IoT Expert Sebastian Golasch: We Need More Regulations and Better Protection of Users Even if That Leads Us to Cut on Features
Every other “smart” gadget on the market brings us closer to the Internet of Things, a huge interconnected network of devices ranging from smartphones and cars to lightbulbs and stoves. As compact and portable computers become increasingly abundant, our kettles and entire houses become smarter and, in some cases, even able to engage in a meaningful conversation with their owners, like the hyperactive cutlery from one well-known animated movie by Disney.
However, such a sci-fi dream coming to life may entail substantial risks when it comes to people’s privacy and even personal safety, let alone the premise of a fridge annoying you with its remarks about your dietary habits.
As well as almost any new technology, the Internet of Things puts forth the need of appropriate regulations to make it serve us well and avoid potential harm. To get a professional’s perspective on the current progress and the potential ramification of the IoT adoption, lawless.tech reached out to Sebastian Golasch, a “smart home” developer and a prominent speaker well acquainted with the matter.
lawless.tech: Could you tell us about yourself? Why have you decided to become a developer? What has drawn your attention to IoT tech?
Sebastian Golasch: I’m Sebastian, I live in Cologne, Germany and I do work for Deutsche Telekom’s Smart Home Project Qivicon for almost six and a half years now. Like most things in my life, I kinda became a developer by accident.
I have been fascinated by science and especially computers since I was about 4 years old (at least that’s how far back my memory goes). When I was young I always wanted to become an architect, well, until I turned 14 and started writing for our local newspaper. After that happened, I became addicted to writing and wanted to become a music journalist, which I tried to pursue until I was in my early 20s. I attended a media school, to learn more about the producing side of magazines and newspapers, but instead I learned a lot about web design, CSS, HTML and PHP there. I’ve become addicted to programming since that day 14 years ago.
For a long time, I thought that my dreams of being a journalist or architect had nothing to do with the job I chose, being a developer, especially in the IoT space, but the more I thought about it, the more it became apparent to me that the creative process of writing those articles, interviews, and essays is quite close to the way I write code and working with IoT components influences the real world, in some way architecture does as well. Might sound a bit far-fetched, but to me it started to make sense.
So, half of my development career I spend working at agencies, developing typical e-commerce sites for airlines etc. and I got so bored: clients that don’t take any advice and the only “impact” was that some other company made more money. I grew sick of agency business and wanted to move to a team that does product development. Around that time I saw the Talk by Nikolai & Jörn at JSConf.eu 2010. That was the first time I’ve seen someone doing hardware hacking with JavaScript and then I realized that this was the part that I was missing from my job, building something that has an immediate impact on users, something that branches out in their everyday lives. I haven’t realized it back then, but that was a revelation which led straight to the job I still have.
lawless.tech: Can you recall your favorite examples of yesterday’s sci-fi technology that are coming to life today?
Sebastian Golasch: Well, it might be a very worn out example, but at the moment it’s still voice recognition. As someone who grew up watching and loving Star Trek: The Next Generation, it just seems like a miracle to me that we are at 80% of the capacities of the voice recognition used on Enterprise already today. It is something truly magical to be able to enter a room and turn on the lights by just saying “Computer, living room lights to 60%”. That is what my childhood Starfleet role models were able to do and it seemed impossible to achieve during my lifetime back in the early 90s. And now, look where we are, I can order an Echo device for 40 bucks and it just works. Yes there are privacy issues, situations where we have to revert to some machine-like grammar that we’d never use when we’d talk to other humans, but I’m feeling confident that we’ll be able to sort this out. Especially nowadays, where we get open source projects like DeepSpeech from Mozilla that make it possible for any developer out there to participate in this space and to be able to help to shape its future.
lawless.tech: What are the main trends in IoT development? Are fragmented IoT services, e.g. separate applications for a kettle, climate control system etc. better than the all-in-one service model, managing the entire smart house?
Sebastian Golasch: Might sound like a downer, but the biggest trend is still to make it work properly. No, seriously, after nearly 7 years of development we’re still tackling bugs you wouldn’t expect from a mature product where a great amount of development is spent on highly sophisticated testing. But here’s the thing: we can’t really peek into customers homes and as we’re dealing with various radio protocols, it’s really hard to account for every possibility out there. It gets better by the day, but still, I can often understand our users and their complaints but sometimes I’d just like to tell them that we can’t bend the laws of physics.
Aside from that, companies are still trying to make sense of the huge amounts of data that could be theoretically harvested, but I’ll think we talk about that a bit later on in more detail.
In regards to the fragmented services vs. the “all-in-one” solutions, the only possible answer is – it depends!
