131/12 (CJEU, 13 May 2014) cited at A29 WP loT (n
119) para 4.2.
of 'devices' than cookies, notably 'rootkits' of the
128 It should also be noticed that if sensitive personal data is
type used in the Sony Mediamax scandal of 200 3 ,
processed as will invariably be the case in a health related loT but for political reasons, these resulted only in a
system such as telemedicine for the aged, then processing can in
most circumstamces only be legitimised by explicit consent and change in the recitals 130. Recital 56 of the PECD now
the 'legitimate interests' ground will not do: DPD, art 8. reads:
129 This phrase is undefined in the PECD. The A29 WP loT suggests When such devices are connected to publicly avail
helpfully it 'be understood in the same manner as that of "equip-
ment" in art 4(1)( c)' (para 4.1). able electronic communications networks or make
130 See Eleni Kosta, 'Peeking into the Cookie Jar; the European use of electronic communications services as a ba
approach towards the regulation of cookies' (2013) 21 IJLIT 380
and Citizens Rights Directive, recital 65 (Directive 2009/136/EC
sic infrastructure, the relevant provisions of Direc
amending Directive 2002/22/EC.) tive 2002/ 5 8/EC... , including those on security,

19
44 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

traffic and location data and on confidentiality, striction in 2009132 but the alternate proposed for
should apply. mulation that the PECD should apply generally to
'publicly accessible private networks', was unfortu
Our main concern here is if Article 5 (3) applies to in nately not added.
formation collected about users by IoT sensors (such One further 'get out of jail' card for IoT develop
as RFID chips) a question which is predicated on ers here is the exception from Article 5 (3) where stor
(i) whether such information is stored on the 'termi age is 'strictly necessary in order to provide a service
nal equipment of the user' and (ii) if, per recital 56, explicitly requested by the subscriber or user'. It
the networks the IoT sensors are connected to qual seems logically assertable that the location of a con
ify as 'public' enough to fall under the scope of the nected car must be collected for it to work and that
expanded post 2009 PECD. service has been explicitly requested by the passen
When is IoT collected data stored in the 'terminal gers and/or the operator (who is, one assumes, the
13 1
equipment ... of a user'? The A2 9 WP Opinion 'subscriber'?). What is less clear is (a) did they have
gives the example of a smart pedometer (say a Fitbit) any alternative, in which case Article 5(3) is reduced
owned and worn by a user A, and periodically syn to nugatory and (b) if the re use of that location da
chronized via the Internet, which records and shares ta for building a profile to provide targeted ads (say)
the number of steps taken by a user and their loca benefits from the exemption.
tion. This would arguably be information which at One answer to many of the inclarities here would
the point of collection is 'stored in the terminal equip be speedy amendment of Article 5 (3) when the PECD
ment of the user' (even though it is then uploaded to comes up for review after the GDPR is finalised. An
the Fitbit cloud server for further processing) and so other would be for data controllers to avoid the is
under Article 5(N, the consent of A would be re sue entirely by making sure that such information if
quired. But if the same user has their location and collected in public places was effectively de identi
kilometres travelled collected by a smart driverless fied so that it was not personal data at all. However
or 'connected' car, acting as a shared taxi service, is this would sometimes be impossible if the service
the 'user' person A or is it the owner, or the operator was to be delivered and more often would likely make
(who may not be the same person) of the connected it of little added commercial value. We discuss this
car? The A2 9 WP Opinion interprets this as mean below.
ing the consent of A remains required; this writer is
less sure. Article 5() also refers to the equipment of
a 'subscriber' who has the right to alternately give 2. Big Data
the relevant consent which is a clear notion in the
context of a mobile phone but much less so in a smart Big data, like smart cities, is a buzzword which is
IoT public space environment. If we change the ex much mentioned but has no one clear meaning 133 .
ample further to steps counted by a smart path or es It is frequently related to ideas of 'volume, velocity
calator in a shopping mall, say, then it becomes in and variety', with the emphasis on the first 134 . Big
creasingly hard to distort the English language to see data has come to the fore for three reasons: the costs
the escalator as the 'terminal equipment' of A as user, of both storage and processing of data have dramat
rather than of a 'subscriber' who might be the mall
manager or indeed, of no one at all.
A further problem is that the Article 5(3) applies
since 200 9 to where information is collected by de 131 A29WVP [oT m 119).

vices connected to 'publicly available electronic com 132 See the European Data Protection Supervisor's Second Opinion
on the Review of the PECD (9 January 2009) <http://www.edps
munications networks'. If a smart city is 'installed' .europa.eu/> accessed 12 February 2016. See also criticism from
by Cisco and many systems run on their private net the European Commission, 'Radio Frequency Identification (RFID)
in Europe: steps towards a policy framework' (2007) P6 COM96
works, do the rights in Article 5(3) apply? Probably, final 15 March 2007.
as this formulation was intended to extend coverage 133 See inter alia discussions in reports cited at n 52. Big data is so
to private networks connected to the public Internet; overused a term it has in fact been removed from the 'hype
cycle' by Gartner (n 56).
but not with entire certainty The European DP Su 134 See, eg [CO Big data report (n 52) 6, drawing on Gartner Re-
pervisor criticised the failure to amend this scope re search work.

20
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 45

ically fallen; algorithms for analysing huge amounts heard that] fewer than lo,ooo households ... can gen
of data have improved (hence, 'data analytics' are a erate 150 million discrete data points a day.'1 37 These
key part of the story); and, perhaps most important massive volumes of granular data generated from
ly, the online data industries and now the IoT in IoT systems allow inference of data on a previously
dustries have created incredibly vast pools of data unprecedented scale. Smartphones already allow in
to mine. ferences concerning a user's mood, stress levels, per
Smart cities are consumers and producers of big sonality type, psychological disorders, smoking
data. Kitchin reports that post millennium, the ur habits, demographic characteristics, sleep patterns,
ban data landscape has been transformed, transition happiness and levels of exercise and movement138;
ing from 'small' to 'big' data, as the generation of the full IoT inputs of a smart city on its individual
datasets has become 'continuous, exhaustive ... fine citizens will allow much, much more. As Wisman
grained, relational and flexible'. 'From a position of comments: 'Bentham's Panopticon is child's play
relative data scarcity, the situation is turning to one compared to surveillance in a fully functioning
139
of data deluge' 135. In modern urbanity, data gener foT.

ated within traditional city infrastructure and utili Smart cities thus both generate big data sets and
ties, eg transportation, gas, electricity and water, have function by processing them. In both cases, big data
not only become digital flows, but are also now com- need not involve personal data, but almost invariably
plemented by and combined with big data generat will do so. Even where data is generated with appar
ed by commercial private companies (eg mobile ent anonymity eg watching footfall in public
phone operators, social media, website owners, of squares the relative ease of associating two large
ten via commercial data brokers) and crowdsourced databases say a football database and a CCTV data
140° .
open data (eg citizen science initiatives). At present base to identify persons, is by now well known
much of this data lives in silos; but increasingly it The EDPS noted firmly in 2014 that 'it is now rare
will be combined by public city managers and pri for data generated by user activity to be completely
vate service providers alike., as is already the case in and irrevocably anonymised'1 4 1. Datamining across
some smart city applications, eg the centralised con more than one dataset to put together an identity of
trol rooms for city monitoring found in Rio de a known person from disparate sources, even where
Janeiro 13 6. there have been attempts at deidentification, is some
IoT applications are particularly prodigal in their times called the 'mosaic effect 142'. User pictures, re
creation of big data. The FTC in their IoT report not al names or online nicknames can also often be used
ed that 'the sheer volume of data that even a small as unique or near unique identifiers across multiple
number of devices can generate is stunning ... [we databases. In privacy circles143 , the key worries
around 'big data' thus lie in:
(i) the potential for reidentification of allegedly
135 Rob Kitchin, 'Data driven, networked urbanism' (The Programma-
ble City WP 14, 10 August 2015) <http://www.spatialcomplexity
anonymised or pseudonymised data;
.info/files/2015/08/SSRN-id2641802.pdf> accessed 12 February (ii) the repurposing of 'big data' collected for purpos
2016.
es different from the original;
136 See discussion above (n 46).
(iii) the lack of transparency as to how results are de
137 FTC 2015(n 66) 14.
rived from big data, in particular where mere cor
138 [bid, drawing on Scott Peppet, 'Regulating the Internet of Things:
First Steps Toward Managing Discrimination, Privacy, Security relation (eg 'young black men are more often in
and Consent' (2014) Texas Law Review, forthcoming, 66-67
<http://papers.ssrn.com/sol3/papers.cfm?abstract id-2409074>
volved in violent crimes' with causation ('young
accessed 12 February 2016. black men should be the first to be arrested on sus
139 Wisman (n 59) s 3. picion when violent crimes occur');
140 See literature following Paul Ohm's seminal discussion, 'Broken (iv) the trend towards exhaustive collection of 'all the
Promises of Privacy: Responding to the Surprising Failure of
Anonymization' (2009) 57 UCLA Law Review 1701. data' and away from the principle of minimisa
141 EDPS (n 51). tion of data collection generally promoted by DP
142 See, eg <http/www.computerworld.com/article/2563635/securityO/ law.
sidebar--the-mosaic-effect.html> accessed 12 February 2016.
143 See further discussion in Bert-Jaap Koops, 'The trouble with
European data protection law' (2014) 4(4) International Data
A particular worry revolves around the potential for
Privacy Law 250. subtle non transparent discrimination based on data

21
46 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

analysis 144 and the possible creation of a 'data under be (and is) argued 15 2 that the big data assault on pur
class', unable to access the same services and facilities pose limitation can be dealt with by a number of le
as their peers because of their 'big data' profile a new gal strategies, including asking consent for plausible
kind of 'red lining' 145. According to the A2 9 WP, 'an re uses at the start, obtaining a new consent to re us
alytics based on information caught in an IoT envi es of data as they arise, or using a non consent based
ronment might enable the detection of an individual's ground such as 'legitimate interests' to make repur
even more detailed and complete life and behaviour posing lawful. However, in each case, it seems appar
patterns.' 146 This might lead to the denial of insur ent that the solution is in fact illusory A blanket con
ance; exclusion from the sale of certain luxury or high sent to all possible reuses would itself be so vague as
end products; sharing of compromising inferences to fail the 'specific and limited purposes' test; seek
with state agencies 147 ; or even total exclusion from ing a new consent would also most certainly involve
markets for service and essential utilities for those un prohibitive overheads for commercial and public ser
willing to share personal data. In a smart city the con vice data controllers alike; and reversion to a 'legiti
sequences of data exclusion would be physical, as well mate interests' test asks almost compellingly for
as digital. Certain people (or their cars) might be phys abuse, given the difficulties of oversight and the del
ically restricted from entering some streets a new egation of the task of balancing commercial interests
type of 'gated community' or certain shops or en and user fundamental rights to the controller them
tertainment complexes. The complex nature of pub selves. Finally and most problematically, one much
lic private partnership in smart cities also seems im cited feature of data mining is that it may give you
portant here what happens to any right to assem answers to questions not even previously thought of
bly in public squares (or public speech generally) providing answers to not just the 'known un
when all spaces are at least partly privatised? knowns' but the 'unknown unknowns'153 . In such
Another practical worry is that IoT data is quite scenarios, it is hard to see how any pretence at pur
likely full of errors, and hence so would be the de pose limitation can prevail.
rived 'big data' profiles. Townsend has already con
cisely predicted that smart cities and IoT systems will
144 See on the due process implications of such (or lack thereof) D
be 'buggy and brittle'. 148 Kitchin emphasises that be Citron and F Pasquale, 'The Scored Society: Due Process for
cause datastreams in a smart city are all generated in Automated Predictions' (2014) 89(1) Washington Law Review.
Such worries are already well known in the literature in relation
different ways, using a plethora of instruments and to conventional online data profiling, as opposed to profiling
standards, joining them together will result in mis involving loT data: see notably the work of Oscar Gandy and
Latanya Sweeney, Big Data and Smart Devices (n 21) 12, citing
leading data of poor quality149 . the revelation in April 2015 that female users were shown fewer
targeted ads delivered by Google using data profiling techniques
for higher paid jobs than male users. On discrimination in smart
a. Big Data and EU Law cities particularly, see Finch and Tene (n 91) 1602-1604.
145 Marc Ambasna-Jones, 'The smart home and a data underclass'
The Guardian (3 August 2015) <http://www.theguardian.com/
DP law interacts problematically with 'big data' in at media-network/201 5/aug/03/smart-home-data-underclass- internet
least three important ways: purpose limitation, algo -of-things> accessed 12 February 2016.
rithmic transparency and data minimisation. 146 A29 WP IoT(n 119) 8.
First, and most importantly, DP is fundamentally 147 See Brown (n 70).

based on the idea that data must be gathered for 'spec 148 Townsend (n 1).

ified, explicit and legitimate' purposes and not fur 149 It is worth noting that DP contains a right for data subjects to
correct errors in personal data about them. How should this right
ther processed in a way incompatible with those pur be exercised in an age of reused data and non-transparent data
poses 1 50 . This 'purpose limitation' rule applies even profiling?
150 DPD art 6(b).
where processing has been legitimised by a ground
151 Viktor Mayer-Schoenberger and Kenneth Cukier, Big Data: A
other than consent. Big data is quintessentially at Revolution That Will Transform How We Live, Work and Think
odds with this principle. As Mayer Schoenberger and (John Murray 2013) 15.
Cukier put in in their bestselling book, 'in a Big Da 152 See Art 29 WP, Opinion 0312013 on purpose limitation; supple-
mented by WP 221, Statement of the WP29 on the impact of the
ta age, most innovative secondary uses haven't been development of big data on the protection of individuals with
imagined when the data is first collected'. Rather than regard to the processing of their personal data in the EU (Septem-
ber 2014).
regarding this as a problem, the authors continue ex
153 See Kirk Borne, TED talk (10 June 2013) <https://www.youtube
citedly: 'there is a treasure hunt underway'1 51 . It can .com/watch?v-Zr02fMBfuRA> accessed 12 February 2016.

22
EDPL 112016 Privacy, Security and Data Protection in Smart Cities 1 47

Secondly, big data defies the fundamental DP idea be applied and used as consumer protection in the
of transparencyof processing. Big data acts as a 'black big data world is hard to see: even if the controller
box'154 ; data goes in, outputs come out, but the algo actually knows what his algorithm is up to (which
rithm that creates the result is usually invisible to the many now doubt in vast processing scenarios such
user and the results often inscrutable. Algorithms al as Google's search algorithm), how can the result be
so learn and change, in a semi autonomous fashion conveyed to the data subject in any comprehensible
1 58
making them remarkably hard to document. Final way?
ly algorithms are the ultimate trade secret Google's Thirdly, big data also stands in stark opposition to
fortune is arguably based entirely around its ad the principle that personal data collected must be 'ad
vances in search algorithm and so companies will equate, relevant and not excessive' in relation to the
be remarkably unwilling to make them public. purposes for which they are collected and/or further
Opaque big data algorithms are dangerous because processed159 : a principle now reified in the draft
discrimination which might otherwise be illegal, eg GDPR as that of 'data minimisation'.Yet when data
on race or sexual orientation, can easily be hidden, scientists are consulted, their passion for the new
deliberately or not, behind the algorithmic veil (as found ability to collect 'all the data', without the old
discussed above). While subject access rights to find fiddly statistical constraints of sample size, demo
out what data is held about them by a data controller graphic representation, cleansing data of outliers et
are reasonably well known ( at least to lawyers and al, is palpable. Data minimisation is a peculiar restric
campaigners), very little attention is paid to a right tion to a data scientist, as opposed to a privacy advo
also granted by current DP law: to know the 'logic of cate, in an era where it is cheaper, easier and more
the processing' applied to your data1 55. This right to useful to collect all the data than some of it, and where
what might now be called algorithmic transparency basic commercial and human drives point towards
has always been limited by a carve out to protect in acquiring as much data as possible just in case it
tellectual property and trade secrets 156 and may yet comes in useful for that 'treasure hunt' in the future.
be further watered down in the GDPR 157 but it re As Buttarelli, the current EDPS recently declared:
mains at least a fig leaf to transparency How it can '...there is a worrying drift towards thinking that with
regards to personal information, whatever is possi
ble is also desirable' if personal data are available,
they should be collected and stored indefinitely and
154 See Frank Pasquale, The Black Box Society (Harvard UP 2015).
exploited for any expedient purpose '160
155 DPD art 12(a).
These problems are not really soluble without ei
156 DPD recital 41.
ther major alteration of big data business models or
157 See Lilian Edwards, 'Rise of the Algorithms' (paper given at Gikii
2013, Bournemouth) slides at <http://www.slideshare.net/lilianed/ EU law. In fact most data mining, excessive collec
gikii- 13-algorithms> accessed 12 February 2016.
tion and subsequent repurposing of data is justified,
158 Mayer-Schoenbeger and Cukier (n 151) suggest a new profession
of 'algorithmist' who interprets these results to the ordinary user. It
not by proof of compliance with the DP law outlined
is hard to see how the user could check the algorithmist had it above, but by the claim that what is processed is not
right, or check that they were acting independently of the data
controller. See further below on algorithmic transparency, section personal data at all. As already noted above, the ED
VI.5. PS has called this out for what it usually is: the re
159 DPD art 6 (c). placement of true anonymisation with pseudonymi
160 Giovanni Buttarelli, 'Keynote Speech - Big data, big data protec- sation of dubious privacy protective value, for the
tion: challenges and innovative solutions'(ERA Conference on
Recent Developments in Data Protection Law, Brussels, 11 May very good reason that far less commercial value, now
2015) <https://secure.edps.europa.eu/EDPSWEB/webdav/site/
mySite/shared/Documents EDPS/Publications/Speeches/2015/15
or in the future, can be extracted from truly
-05-1 lERA-speechEN.pdf> accessed 12 February 2016. anonymised data161 . Pseudonymised data profiles, as
161 This is not just a problem for businesses. Medical researchers used eg by social media and search engines to deliv
also complain that true anonymisation makes their research more
difficult and less useful, especially to the patients who donated er targeted advertising, still allow individuals to be
their data. 'singled out' and subjected to discriminatory treat
162 See Information Commissioner's Office, 'Anonymisation: ment, simply not by name. A turf war is going on be
managing data protection risk code of practice' (November
2012) <https://ico.org.uk/media/1061 /anonym isation-code.pdf tween what the A2 9 WP thinks is sufficient anonymi
> accessed 12 February 201 6; cf Article 29 WP, Opinion
0512014 on Anonymisation Techniques (10 April 2014)
sation, and what commercial businesses and some
WP21 6. national regulators would like it to be 162 while mean

