Governance in the Internet of Things

When it comes to information governance in the context of a vastly expanded Internet that includes devices as well as people all conducting mediated communication with each other that can be captured, shared, recorded, aggregated, sold, re-sold, there are at least three categories of parties who will want to be sure they establish some form of regulation.

Howard M. Cohen, Senior Resultant

January 27, 2015


Gartner defines information governance as “the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”

And that is where we immediately run into a roadblock when dealing with governance in the Internet of Things. If information governance is meant to “ensure appropriate behavior,” how will we apply that to “things”? Things don’t really behave in the traditional sense of the word. Sure, they can be said to exhibit certain behaviors, but those behaviors are preprogrammed into them, and that arguably obviates the need for governance: a device that is already programmed to behave in specific ways hardly needs an accountability framework for appropriate behavior. What does need one is the programming itself, and the people who write it, because a defect or a tampered update is exactly how a “well-behaved” device ends up doing something it should not.

This provides more grist for my mill that it is not an “Internet of Things” but simply the Internet with more things attached to it. The guidelines are meant for those who make the things and put them onto the Internet, and they must observe and adhere to those guidelines when connecting them.

Who Are “They?”

As if we didn’t have enough additional layers of complexity as we scale to the unimaginable proportions of the envisioned Internet, the question of who “they” are introduces a tremendous one, with the potential to create both conflict and new legislation for decades to come.

In a vastly expanded Internet in which devices as well as people conduct mediated communication with each other, every exchange of which can be captured, recorded, aggregated, sold and re-sold, there are at least three categories of parties who will want to be sure they establish some form of regulation.

  1. Governments

This is the obvious one. Governments seem to want to regulate how everyone uses all information everywhere, except for themselves. To listen to folks like Edward Snowden and the Electronic Frontier Foundation you’d come to believe, and perhaps rightly so, that governments monitor absolutely everything they can monitor and use what they collect in as many ways as they possibly can until they are caught. Even then they find ways to obfuscate what they are doing much to the delight of angry analysts everywhere.

The rest of us, however, must exercise extraordinary care lest we run afoul of legislative acts such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA, or industry mandates such as PCI DSS, among many others. Many, like HIPAA, extend potential penalties for non-compliance beyond organizations to the individuals who own and operate them.

Imagine what happens when a medical diagnostic device captures information, conveys it to its manufacturer for quality control, and the report on the aggregated data somehow reveals some protected private patient information. Visions of an enormous MRI behind bars.

  2. Corporations

Data indemnification has been an issue ever since the first byte crossed the Internet to a waiting “cloud” server. Who owns that data? Who owns responsibility for that data? If the data is breached, accessed, corrupted, stolen, destroyed or otherwise exploited, who gets punished? What is their penalty? How does the originator of the data prosecute that loss?

More important, how does the originator of that data mitigate that risk? And what penalty will be sufficient if the data is critical enough to the continued operation of the enterprise?

How does one indemnify a device?

Once again, corporate information governance consists of the establishment and enforcement of policies. Policies are designed to moderate the behavior of sentient beings, that is, people. People are fallible. People are capable of nefarious acts and of disobeying policies. Devices, at least at this point in time, are not, yet a defective or compromised device can still leak. What happens when such a device relays private corporate information to a public source? How does the corporation pursue restitution for that loss? Whom do they pursue?

From the larger perspective, what happens when the needs of the corporation conflict with the requirements of the government? Whose governance prevails? Then again, what happens when the governance requirements of the corporation or the government conflict with what is technologically viable?

  3. Technology

Which brings us to the third community of potential governance and regulation, the technology community: the folks who bring us the circuitry and the protocols that govern Internet access and data transport. How do we interface our layers of politics in governance with their layers of networking, transport, and presentation of data?

This community is probably the hardest to define and always has been due to its genesis.

To illustrate what this means, ask yourself, “Who owns the Internet?” The current answer would be many, and nobody. Nobody owns the entire Internet, and many companies own parts of the infrastructure. It can be said that the Internet Engineering Task Force (IETF) owns responsibility for developing the standards the Internet runs on, but then you’d have to ask, “who says so?” For many years the Internet Assigned Numbers Authority (IANA), which is responsible for allocating IP address space and other protocol parameters, consisted in effect of one person, Jon Postel. Fortunately that began to change with the creation of ICANN in 1998, shortly before Postel’s untimely death in October of that year.

Since the global Internet crosses all national borders, no one country legislates it, and there is no singular body that can claim authority to do so. A startlingly loose tacit agreement between nations has allowed a federation of organizations, including the IEEE (link-layer standards such as Ethernet and Wi-Fi), the IETF (Internet protocol standards), and ICANN and IANA (coordination of the DNS root and of IP address allocation), to keep such key operations as DNS running for many years. As the sheer scale of the “Internet of Things” explodes, it will be a significant matter of concern to see how these semi-formal organizations morph to accommodate it.

This only serves to pose the questions, and scratch the surface of how we will achieve governance of something that will unquestionably grow to be as massive as what we are currently calling the “Internet of Things.” But then, we’ve only scratched the surface of the development of the Internet of Things itself.





About the Author(s)

Howard M. Cohen

Senior Resultant

Senior Resultant Howard M. Cohen is a 30+ year executive veteran of the Information Technology industry, an authorized CompTIA instructor, and a regular contributor to IT industry publications. He serves on many vendor advisory panels including the Apple, Compaq, HP, IBM, and NEC Service Advisory Councils. He also serves on the Ingram Micro Service Network board and as a U.S. Board member of the International Association of Microsoft Channel Partners. He is a frequent speaker at IT industry events that include Microsoft’s WorldWide Partner Conference, Citrix Synergy/Summit, ConnectWise IT Nation, ChannelPro Forums, Cloud Partners Summit, MicroCorp One-On-One, and CompTIA ChannelCon. He refers to himself as a “Senior Resultant” because he has always understood that we are all measured only by our results. Connect with Howard at [email protected] and review his portfolio at
