I’m happy to report that the IoT Privacy Forum will be getting a new website very soon….

Behind the scenes

I’m very happy to announce the publication of a new report: Privacy and the Internet of Things. Published by O’Reilly Media, the report explores the privacy risks implied by increasing numbers of devices in the human environment, and the historical and emerging frameworks to address them. It’s a free report, available for download here:


In this report, you will:

  • Learn the various definitions of the Internet of Things
  • Explore the meaning of privacy and survey its mechanics and methods from American and European perspectives
  • Understand the differences between privacy and security in the IoT
  • Examine major privacy risks implied by the proliferation of connected devices
  • Review existing and emerging frameworks for addressing IoT privacy risks
  • Find resources for further reading and research into IoT privacy

I’d be very happy to discuss any of the report’s content. Please feel free to email me at gilad(at)iotprivacyforum.org.


Academics Data Protection Policy Privacy by Design

“Implementing transparency and control in the context of IoT raises a number of challenges. Addressing these challenges is the main goal of the UPRISE-IoT European (CHIST ERA) project in which this PhD will be conducted.

Among these challenges, specific attention will be paid to the following topics:

  • Analysis of the physical environment of the users to get an accurate picture of the devices surrounding them and the data that they collect.
  • Analysis of the purposes of these collections (how the data are supposed to be used) and their legal basis (e.g. the privacy notices of the entities collecting the data).
  • Analysis of the potential privacy risks posed by these data collections.
  • Definition of a framework for interacting with the users. This framework should make it possible for users to get a good understanding of the above information and to express their wishes (e.g. through user-centric privacy policies) in a user-friendly and non-ambiguous way.

    The PhD project will be conducted in collaboration with the members of the Inria PRIVATICS group and the other partners of the UPRISE-IoT project. It will not necessarily address all the above topics, and the specific focus will be adjusted in agreement with the successful candidate, based on his expertise and motivation.


    The thesis will be located in the Inria Rhône-Alpes Research Center, either in Grenoble or in Lyon (south-east of France).

    Required skills:

    The candidate should have a Master’s degree in computer science or a related field. Knowledge and motivation for one of the following fields would be appreciated: networks, privacy, security, human computer interaction.
    Knowledge of French is not required.”


Academics Transparency User Control

Dr Gilad Rosner, the IoT Privacy Forum’s founder, was recently interviewed by the European Alliance for Innovation. Dr Rosner will be keynoting at the 3rd EAI International Conference on Safety and Security in Internet of Things, taking place in Paris in October. An excerpt from the interview:

How would you comment on the recent clashes between governments and tech firms, regarding privacy and security?

The internet age has been a windfall for law enforcement and intelligence gathering agencies. The routine collection of personal information through social media, search, mobile phones, and web usage has created enormous databases of people’s movements, activities and communications. All of this comes from commercial endeavor – that is, the internet and social media are propelled by private companies in search of profit. They create the products and they store the data, and so those private data stores represent an irresistible target for data-hungry government entities like the NSA and others.

The ‘government’ is never one thing. Governments are comprised of agencies, interests, and people – overlapping powers and agendas. In the case of law enforcement, different groups have different remits and varying degrees of power. Foreign intelligence gathering is not the same as domestic law enforcement, and the rules that enable and constrain different agencies vary widely. There is a blurry line between lawful and unlawful access to private stores of personal data. The Snowden disclosures gave the world some perspective about just how blurry that line is, and how the governance of intelligence gathering may be porous or insufficient.

Sociologists have noted that states ‘penetrate’ their populations; that people need to be made ‘legible’ so that the state can act upon them. A strong argument can be made that intelligence gathering – for foreign or domestic purposes – is a core characteristic of the modern state. As such, lawful and unlawful access (and who gets to say which is which?) are two sides of the same coin: the state’s desire for information about people. Part of the way liberal democracies are judged is through consideration of their legitimacy. When government actors are accused of hacking into private data stores or otherwise circumventing established legal methods of obtaining access, such as search warrants and subpoenas, that legitimacy is called into question. Still, the line is blurry, and because of the secretive nature of intelligence gathering, it’s difficult to get a complete picture of when agencies are acting within their rights, when company practice facilitates or hinders the transfer of personal data to government actors, and when everyone is acting within ‘normal’ operating procedures.