23
48 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

while most users (and most lawyers) have no way of ed by much of industry1 6, some of science167 , and
knowing what to make, if anything, of competing some US policy bodies 168 and scholarship 16 , is to
claims of successful anonymisation, pseudonymisa cede legal control over collection of data, in favour of
tion or encryption163 deferring safeguards to the time of use. Such an ap
Yet despite having acutely identified the problems proach has the comforting appearance of being
above and more, the A2 9 WP and the EDPS contin steeped in pragmatism, social benefit and cost sav
ue on the whole to maintain that data protection can ing; enables state surveillance bodies to claim they
survive big data without major reconstruction or de are engaged in harmless 'bulk collection' of metada
molition. ta rather than illegal 'surveillance' 170; rubber stamps
The Working Party acknowledges that the chal the 'treasure hunt' and piling high of big data; and
lenges of big data might require innovative think alleviates the intractable difficulties of getting a valid
ing on how some of these and other key data pro and informed consent out of passers by to data col
tection principles are applied in practice. Howev lection in the IoT. The problem is, as the FTC recog
er, at this stage, it has no reason to believe that the nise, that delaying safeguards to use not collection
EU data protection principles, as they are current simply does not protect privacy, either in actuality or
ly enshrined in Directive 9 5 /46/EC, are no longer in expectations. Once data is into the bag, it will be
valid and appropriate for the development of big impossibly hard to police it at some later time when
data, subject to further improvements to make it has been processed, profiled, 'anonymised, data
164
them more effective in practice. mined, reidentified, copied , mirrored and sent
around the globe to various jurisdictions with vary
This writer would counter argue that the faltering ing laws, powers of enforcement and social norms re
progress of the GDPR on key points such as the def privacy It will also be difficult if not impossible to
inition of consent, the extent of the 'legitimate inter find consensus on what uses are particularly perni
ests'ground for processing and the sudden invention cious. Particularly in relation to 'sensitive data' as the
of an ill thought out category of pseudonymous da FTC agree 17 1 ie mainly, health data people are un
ta 165 halfway through the legislative process, seem to derstandably worried at the prospect of collection as
tell otherwise. well as of use.
The A2 9 WP, the EDPS and European privacy ad In summary therefore DP law as currently consti
vocates in general may feel constrained to continu tuted has no good answers for dealing with the pri
ally assert the effectiveness of the principles of DP vacy problems presented by Big Data. Answers may
as it stands because the alternative, forcibly present conceivably come from other legal instruments such

163 Note the HP/Fortify loT Research Study (n 70) 4: 80% of loT officials from obtaining and using data to address some of their
devices tested raised privacy concerns, not least that as 70% most intractable problems'.
transmitted unencrypted personal information, they were 'one
168 See Executive Office of the President of the US, 'Big Data: Seizing
network misconfiguration away from exposing this data to the
Opportunities, Preserving Values' (2014) 56 <https://www
world'.
.whitehouse.gov/sites/default/files/docs/big-data-privacy-report
164 A29 WP221. _may 1 2014.pdf> accessed 12 February 2016. Note however
the FTC's opposition to this approach: see FTC 2015 (n 66) vi vii.
165 Revised art 4(2a) of the European Parliament draft.
169 See, eg Fred H Cate and Viktor Mayer-Schdnberger, 'Notice and
166 See Craig Mundie, 'Privacy Pragmatism: Focus on Data Use, Not
Data Collection' (2014) 29 Foreign Affairs <https://www Consent in a World of Big Data' (Microsoft Global Privacy Sum-
.foreignaffairs.com/articles/2014-02-1 2/privacy-pragmatism> ac- mit Summary Report and Outcomes, November 2012) 5.
cessed 12 February 2016. Mundie is a senior adviser to Mi- 170 See David Anderson, A Question of Trust Report of the Investi-
crosoft; Letter from Daniel W Caprio, Jr, Senior Strategic Advisor, gatory Powers Review (Independent Reviewer of Terrorism Legis-
Transatlantic Computing Continuum Policy Alliance, to Donald S lation, 11 June 2015) <https://terrorismlegislationreviewer
Clark and FTC (10 January 2014) <https://www.ftc.gov/sites/ .independent.gov.uk/a-question-of-trust-report-of-the-investigatory
default/files/documents/publ ic-comments/2014/01/00017-88305 -powers-review/> accessed 12 February 2016).
.pdf> in which many large loT players including AT&T, General
171 FTC (n 66) 39 and (n 159.) Note that the FTC do suggest that
Electric, Intel Corporation, and Oracle Corporation support the
some 'use based' restrictions or permissions should be accepted:
move.
eg an 'expected use' (p 43) - one that is 'consistent with the
167 See for urban data and smart city researcher perspectives, several context of the interaction' should be allowed without consumer
essays in Lane et al (n 104), especially ch 7. 'Date for the Public consent. It is hard to see how this gels with their admission that 'it
Good: Challenges and Barriers in the Context of Cities': 'Privacy is unclear who would decide which additional uses are beneficial
rules and regulations and bureaucratic silos often prevent city or harmful' (p 44).

24
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 49

as discrimination and employment law, or from as the major cloud computing providers are based) and
sertion of due process rights under art 6 of the ECHR. the EU.
Smart cities are likely to be venues for such disputes.
a. The Cloud and EU Law

3. The Cloud The DPD provides for the free flow of personal data
to countries located outside the EEA only if the coun
Finally, it has to be noted that, of course, most of the try or the recipient provides an 'adequate' level of da
vast amount of data generated in smart cities will be ta protection, thus potentially limiting cross border
stored in the Cloud. Cloud computing is typically data transfers. Given the very small number of coun
based on the provision of resources to users from a tries outside the EEA which have established they
network of servers and of providers and sub have 'adequate' DP or similar regimes, the exemp
providers, with data storage, software and infrastruc tions provided by Article 26 of DPD to enable trans
ture all made dynamically available 'as a service': usu fer data out of the EEA have become crucial. They in
ally with huge advantages in speed, cost and clude a number of grounds including the consent of
scaleability to the consumer or business using the the data subject, the 'safe harbor' scheme in the case
Cloud. Data in the cloud typically has an unknown of transfers to US companies, model contractual
and varying place of storage and/or processing, of clauses and binding corporate rules (BCRs).
ten compounded by multiple back ups or distributed However, at the time of writing virtually all the le
processing of data in multiple jurisdictions. It is gal routes to facilitate transfer of data to and from
sometimes possible to specify contractually that da the Cloud (defined as potentially including storage
172
ta will not be stored or processed outside the EU outside the EU) are being challenged and imminent
but this is at present very unusual in the consumer ly in crisis. The Article 29 Working Party, and the fu
market, for reasons of logistics on the part of the ture draft GDPR have taken an increasingly hard line
dominant US companies in the market, and the lack on data exports from Europe since the Snowden rev
of a strong home grown EU cloud industry sector. elations, with the A2 9 WP arguing in particular that
The widespread use of cloud computing for receiv consent as an exemption should not be relied on
ing and processing data from smart IoT devices and where transfers are recurrent, massive or structur
applications thus raises thorny legal issues revolving al 174 The draft GDPR may also in future restrict use
around jurisdiction and applicable law 17 3 com of consent where 'there is a significant imbalance be
pounded by the difference in privacy cultures al tween the position' of the data controller and the da
ready pointed out between the US (where most of ta subject' 175 and it seems likely this will also cause
problems in some cloud computing contracts. Final
ly and most significantly, summing up the frost in
the CJEU since the Snowden affair, the CJEU has re
cently declared the entirety of 'safe harbor' illegal,
172 Google has for example reputedly made this available to some
UK universities implementing its Gmail services for free student with a possible renegotiation now hard to see and fu
and staff e-mail. ture challenges likely also to BCRs, model contractu
173 See discussion in A29 WP, Opinion 0512012 on Cloud Comput- al clauses and other methods of legitimising data
ing WP 196, s 3 passim. For a general UK-focused overview of
cloud computing law, see Christopher Millard (ed), Cloud Com- transfers to the US 1 76.
puting Law (OUP 2013).
It is not at all easy to predict how the Cloud, or the
174 See A29 WP Working Document 12/1998, Transfers of personal
data to third countries: Applying Articles 25 and 26 of the EU
law, will adapt themselves now 'safe harbor' has been
data protection directive, 27-28. See also A29 WP Opinion struck down. The decision may in fact be seen as
0512012 on Cloud Computing WP 196, para 3.5.2.
more symbolic than anything else, given the relative
175 Art 7(4) of draft GDRP as per European Parliament. It remains
uncertain if this provision will survive trilogue. See Paul ly small number of US companies enrolled in safe
Schwartz, 'EU Privacy and the Cloud: Consent and Jurisdiction harbour, and the large amount of data transfers out
Under the Proposed Regulation' SafeGov (13 May 2013) <http://
safegov.org/2013/5/13/eu-privacy-and-the-cloud-consent-and of the EU in fact facilitated by model contracts and
-jurisdiction-under-the-proposed-regulation> accessed 12 Febru- other informal and more flexible arrangements
ary 2016.
176 See Case C-362/14 Schrems v Data Protection Commissioner of
(around 50% according to one estimate). One aspir
Ireland (CJEU, 6 October 2015). ing solution for European smart cities may be to help

25
50 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

build and use a Europe only cloud (also referred to tures such as smart cities must be built into the code
as a 'Schengen cloud') 177. Deutsche Telekom AG, Ger of these cities not just their software and hardware
many's biggest telecom provider, has apparently al but their material design. This is the principle of 'pri
1 78
ready started to implement such. vacy by design', and in the final section, I examine
At the time of writing, a new 'Privacy Shield' re this both in abstract, and with some concrete exam
placement for 'safe harbor' is on the tablenut its va ples of solutions proposed by data scientists and hu
lidity or longevity are by no means assured. man computer interaction (HCI) specialists.

3. Interim Conclusions VI. Solutions?

It is striking how despite a long period of societal be 1. Privacy by Design and Privacy Impact
moaning of the 'death of privacy' in the digital net Assessments
worked era, the principal privacy institutions of both
the EU and US, aided by an increasingly aggressive Privacy by design (PbD) is an approach to protecting
CJEU, are nonetheless very determined to assert that privacy by embedding it into the design specifica
the so called corpse, or at least the DP version of it, tions of technologies, business practices, and physi
is in fact alive and well. The reaction of the A2 9 WP cal infrastructures183 . PbD solutions (to pick a few
quoted above is typical of Europe's watchdog body: that are particularly relevant to smart cities) include:
DP is still fit for purpose and in principle does not restricting the amount of data applications collect to
need modified, though the detail may need some fine the minimum; encrypting data flows as default;
honing to deal with threats such as the increasing anonymising personal data (see earlier comments on
marginalisation of informed consent, big data, the difficulties thereof); embedding privacy notices sys
IoT and the Cloud. The FTC's reaction is surprising tems in user friendly ways at appropriate times; re
ly similar: faced with the enumerated issues of IoT stricting the retention periods of data ('data expiry');
above, and even without the cultural foundation of providing menus of privacy settings which are in
an omnibus privacy law founded in human rights to
depend on, they still assert 'protecting privacy and
enabling innovation are not mutually exclusive and
177 See W K Hon, C Millard, C Reed, J Singh, I Walden, andJ.
must consider principles of accountability and priva Crowcroft, 'Policy, Legal and Regulatory Implications of a Eu-
cy by design' 179. rope-Only Cloud' (SSRN, 21 November 2014), 2-3 <http://www
.picse.eu/sites/defau It/files/
But other voices from industry, security and poli PolicyLegalandRegulatorylmplicationsof%2OEu ropeOnlyCIoud
.pdf> accessed 12 February 2016.
cy grumble loudly beside them; the UK as a business
178 See Nicole Henderson, 'With Plans to Double Business Cloud
friendly outlier in the privacy culture of Europe has Revenue by 2018, Deutsche Telekom Extends Huawei Partner-
been one of the principle voices pressing for a more ship' (15 June 2015) <http://www.thewhir.com/web-hosting-news/
'risk based' application of DP law which has poten with-plans-to-double-business-cloud-revenue-by-2018-deutsche
-telekom-extends-huawei-partnership> accessed 12 February
tially found its way into various parts of the GDPR1 80; 2016.

and enforcement, rather than the principles them 179 FTC (n 65) 39.

selves, remains the key failure point of DP law, even 180 Of course as the A29 WP themselves remind us, the DPD has
always had some elements of risk assessment, eg the different
more so when taking account the effective landgrab protection accorded ordinary and sensitive personal data. How-
by the EU over data processing by non EU compa ever their resistance to the idea in relation to big data and a move
from restrictions on collection to restrictions on use is patent. See
nies working in EU markets ushered in by the Google WP 21 8, Statement on the role of a risk-basedapproach in data
protection legal frameworks (30 May 2014).
Spain181 case. Just as declaring 'safe harbour' void
181 Case C-131/12 Google Spain (n 127). Also see Case C-230/14
will not in practice stop data flowing to Google, Face Weltimmo s.r.o, v Nemzeti Adatv6delmi 6s Informacioszabadsag
book, Amazon et al, merely make it a bit more diffi Hatosag (CJEU, 1 October 2015).
cult, so privacy in smart cities can also not be safe 182 Or as Neil Brown put it on Twitter post Schrems: 'Law doesn't
protect data it just nudges behaviour. I use maths to encrypt
guarded by ever more exhortations to respect the law, my disk, not wrap it in a copy of directive 95/46/EC.' (@neil_neil-
particularly as that law becomes ever more baroque zone, 6 October 2015).

ly complex and subtle to interpret182 . In this writer's 183 See Information and Privacy Commissioner of Ontario, 'Introduc-
tion to PbD' <https://www.privacybydesign.ca/> accessed 12
opinion, solutions in natural surveillance architec February 2016.

26
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 51

clear language and user friendly, and where defaults built in which reify the rules of law protecting users,
are particularly protective of children; using 'flash a concept they name 'ambient intelligence' 187 . How
cards' to make system designers think about privacy ever Koops and Leenes have also expressed doubts
issues as they build their systems 184 as to the practicality of architecture embedding DP
PbD, which builds holistically on the older notion rules, arguing that encoding privacy provisions in
of Privacy Enhancing Technologies (PETs) has al law is 'far from trivial', most obviously because of the
ready been applied to the big data issue to produce 'flexible' (ie open textured) phrasing of most laws in
suggestions for 'Big Privacy'1 85 but there is little sign the area and because of the lack of a 'privacy mind
of it in the IoT debates to date (see issues examined set' in IT system designers188 .
above). The most radical solution via PbD to the prob As faith in legal privacy solutions has ebbed in the
lems around the IoT might be to argue that data col globalised information world, PbD solutions have ar
lected by devices be held locally (and as far as possi guably been given more and more visibility by poli
ble processed locally) and thus maintained under the cymakers and privacy regulators as well as acade
control of the user, rather than gifted to data con mics. However in 2014, ENISA still reported that:
trollers, in the Cloud or otherwise. This solution, privacy and data protection features are, on the
sometimes known in the computer science world as whole, ignored by traditional engineering ap
'personal data containers' is receiving a great deal of proaches when implementing the desired func
attention from researchers186 . While detailed cri tionality. This ignorance is caused and supported
tique is beyond the scope of this article, such solu by limitations of awareness and understanding of
tions raise their own problems of security and com- developers and data controllers as well as lacking
prehensibilityto (andhence controlby) average users tools to realise privacy by design. While the re
in the current state of development. Hildebrandt and search community is very active and growing, and
Koops go further and argue that where processing is constantly improving existing and contributing
controlled locally in devices, code constraints can be further building blocks, it is only loosely inter
189
linked with practice.