If you have a specific use case, like optimizing your heating system by utilizing thermostats, window sensors, etc., I think you’re very well off with a solution that provides exactly this, I haven’t yet found a solution (within one ecosystem) that works well across multiple use cases, especially for high-end users.
Also, the fragmentation will grow, we already have a huge list of used protocols, and even if we only take the most popular ones (ZigBee, Z-Wave, DECT, Wi-Fi, Bluetooth, BidCos (DE), and EnOcean), we see significant differences in the actual application of these. For example, EnOcean is all about energy harvesting devices, the protocol is designed around that idea of having a light switch which has no constant power source, that harvests the energy that it needs to transmit the radio message using the kinetic energy of the button press. A brilliant idea, but it has drawbacks, like the fact that the energy doesn’t suffice to properly encrypt that message. That’s okay for switches, but what about more sensitive areas? Such a protocol couldn’t be used to transmit video data while being as efficient as it is for low energy use cases.
Long story short: I predict we will see even more fragmentation in the market but, at the same time, more companies that cooperate with others, building bridges for each other’s products.
lawless.tech: What are the main legal problems you’ve faced developing IoT products? In general, what are the key complications with IoT solutions in terms of regulations?
Sebastian Golasch: To be honest, beyond the regular regulations that every company that has something to do with either software that collects user data (Hello, GDPR!) or hardware manufacturers (passing CE tests or other tests relevant for tech products in the country they’re sold in), sticking to special frequencies for radio transmissions etc., there are none. At least not from national or international authorities.
The biggest problem we face due those regulations are the mentioned radio frequencies that can be used in different parts of the world (see ISM-Band frequencies). Z-Wave, for example: in Europe it transmits on 868 Mhz, while in the US it’s using the 915 Mhz center frequency. It means you can’t buy a Z-Wave device in the US and use it in Europe, even if they use the same protocol.
Aside from the data protection regulation I haven’t really come across any legal problems, which I think is highly alarming! We need more regulations and better protection of users, even if that leads us to cut on features. Some companies are treating their users very unethically and we need all the power we can get to advocate for the users.
lawless.tech: What aspects of the IoT tech development should be strictly regulated and what aspects should be left up to the developers themselves in order to keep everybody safe and the progress going? Where would you draw the line between too strict and too loose regulations?
Sebastian Golasch: Developers’ primary task is not to write code, our primary task is to understand the problem we’re facing. That implicitly not only contains finding the best technical solution, the top priority should include finding the solution which is the most ethical, least invasive & most inclusive for the user. Until now, this is up to the companies and we all know, personal data means lots of cash these days.
There are at least two domains in which I’d like to see some well-crafted regulations:
- User data handling, which data gets stored where and a way to delete it all (including things like the historical data stored in companies backups, etc).
- Companies that produce security-relevant devices (like door locks, smoke detectors, etc.) should need to pass some (or more than today’s) tests, and have an official review of the devices before they are allowed to sell them. This might be true for some regions, but we need better, almost globally applicable standards for this.
lawless.tech: In the interview for AmsterdamJS you’ve said that computers are getting more powerful, smaller, and cheaper at the same time, and it’s busting the IoT industry. Why? For how long, in your opinion, the “Moore’s law” of doubling the number of transistors in a dense integrated circuit every two years will be relevant?
Sebastian Golasch: We can now add them to nearly every old-fashioned device (like a kettle or a coffee machine) without optical implications and without the need for an extraordinary budget. Everyday objects are turning “smart” (the sheer amount of Kickstarter projects that reinvent the wheel – literally – accounts for this). I’m too far away from the actual chip manufacturer scene to tell or predict where this will end, but if we compare the power, size, and budget needed for a full-blown workstation from 20 years ago with what we can get from a Raspberry PI Zero for just 5 bucks nowadays… Unbelievable is the only word that comes to my mind.
lawless.tech: What are the most advanced IoT devices already available to consumers? Can an enthusiast build themselves their own IoT-enabled world right now? How will it look like?
Sebastian Golasch: I think it’s pretty safe to say that we got the lighting stuff under control. The Hue system from Philips is a huge success, worldwide. We owe it to the success of this system that companies like IKEA are getting into the game as well, producing rather cheap and highly available systems. So, Lights: check!
I’d personally like to see more white goods like connected washing machines, ovens etc. for affordable amounts of money, as well as reliable connected heating solutions. Solutions that aren’t only comforting for us humans, but are also pro-actively trying to help us save energy and water. Solutions that are good for the environment. We’re missing out on this.