Read the whole interview here: http://blog.eai.eu/the-blurry-line-between-data-protection-and-coercion/

Academics Conference Data Protection

UC Berkeley’s Center for Long-Term Cybersecurity released “Cybersecurity Futures 2020,” a set of scenarios meant to spur conversations about the future of cybersecurity and related topics. Dr. Gilad Rosner, founder of the IoT Privacy Forum, was one of the contributors to the Intentional Internet of Things scenario, which provokes discussion with this image of the future:

“While the widespread adoption of IoT technologies may be predictable in 2016, the mechanism that will propel this shift is less so. In this scenario, government will intentionally drive IoT adoption to help societies combat recalcitrant large-scale problems in areas like education, the environment, public health, and personal well-being. This will be widely seen as beneficial, particularly as the technologies move quickly from being household novelties to tools for combating climate change and bolstering health. “Smart cities” will transition from hype to reality as urban areas adapt to the IoT with surprising speed. In this world, cybersecurity will fade as a separate area of interest; when digitally connected technologies are part of everyday life, their security is seen as inseparable from personal and national security. But while this world will offer fantastic benefits for public life and reinvigorate the role of governments, there will also be greater vulnerability as IoT technologies become more foundational to government functions and the collective good.”   (from: https://cltc.berkeley.edu/scenario/scenario-four/)

Main page: https://cltc.berkeley.edu/scenarios/

Intro and Executive Summary: https://cltc.berkeley.edu/files/2016/04/intro_04-27-04a_pages.pdf

Full report: https://cltc.berkeley.edu/files/2016/04/cltcReport_04-27-04a_pages.pdf


Academics Policy Privacy by Design Security

This Tuesday, Dr Gilad Rosner, founder of the IoT Privacy Forum, will be doing a free one-hour webcast called Privacy, Society & the Internet of Things. It’s an exploration of the many meanings of ‘privacy,’ the privacy risks implied by a world of connected devices, and some of the frameworks emerging to address those risks. The webcast will be broadcast live at 10am PT / 1pm ET / 6pm GMT. Register for it here: http://www.oreilly.com/pub/e/3582

Conference Law Policy Privacy by Design

The Open Web Fellows program – a collaboration between Ford Foundation and Mozilla – is an international leadership initiative that brings together technology talent and civil society organizations to advance and protect the open Web. Specifically, the goals of the Open Web Fellows programs are to:

  • Increase public awareness and understanding of Internet policy issues
  • Support career paths in the Internet policy and advocacy sector
  • Celebrate and support the vibrant network of Internet advocacy organizations

Broadly speaking, we are looking for makers – those who see a problem in the world and can solve it through technology or media. The right candidate may bring specialties in design, development, storytelling, research and policy analysis, and should be comfortable performing as a technologist, a tinkerer, and a curious contributor to the fellowship program. You do not need to have previous experience with Internet advocacy, policy or activism.”

Deadline Mar 20, 2016



In this new article for O’Reilly, IoT Privacy Forum Founder Dr Gilad Rosner discusses how the IoT amplifies the problems of Notice & Choice and Consent. Academics and experts have long been aware of their failure as privacy protection strategies, and some have called for them to be eliminated in favor of a controversial policy: letting businesses choose which data uses are and are not appropriate. The article examines the pros and cons of this approach with regard to connected devices.


Data Protection Law Policy

While waiting for a taxi in Barcelona, my friend, irritated at waiting for one to appear, told me that Uber was made illegal in Spain. However, she was not 100% sure it was still illegal; perhaps something had changed. To answer this, she took the most direct route and opened Uber on her phone: Nope, we could not order transportation. I saw this moment as a wonderful inversion of that 90s internet tenet, ‘code is law.’ The main idea is that the architectures of electronic systems perform similar regulation of behavior as law does in the physical, social realm. In some of the more utopian and techno-deterministic formulations of this idea, the world of paper laws and hoary legislative debates would crumble before the might of the interweb and its meritocratic ways. Opening Uber on her phone to see if it could sell its wares in the Catalan capital was a wonderful reminder of the over-exaggeration of regulation’s untimely demise. Academics love the word ‘tension,’ and companies like Uber and Airbnb cause mountains of it. They’re such good case studies for regulation, perturbing existing regimes such as hotel taxation and taxi passenger safety, stepping on toes economic and political. The earliest discussions of the social impact of the internet invoked its borderless character and the inevitable clashes that would arise with national sovereignty. That tension is alive and well, visible in US alarmism over the coming EU General Data Protection Regulation, in the regulatory tussle over Uber and its so-called sharing economy kin, and in the recent invalidation of the Safe Harbor framework. Law may move slowly, but it still packs a punch.

Law Policy Power

Data Protection Policy Privacy by Design Realpolitik