For most companies, the motivations to code active

184 See Ewa Luger, Lachlan Urquhart, Tom Rodden and Michael
Golembewski, 'Playing the Legal Card: Using Ideation Cards to ly to protect privacy rather than to track data, remain
Raise Data Protection Issues within the Design Process' (Proceed- few 190 .
ings of the SIGCHI Conference on Human Factors in Computing
Systems, Seoul, 18-23 April 2014). Recent empirical work by Irit, Hadar et al in which
185 See Anne Cavoukian and Drummond Reed, 'Big Privacy: Bridging software engineers were interviewed in a number of
Big data and the Personal data Ecosystem Through Privacy by employment settings about their privacy coding
Design 2013' (2013) <https://www.ipc.on.ca/site-documents/
PbDBook- From -Rhetoric-to- Reality-ch3.pdf> accessed 12 Febru- practices, comes to similar conclusions1 91 .They note
ary 2016.
that the engineering mindset often restricts the vo
186 See, eg Malte Schwarzkopf et al, 'Personal Containers: Yurts for
Digital Nomads' <http://www.cl.cam.ac.uk/-avsm2/perscon-dl
cabulary used around privacy, and hence the action
.pdf> accessed 12 February 2016. taken, to 'security' in the sense of third party threats
187 See eg Mireille Hildebrandt and Bert-Jaap Koops, 'The Challenges (section III above) rather than a wider view embrac
of Ambient Law and Legal Protection in the Profiling Era' (2010)
73(3) Modern Law Review 428. ing ideas like consent and purpose limitation. 14 out
188 Bert-Jaap Koops and Ronald Leenes, 'Privacy Regulation Cannot of 27 engineers in the interview sample had no
Be Hardcoded. A Critical Comment on the 'Privacy by Design' knowledge of privacy law, and only 4 could reference
Provision in Data-Protection Law' (2014) 28(2) International
Review of Law, Computers & Technology 159. specific privacy laws. The organisational culture of
189 George Danezis et al, Privacy and Data Protection by Design - commercial companies where some engineers
from Policy to Engineering (ENISA 2014) iv.
worked, though giving lip service to privacy policies,
190 Koops and Leenes (n 188).
actually largely ignored or discouraged considera
191 'Are Designers Ready for Privacy by Design? Examining Percep-
tions of Privacy Among Information Systems Designers?'( 2014 tion of PbD. Interestingly, the team also found con
TPRC Conference Paper) abstract at <http://papers.ssrn.com/sol3/ siderable evidence that coders did not want to 'take
papers.cfm?abstract id-2413498> accessed 12 February 2016.
The authors kindly shared a draft with this writer. responsibility for privacy'. Privacy was a social or
192 This writer has observed herself at multidisciplinary events that moral issue and their domain was technology and
lawyers frequently look to technologists for privacy solutions
while technologists do the exact opposite a sort of regulatory
engineering1 92. The paper concludes: 'Privacy by de
'pass the parcel'. sign? Well, not just yet... if PbD is ever to become a

27
52 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

viable practice, a considerable change [needs] to be bility of the solutions arrived at which could be adapt
made.' ed to particular industry sectors or technologies. Her
Despite these forebodings of futility, PbD will soon doubts are however interesting. She admits that cre
probably be mandated by law in the EU. A legal com ating the RFID PIA was merely the 'proof of concept'
mitment to PbD (including 'privacy by default') in phase and that companies would have to be 'really
the draft GDPR has been loosely agreed by all parties willing to comply with the rules that they have set
in the process, but has remained throughout mad for themselves'. This is in fact exactlywhat Irit, Hadar
deningly vague. 193 Recital 61 of the European Parlia et al found not to be the case and the anecdotally slow
ment pre trilogue draft of the GDPR asserted that: uptake on the RFID PIA seems to back this up. An
'the principle of data protection by design requires other issue was uncertainty as to whose responsibil
that data protection be embedded within the entire ity it was to kick off a PIA, and whether existing RFID
life cycle of the technology, from the very early stage, implementations should be included in the PIA
right through to its ultimate deployment, use and fi scheme (answer: no, unless there were 'significant
nal disposal.' How ordinary engineers and coders, changes' in the application, such as expanding be
without substantive training or awareness of priva yond original purposes). The biggest question of all
cy in any detail, often working in small IoT or cloud was sanctions. How would companies suffer if they
businesses which are not customer facing, and tasked did not undertake such a PIA, or gain if they did?
to focus on speed and cheapness, will implement this This uncertainty will remain even if the GDPR pass
holy grail in smart city applications, poses avery large es in its current form given the vagueness of the cri
problem for the future. teria for when a DPIA is required.
Privacy Impact Assessments (PIAs) are one ap Can a PIA usefully be carried out for a smart city
proach to making PbD more viable and effective. as an entity? This is unlikely to happen ab initio in
They are also mandated by the draft GDPR (as 'data the Western world model of retrofitted smart cities,
protection impact assessments') though only in par where ubiquitous computing acquires traction by
ticular circumstances of novel or inherently risky pro
cessing194 . The ICO's Code of practice on conducting
privacy impact assessments defines a PIA as 'a
193 Some guidance has been provided by the A29 WP for the loT (n
process which assists organisations in identifying 119) s 7.1.
and minimising the privacy risks of new projects or 194 See discussion in Rolf Weber, 'Privacy management practices in
policies.1 9 5 PIAs are now fairly widely used around the proposed EU regulation' (2014) 4(4) International Data Priva-
cy Law 290-297.
the world by stakeholders in novel or sensitive areas
195 ICO, Conducting privacy impact assessments code of practice
such as medical or genetic technologies, to define and (version: 1.0, February 2014), 5 <https://ico.org.uk/media/for
-organisations/documents/1595/pia-code-of-practice.pdf> ac-
foresee privacy threats in order to develop solutions
cessed 12 February 2016.
at the early stages of projects or programmes. 196 The 196 See Center of Excellence for Information Sharing, 'How Do We
outstanding example of thinking about applying Identify and Assess Risks to Privacy?' <http://informationsharing
.org.uk/our-work/tools/scoping/how-does-the-partnership-assess
PIAs systematically to an early IoT technology can -the-risks-and-benefits-of-the-information-sharing/how-do-we
be found in the work of Spiekerman and her team -identify-and-assess-risks-to-privacy/> accessed 12 February
2016. See generally Wright and deHert (n 84).
on the EU framework for a PIA for RFID chips 197 and
197 Wright and deHert (n 82). The final document produced is
the A2 9 WP has already recommended adapting the available at A29 WP, Privacy and Data Protection Impact Assess-
RFID framework to map threats in smart cities 1988. ment Framework for RFID Applications (12 January 2011) <http://
cordis.europa.eu/fp7/ict/enet/docu ments/rfid-pia-framework-final
This framework has since been refined further to cre .pdf> accessed 12 February 2016. It is however non-mandatory
and uptake has reportedly been low: see 'The Societal Impact of
ate the Data Protection Impact Assessment (DPIA) the Internet of Things', report of workshop on the Internet of
Template for Smart Grid and Smart Metering sys Thing organized by BCS, the Chartered Institute for IT,on 14
199 February 2013, 11-12 <http://www.bcs.org/upload/pdf/societal
tems -impact-report-febl3.pdf> accessed 12 February 2016.
Spiekerman's assessment of the strength of the 198 See A29 2014 (n 119) 21 .
RFID PIA lies in its attempt to control a serious threat 199 See Smart Grid Task Force 2012-14, Expert Group 2: Regulatory
to privacy data collection via the IoT through a Recommendations for Privacy, Data Protection and Cyber-
'relatively complete, holistic and proactive tackling Security in the Smart Grid Environment, Data Protection Impact
Assessment Template for Smart Grid and Smart Metering systems
of the problem'. She also promotes its co production (18 March 2014), 5 <https://ec.europa.eu/energy/sites/ener/files/
documents/2014_dpia smartgrids-forces.pdf> accessed 12 Feb-
with industry, its global acceptability and the flexi ruary 2016.

28
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 53

slow aggregation (though Spiekerman would almost may have little idea what exactly is happening in their
certainly say such additions form a 'significant data silos and conduits. In this 'Kafkaesque machin
change') but if we look to a future where smart ery that manipulates lives based on opaque justifica
cities (or new sections of them) are routinely built tions '201 we will need to think very hard about how
top down, as in India and Korea, then the challenge to make PIAs useful. This will be as much a job for
is both more likely. Greenfield and brownfield devel urban planners, engineers and architects (among oth
opment schemes in the UK are already routinely pre ers) as privacy experts.
ceded by impact assessments of various kinds eg re Notwithstanding, it would be good to see a re
lating to population, traffic flows etc, and these seem search effort begin to think about how a PIA might
broadly successful despite the complexities. Tradi start to map potential risks, and explore PbD solu
tional PIAs however assume an ability to map data tions in a dedicated way for smart cities 2 2 . A role for
inputs, flows, and outputs, identify the 'owners' (con co ordination and standardisation here (important
trollers) of the data and bring these stakeholders to for global impact 20 3 ) might fall to a number of bod
gether to make decisions, ideally with one person at ies including the BSI and ISO 20 4 authorities. PIAs are
the top of the decision making hierarchy In a smart also ripe for expansion to explicitly investigate a
city, as we have seen, there will be hugely multiple number of other fundamental human rights or ethi
interacting data flows, multiple data owners/con cal areas problematic in smart cities. For example, as
trollers and different jurisdictions of storage and pro briefly mentioned above, big data profiling has seri
cessing, with all of these varying over time and cre ous implications for discrimination practices, due
ating feedback loops with each other. The city may process (eg evidence used to construct crimes) and
or or municipal government may well feel they have freedom of speech (eg when public social media are
the power and duty to control the final design but data mined). A holistic PIA a precautionary but al
20 5
actual (though perhaps not legal) control may rest so enabling framework for 'ethics by design'
with private vendors or investors and their sub and would be a magnificent obsession indeed.
sub sub providers in the Cloud. Future cities may
even have 'adaptive architectures' which begin to de
cide themselves what data to collect and how to 2. Applying PbD More Specifically to
process it 20 0 . Algorithms will be opaque and change Smart Cities
as they learn in ways such that even data controllers
In this sub section I want to focus closelyon one prob
lem that of obtaining informed consent in IoT en
200 Holger Schnfdelbach, 'Smart Cities: The Built Environment as the
vironments. Consent is important because, while not
Interface to Personal Data' in SCL special edition n 1).
201 Taken from Omar Tene and Jules Polonetsky, 'Big data for All:
the only legitimate ground for processing in EU DP
Privacy and User Control in the Age of Analytics' (2013) 11 law, it is the most global standard of legitimacy (giv
Northwestern Journal of Technology and Intellectual Property
239, 243. en the US non mandatory concept of notice and
202 An interesting US contribution from Michael Froomkin suggests a choice), and most likely to engender user trust.
model taken from environmental impact assessments to regulate Where sensitive data, eg health data, is collected in
mass surveillance in urban areas. See 'Regulating Mass Surveil-
lance as Privacy Pollution: Learning from Environmental Impact the EU scheme explicit consent will generally be re
Statements' (55RN, November 2014) <http://papers.ssrn.com/sol3/ quired. As noted above, getting meaningful consent
papers.cfm?abstract id=2400736> accessed 12 February 2016.
in IoT environments is a hard problem. If PbD can
203 It should be noted of course that there are still considerable
dissenters from the value of 'prior warning' approaches such as aid us here, it has a fighting chance of helping else
PIAs at all: see, eg Adam Thierer, championing the value of
'permissionless innovation' over the 'precautionary principle': A where. Consent is also an area where a cross discipli
Thierer, 'The Internet of Things and Wearable Technology: Ad- nary literature related to the IoT has begun to accu
dressing Privacy and Security Concerns without Derailing Innova-
tion' (2015) 21(2) Richmond Journal of Law & Technology, 1 mulate from computer science, security, HCI, ethics,
<http://jolt.richmond.edu/v21 i2/article6.pdf> accessed 12 Febru- medicine and psychology, as well as law.
ary 2016.
Various approaches have already been canvassed
204 See BSIwork on standards in smart cities at <http://www.bsigroup
.com/en-GB/smart-cities/Smart-Cities-Standards-and by researchers, usually in a rather aspirational way.
-Publication/> accessed 12 February 2016. For ISO contribution, Traditionally, consent is given at the time that data
see (n 18)
205 See some foreshadowing of this in work to be commissioned (n
is collected. The FTC and others have come up with
104). a number of existing good practice approaches to ob

29
54 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

taining such consent 20 6 in a world of multiple tiny caught on as a global standard, or even been much
devices with no user interfaces, designed to be as un used20 9 .
obtrusive as possible. We can catalogue this sort of The key problem remains as already discussed,
approach as not deconstructing traditional 'notice that even if methods can be found for giving some
and choice' but clarifying the choices, or boosting the kind of notice/information, the consents obtained in
notice, to meet the constraints of IoT. the IoT are almost always going to be illusory or at
best low quality in terms of the EU legal demand for
freely given, specific and informed consent.2 10 If use
3. Improved Traditional 'Notice and of smart devices becomes unavoidable in a smart city,
Choice' then 'notice and choice' simply becomes an inapplic
able paradigm.
These strategies include:
(i) directing customers to video tutorials to guide
them through privacy settings pages (drawn from 4. 'Pre-consent'?
Facebook) or alternately providing 'set up' wizards
to get data collection choices right 20 7 ; An alternate approach which might look more
(ii) homes or other locations might have detailed con promising is to reconsider how consent might be giv
trol 'dashboards' or 'management portals' where en in the IoT world, conceiving it as an ongoing
consumers could review with some clarity what process, rather than a one time choice at the point of
data they had chosen to share from time to time data collection2 1 1 We have some precedent for this
across different applications or via different de
vices;
(iii) putting QR codes on IoT devices, which could be 206 See FTC 2015 (n 66) v and 41-42.

scanned by customers using their smartphones, to 207 In the loT, unlike on Facebook, these menus or tutorials would
presumably have to be navigated via another connected device
give them easy access to privacy policies or other the user has access to which does have a screen, eg smartphone.
This is clumsy to say the least.
advice;
208 See, eg A M McDonald and L F Cranor, 'The Cost of Reading
(iv) providing icons to convey privacy related infor Privacy Policies' (2008) 4 Journal of Law and Policy for the
mation, such as a flashing light that appears when Information Society 540. The Ofcom commissioned report Per-
sonal data and Privacy (n 95) Annex at p 64, considered that
an IoT device connects to the Internet; different existing problems with non-reading of privacy policies would
icons might flash up to show different levels of only be exacerbated by the loT, especially given more and more
devices would become connected, demanding more and more
risk, and/or different types of data collection; complicated privacy policies to be read. Furthermore, reading a
(v) customers might ask 'just in time' for privacy and privacy policy might take longer than the actual length of interac-
tion with the loT device, reducing further incentive to read.
security settings to be sent to them via emails or information asymmetries would also be increased in the loT:
'consumers will be very likely to lose any ability to assess possi-
texts. bilities for data uses in the loT', again rendering privacy policies
fairly useless.
None of these seem to get us much further in the con 209 See survey in Lilian Edwards and Wiebke Abel, The Use of
Privacy Icons and Standard Contract Terms for Generating Con-
text of smart cities, especially in busy public settings sumer Trust and Confidence in Digital Services (CREATe Working
such as smart transport networks. Will users really Paper 2014/15) <http://www.create.ac.uk/blog/201 4/10/3 I/create
-working-paper-201415-the-use-of-privacy-icons-and-standard
stop to retrieve, read and consider privacy policies -contract-terms-for-generating-consumer-trust-and-confidence-in
on their phones, even shortened ones, even if ac -digital -services/> accessed 12 February 2016. Successful exam-
ples of the use of icons to provide consumer information do
quired via QR codes, while trying to catch a smart exist 'off-line', eg energy use by applications, laundry instructions
and nutritional labelling; and in the digital world, such as the use
tram or hail an autonomous car/taxi or buy a pizza of Creative Commons icons to indicate the permissions given by
from a passing drone? Most non IoT research on con the creator of a copyright work. The best known online privacy
icons set (PIS) is probably that sponsored by Mozilla and found at
sent and privacy policies says not, and the problems <https://disconnect.me/icons>. It is possible the GDPR may
only get worse in the IoT2 °8 . Icons may be more eas mandate privacy icons as graphic representations of privacy
policies which may hasten standardisation.
ily grasped, and thus of more use: but also raise large
210 Seen 124.
issues of recognisability, confusion, global standard
211 Or use (see below). See further Ewa Luger and Tom Rodden, 'An
isation and interoperability: to date, no single frame informed view on consent for UbiComp' (Proceedings UbiComp
work for privacy icons has emerged, nor has any of '13, Proceedings of the 2013 ACM international joint conference
on Pervasive and ubiquitous computing, ACM, New York, 2013)
the very many aspiring schemes of privacy icons 529-538.

30
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 55

in the offline world in the form of advance 'opt out' chips'2 14 but none have so far made a workable sug
preference systems, such as the UK Telephone Pref gestion in a global environment.
erences Service , where a user can say they do not From HCI literature (and as far as this writer
wish to receive junk mail or be cold called at any time knows, not yet absorbed into the legal lexicon) comes
in the future. Online, attempts to transfer this mod another suggestion: decoupling the time of giving
el to the placement of cookies bywebsites in the form consent from the time of collection of data, which is
of 'do not track' (DNT) systems have so far been re the idea of 'sticky privacy preferences'. The notion
sounding failures, with attempts to negotiate be here is that the privacy choices you made earlier are
tween browser manufacturers, websites, and policy remembered by smart systems, and applied the next
makers from EU and US ending in abject collapse213. time a choice needs to be made. The FTC suggest that
The DNT fiasco showed up a number of problems: a single device in a smart home a home appliance
first, does 'do not track me' mean 'do not collect my that acts as a hub could learn a consumer's prefer
data' or merely 'do not use my data to send me tar ences based on prior behaviour and apply them to
geted adverts, but collect it anyway?'; second, in a new appliances and new uses. This has some
self regulatory system, how can websites be com promise: psychologically, behaviour is often consis
pelled to obey the DNT tag; third, how can the user tent, and such systems could use big data profiling
know if there is compliance or not, given the infor over time for good not evil. But even the early prim
mation asymmetry? The second problem in particu itive examples we have of smart machine learning in
lar persists even if one regime (eg the EU) legislates homes, for example, the NEST thermostat, which
to require DNT as mandatory, but another (eg the US) learns how users like their home heated at different
does not. A number of commentators have proposed hours, show problems with the outcomes: users com-
in effect extending the DNT model to the IoT, notably plain, for example, that the house is heated how they
Weber with his call for a right to a 'silence of the like, yes, but it costs them more than in the old days
when explicit choices had to be made about when to
turn the heating up. It might be better to skip this
stage and move on to fully fledged programmable
212 Telephone Preference Service, 'Welcome - We are the Telephone software agents which we can use to make 'semi au
Preference Service' (2015) <http://www.tpsonline.org.uk/tps/index
.html> accessed 12 February 2016. While a self regulatory initia- tonomous' choices for us about our privacy in ambi
tive, this system is backed by EU and UK law, giving it enforce- ent environments 2 15 . This idea is gaining some cur
ment teeth via the [CO. DNT systems, as created by W3C and
browser writers, do not benefit from this. rency in computing science research circles 216 but as
213 See (cynically)Scott Gilbertson, 'W3C's failed Do Not Track yet has not proved itself in the wild. To a lawyer as
crusade tumbles to ad-blockers' Vietnam' The Register (29 July opposed to a data scientist, it seems unlikely that the
2015) <http://www.theregister.co.uk/201 5/07/29/dnt dead in the
-water/> accessed 12 February 2016. difficult personal, ethical, social and financial choic
214 See further Rolf Weber and Romana Weber, Internet of Things: es involved in collection and use of personal data, not
Legal Perspectives (Springer 2010), 39. See also A29 WP loT (n
119) 22, suggesting that loT devices must offer a 'do not collect'
to mention the problem of changing contexts, can be
option to subscribers. This would not prevent the data of third reliably modelled by pre coded agents, even ones that
parties being collected however.
learn as time progresses 2 17 but the approach is in
215 See, eg Richard Gomer, M C Shraefel and Enrico Gerding, 'Con-
senting agents: semi-autonomous interactions for ubiquitous theory at least a little hopeful.
consent'(Proceeding UbiComp '14 Adjunct Proceedings of the
2014 ACM International Joint Conference on Pervasive and
Ubiquitous Computing: Adjunct Publication, ACM, New York,
2014), 653-658 <http://dl.acm.org/citation.cfm?id-2638728
.2641682> accessed 12 February 2016.
5. Moving Away from Notice and
216 And, very recently, in law and IT circles: see, eg Polonetsky who Consent Entirely
proposes obtaining consent in advance through profile manage-
ment portals that would allow consumers to determine what
information they agree to share: Jules Polonetsky, 'Comments of Many European commentators are moving towards
the Future of Privacy Forum on Connected Smart Technologies in the notion that notice and choice, or consent as a
advance of the FTC "Internet of Things" Workshop' (10 July
2013). ground for legitimising processing, is simply broken.
217 And one wonders, how easy would such agents be to hack? Users, as has been proven over and over again, have
Would our privacy agents need DRM, or antivirus protection? neither the resources, opportunity, inclination, or
218 See the interesting interdisciplinary project on Meaningful Con- motivation to give meaningful consents 218 in the cur
sent in the Digital Economy at <http://www.meaningfulconsent
.org/> accessed 12 February 2016. rent online environment and this is only exacerbat