Of course, if you are very enthusiastic and have a lot of skill and time, you can build your DIY home automation system, but let us be honest: every time you need to plug something into a power socket that you build yourself you’re going to live with the fear of burning down your house. Don’t get me wrong, DIY hardware projects are fun, they are great ways to learn how things work. I like to compare it to the era a 100 years ago when toy steam engines were really popular, assembling them was a great way to learn the inner mechanics, but just because you’re capable of that didn’t lead people to build their own power plants for their household.
There are certain tasks where I’d like to put my trust into the hands of professionals and not into my own.
That’s true for hardware, on the other hand, DIY projects based on open source software that interact with consumer electronics is a very much needed and a very desirable thing to have.
It can give us back some control and it can foster our faith in this new technology segment. If you open source your code (or build your product on an open source system, like we do with Eclipse Smarthome) I’m your first paying customer. Open source is the only option to free us from vendor lock-ins!
lawless.tech: Who should be liable if, for example, a smart house locks its owner inside: the hardware manufacturer, the user, or the software developer?
Sebastian Golasch: Hard to tell. As far as I know, we haven’t had many cases or lawsuits regarding this. First of all, a good system should always provide a manual override, if that isn’t given, I think it’s the manufacturers’ fault. You should always be able to enter or leave your home, you should always be able to turn on your lights the old fashioned way if no internet connection is available etc.
Even more tricky, if your smoke alarm goes off while your away and the system automatically calls 911, what happens if that is a false alarm? Who will take over the costs for that?
I feel not capable of answering that; we will see a few lawsuits in the future and we will get answers case by case.
lawless.tech: The IoT service providers collect a lot of information about their users, so this information should probably be properly protected. How Qivicon, for example, keeps the data and users’ privacy protected?
Sebastian Golasch: I can’t disclose the details of how we, at Qivicon, are handling this on a technical level, but this isn’t very important, because the most important thing is that the manufacturer itself should only be able to access and remotely store the bare minimum of data. In our case, that’s the name and the address of our customer for billing. All data is stored on the users’ router device at home, and even if we wanted, we wouldn’t be able to access the data. Even for diagnostics data and logs, we need the owner of the system granting us access (limited to 24 hours) to that data.
I’m very proud of our policy regarding this. In my opinion, it should be the default for every company out there. Period. People spend lots of money on their systems, we shouldn’t be treating them as cash cows turning their private data into money as well. My personal wish would be that this becomes a major selling point and relevant enough for the marketing departments to advertise for this, maybe this way we could put some pressure on companies not following this best practices.
lawless.tech: Is it a good practice to use encryption in IoT services to make users data more protected and private, or do the IoT services protect data in other ways?
Sebastian Golasch: Theoretically, nearly every system provides a way to encrypt communication, but with the exception of ZigBee (if we’re talking about the radio communication itself) it is treated as an optional feature. Enocean, for example, provides encryption for radio messages, but many (if not most) devices do not implement it.
Other protocols, like Homematic BidCos offer a private/public key signing service for radio messages, but no encryption. So using a $10 DVB-T stick, tuned on to 868 Mhz allows us to read all the sensory data, but at least attackers can’t take over our homes, because all commands that issue actions need to be signed.
I bet other systems do use various other techniques to try and protect data. The problem we’re facing here is mostly related to battery powered devices, manufacturers need to make them as energy efficient as possible, which leads to the fact that we have processors that are not suitable for high-level encryption. I have hopes that the technical evolution will lead to more powerful and less energy-hungry hardware and that will allow us to have encryption by default.
lawless.tech: Is it necessary to use AI for developing an IoT-related product? How frequently IoT projects use AI in general
Sebastian Golasch: Necessary, definitely not. I’d even say dangerous if they rely on parsing your data remotely, in the “cloud”. Because then they have to get your data into their remote systems, that opens up many more possibilities for intruders. We have the computing power available at home for image recognition, voice recognition, and other highly sophisticated tasks, the power of a Raspberry Pi Model 3 is enough to do exactly that in nearly real-time. Once we have that power available in retail systems then I’m up for a talk about integrating this on a large scale. But there are many other problems, biased AI systems for example. I’m not sure if I would put my home in the hands of a machine that decides what’s best for me. We will get there, but we need to let the buzzword dust settle a bit.
Coming from there, aside from the big players (Amazon Alexa, Google Home, Netatmo face recognition features), it’s not used widely yet, and I highly believe that we will see very good and useful applications for this soon-ish. One thing that I hope for are systems targeting elderly care, something that analyzes the daily routine of the elderly and alarms the loved ones if something seems odd. Or provide helpful reminders/suggestions for people suffering from dementia, the applications that humanity could benefit from are countless, we just have to find the right balance between the cases that we get enough revenue from and the ones which maybe aren’t that profitable but help us to tackle real-world problems people are suffering from.