31
56 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

ed by the IoT 219 ; yet their individual chimeric choic less of such permission, certain uses of that data, on
es are allowed to rubberstamp patterns of data col the environmental model, are toxic and thus prohib
lection which are increasingly damaging for society. ited. In other words, to make new law, not rely on
Simultaneously, on the other side of the Atlantic, unenforceable 'ethics'. Obvious examples of possibly
some writers are also arguing that responsibility for prohibited practices include targeting advertising to
ensuring ethical and responsible data collection children, targeting alcohol, diets and drugs to addicts
should be on the data collectors, not the hapless users. and anorexics, and making use of data gathered in
In this case, though, the acknowledgement often inherently private places such as bathrooms. But be
comes with a catch: the transfer of legal or ethical yond this there is, of course, almost no consensus
safeguards to the time of use of the data not its col (and even these might be argued as a fair part of the
lection, with safeguards (if any) varying according to free market by some US industry). Given the whit
use220 . As already noted above22 1 , this could be the tling away in the draft GDPR to date of even exist
kind of loophole, well meant or otherwise, which ing rights to object to automated decision making
might actually spell the final death of data protec and profiling, we should not hold our breath wait
tion. ing for, say, a globally respected regulated and en
Ethical constraints on data collectors, regardless forceable code of conduct for certain data collecting
of whether or not users give meaningless consents, sectors225
are being promoted as a new approach. It is not un One distinct area where we might look for legal
common for professionals such as doctors, lawyers, intervention, in particular in reference to the IoT, big
even architects, engineers or electricians to be held data and smart cities, is the area of algorithmic trans
to a higher level of conduct than the basic law de parency. Although I expressed uncertainty above that
mands, by professional codes, BSI standards or or such transparency is actually available in the world
ganisational seals. Such 'soft law' guarantees are of of big data and learning algorithms, techniques for
ten seen as effective in competitive consumer facing reverse engineering what is going on the 'black box'
markets where good behaviour can attract business. will no doubt improve226 , and it is certainly one of
However the data collection markets to date are fa the best potential tools for shining a light on what
mously not competitive in this sense, as a result of data profilers are actually up to. The little known right
information asymmetries plus network effects. Can in the DPD of data subjects to obtain 'knowledge of
ethical standards be presented as a selling point to the logic involved in any automatic processing of da
users or industry? The EDPS seems to think so: his ta concerning him' 227 should be unambiguously re
latest opinion at time of writing 22 2 recommends a tained and indeed explicitly extended to deal with all
,new digital ethics' for 'accountable controllers' in big data processing, and with some reasonable cut
which empowered prosumers will be able to disclose
data without fearing the loss of their 'dignity'. Such
ideas have appeal within academic research commu
nities, and may offer help in sensitive public sector
219 Discussed supra at n 208.
services such as health, as well as in relation to new
220 See, eg Obama's Big Data report (n 169) 56 and Cate, Cullen and
and potentially dangerous innovation 223 . But al Mayer-Schoenberger (n 170).
though there is some evidence from US cloud com- 221 See pp 48-49 of this article.
puting after Snowden, and panic reactions to securi 222 EDPS Opinion 4/2015 Towards a New Digital Ethics (September
ty breaches, that industry will move to higher stan 2015).
223 See, eg HC Science and Technology Committee, Responsible Use
dards of care than the law requires where there has of Data (41hReport of 2014-15, 19 November 2014).
been a crippling loss of trust224 , the lack of causality 224 See Ethical Code of Practice for Big Data Analysis (Hewlett
between the slow drip of 'ordinary' data disclosure Packard, 2015 shared privately with author); Digital Catapult,
'Trust in Personal data: a UK Review' (2015) <http://www
and eventual harms to users means there is general .digitalcatapultcentre.org.uk/wp-content/uploads/2015/07/Trust-in
ly no such Eureka moment where consumers lose all -Personal-Data-A-UK-Review.pdf> accessed 12 February 2016.;
though cf Rosner (n 54).
faith.
225 See second half of Edwards and Abel (n 209).
So, finally biting an unwelcome bullet, the way
226 Block chains may also offer opportunities for external audit and
forward may simply be to admit that consent is on verification of algorithms.
ly a first step to lawful processing and that regard 227 DPD, art 12(a).

32
EDPL 112016 Privacy, Security and Data Protection in Smart Cities I 57

ting down of the current hiding place provided by IP whether or not its contents can be shared with oth
rights and trade secrets228 . ers, how much of it will be remembered by both
parties, whether emotional reactions should be
sharedorif facial expressions andvoice inflections
2 31
6. Science Fiction should be algorithmically normalized.

How would we design the perfect future world which Is this 'total privacy society' the world we want to
lets us, both individually and as a society, make the live in? Leaving that aside as a hanging question,
most of every positive feature of living in smart cities some elements of this utopia/dystopia are already
while maintaining our right to a private life? One visibly in sight. There are moves towards DRM for
tempting solution is found in Hannu Rajaniemi's The personal data which might allow you to control
Quantum Thief229 . In Rajaniemi's far future city, peo who does what with your data and to track its prove
ple can choose to be invisible to all forms of data col nance wherever it goes232 , even possibly where com
lection and tracking by assuming a technological bined into profiles or pseudonymised. Joseph Loren
shield known as a 'gevulot 230 '. Certain public spaces zo Hall of the Centre for Democracy and Technology
in the cities exist where gevulots cannot be used so has suggested a 'General Privacy Menu' which could
that accidental communion and public speech can allow consumers to control the amount and nature
still occur, but otherwise all interaction and data dis of data collected by IoT sensors and devices in sen
closure with other citizens is negotiated by the gevu sitive locations, such as home and workplace,
lot. through development of a standard element to the
When two citizens randomly meet on the street networkable components of IoT objects.233 There is
their gevulot automatically exchanges privacy in general a great deal to anticipate in the emergence
preferences and negotiates specific concessions. If of a new discipline of 'HDI' 234 , human data interac
someone does not want to be seen by you, then tion, which proposes 'placing the human at the cen
your gevulot will automatically blur/mute them tre of the flows of data and providing mechanisms
out by interfacing with your visual cortex. If they for citizens to interact with those systems and data
wish to talk to you, then you will have to negoti explicitly'. It is a long way off but the 'computation
ate a gevulot contract which specifies whether this al turn' 235 which has so quickly impacted our priva
is going to be a public or private conversation, cy may turn again to give us tools with which it can
be managed, both for our own purposes and for so
cietal good.
228 See recital 41 and note even the current text says 'these consider-
ations must not, however, result in the data subject being refused
all information'.
VII. Conclusion
229 Hannu Rajaniemi, The Quantum Thief (Gollancz 2011).
230 Hebrew for 'borders'.
The future of smart cities is important. They may of
231 An excellent paraphrase, better than this author could muster,
from Luke Maciak, 'Total Privacy Societies: The Quantum Thief by fer solutions to some of our worst problems con
Hannu Rajaniemi' (Terminally Incoherent, 10 August 2011) serving energy and creating a sustainable environ
<http://www.terminally-incoherent.com/blog/2011/08/10/total
-privacy-societies-the-quantum-thief-by-hannu-rajaniemi/> ac- ment, maintaining public safety, engendering com-
cessed 12 February 2016. munity, rescuing millennials from depression and
232 See, eg Siani Pearson and Marco C Mont, 'Sticky Policies: An
Approach for Managing Privacy across Multiple Parties' (Septem-
loneliness, reducing road deaths. In cities with areas
ber 2011) 4 4 (9) Computer 60-68. of mixed and multiple deprivation like the writer's
233 See Joseph Lorenzo Hall, Center for Democracy & Technology own home town, Glasgow, their appeal is obvious and
(CDT), 'Comments for November 2013 Workshop on the "Inter-
net of Things"' (1 June 2013), 4 <https://www.ftc.gov/sites/default/ not to be rejected, even if a degree of cynicism on
files/documents/public comments/2013/07/00028-86211 .pdf> how much benefit will accrue to vendors and munic
accessed 12 February 2016.
ipal leaders rather than the residents is reasonable.
234 See Richard Mortier et al, 'Human-Data Interaction: the Human
Face of the Data Driven Society' (2014) <http://papers.ssrn.com/ But even within this context, privacy and security are
sol3/papers.cfm?abstract id=2508051> accessed 12 February important: if not simply as a fundamental right, then
2016.
235 See further Mireille Hildebrandt and de Vries (eds), Privacy and
instrumentally, as a prerequisite to keeping the trust
the Computational Turn (Routledge 2013). and engagement of smart city dwellers. By now, as a

33
58 1 Privacy, Security and Data Protection in Smart Cities EDPL 112016

society, we have a number of salutary stories of what is very likely, suffering as they do from the combina
happens when technology is perceived as dangerous tion of three of the most difficult issues for modern
and out of control, rationally or irrationally: eg the privacy law to regulate: the IoT, big data and Cloud
backlash against GM crops and their products; the based infrastructure. Even in the EU with its history
fear of 'killer robots'; and the recent Scottish Govern of strong rights based laws, DP solutions applicable
ment ban on fracking, self admittedly based not on to smart cities are so far generic and tenuous, and
evidence but on public disquiet23 6 , all come to mind. look to be getting further away not nearer, even af
In the privacy sphere, probably the most obvious ter three years of negotiations on the GDPR. 'Code'
recent defeat of innovation by privacy fears has been solutions may be more useful and should certainly
the rise and fall of the wearable Google Glass, with be investigated to supplement the law. Four particu
its users labelled Glassholes, banned from shops and lar suggestions for further research and legislative
public spaces and occasionally even attacked. If we and policy involvement are herein promoted:
lose faith in the physical architecture of our cities, (i) investigation into the potential for a smart city
homes and vehicles then the backlash may be much PIA or DPIA;
worse as perhaps seen in the current outrage at the (ii) investigation into the technical and social poten
revelations of VW's falsifications of its diesel cars' tial of methods of giving 'pre consent' or 'sticky
emissions tests. We might see resistance to surveil consent' to deal with the constraints of the IoT;
lance in smart cities, as we have seen resistance to (iii) legislating for algorithmic transparency and re
CCTV by the young in the form of hoodies. If a sig searching ways of making algorithmic data com-
nificant number of users in smart cities refuse, say, prehensible to consumers;
to engage with services provided via smart devices (iv) moving at least partially away from consent or
or environments, we may produce a new underclass 'notice and choice' as a main mechanism for vali
of the digitally dispossessed or marginalised, unable dating data collection and processing; connected
perhaps to vote, claim welfare, or access medical ser ly, prohibiting certain data processing activities
vices. These are all worrying futures we should try (which?) even where there is consent.
to avoid.
This paper has tried to establish that while the po
litical and economic drivers of smart cities tend to
236 See Simon Johnson, 'SNP announces indefinite fracking ban in
wards technology supremacism, smart cities, at least Scotland' The Telegraph (28 January 2015) <http://www.telegraph
in Europe, will still suffer as a project if they fail to .co.uk/news/earth/energy/fracking/1 1375332/SNP-announces
-indefinite-fracking-ban-in-Scotland.html> accessed 12 February
get privacy right; and that at the moment this failure 2016.

34
Governing The Internet
of Everything

35
 GOVERNING THE INTERNET OF EVERYTHING*

SCOTT J. SHACKELFORD JD, PHD*

ABSTRACT
Since the term was first coined in the late 1990s, the "Internet of
Things" has promised a smart, interconnected world enabling your
toaster to text you when your breakfast is ready, and your sweatshirt to
give you status updates during your workout. This rise of "smart
products" such as Internet-enabled appliances has the potential to
revolutionize both business and society. But the smart wave will not
stop with stuff with related trends such as the Internet of Bodies now
coming into vogue. It seems that, if anything, humanity is headed
toward an Internet of Everything. Yet it is an open question whether
security and privacy protections can or will scale along with this
increasingly crowded field, and whether law and policy can keep up
with these developments. This Article explores what lessons the
Institutional Analysis and Development (IAD) and Governing
Knowledge Commons (GKC) Frameworks hold for promoting security
and privacy, in an Internet of Everything, with special treatment
regardingthe promise and peril of blockchain technology to build trust
in such a massively distributed network. Particularattention is paid to
governance gaps in this evolving ecosystem, and what state, federal,
and internationalpolicies are needed to better address security and
privacyfailings.

A B STRA CT ........................................................................................ 70 1
IN TROD U CTION ................................................................................. 702
I. WELCOME TO THE INTERNET OF EVERYTHING ............................... 704
II. UNDERSTANDING THE OSTROM DESIGN PRINCIPLES IN THE CYBER
C ONTEX T ................................................................................ 705
A . Defined Boundaries.......................................................... 706
B . P roportionality................................................................. 707
C. Collective-Choice Arrangements and Minimal
Recognition ofRights ..................................................... 707

Permission is hereby granted for noncommercial reproduction of this Article in whole or in part
for education or research purposes, including the making of multiple copies for classroom use,
subject only to the condition that the names of the authors, a complete citation, and this copyright
notice and grant of permission be included in all copies.

36
 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

D . M onitoring........................................................................ 708
E. GraduatedSanctions and Dispute Resolution .................. 708
F. Sum m ary............................................................................ 709
III. APPLYING THE IAD AND GKC FRAMEWORKS TO THE INTERNET
OF E V ERYTH IN G ..................................................................... 709
Figure 1: The Institutional Analysis and Development
(IA D ) Fram ew ork ..................................................... 711
A. Biophysical Characteristics and Classifying Goods in
Cyberspace ............................................... 711
B . Comm unity A ttributes....................................................... 713
C . R ules-in-Use ..................................................................... 7 15
Figure 2: Types of Rules ................................................ 716
D . A ction A renas ................................................................... 717
E . Outcom es .......................................................................... 7 17
F. E valuative Criteria............................................................ 719
G. Summary and GKC Insights ............................................. 720
Figure 3: Governing Knowledge Commons Framework720
Figure 4: Knowledge Commons Framework and
Representative Research Questions .......................... 721
. . . . . . . . . . ..
IV. Is BLOCKCHAIN THE ANSWER TO THE IoE's WOES? ....... 724
V. POLYCENTRIC IMPLICATIONS FOR MANAGERS AND
726
POLICYM AKERS ......................................................................
Figure 5: Professor Nye's Cyber Regime Complex Map729
C ON CLU SION ..................................................................................... 730

INTRODUCTION

Since the term was first coined in the late 1990s,) the "Internet of
Things" has promised a smart, interconnected world enabling your
toaster to text you when your breakfast is ready, and your sweatshirt to
give you status updates during your workout. 2 This rise of "smart
products" holds the promise to revolutionize business and society. But
the smart wave will not stop with objects, with related trends such as the
Internet of Bodies now coming into vogue. 3 It seems that, if anything,
humanity is headed toward an Internet of Everything (IoE), which,

* Chair, Indiana University-Bloomington Cybersecurity Program; Director, Ostrom Workshop

Program on Cybersecurity and Internet Governance; Associate Professor, Indiana University
Kelley School of Business. A version of this Article will be republished as a book chapter in a
forthcoming volume in the Cambridge Studies on Governing Knowledge Commons series
tentatively entitled, "Privacy as Knowledge Commons Governance."
I Kevin Ashton, That 'Internet of Things' Thing, RFID J. (June 22, 2009),
https://www.rfidjournal.com/articles/view?4986.
2 See, e.g., Chris Ziegler, Finally, There's a Hoodie that Can Text Your Morn, VERGE (June 8,
2014, 4:57 PM), https://www.theverge.com/mobile/2014/6/8/5791464/finally-theres-a-hoodie-
that-can-text-your-mom.
3 See Cyber Risk Thursday: Internet of Bodies, ATLANTIC COUNCIL (Sept. 21, 2017),
http://www.atlanticcouncil.org/events/webcasts/cyber-risk-thursday-internet-of-bodies.

37
2019] GOVERNING THE INTERNET OF EVERYTHING 703

according to Cisco, involves "bringing together people, process, data,

and things to make networked connections more relevant and valuable
than ever before-turning information into actions that create new
capabilities, richer experiences, and unprecedented economic
opportunity for businesses, individuals, and countries. ' 4 Other ways to
conceptualize the problem abound are Bruce Schneier's notion of
Internet+, or Eric Schmidt's contention that "the Internet will
disappear" given the proliferation of smart devices. 5 Regardless, the
salient point is that our world is becoming more connected, if not
smarter, but to date, governance regimes have struggled to keep pace
with this dynamic rate of innovation.
It is an open question whether security and privacy protections can
or will scale along with this increasingly crowded field. As Schneier has
argued,
[t]he point is that innovation in the lnternet+ world can kill you. We
chill innovation in things like drug development, aircraft design, and
nuclear power plants because the cost of getting it wrong is too great.
We're past the point where we need to discuss regulation versus no-
regulation for connected things; we have to discuss smart regulation
versus stupid regulation. 6
Martin Giles, in his article, explores what lessons the Institutional
Analysis and Development (IAD) and Governing Knowledge Commons
(GKC) Frameworks hold for promoting security, and privacy, in an
Internet of Everything, including whether they might help inform the
creation of such smart regulation for an increasingly smart world. It
does not undertake an in-depth regulatory analysis of existing loT
regimes, since this has been done previously, 7 though it does analyze
specific instances that are illustrative of findings from this literature,
such as the work of the National Institute for Standards and
Technology. Rather, the focus here is on assessing findings from the
social science research on governance to identify both best practices and
investigate policy implications. For the first time, for example, the

4 Ahmed Banafa, The Internet of Everything, OPEN MIND (Aug. 29, 2016),
https://www.bbvaopenmind.com/en/the-internet-of-everything-ioe/.
5 See Martin Giles, For Safety's Sake, We Must Slow Innovation in Internet-connected Things,
MIT TECH. REV. (Sept. 6, 2018), https://www.technologyreview.com/s/611948/for-safetys-sake-
we-must-slow-innovation-in-internet-connected-things/; Christina Medici Scolaro, Why Google's
Eric Schmidt Says the 'Internet Will Disappear,' CNBC (Jan. 23, 2015),
https://www.cnbc.com/2015/01/23/why-googles-eric-schmidt-says-the-internet-will-
disappear.html.
6 Giles, supra note 5.
7See, e.g., Andrew Guthrie Ferguson, The "Smart" Fourth Amendment, 102 CORNELL L. REV.
547, 547 (2017); Laura DeNardis & Mark Raymond, The Internet of Things as a Global Policy
Frontier,51 U.C. DAVIS L. REV. 475, 476 (2017); Jane E. Kirtley & Scott Memmel, Rewriting
the "Book of the Machine ": Regulatory and Liability Issues for the Internet of Things, 19 MINN.
J.L. SCI. & TECH. 455,459 (2018).

38
 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

groundbreaking IAD and GKC Frameworks are applied to the issue of

loT security, which helps to illustrate governance gaps and what to do
about them. Further, special coverage is offered with regards to the
promise and peril of blockchain technology to build trust in such a
massively distributed network.
This Article is structured as follows. Part I offers an introduction to
the Internet of Everything for the uninitiated. Part II then introduces and
applies the Ostrom Design Principles in the cyber context. Part III
analyzes the IAD and GKC Frameworks, emphasizing their application
for the Internet of Everything. Part IV explores the utility of blockchain
technology to help build trust in distributed systems. Part V then
summarizes implications for managers and policymakers focusing on
the intersection between polycentric governance and cyber peace.

I. WELCOME TO THE INTERNET OF EVERYTHING

As more things-from doorbells to medical devices-are
interconnected, the looming cyber threat can easily get lost in the
excitement over cheaper, smarter tech. 8 Indeed, smart devices,
purchased for their convenience, are increasingly being used by
domestic abusers as a means to harass, monitor, and control their
victims. 9 Yet, for all the press that the loT has received, it remains a
topic little understood or appreciated by the public. One 2014 survey,
for example, found that fully eighty seven percent of respondents had
never even heard of the "Internet of Things."10 Yet managing the
growth of the Internet of Everything impacts a diverse set of interests:
U.S. national and international security; the competitiveness of firms;
global sustainable development; trust in democratic processes; and
safeguarding civil rights and liberties in the Information Age. I

8 See Aaron Tilley, How Hackers Could Use A Nest Thermostat As An Entry Point Into Your
Home, FORBES (Mar. 6, 2015, 6:00 AM),
https://www.forbes.com/sites/aarontilley/2015/03/06/nest-thermostat-hack-home-
network/#235d0d693986; Carl Franzen, How to Find a Hack-ProofBaby Monitor, OFFSPRING
(Aug. 4, 2017, 6:30 PM), https://offspring.lifehacker.com/how-to-find-a-hack-proof-baby-
monitor-1797534985; Charlie Osborne, Smartwatch Security Fails to Impress: Top Devices
Vulnerable to Cyberattack, ZDNET (July 22, 2015, 10:25 PM),
http://www.zdnet.com/article/smartwatch-security-fails-to-impress-top-devices-vulnerable-to-
cyberattack/; John Markoff, Why Light Bulbs May Be the Next Hacker Target, N.Y. TIMES (Nov.
3, 2016), https://www.nytimes.com/2016/11/03/technology/why-light-bulbs-may-be-the-next-
hacker-target.html?_r- L0.
9 See Nellie Bowles, Thermostats, Locks and Lights: Digital Tools of Domestic Abuse, N.Y.
TIMES (June 23, 2018), https://www.nytimes.com/2018/06/23/technology/smart-home-devices-
domestic-abuse.html.
10 See Chris Merriman, 87 Percent of Consumers Haven't Heard of the Internet of Things,
INQUIRER (Aug. 22, 2014), https://www.theinquirer.net/inquirer/news/2361672/87-percent-of-
consumers-havent-heard-of-the-internet-of-things.
I For more on these topics, see SCOTT J. SHACKELFORD, GOVERNING NEW FRONTIERS IN THE
INFORMATION AGE (forthcoming 2019).

39
2019] GOVERNING THE INTERNET OF EVERYTHING 705

The potential of loT tech has, arguably, only been realized since
2010,12 and is possibly the result of the confluence of at least three
factors: (1) the widespread availability of always-on high-speed Internet
connectivity in many parts of the world; (2) faster computational
capabilities permitting the real-time analysis of Big Data; and (3)
economies of scale lowering the cost of sensors and chips to
manufacturers.' 3 However, the rapid rollout of loT technologies has not
been accompanied by any mitigation of the array of technical
vulnerabilities across these devices, highlighting a range of governance
gaps that may be filled in reference to the Ostrom Design Principles
along with the IAD and GKC Frameworks.

II. UNDERSTANDING THE OSTROM DESIGN PRINCIPLES IN THE CYBER

CONTEXT
As Professor Dan Cole has stated, governance scholars have long
been mining the Ostroms' work on property regimes governing
common-pool resources (CPRs) to better understand their application
for contemporary challenges, including the "knowledge commons." 14
Rather than a direct application of the Ostrom Design Principles or the
IAD Framework, discussed further below, Professors Elinor Ostrom and
Charlotte Hess recognized the distinct nature of natural and artificial
commons spaces, which require "systematic study of its own resources,
actors, [and] institutions .... ,15 After all, these are vastly different
resource domains holding unique types of goods, thus requiring novel
governance mechanisms and frameworks for understanding the
dynamics in play. 16 One should not let the terminology used confuse
this effort; after all, Professor Ostrom herself reportedly "regretted
confusion arising from the phrase 'design principles' and has suggested
7
'best practices' as an alternative."'
Beginning with the Ostrom Design Principles, Professor Ostrom
was "focused on constructing empirically informed frameworks,
theories, and models that were (1) conceptually clear; (2) thickly
descriptive (embracing complexity); (2) diagnostic; (3) analytically
rigorous; and (4) integrative of configural interactions among

12See Jacob Morgan, A Simple Explanation Of 'The Internet of Things', FORBES (May 13, 2014,
12:05 AM), http://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-
things-that-anyone-can-understand/.
13See Jim Chase, The Evolution of the Internet of Things, TEX. INSTRUMENTS (2013),
www.ti.com/lit/ml/swrb028/swrb028.pdf; Scott J. Shackelford et al., When Toasters Attack: A
PolycentricApproach to Enhancing the 'Security of Things', 2017 U. ILL. L. REV. 415 (2017).
14Dan H. Cole, Learningfrom Lin: Lessons and Cautionsfrom the Natural Commons for the
Knowledge Commons, in GOVERNING KNOWLEDGE COMMONS 45, 45 (Brett M. Frischmann,
Michael J. Madison, & Katherine J. Strandburg eds., 2014).
15 Id.
16Id. at 46.
17Id. at 50 n.9.

40
706 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

explanatory factors, suggesting patterns of social interactions and their

social-ecological consequences ...."18 This was the thinking behind her
groundbreaking work Governing the Commons, in which Professor
Ostrom created an informative framework of eight design principles for
the management of common pool resources. 19 These principles include
the importance of: (1) "clearly defined boundaries for the user pool...
and the resource domain"; 20 (2) "proportional equivalence between
benefits and costs"; 21 (3) "collective choice arrangements" ensuring
"that the resource users participate in setting ... rules"; 22 (4)
"monitoring ... by the appropriators or by their agents"; 23 (5)
"graduated sanctions" for rule violators; 24 (6) "conflict-resolution
mechanisms [that] are readily available, low cost, and legitimate"; 25 (7)
"minimal recognition of rights to organize"; 26 and (8) "governance
activities [being] ... organized in multiple layers of nested
enterprises. ' 27 Only some of Professor Ostrom's design principles,
though, are applicable in the Internet of Everything and are discussed in
turn. 28

A. Defined Boundaries
According to Professor Ostrom, "the boundary rules relate to who
can enter, harvest, manage, and potentially exclude others' impacts.
Participants then have more assurance about trustworthiness and
cooperation of the others involved." 29 In the IoE context, defined
boundaries are problematic given the extent to which various smart
devices interconnect, forming "smart homes" and eventually "smart
cities" that may be conceptualized as an ecosystem with its final
realization in an Internet of Everything. 30 Trust, then, may only be built
in such a landscape by segmenting the IoE into smaller micro
communities, and/or by leveraging new technologies, such as

18 Id. at47.
19 See ELINOR OSTROM, GOVERNING THE COMMONS: THE EVOLUTION OF INSTITUTIONS FOR
COLLECTIVE ACTION 212 (1990).
20 SUSAN J. BUCK, THE GLOBAL COMMONS: AN INTRODUCTION 32 (1998).
21 See OSTROM, supra note 19, at 90.
22 BUCK, supra note 20, at 32.
23 Id.
24 Id.
25 Id.
26 Elinor Ostrom, Polycentric Systems: Multilevel Governance Involving a Diversity of
Organizations, in GLOBAL ENVIRONMENTAL COMMONS: ANALYTICAL AND POLITICAL
CHALLENGES INVOLVING A DIVERSITY OF ORGANIZATIONS 105, 118 tbl. 5.3 (Eric Brousseau et
al. eds., 2012).
27 Id.
28 An earlier version of this research appeared as Shackelford et al., supra note 13.
29 Id. at 464.
30 See, e.g., Abdullahi Arabo, Cyber Security Challenges within the Connected Home Ecosystem
Futures,61 PROCEDIA COMP. SCI. 227, 227 (2015).

41
2019] GOVERNING THE INTERNET OF EVERYTHING 707
31
blockchain, as is discussed further below.

B. Proportionality
A key component of proportionality is equity, such that some of
the "users [do not] get all the benefits and pay few of the costs .... -32
Problems of proportionality often arise in the cybersecurity context,
given well-documented issues with misaligned incentive structures. 33
For example, the National Bureau of Economic Research has estimated
that the average firm only sees an approximately one percent drop in
stock value following a cyber attack, though the figure raises to six
percent for firms with insufficiently engaged Boards of Directors. 34
Under this argument, cybersecurity may be considered as a public good
alongside national security, and if cyber attacks do not result in
increased cybersecurity investments, then there exists a market failure
in the IoE context, necessitating some form of regulatory intervention to
correct, as is discussed further below. 3 5

C. Collective-ChoiceArrangements andMinimal Recognition of Rights

Good governance of common-pool resources may be reinforced
when "most of the individuals affected by a resource regime are
authorized to participate in making and modifying the rules related to

31 Dep't Homeland Sec., Information Sharing and Analysis Organizations (ISAOs),

http://www.dhs.gov/isao (last visited Dec. 17, 2015).
32 Ostrom, supra note 26, at 120.
33 See Intel., New Global Cybersecurity Report Reveals Misaligned Incentives, Executive
Overconfidence Create Advantages for Attacker, PHYS.ORG (Mar. 1, 2017),
https://phys.org/news/201 7 -03-global-cybersecurity-reveals-misaligned-incentives.html.
34 Ren6 M. Stulz, What is the Impact of Successful Cyberattacks on Target Firms?, HARV. L.F.
ON CORP. GOVERNANCE & FrN. REG., (Mar. 30, 2018),
https://corpgov.law.harvard.edu/2018/03/30/what-is-the-impact-of-successful-cyberattacks-on-
target-firms/ ("We find a significant negative abnormal return for firms that announce a
cyberattack. In particular, for firms experiencing cyberattacks that result in loss of personal
financial information such as social security numbers, bank account, and credit card information,
their mean cumulative abnormal returns from one day before to one day after the cyberattack
announcement date is -1.12%, which implies an average value loss of $607 million. Cyberattacks
have a much worse impact when the incident is a recurring event within one year and when
affected firms are older. The impact is especially negative when the affected firm does not have
evidence of board attention to risk management as the abnormal return is lower by 6 percentage
points for such a firm.").
35 See Robert Beeres & Myriame Bollen, An Economic Analysis of Cyber Attacks, in CYBER
WARFARE: CRITICAL PERSPECTIVES 147, 153 (Paul Ducheine et al. eds., 2012) (discussing cyber
security as a public good and, thus, defining it as "the goods, services, measures, techniques that
aim to enhance the feeling of being secure in cyberspace"); Eli Dourado, Is There a Cybersecurity
Market Failure? (George Mason Univ. Mercatus Ctr., Working Paper No. 12 05, 2012),
http://mercatus.org/publication/there-cybersecurity-market-failure-0 (arguing that market failures
are not so common in the cybersecurity realm); Jennifer Booton, 3 Reasons Why Cyberattacks
Don't Hurt Stock Prices, MARKETWATCH (Apr. 3, 2015, 1:33 PM),
http ://www.marketwatch.com/story/3-reasons-why-eyberattacks-dont-hurt-stock-prices-20 15-04-
03.

42
 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

boundaries, assessment of costs .... etc."'36 Such an outcome, though,

is not foreordained in most governance systems, given that it requires
engaged and proactive rulemaking by technical communities (such as
the Internet Engineering Task Force), the private sector, and the
international community. 3 7 Such efforts have been on display in the IoE
context, as seen in the National Institute for Standards and Technology
Cybersecurity Framework (NIST CSF) and related NIST Privacy
Framework, along with the Paris Call for Trust 38 and Security in
Cyberspace, which are analyzed further in Part III(C).

D. Monitoring
Trust is a necessary but insufficient criterion to promote good39
governance, according to the literature on polycentric governance.
Monitoring is also vital to ensure "conformance of others to local
rules."'40 Norm entrepreneurs, such as Microsoft, could fill this role.
Already, we are seeing the beginning of this trend through the more
than sixty participants in the Cybersecurity Tech Accord, which seeks to
set out industry norms barring covered firms from using their platforms
and tools to attack civilian critical infrastructure. 4 1 This role could also
be fulfilled by the courts through litigation such as LabMD, Inc. v. FTC,
along with other state and federal actions, which are forming the
contours of what constitutes a "reasonable" level of cybersecurity care
42
for IoE operators.

E. GraduatedSanctions andDispute Resolution

The Design Principles also underscore the need for graduated
sanctions and effective dispute resolution for rule breakers. The former
point underscores the significance of not "[1]etting an infraction pass

36 Ostrom, supra note 26, at 120.

37 See George J. Siedel & Helena Haapio, Using Proactive Law for Competitive Advantage, 47
AM. BUS. L.J. 641, 656 57 (2010) (discussing the origins of the proactive law movement, which
may be considered "a future-oriented approach to law placing an emphasis on legal knowledge to
be applied before things go wrong").
38 Press Release, NIST, NIST Releases Version 1.1 of Its Popular Cybersecurity Framework
(Apr. 16, 2018) (available at https://www.nist.gov/news-events/news/2018/04/nist-releases-
version- 11 -its-popular-cybersecurity-framework); Privacy Framework, NIST,
https://www.nist.gov/privacy-framework (last visited Jan. 9, 2018).
39 Ostrom, supra note 26, at 120.
40 Id. at 121.
41 See CYBERSECURITY TECH ACCORD, https://cybertechaccord.org/ (last visited Oct. 3, 2018).
42 See Allison Frankel, There's a Big Problemfor the FTC Lurking in the l1th Circuit's LabMD
Data-Security Ruling, REUTERS (June 7, 2018), https://www.reuters.com/article/us-otc-
labmd/theres-a-big-problem-for-the-ftc-lurking-in- 11 th-circuits-labmd-data-security-ruling-
idUSKCN1J32S2; see also Scott J. Shackelford, Scott Russell & Jeffrey Haut, Bottoms Up: A
Comparison of "Voluntary" Cybersecurity Frameworks, 16 UNIV. CAL. DAVIS Bus. L.J. 217
(2016).

43
2019] GOVERNING THE INTERNET OF EVERYTHING 709

unnoticed. '4 3 There have also been proposals, especially in the wake of
scandals such as the October 2018 Facebook data breach, to increase
penalties and resources at the federal level, such as through stepped-up
Federal Trade Commission (FTC) enforcement. 44

F. Summary
Together, these Design Principles provide some guidance for the
governance of the Internet of Everything, such as the importance of
graduated sanctions and encouraging bottom-up efforts for the NIST
CSF and the Cybersecurity Tech Accord. By following the insights of
these Principles, it may be possible to promote the sustainable
development of these technologies, even though such conceptions are
often divorced from normative stances. As Professor Cole has asserted,
"we might legitimately argue that the 'design principles' from
Governing the Commons were informed by an implicit normative
commitment to long-run sustainability. '45 The full picture, though,
requires a deeper dive into the IAD and GKC Frameworks, discussed
next.