Improving lives, this is what technology is all about, it has been since we discovered how to light a fire, since humanity invented the wheel. Sometimes the tech sector needs to remind itself that we should build tools for people not for the sake of maximizing our profits. In the end, AI is a yet another tool, way more sophisticated than a shovel of course, but essentially the same thing.
lawless.tech: What are the benefits of using blockchain technology in IoT products? Is it a viable alternative?
Sebastian Golasch: There’s a lot of fuzz about blockchain nowadays. Same was true for serverless a year ago and “cloud” two years ago. I don’t consider myself as a someone who’s embracing traditional technologies, actually I’m quite the opposite, I like to try progressive methods and give new technologies a spin as soon as I can get my hands on them, but in regards to benefits of “blockchain technologies” for IoT, I do have a bit of a reserved attitude. What kind of problem do we have in IoT, or in my specialty, the Smart Home, that needs to be solved or is better solved by using blockchain tech? I can’t think of any.
If we are afraid of someone tampering with the data that we collect in our homes, we first should think of powerful encryption and then think of ways to not expose that data to others (including companies we bought the devices from). If we want to use a Merkle Tree based hash system to ensure the integrity of our data over time or as an additional security layer to secure a command to send to a device with the hash of the last received message etc., nice, let’s do that. But I wouldn’t call that blockchain technology. Only if I was very desperate to get some venture capital into my life saving connected toaster startup that failed to raise enough money in Kickstarter.
lawless.tech: Should lawyers learn JavaScript or other programming languages and why?
Sebastian Golasch: Phew, tough one. Shortest (and the most correct) answer would be: It depends! From a lawyer who specializes in online and media, I expected knowledge of the technology and the ecosystem. They do not need to possess the skills of building a website, but they should know what happens we a browser requests a website, at least on a high level. Same will be true for lawyers who might be specializing in the IoT sector in the future, I expect that they know what happens if I flip a light switch, but I don’t expect them to be able to assemble a lights witch themselves.
lawless.tech: As the humanity embraces the IoT, some awkward examples of buggy devices we can see now might give way to catastrophic consequences of minor bugs. How to prevent such unpleasant situations? Can such a giant interconnected system of physical devices as the IoT be completely reliable?
Sebastian Golasch: First, we should talk about what “completely reliable” actually means. Personal Computers have been around for half a century, are we considering them completely reliable? Cars are around for more than 100 years, do we consider them completely reliable? I guess both are not. Every technology where higher complexity is involved, and with higher complexity, I mean something more sophisticated than an old-fashioned light bulb, cannot be considered 100% reliable.
When you drive down a motorway, every time you see people standing in the rescue lane next to their precious battle proven cars. Same is true for peoples connected homes, everyone who owns one has dealt with flaws in the past. As software & hardware manufacturers we can (and must) try to reduce the impact of those flaws, make recovery easy and enable the user to understand what went wrong and why. Networks can never be 100% reliable, especially not wireless ones, and that’s what a connected home essentially is, a big, mostly wireless, local network. As an example, Miele produces connected stoves, but you can’t turn them on remotely. And that’s a good thing because it takes away the possibility of accidentally setting your cat on fire while you’re on the other side of the planet.
What I’m trying to say is that while we would be technically able to do things like this, we must think about the theoretical problems beforehand, and if that means that we need to reduce functionality to prevent catastrophes, then we need to do that. It’s way more unpleasant to deal with the consequences of setting your house on fire, than losing 5 minutes of your time, because you had to manually turn on your stove after arriving at home.
Conclusion
While some of the most pessimistic forecasts about smart homes going rogue are apparently exaggerated, the advent IoT brings certain concerns to the developers’, regulators’, and end users’ table.
Many will agree with Mr. Golasch regarding the less-than-perfect reliability of any somewhat complex tech we’ve seen since the steam engine. The more responsibility we lay upon a technology, the bigger is the cost of its malfunction. Of course, the overwhelming majority of risks can be eliminated if the manufacturers make it their top priority, yet for some the money involved in the business may be too much a temptation. It would be definitely unwise to leave it all up to the corporations without creating a solid and thoughtful regulatory framework, but as soon as the rules for the game are in place, chances are we all will enjoy playing it.
Follow us on Twitter to stay tuned on the recent developments in regulation of new technologies, and be the first to read expert opinions.