III. APPLYING THE IAD AND GKC FRAMEWORKS TO THE INTERNET OF

EVERYTHING
The animating rationale behind the lAD Framework was, quite
simply, a lack of shared vocabulary to discuss common governance
challenges across a wide range of resource domains and issue areas. 4 6
"Scholars adopting [the IAD] framework essentially commit to 'a
common set of linguistic elements that can be used to analyze a wide
diversity of problems,' including potentially, ' 47 cybersecurity, and
Internet governance. Without some level of clarity, according to Cole,
confusion can occur, such as in defining "resource systems" that can
include "information, data, or knowledge" in the intellectual property
context, with natural resources. 48 Similarly, CPRs may refer to
common-pool resources (e.g., "naturally existing systems with various
biophysical attributes") and common-property regimes (e.g., "human-
created sets of institutions for managing common-pool resources."). 49 In

43 See Ostrom, supra note 26, at 121.

44 See, e.g., Emily Bary, Facebook Could Face Huge Fines in FTC Investigation, MARKET
WATCH (Mar. 26, 2018), https://www.marketwatch.com/story/facebook-could-face-huge-fines-
in-fic-investigation-2018-03-26; see also Alex Hickey, 'PunchingAbove its Weight,' FTC Needs
More Rule-Making Power, Resources, Commissioner Says, CIO DIVE (Oct. 3, 2018),
https://www.ciodive.com/news/punching-above-its-weight-ftc-needs-more-rule-making-power-
resources-c/538718/.
45 Cole, supra note 14, at 49.
46 Id. at 50-51.
47 Id. at 51.
48 Id.
49 Id. at 52.

44
 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

the Internet governance context, similar confusion surrounds core terms

such as "information security" and "cybersecurity." 50 There are also
other more specialized issues to consider, such as defining what
constitutes "critical infrastructure," and what, if any, "due diligence"
obligations operators have to protect it from cyber attackers. 51 Similarly,
the data underlying these systems is subject to a range of sometimes
vying legal protections. As Professor Cole argues, "[t]rade names, trade
secrets, fiduciary and other privileged communications, evidence
submitted under oath, computer code, and many other types of
information and flows are all dealt with in various ways in the legal
52
system."
Although created for a different context, the lAD Framework can
nevertheless (a) improve our "understanding of information and
information flows under alternative institutional arrangements;
(b) diagnose problems (or dilemmas) in existing institutional
arrangements; and (c) predict[, in select cases, the] outcomes under
alternative institutional arrangements. ' 53 Indeed, Professor Ostrom
believed that the TAD Framework had wide application, including, "to
microeconomic theory, game theory, transaction cost theory, social cost
theory, public choice, and constitutional and covenantal theory, along
with theories of public goods and common-pool resources." 54 It is now
arguably "the most widely used framework in studies of the natural
commons." 55 The IAD Framework is unpacked in Figure 1, and its
application to IoE governance is analyzed in turn, after which some
areas of convergence and divergence with the GKC Framework are
highlighted.

50 See Neal Ungerleider, The Chinese Way of Hacking, FAST CO., (July 12, 2011),
http://www.fastcompany.com/1766812/inside-the-chinese-way-of-hacking (transcribing an
interview with Adam Segal, the Ira A. Lipman Fellow at the Council on Foreign Relations, in
which Mr. Segal discusses how the Chinese differentiate between information security and
cybersecurity).
51See Scott J. Shackelford, Scott Russell & Andreas Kuehn, Unpacking the InternationalLaw on
Cybersecurity Due Diligence: Lessons from the Public andPrivate Sectors, 17 CHI. J. INT'L L. 1
(2016); Scott J. Shackelford & Amanda N. Craig, Beyond the New 'DigitalDivide': Analyzing
the Evolving Role of Governments in Internet Governance and Enhancing Cybersecurity, 50
STAN. J. INT'L L. 119 (2014).
52 Cole, supra note 14, at 52.
53 Id. at 46.
54 Id. at 49.
55 Id. at 52.

45
2019] GOVERNING THE INTERNET OF EVERYTHING 711

Figure 1: The Institutional Analysis and Development (IAD)

56
Framework

Biophysical Arena
Characteristics Patternsof
Acoin Interaction

Attributes tuto
of the # s
L Tm Evatuative
Communit" __ Crteria

RuLes-in-Use
------------------ ----.-.----
........
. . . . . . . .[ O t o e

A. Biophysical Characteristicsand Classifying Goods in Cyberspace

Digging into the IAD Framework, beginning on the left side of
Figure 1 (with all three boxes being considered as endogenous variables
to the Framework), 57 there are an array of characteristics to consider,
including "facilities through which information is accessed" such as the
Internet itself, as well as "artifacts... including ...computer files" and
the "ideas themselves." 5 8 The "artifacts" category is especially relevant
in cybersecurity discussions, given that it includes trade secrets
protections, which are closer to a pure private good than a public good
and are also the currency of global cybercrime. 59 Internet governance
institutions (or "facilities" in this vernacular) can also control the rate at
which ideas are diffused, such as through censorship. 60
There is also a related issue to consider: what type of "good" is at
issue in the cybersecurity context? In general, goods are placed into four
categories, depending on whether they fall on the spectra of exclusion
and subtractability. 6 1 Exclusion refers to the relative ease with which
goods may be protected. 62 Subtractability evokes the extent to which
one's use of a good decreases another's enjoyment of it.63 If it is easy to
exclude others from the use of a good, coupled with a high degree of
subtractability, then the type of good is likely to be characterized as

56 Elinor Ostrom & Charlotte Hess, A Frameworkfor Analyzing the Knowledge Commons, in
UNDERSTANDING KNOWLEDGE AS A COMMONS: FROM THEORY TO PRACTICE 44, fig. 3.1
(Charlotte Hess & E. Ostrom eds., 2007).
57 Id. at 9.
58 Id. at 10.
59 For more on this topic, see Scott J. Shackelford et al., Using BITs to Protect Bytes: Promoting
Cyber Peace and Safeguarding Trade Secrets through BilateralInvestment Treaties, 52 AM. BUS.
L.J. 1 (2015).
60 See, e.g., Hannah Beech, China's Great Firewall is Harming Innovation, Scholars Say, TIME
(June 2, 2016), http://time.com/4354665/china-great-firewall-innovation-online-censorship/.
61 SUSAN J. BUCK, THE GLOBAL COMMONS: AN INTRODUCTION 5 6 (1998).
62 Id.
63 See id.

46
712 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

"private goods" that are defined by property law and best regulated by
the market. 64 Examples range from iPads to toy cars. Legal rights,
including property rights, to these goods include the right of exclusion
discussed above. At the opposite end of the spectrum, where exclusion
is difficult and subtractability is low, goods are more likely
characterized as "public goods" that might be best managed by
governments. 65 An example is national defense, including, some argue,
cybersecurity. 66 But, in its totality, the Internet of Everything includes
all forms of goods, including devices catalyzing a range of positive and
negative externalities, from network effects to cyber-attacks. The
Internet of Everything includes digital communities as a form of club
good, with societies being able to set their own rights of access; a
contemporary example is the efforts of Reddit moderators to stop trolls, 67
limit hate speech, and promote a more civil dialogue among users.
Such communal property rights may either be recognized by the state,
or be based on "benign neglect. '6 8 Indeed, as of this writing, there is an
active debate underway in the U.S. and Europe about the regulation of
social-media platforms to limit the spread of terrorist propaganda, junk
news, sex trafficking, and hate speech. 69 Such mixed types of goods are
more the norm than the exception. As Cole has argued,
since the industrial revolution it has become clear that the
atmosphere, like waters, forests, and other natural resources, is at
best an impure, subtractable, or congestible public good. As such,
these resources fall somewhere on the spectrum between public
goods, as technically defined, and club or toll goods. It is such
impure public goods to which Ostrom assigned the label 'common-
70
pool resources.'
Naturally, the next question is whether, in fact, cyberspace may be
comparable to the atmosphere as an impure public good, since pure

64 See id. For an extended treatment of this subject, see Janine Hiller & Scott J. Shackelford, The
Firm and Common Pool Resource Theory: Unpacking the Rise of Benefit Corporations, 55 AM.
BUS. L.J. 5 (2018).
65 See Vincent Ostrom & Elinor Ostrom, Public Goods and Public Choices, in ELINOR OSTROM
AND THE BLOOMINGTON SCHOOL OF POLITICAL ECONOMY Vol. 2, at 3, 6 (Daniel H. Cole &
Michael McGinnis eds., 2015).
66 ELINOR OSTROM, BEYOND MARKETS AND STATES: POLYCENTRIC GOVERNANCE OF

COMPLEX ECONOMIC SYSTEMS 413 (2009), http://www.nobelprize.org/nobel prizes/economic-

sciences/laureates/2009/ostrom lecture.pdf (2009 Nobel Prize lecture).
67 See Kevin Roose, Reddit Limits Noxious Content by Giving Trolls Fewer Places to Gather,
N.Y. TIMES (Sept. 25, 2017), https://www.nytimes.com/2017/09/25/business/reddit-limits-
noxious-content-by-giving-trolls-fewer-places-to-gather.html.
68 BUCK, supra note 61, at 5.
69 See, e.g., SESTA Is Flawed,but the Debate Over It Is Welcome, ECONOMIST (Sept. 23, 2017),

https://www.economist.com/leaders/2017/09/23/sesta-is-flawed-but-the-debate-over-it-is-
welcome (discussing the extent to which legal liability should attach to online services that have
long enjoyed immunity in the U.S. under the Communications Decency Act).
70 Cole, supra note 14, at 54.

47
2019] GOVERNING THE INTERNET OF EVERYTHING 713

public goods do not present the same sort of governance challenges,

such as the well-studied "tragedy of the commons" scenario, which
predicts the gradual overexploitation of all common pool resources. 71
Though cyberspace is unique given that it can, in fact, expand such as
through the addition of new networks, 72 but increased use also
73
multiplies threat vectors.
Solutions to the tragedy of the commons typically "involve the
replacement of open access with restricted access and use via private
property, common property, or public property/regulatory regimes. '74
However, in practice, as Elinor Ostrom and numerous others have
shown, 75 self-organization is in fact possible in practice, as is discussed
further below. Without such polycentric action, this vital, digital
common-pool resource may be depleted. 76 The growth of the Internet of
Everything could hasten such tragedies if vulnerabilities replete in this
77
ecosystem are allowed to go unaddressed.

B. Community Attributes
The next box on the left side of the IAD Framework, titled

71See David Feeny et al., The Tragedy of the Commons: Twenty-Two Years Later, 18 HUM.
ECOLOGY 1, 4 (1990). Former DHS Secretary Michael Chertoff, for example, has argued that the
cyber threat constitutes "a potential tragedy of the commons scenario," given "[o]ur reliance on
cyberspace." Michael Chertoff, Foreword, 4 J. NAT'L SEC. L. & POL'Y 1, 2 (2010).
72 See TIM JORDAN, CYBERPOWER: THE CULTURE AND POLITICS OF CYBERSPACE AND THE
INTERNET 120 (1999) (describing the increase in Internet access as well as information overload);
cf RON DEIBERT, DISTRIBUTED SECURITY AS CYBER STRATEGY: OUTLINING A
COMPREHENSIVE APPROACH FOR CANADA IN CYBERSPACE 6 11 (2012),
https://citizenlab.org/wp-content/uploads/2012/08/CDFAI-Distributed-Security-as-Cyber-
Strategy_-outlining-a-comprehensive-approach-for-Canada-in-Cyber.pdf (discussing the
expansion of cyberspace to other countries and regions of the world, yet noting the increasing use
of censorship practices within some of these nations).
73See Nick Nykodym et al., Criminal Profiling and Insider Cyber Crime, 2 DIGITAL
INVESTIGATION 261, 264 -65 (2005) (explaining how the Internet's expanding role in business
has correspondingly increased the threat of cybercrime and made criminals more difficult to
catch); Richard Chirgwin, AusCERT Wrap-Up, Day 2: Attack Vectors Will Multiply Faster than
Defenses, CSO (May 17, 2012), http://www.cso.com.au/article/424868/auscertwrap-
upday_2 attack vectorswill multiply_faster-than defences/ (declaring that it is "hard to
escape the conclusion that the 'Internet of Things' will create a host of new attack vectors that
will probably only become clear after we have enthusiastically adopted a new technology").
74Brett M. Frischmann, Michael J. Madison & Katherine J. Strandburg, Governing Knowledge
Commons, in GOVERNING KNOWLEDGE COMMONS 1, 54 (Brett M. Frischmann, Michael J.
Madison & Katherine J. Strandburg eds., 2014)
75See, e.g., Brett Frischmann, The Tragedy of the Commons, Revisited, SCl. AM.:
OBSERVATIONS. (Nov. 19, 2018), https://blogs.scientificamerican.com/observations/the-tragedy-
of-the-commons-revisited.
76 See, e.g., Cybersecurity Strategy of the European Union: An Open, Safe and Secure
Cyberspace, EUR. COMM'N, at 2 (Feb. 7, 2013) (reporting that "a 2012 Eurobarometer survey
showed that almost a third of Europeans are not confident in their ability to use the internet for
banking or purchases") [hereinafter EU Cybersecurity Strategy].
77 See, e.g., Michael Smith, 'The Tragedy of the Commons' in the JoT Ecosystem,
COMPUTERWORLD (Aug. 16, 2017, 9:32 AM),
https://www.computerworld.com.au/article/626059/tragedy-commons-iot-ecosystem/.

48
 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

"Attributes of the Community," refers to the network of users making

use of the given resource. 7 8 Unlike in the natural commons context in
which relatively small, local communities might share access to a forest
or lake, in the cyber context, communities can be far larger given the
more than four billion global Internet users as of October 2018, 7 9 not to
mention the billions of devices comprising the Internet of Everything.
The scale of the problem parallels the battle to combat the worst effects
of global climate change.80 Such a vast scale stretches the utility of the
IAD Framework, which is why most efforts have considered subparts,
or clubs, within this ecosystem.
An array of polycentric theorists, including Professor Ostrom, have
extolled the benefits of small, self-organized communities in managing
common pool resources. 8 1 Anthropological evidence has confirmed the
benefits of small-scale governance.8 2 However, micro-communities can 83
ignore other interests, as well as the wider impact of their actions.
Sustainable development, such as corporate social responsibility tools
like the Global Reporting Initiative, are a useful mechanism for
overcoming these issues.8 4 A polycentric model favoring bottom-up
governance but with a role for centralized coordination so as to protect
against free riders may be the best-case scenario.8 5 Such self-regulation
has the flexibility "to adapt to rapid technological progress" '8 6 better

78 Cole, supra note 14, at 55.

79 See INTERNET WORLD STATS, https://www.internetworldstats.com/stats.htm (last visited Oct.
2,2018).
80 Cole, supra note 14, at 56. For an analysis of how the Ostrom Design Principles might apply in
this context, see Scott J. Shackelford, On Climate Change and Cyber Attacks: Leveraging
Polycentric Governance to Mitigate Global Collective Action Problems, 18 VAND. J. ENT. &
TECH. L. 653 (2016) (analyzing how the Ostrom Design Principles might apply in this context.).
81 See, e.g., Elinor Ostrom et al., Revisiting the Commons: Local Lessons, Global Challenges,
284 Sci. 278, 278 (1999) (questioning policymakers' use of Garrett Hardin's theory of the
"tragedy of the commons," in light of the empirical data showing self-organizing groups can
communally manage common-pool resources).
82 See, e.g., Gregory A. Johnson, OrganizationalStructure and Scalar Stress, in THEORY AND
EXPLANATION IN ARCHEOLOGY 389, 392-94 (Colin Renfrew et al. eds., 1982).
83 See ANDREW D. MURRAY, THE REGULATION OF CYBERSPACE: CONTROL IN THE ONLINE
ENVIRONMENT 164 (2007) (explaining how members of micro-communities tend to focus only
on what directly impacts their own activities).
84 See Scott J. Shackelford et al., Sustainable Cybersecurity: Applying Lessons from the Green
Movement to Managing Cyber Attacks, 2016 UNIV. ILL. L. REV. 1995 (2016).
85 The DHS's Cybersecurity Awareness Month every October helps to highlight the important
role played by bottom-up efforts to enhance cybersecurity, noting, "[e]very Internet user has a
role to play in securing cyberspace and ensuring the safety of ourselves, our families, and our
communities online." National Cyber Security Awareness Month, DEP'T HOMELAND SEC.,
http://www.dhs.gov/national-cyber-security-awareness-month (last visited Jan. 24, 2013).
Competitions rewarding communities that distinguish themselves in enhancing their
cybersecurity along defined metrics such as through grants could also help build awareness and
increase the potential for successful polycentric governance, especially when coupled with other
hallmarks such as effective dispute resolution.
86 According to Notre Dame Professor Don Howard, different online communities "have a
complicated topology and geography, with overlap, hierarchy, varying degrees of mutual

49
2019] GOVERNING THE INTERNET OF EVERYTHING 715

than black letter law, which often changes incrementally, if at all. Even
if enacted, it can result in unintended consequences, as seen now in the
debates surrounding California's 2018 IoT law. As of January 2020, this
law would require "any manufacturer of a device that connects 'directly
or indirectly' to the Internet ...[to] equip it with 'reasonable' security
features, designed to prevent unauthorized access, modification, or
'87
information disclosure.

C. Rules-in-Use
This component of the LAD Framework comprises both
community norms along with formal legal rules. 88 One of the driving
questions in this area is identifying the appropriate governance level at
which to formalize norms into rules, for example, whether that isat a
constitutional level, collective-choice level, etc. 89 The driving research
task in this variable, according to Cole, "in applying the TAD
framework, is to determine, and diagnose perceived problems with, the
rules-in-use that govern day-to-day ('operational-level') interactions in
the action situations under study." 90 That is easier said than done in the
cybersecurity context, given the wide range of industry norms,
standards-such as the National Institute for Standards and Technology
Cybersecurity Framework (NIST CSF)-state-level laws, sector-
specific federal laws, and international laws regulating everything from
banking transactions to prosecuting cybercriminals. Efforts have been
made to begin to get a more comprehensive understanding of the
various norms and laws in place, such as through the International
Telecommunication Union's (ITU)'s Global Cybersecurity Index 91 and
the Carnegie Endowment International Cybersecurity Norms Project,
but such efforts remain at an early stage of development. 92 A variety of

isolation and mutual interaction. There are also communities of corporations or corporate
persons, gangs of thieves, and . ..on scales small and large." Don Howard, Civic Virtue and
Cybersecurity,in THE NATURE OF PEACE AND THE MORALITY OF ARMED CONFLICT 192 (Florian
Demont-Biaggi ed., 2017). What is more, Professor Howard argues that these communities will
each construct norms in their own ways, and at their own rates, but that this process has the
potential to make positive progress toward addressing multifaceted issues such as enhancing
cybersecurity. Id. at 199. For more on this topic, see SCOTT J. SHACKELFORD, MANAGING CYBER
ATTACKS IN INTERNATIONAL LAW, BUSINESS, AND RELATIONS: IN SEARCH OF CYBER PEACE,
ch.7 (2014).
87Adi Robertson, CaliforniaJust Became the First State with an Internet of Things Cybersecurity
Law, VERGE (Sept. 28, 2018, 6:07 PM),
https://www.theverge.com/2018/9/28/17874768/califomia-iot-smart-device-cybersecurity-bill-sb-
327-signed-law.
88 Cole, supra note 14, at 56.
89 Id. at 57.
90 Id.
91 INT'L TELECOMM. UNION, GLOBAL CYBERSECURITY INDEX (2017) (available at
https://www.itu.int/dmspub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf).
92 See Cyber Norms Index, CARNEGIE ENDOWMENT FOR INT'L PEACE,
https://carnegieendowment.org/publications/interactive/cybernorms (last visited Oct. 2, 2018).

50
 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

rules may be considered to help address governance gaps, such as

"position rules," as is discussed further in Figure 2.
93
Figure 2: Types of Rules

Position rules Define positions that actors hold, including as owners of property rights
and duties.
Boundary Define: (i) Who is eligible to take a position;
rules (z) The process for choosing who is eligible to take a position;
(3) How actors can leave positions;
(4) Whether anyone can hold multiple positions simultaneously;
(5) Succession to vacant positions.
Choice rules Define what actors in positions must, must not, or may do in their
position and in particular circumstances.
Aggregation Determine whether a decision by a single actor or multiple actors is
rules needed prior to acting at a decision point in a process.
Information Specify channels of communication among actors, as well as the kinds of
rules information that can be transmitted between positions.
Payoff rules Assign external rewards or sanctions for particular actions or outcomes.

Many of these rules have cyber analogues, which emphasize

cybersecurity information sharing through public-private partnerships to
address common cyber threats, penalize firms and even nations for lax
cybersecurity due diligence, and define the duties-including liability-
94
of actors, such as Facebook and Google.
The question of what governance level is most appropriate to set
the rules for loT devices is pressing, with an array of jurisdictions,
including California, pressing ahead. For example, aside from its loT-
specific efforts, California's 2018 Consumer Privacy Act is helping to
set a new transparency-based standard for U.S. privacy protections.
Although not comparable to the EU's new General Data Protection
Regulation (GDPR) discussed below, it does include provisions that
allow consumers to sue over data breaches, including in the loT context,
and decide when, and how, their data is being gathered and used by
companies. 95 Whether such state-level action, even in a state with an

93 Elinor Ostrom & Sue Crawford, Classifting Rules, in UNDERSTANDING INSTITUTIONAL

DIVERSITY 186 (Elinor Ostrom ed., 2005).
94 See, e.g., Marguerite Reardon, Facebook's FTC Consent Decree Deal: What You Need to
Know, CNET (Apr. 14, 2018), https://www.cnet.com/news/facebooks-ftc-consent-decree-deal-
what-you-need-to-know.
95 See Ben Adler, California Passes Strict Internet Privacy Law with Implications for The
Country, NAT'L PUB. RADIO (June 29, 2018, 5:05 AM),
https://www.npr.org/2018/06/29/624336039/california-passes-strict-internet-privacy-law-with-
implications-for-the-country.

51
2019] GOVERNING THE INTERNET OF EVERYTHING 717

economic footprint the size of California, will help foster enhanced

cybersecurity due diligence across the broader IoE ecosystem remains
to be seen.

D. Action Arenas
The arena is just that, the place where decisions are made, where
"collective action succeeds or fails."' 96 Such arenas exist at three levels
within the IAD Framework--constitutional, collective-choice, and
operational. 97 Decisions made at each of these governance levels, in
turn, impact a range of rules and community attributes, which is an
important feature of the Framework that makes it "uniquely compatible
with multiple theories and models, including ...neoclassical theory,
game theory, public choice theory, and behavioral economics, with the
exception of (usually deterministic) models of irrational behavior." 9 8
Examples of decisionmakers in each arena in the cybersecurity context
include (1) at the constitutional level, judges deciding the bounds of
"reasonable care" and "due diligence"; 99 (2) federal and state
policymakers at the collective-choice (e.g., policy) level, such as FCC
Commissioners deciding the bounds of net neutrality (although a case
can be made there for them being at the constitutional level); and (3) at
the operational level, firms and everyone else. 100

E. Outcomes
This component of the lAD Framework references predictable
outcomes of interactions from social situations, which can include
consequences for both resource systems and units. 10 1 Whether such
outcomes are positive or negative is a normative question. Although
such considerations are beyond the findings of the IAD Framework, in
the cybersecurity context, an end goal to consider is defining and
implementing cyber peace.
"Cyber peace," which has also been called "digital peace,"' 10 2 is a term
that is increasingly used, but it also remains an arena of little consensus.
It is clearly more than the "absence of violence" online, which was the
starting point for how Professor Galtung described the new field of

96 Cole, supra note 14, at 59.

97 Id.
98 Id.
99See Scott J. Shackelford et al., Toward a Global Standard of Cybersecurity Care? Exploring
the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National
and InternationalCybersecurityPractices,50 TEX. INT'L L.J. 287 (2015).
100Cole, supra note 14, at 60.
10, Id. at 61.
102Digital Peace Now, MICROSOFT, https://digitalpeace.microsoft.com/ (last visited Nov. 5,
2018).

52
 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

peace studies he helped create in 1969.103 Similarly, Galtung argued that

finding universal definitions for "peace" or "violence" was unrealistic,
but rather the goal should be landing on an apt "subjectivistic"
definition agreed to by the majority.10 4 He undertook this effort in a
broad, yet dynamic way, recognizing that as society and technology
changes, so too should our conceptions of peace and violence. That is
why he defined violence as "the cause of the difference between the 10 5
potential and the actual, between what could have been and what is."
Cyber peace is defined here not as the absence of conflict, what may be
called negative cyber peace. 10 6 Rather, it is the construction of a
network of multilevel regimes that promote global, just, and sustainable
cybersecurity by clarifying the rules of the road for companies and
countries alike to help reduce the threats of cyber conflict, crime, and
espionage to levels comparable to other business and national security
risks. To achieve this goal, a new approach to cybersecurity is needed
that seeks out best practices from the public and private sectors to build
robust, secure systems, and couches cybersecurity within the larger
debate on Internet governance. Working together through polycentric
partnerships of the kind described below, we can mitigate the risk of
cyber war by laying the groundwork for a positive cyber peace that
respects human rights, spreads Internet access along with best practices,
and strengthens governance mechanisms by fostering multi-stakeholder
collaboration.10 7 The question of how best to achieve this end is open to
interpretation. As Cole argues, "[f]rom a social welfare perspective,
some combination of open- and closed-access is overwhelmingly likely
to be more socially efficient than complete open or close-access."1 0 8
Such a polycentric approach is also a necessity in the cyber regime

103 Johan Galtung, Violence, Peace, and Peace Research, 6 J. PEACE RES. 167, 168 (1969).
104 Id.
105Id.
106 The notion of negative peace has been applied in diverse contexts, including civil rights. See,
e.g., Martin Luther King, Jr., Non- Violence and Racial Justice, CHRISTIAN CENTURY, Feb. 6,
1957, at 118, 119 (arguing "[t]rue peace is not merely the absence of some negative force
tension, confusion or war; it is the presence of some positive force justice, good will and
brotherhood.").
107 See Johan Galtung, Peace, Positive and Negative, in THE ENCYCLOPEDIA OF PEACE
PSYCHOLOGY 758 60 (Daniel J. Christie ed., 2012) (comparing the concepts of negative and
positive peace). Definitions of positive peace vary depending on context, but the overarching
issue in the cybersecurity space is the need to address structural problems in all forms, including
the root causes of cyber insecurity such as economic and political inequities, legal ambiguities, as
well as working to build a culture of peace. Id at 759. ("The goal is to build a structure based on
reciprocity, equal rights, benefits, and dignity . . . and a culture of peace, confirming and
stimulating an equitable economy and an equal polity."); see also G.A. Res. 53/243A, Declaration
on a Culture of Peace (Oct. 6, 1999) (offering a discussion of the prerequisites for creating a
culture of peace including education, multi-stakeholder collaboration, and the "promotion of the
rights of everyone to freedom of expression, opinion and information").
108 Cole, supra note 14, at 61.

53
 2019] GOVERNING THE INTERNET OF EVERYTHING 719

complex, given the prevalence of private and public sector stakeholder

controls.

F. Evaluative Criteria
The final IAD framework box, according to Cole, is "the most
neglected and underdeveloped" of the frameworks. 09 Ostrom, for
example, offered the following "evaluative criteria" in considering how
best to populate it, including "(1) economic efficiency; (2) fiscal
equivalence; (3) redistributional equity; (4) accountability;
(5) conformance to values of local actors; and (6) sustainability." 1 0 In
the GKC context, these criteria might include "(1) increasing scientific
knowledge; (2) sustainability and preservation; (3) participation
standards; (4) economic efficiency; (5) equity through fiscal
equivalence; and (6) redistributional equity."Il1 This lack of rigor might
simply be due to the fact that, in the natural commons context, the
overriding goal has been "long-run resource sustainability."'' 12
In the cybersecurity context, increasing attention has been paid
identifying lessons from the green movement to consider the best-case
scenario for a sustainable cyber peace. According to Frank Montoya,
the former U.S. National Counterintelligence Chief, "[w]e're an
information-based society now. Information is everything. That
makes.., company executives, the front line-not the support
mechanism, the front line-in [determining] what comes."' 1 3 This
means the role of the private sector is integral in ongoing efforts aimed
at enhancing cybersecurity in the Internet of Everything, much like the
increasingly vital role firms are playing in fostering sustainability.1 14
Similar trends are playing out in cybersecurity circles,1 15 which are
prompting the consideration of novel cybersecurity strategies aimed at
translating this increased interest into action, including certification
schemes inspired by the organic trade movement, and even the
application of environmental law principles such as "no harm" to help

109 Id. at 62.

110 Id. at 62.
Ill Hess & Ostrom, supra note 56, at 62.
112Cole, supra note 14, at 62.
113 Tom Gjelten, Bill Would Have Businesses Foot Cost of Cyberwar, NAT'L PUB. RADIO (May
8, 2012), http://www.npr.org/2012/05/08/152219617/bill-would-have-businesses-foot-cost-of-
cyber-war.
114 See A New Era of Sustainability: UN Global Compact-Accenture CEO Study 2010, UNITED
NATIONS GLOBAL COMPACT (June 2010),
https://www.unglobalcompact.org/docs/newsevents/8. 1/UNGCAccentureCEOStudy_201 O.p
df.
115See, e.g., Matt Egan, Survey: Investors Crave More Cyber Security Transparency, Fox Bus.
(Mar. 4, 2013), https://www.foxbusiness.com/markets/survey-investors-crave-more-cyber-
security-transparency.

54
 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3
1 16 Indeed,
fill out an international cybersecurity due diligence norm.
cybersecurity is increasingly integral to discussions of sustainable
development-including Internet access-which could inform the
evaluative criteria of a sustainable cyber peace in the Internet of
Everything. Such an approach also accords with the "environmental
metaphor for information law and policy" that has been helpful in other
efforts.1 17 However, the analogy is not perfect, given that, unlike in the
natural world, "knowledge commons arrangements usually must create
a governance structure within which participants not only share existing
resources but also engage in producing those resources and, indeed, in
determining their character."1' 18

G. Summary and GKC Insights

It can be difficult to exclude users from networks, especially
those with valuable trade secrets, given the extent to which they present
enticing targets for both external actors and insider threats. Given these
distinctions, Professor Brett Frischmann has suggested a revised lAD
Framework for the Knowledge Commons reproduced in Figure 3.

Rues-n-Use

119
Figure 3: Governing Knowledge Commons Framework
Space constraints prohibit an in-depth analysis of the myriad ways in
which the GKC Framework might be useful E. in conceptualizing an array
of security and privacy challenges in the In brief, the distinctions
with this approach, as compared with the traditional IAD Framework,
include (1) greater interactions on the left side of the chart underscoring
the complex interrelationships in play; (2) the fact that the action area
community
can similarly influence the resource characteristics andoutcomes
attributes; and (3) that the interaction of rules and in

11l6 See Shackelford et al., supra note 84.

l117Frischmann, Madison & Strandburg, supra note 74, at 16.
118 Id.
''9 Id. at 19.

55
2019] GOVERNING THE INTERNET OF EVERYTHING 721

knowledge commons are often inseparable. 1 20 These insights also

resonate in the IoE context, given the tremendous amount of
interactions between stakeholders, including IoT device manufactures,
standards-setting bodies, regulators (both national and international),
and consumers. Similarly, these interactions are dynamic, given that
security compromises in one part of the IoE ecosystem can lay out in a
very different context, as seen in the Mirai botnet, in which
compromised smart light bulbs were networked to crash critical Internet
12 1
services.
An array of research questions can and should be pursued using
the GKC Framework as applied to the IoE, as are laid out in Figure 4.

Figure 4: Knowledge Commons Framework and Representative

122
Research Questions

Background Environment

* What is the background context (legal, cultural, etc.) of

this particular commons?

* What normative values are relevant for this community?

* What is the "default" status of the resources involved in

the commons (patented, copyrighted, open, or other)?

* How does this community fit into a larger context? What

relevant domains overlap in this context?

Attributes

Resources * What resources are pooled and how are they created or
obtained?

a What are the characteristics of the resources? Are they

rival or nonrival, tangible or intangible? Is there shared
infrastructure?

* What is personal information relative to resources in this

120Id.
121See Bogdan Botezatu, Unprotected loT Devices Killed the US Internet for Hours,
BITDEFENDER (Oct. 23, 2016), https://www.bitdefender.comibox/blog/iot-news/mirai-iot-
security-alert/.
122 Frischmann, Madison & Strandburg, supra note 74, at 20 21.

56
 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

action arena?

* What technologies and skills are needed to create, obtain,

maintain, and use the resources?

* What are considered to be appropriate resource flows?

How is appropriateness of resource use structured or
protected?

Community * Who are the community members and what are their
Members roles?

* What are the degree and nature of openness with respect

to each type of community member and the general
public?

* What non-community members are impacted?

Goals and 0 What are the goals and objectives of the commons and
Objectives its members, including obstacles or dilemmas to be
overcome?

* Who determines goals and objectives?

* What values are reflected in goals and objectives?

* What are the history and narrative of the commons?

a What is the value of knowledge production in this

context?

Governance

Context 0 What are the relevant action arenas? How do they relate
to the goals and objectives of the commons and the
relationships among various types of participants, and
with the general public?

* Are action arenas perceived to be legitimate?

Institutions * What legal structures (e.g., intellectual property,

subsidies, contract, licensing, tax, antitrust) apply?

57
2019] GOVERNING THE INTERNET OF EVERYTHING 723

* What are the governance mechanisms (e.g., membership

rules, resource contribution or extraction standards and
requirements, conflict resolution mechanisms, sanctions
for rule violation)?

* What are the institutions and technological

infrastructures that structure and govern decision
making?

* What informal norms govern the commons?

* What institutions are perceived to be legitimate?

Illegitimate? How are institutional illegitimacies
addressed?

Actors 0 Who are the decision-makers, and how are they selected?
Are decision-makers perceived to be legitimate?

* How do nonmembers interact with the commons? What

institutions govern those interactions?

* Are there impacted groups that have no say in

governance?

Patterns and Outcomes

* What benefits are delivered to members and to others

(e.g., innovations and creative output, production,
sharing, and dissemination to a broader audience, and
social interactions that emerge from the commons)?

* What costs and risks are associated with the commons,

including any negative externalities?

* Are outcomes perceived to be legitimate by members?

By decision-makers? By impacted outsiders?

Space constraints prohibit a comprehensive analysis of how each of

these questions apply in the IoE context, and many of these points were
addressed already in reference to the Ostrom Design Principles, as well
as the IAD and GKC Frameworks. In brief, though, and focusing on the
governance section, as has been discussed in reference to action arenas,
there are a huge number of forums-both public and private-in play,
including sector-specific ISACs, broader Information Sharing and

58
 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

Analysis Organizations (ISAOs), as well as Cyber Emergency Response

Teams (CERTs) and joint Security Operations Centers (SOCs). It is
important to recognize the polycentric nature of this domain to ascertain
the huge number of stakeholders-including users-that can and should
have a say in contributing to legitimate governance. Indeed, such
concerns over "legitimate" Internet governance have been present for
decades, especially since the creation of the Internet Corporation for
Assigned Names and Numbers (ICANN). 123 Given the pushback against
that organization as a relatively top-down artificial construct as
compared to the more bottom-up Internet Engineering Task Force
(IETF), 124 legitimacy in the IoE should be predicated to the extent
possible locally through independent (and potentially air gapped)
networks, Internet Service Providers (ISPs), and nested state, federal,
and international law. To conceptualize such system, the literature on
regime complexes might prove helpful, which is discussed below after
first considering the application of blockchain tech to build trust in the
distributed IoE.

IV. Is BLOCKCHAIN THE ANSWER TO THE IoE's WOES?

Professor Ostrom argued that "[t]rust is the most important
resource." 125 Indeed, the end goal of any governance institution is
arguably trust-how to build trust across users to attain a common goal,
be it sustainable fishery management or securing the IoE. The IAD and
GKC Frameworks provide useful insights toward this end. But one
technology could also help in this effort, namely blockchain, 126 which,
' ' 27
according to Goldman Sachs, could "change 'everything. "
Regardless of the question being asked, some argue that it is the answer
to the uninitiated-namely, a blockchain cryptographic distributed
ledger. 128 Its applications are widespread, from recording property deeds

123 See Scott J. Shackelford & Amanda N. Craig, Beyond the New "DigitalDivide ": Analyzing
the Evolving Role of National Governments in Internet Governance and Enhancing
Cybersecurity, 50 STAN. J. INT'L L. 119, 119 (2014).
124 Id.
125 Interview with Nobel Laureate Elinor Ostrom, ESCOTET FOUND.,
http://escotet.org/2010/11/interview-with-nobel-laureate-elinor-ostrom/ (last visited June 29,
2018).
126 See Naomi Lachance, Not Just Bitcoin: Why the Blockchain Is a Seductive Technology to
Many Industries, NAT'L PUB. RADIO (May 4, 2016, 7:01 AM),
http://www.npr.org/sections/alltechconsidered/2016/05/04/476597296/not-just-Bitcoin-why-
blockchain-is-a-seductive-technology-to-many-industries.
127 Id.
128 At its root, a blockchain is a "shared, trusted, public ledger that everyone can inspect, but
which no single user controls." The Promise of the Blockchain: The Trust Machine, ECONOMIST
(Oct. 31, 2015), https://www.economist.com/leaders/2015/10/3 1/the-trust-machine. For more on
how blockchain works, see Appendix A in Scott J. Shackelford & Steve Myers, Block-by-Block:
Leveraging the Power of Blockchain Technology to Build Trust and Promote Cyber Peace, 19

59
 2019] GOVERNING THE INTERNET OF EVERYTHING 725

to securing medical devices. 129 As such, its potential is being

investigated by a huge range of organizations. 130 These include the U.S.
Defense Advanced Research Projects Agency (DARPA), 13 1 IBM,
Maersk, Disney, 132 and Greece, the latter of which is seeking to leverage
blockchain to help enhance social capital by helping to build trust
around common governance challenges, such as land titling. 33
Examples are similarly abound regarding how firms use blockchains to
enhance cybersecurity. 134 The technology could enable the Internet to
become decentralized, pushing back against the type of closed platforms
analyzed by Professor Johnathan Zittrain and others, 35 but this "will
only happen when it becomes accepted that decentralized is safer than
centralized." 136 Already, a number of loT developers are experimenting
with the technology in their devices; indeed, according to one recent
survey, blockchain adoption in the IoT industry doubled over the course
of 2018.137
Yet formidable hurdles remain before blockchain technology
can be effectively leveraged to help promote sustainable development,
peace, and security in the IoE. No blockchain, for example, has yet
scaled to the extent necessary to search the entire web. There are also
concerns over hacking and integrity (such as when a single entity
controls more than fifty percent of the processing power), including the
fact that innovation is happening so quickly that defenders are put in a
difficult position as they try to build resilience into their distributed
systems. 138 But the potential for progress demands further research,

YALE J.L. & TECH. 334, 383 88 (2017).

129See Asha McLean, ASX Argues Medical Records Are Ripe for Blockchain, ZDNET (Nov. 16,
2016), http://www.zdnet.com/article/asx-argues-medical-records-are-ripe-for-blockchain/. See
generally Scott J. Shackelford etal., Securing the Internet of Healthcare, 19 MINN. J.L. SCI. &
TECH. 405 (2018).
130See Kyle Torpey, Prediction: $10 Billion Will Be Invested in Blockchain Projects in 2016,
COIN J. (Jan. 22, 2016), http://coinjournal.net/prediction-10-billion-will-be-invested-in-
blockchain-startups-in-2016/.
131See Lachance, supra note 126.
132 See Don Tapscott & Alex Tapscott, Here's Why Blockchains Will Change the World,
FORTUNE (May 8, 2016), http://fortune.com/2016/05/08/why-blockchains-will-change-the-world.
133MICHAEL J. CASEY & PAUL VIGNA, THE TRUTH MACHINE: THE BLOCKCHA1N AND THE
FUTURE OF EVERYTHING 6 (2018).
134Tapscott & Tapscott, supra note 132.
135JONATHAN ZITTRAIN, THE FUTURE OF THE INTERNET AND HOW TO STOP IT 36 37 (2008).
136 Bernard Lunn, Bitcoin Blockchain Could Solve the Cyber Security Challenge for Banks,
DAILY FINTECH (Oct. 30, 2015), https://dailyfintech.com/2015/10/30/Bitcoin-blockchain-could-
solve-the-cyber-security-challenge-for-banks/.
137See Adrian Zmudzinski, Blockchain Adoption in loT Industry More Than Doubled in 2018:
Survey, COINTELEGRAPH (Jan. 15, 2019), https://cointelegraph.com/news/blockchain-adoption-
in-iot-industry-more-than-doubled-in-2018-survey.
138 See John Villasenor, Blockchain Technology: Five Obstacles to Mainstream Adoption,
FORBES (June 3, 2018, 7:43 PM),

60
726 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

including how it could help promote a polycentric cyber peace in the

burgeoning Internet of Everything.

V. POLYCENTRIC IMPLICATIONS FOR MANAGERS AND POLICYMAKERS

As Professor Cole has maintained, "those looking for normative
guidance from Ostrom" and the relevant governance frameworks and
139 Similar to
design principles discussed herein are often left wanting.
the big questions in the field of intellectual property, such as defining
140 it stands to reason, then, that the
the optimal duration of a copyright,
Ostroms' work might tell us relatively little about the goal of defining,
and pursuing, cyber peace. An exception to the Ostroms' desire to
eschew normative suggestions, though, is polycentric governance,
which builds from the notion of subsidiarity in which governance "is a
'co-responsibility' of units at central (or national), regional
14 1
(subnational), and local levels."'
For purposes of this study, the polycentric governance
framework may be considered to be a multi-level, multi-purpose, multi-
2
functional, and multi-sectoral model 14 that has been championed by
numerous scholars, including Nobel Laureate, Elinor Ostrom, and
Professor Vincent Ostrom.143 It suggests that "a single governmental
unit" is usually incapable of managing "global collective action
problems"' 144 such as cyber-attacks. Instead, a polycentric approach
recognizes that diverse organizations working at multiple scales can
45 Such
enhance "flexibility across issues and adaptability over time."'

https://www.forbes.com/sites/j ohnvillasenor/2018/06/03/blockchain-technology-five-obstacles-
to-mainstream-adoption/#6979b4955ad2.
139 Cole, supra note 14, at 46.
140 Id. at 47.
141 Id.
142Michael D. McGinnis, An Introduction to lAD and the Language of the Ostrom Workshop: A
Simple Guide to a Complex Framework, 39 POL'Y STUD. J. 163, 171 72 (2011) (defining
polycentricity as "a system of governance in which authorities from overlapping jurisdictions (or
centers of authority) interact to determine the conditions under which these authorities, as well as
the citizens subject to these jurisdictional units, are authorized to act as well as the constraints put
upon their activities for public purposes").
143 Elinor Ostrom, Polycentric Systems as One Approachfor Solving Collective-Action Problems
I (Ind. Univ. Workshop in Pol. Theory & Pol'y Analysis, Working Paper Series No. 08 6, 2008),
http://dlc.dlib.indiana.edu/dlc/bitstream/handle/10535/4417/W08-
6 Ostrom DLC.pdf? sequence= 1.
44 Elinor Ostrom, A Polycentric Approach for Coping with Climate Change 35 (World Bank,
Pol'y Res., Working Paper No. 5095, 2009),
26 8
http://www.iadb.org/intal/intalcdi/pe/2009/04 .pdf.
145 Robert 0. Keohane & David G. Victor, The Regime Complex for Climate Change, 9 PERSP.
ON POE. 7, 15 (2011); cf Julia Black, Constructingand Contesting Legitimacy andAccountability
in Polycentric Regulatory Regimes, 2 REG. & GOVERNANCE 137, 157 (2008) (discussing the
legitimacy of polycentric regimes, and arguing that "[a]ll regulatory regimes are polycentric to
varying degrees ... ").

61
 2019] GOVERNING THE INTERNET OF EVERYTHING 727

an approach can help foster the emergence of a norm cascade improving

the Security of Things. 146
Not all polycentric systems are guaranteed to be successful.
Disadvantages, for example, can include gridlock and a lack of defined
hierarchy. 147 The Ostrom Design Principles can help predict the
institutional success of given interventions, 148 then, but the literature
remains immature, as does the current state of IoE governance.
However, progress has been made on norm development, including
cybersecurity due diligence, discussed below, which will help JoT
manufacturers better fend off attacks against foreign nation states.
Further polycentric efforts are needed, as was made evident when the
Information Systems Audit and Control Association (ISACA) 149
surveyed IT professionals in the United Kingdom and found that
"[seventy five] percent of the security experts polled say they do not
believe device manufacturers are implementing sufficient security
measures in IoT devices, and a further [seventy three] percent say
existing security standards in the industry do not sufficiently address
JoT specific security concerns." 15 0 Such sentiments are perhaps one
reason that, according to a Dutch cybersecurity survey, "[seventy nine]
percent [of respondents] are requesting more robust government-issued
security guidelines." 1 5'
It is important to note that even the Ostroms' commitment to
polycentric governance "was contingent, context-specific, and focused
on matching the scale of governance to the scale of operations
appropriate for the particular production or provision problem under
investigation."' 152 During field work in Indianapolis, IN, for example,
the Ostroms found that, in fact, medium-sized police departments
"outperformed both smaller (neighborhood) and larger (municipal-
level) units."' 153 In the IoE context, as has been noted, the scale could

146 See Martha Finnemore & Kathryn Sikkink, International Norm Dynamics and Political
Change, 52 INT'L ORG. 887, 895 98 (1998). For a deeper dive on this topic, see Chapter 2 in
SCOTT J. SHACKELFORD, MANAGING CYBER ATTACKS IN INTERNATIONAL LAW, BUSINESS, AND
RELATIONS: IN SEARCH OF CYBER PEACE (2014).
147 See Robert 0. Keohane & David G. Victor, The Regime Complex for Climate Change 17
(Harv. Project on Int'l Climate Agreements, Discussion Paper 10-33, 2010),
http://belfercenter.ksg.harvard.edu/files/KeohaneVictor Final_2.pdf.
148 For more on this topic, see Shackelford et al., supra note 13.
149 See generally About ISACA, ISACA, http://www.isaca.org/about-isaca/Pages/default.aspx
(last visited Dec. 16, 2015) (stating that ISACA was previously known as "Information Systems
Audit and Control Association").
150 Existing Security Standards Do Not Sufficiently Address loT, HELP NET SEC. (Oct. 15, 2015),
http://www.net-security.org/secworld.php?id= 18981.
151Zmudzinski, supra note 137.
152 Cole, supra note 14, at 47.
153 Id.

62
 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

not be greater with billions of people and devices interacting across

myriad sectors, settings, and societies. The sheer complexity of such a
system, along with the history of Internet governance to date, signals
that there can be no single solution or governance forum to foster cyber
peace in the IoE. Rather, polycentric principles gleaned from the
Ostrom Design Principles along with the TAD and GKC Frameworks
should be incorporated into novel efforts designed to glean the best
governance practices across a range of devices, networks, and sectors.
These should include creating clubs and industry councils of the kind
that the GDPR is now encouraging to identify and spread cybersecurity
best practices, leveraging new technologies such as blockchain to help
build trust in this massively distributed system, and encouraging norm
entrepreneurs like Microsoft and the State of California to experiment
with new public-private partnerships informed by the sustainable
development movement. Success will be difficult to ascertain as it
cannot simply be the end of cyber-attacks in the ToE. As has been noted,
evaluation criteria are largely undefined in the TAD Framework, which
the community should take as a call to action, such as by laying out the
154 The members
objectives of cyber peace in the Internet of Everything.
of the Cybersecurity Tech Accord and the Trusted loT Alliance should
take up this call to action and work with civil society, academics, and
the public sector to begin to define end goals to help drive concrete
polycentric action.
Such efforts may be conceptualized further within the literature
on the cyber regime complex. As interests, power, technology, and
information diffuse and evolve over time within the loE, comprehensive
1 55
regimes are difficult to form. Once formed, they can be unstable. As a
result, "rarely does a full-fledged international regime with a set of rules
and practices come into being at one period of time and persist
intact."' 5 6 According to Professor Oran Young, international regimes
emerge as a result of "codifying informal rights and rules that have
evolved over time through a process of converging expectations or tacit
bargaining." 157 Consequently, regime complexes, as a form of bottom-
up institution building, are becoming relatively more popular due to
divergent interests. These divergent interests may have some benefits
since negotiations for multilateral treaties could divert attention from
more practical efforts to create flexible, loosely coupled regimes within

154 Id. at 49.

155Keohane & Victor, supra note 145, at 7 8.
156 Id.at 9.
157 Oran R. Young, Rights, Rules, and Resources in World Affairs, in GLOBAL GOVERNANCE:
DRAWING INSIGHTS FROM THE ENVIRONMENTAL EXPERIENCE 10 (Oran R. Young ed., 1997).

63
2019] GOVERNING THE INTERNET OF EVERYTHING 729

the IoE ecosystem.15 8 An example of such a regime from Professor

Joseph S. Nye, Jr. is included in Figure 5.

Figure 5: Professor Nye's Cyber Regime Complex Map 159

- -

iFt

But there are also the costs of regime complexes to consider. In

particular, such networks are susceptible to institutional fragmentation
and gridlock caused by overlapping authority that must still "meet
standards of coherence, effectiveness, [and] ... sustainability. ' 1 60 And
there are moral considerations about such regime complexes. For
example, in the context of climate change, these regimes omit nations
that are not major emitters, such as the least developed nations that are
the most at-risk to the effects of a changing climate. Similar arguments
could play out in the IoE context with some consumers only being able
to access less secure devices due to jurisdictional difference that could
impinge on their privacy. Consequently, the benefits of regime
complexes must be critically analyzed. To aid in this effort, scholars and
policymakers should make use of the literature on modularity, which is
"essential to the design of complex systems, considering that we have
limited mental capabilities and can only process sub-segments of such
systems at a time."1 6 1 By identifying design rules for the architecture,
interfaces, and integration protocols within the JoE, both governance

158 Keohane & Victor, supra note 145, at 2.

159 Joseph S. Nye, Jr., The Regime Complex for Managing Global Cyber Activities 8 (Global
Comm'n on Internet Governance, Paper Series: No.1, May 2014),
https://www.cigionline.org/sites/default/files/gcigjpaper-no 1.pdf.
160Id.at 2, 18 19, 25.
161JOSEF WALTL, IP MODULARITY IN SOFTWARE PRODUCTS AND SOFTWARE PLATFORM
ECOSYSTEMS 20 (2013) (citing CARLISS YOUNG BALDWIN & KIM B. CLARK, DESIGN RULES:
THE POWER OF MODULARITY 63 (2000)).

64
730 CARDOZO ARTS & ENTERTAINMENT [Vol. 37:3

scholars and policymakers may be able to develop novel research

designs and interventions to help promote cyber peace.

CONCLUSION
As has been argued, "there are no institutional panaceas for
resolving complex social dilemmas." 162 Never has this arguably been
truer than in the IoE context. Yet, we ignore the history of governance
investigations at our peril, as we look ahead to twenty-first century
global collective action problems such as promoting cyber peace in the
Internet of Everything. Cole aptly sums up the current situation as
follows:
Thanks primarily to Elinor Ostrom and her colleagues at the Ostrom
Workshop in Political Theory and Policy Analysis, we have learned
that common-property regimes are a viable third category of
governance regimes for successfully managing natural common-pool
resources over long periods of time. And we have gained some idea
of the conditions under which common-property regimes seem more
or less likely to succeed based on the 'design principles' Ostrom
derived from her meta-analyses of hundreds of individual cases.
Since then, despite increasing data collection and efforts to improve
analytical methods, further progress toward understanding and
diagnosing (let alone resolving) commons 63
problems has been
marginal (though hardly insignificant). 1

Important questions remain about the utility of the Design Principles,

the IAD, and GKC Frameworks to helping us govern the Internet of
Everything. Still, more questions persist about the normative goals in
such an enterprise, for example, what cyber peace might look like and
how we might be able to get there. That should not put off scholars
interested in this endeavor. Rather, it should be seen as a call to action.
The stakes could not be higher. Achieving a sustainable level of
cybersecurity in the Internet of Everything demands novel
methodologies, standards, and regimes. The Ostroms' legacy helps to
shine a light on the path toward cyber peace.

162 Cole, supra note 14, at 48.

163 Id. at 64.

65
Center for Digital Society

Faculty of Social and Political Sciences

Universitas Gadjah Mada
Room BC 201-202, BC Building 2nd Floor,
Jalan Socio Yustisia 1
Bulaksumur, Yogyakarta, 55281, Indonesia

Phone : (0274) 563362, Ext. 116

Email : [email protected]
Website : cfds.fisipol.ugm.ac.id

facebook.com/cfdsugm Center for Digital Society (CfDS) cfds_ugm

@cfds_ugm @cfds_ugm CfDS UGM