This project aims to forge new directions towards the important but largely unexplored challenge of aligning the Internet of Things (IoT) with legal and regulatory realities.
The broad vision of the IoT is where the physical world comes online. It entails sensors and actuators seamlessly integrated with virtual services, as part of a wide-scale, potentially global systems infrastructure that dynamically reacts and responds to meet various goals.
This vision has captured mainstream imagination. The connected infrastructure, a large-scale distributed system, enables a potentially limitless range of applications, which can be customised to individuals, groups and organisations, in areas including cities, retail, energy, health and lifestyle, transport and agriculture.
However, with this vision come legal, regulatory and social challenges. The scale and physical nature of this emerging systems environment involve sensors generating data on many detailed aspects of the world, much of it (potentially) highly personal or otherwise sensitive, and actuation capabilities that give systems a real, physical-world effect.
As such, IoT (and more generally, ICT) applications, systems and services are increasingly subject to law and visible to regulators, while consumers, businesses and governments are beginning to demand more transparency and agency. Having the means for managing the associated risks, responsibilities, and obligations of the IoT is crucial for realising its potential, and the significant economic and social benefits it promises.
This project directly targets these issues, by taking an interdisciplinary (tech-legal) approach towards legally-compliant distributed systems. The aim is to develop the conceptual frameworks for considering tech-legal compliance issues as well as the technical means for enabling systems (and therefore, those responsible) to comply with legal and regulatory obligations. By facilitating compliance, we work to improve agency, trust and accountability in the IoT, as well as reducing the overheads of compliance.
As the IoT is data driven, the specific focus is on data flow management. We seek to improve the *control* and *visibility* of data as it moves throughout the IoT, in line with data management policy, reflecting legal obligations. This is so that those who have rights over data (including end-users), and those responsible for data (including service providers), are able to ensure their requirements and obligations are met, even as data moves 'out of their hands'.
This entails investigating how law and regulation, reflecting responsibilities and obligations, and personal preferences, can be embodied in policy, which technical mechanisms enforce end-to-end, system-wide. This includes auditing policy enforcement, to assist in demonstrating compliance, apportioning liability and indicating whether policy adequately captures legal responsibilities. This also entails the development of legal-technical frameworks that provide the methodology for investigating, enumerating and aligning compliance concerns across the disciplines, and identifying the mismatches between law and technology.
Addressing such challenges requires an interdisciplinary approach. This project embodies a technical/legal symbiosis: work on the technical mechanisms for system-wide control and audit will be driven by legal and regulatory realities, and at the same time, we consider how the technical work impacts the emerging liability and policy concerns arising from the physical and increasingly pervasive and intrusive nature of the IoT.
In undertaking this work, we seek to build the foundations for a broader area of multidisciplinary research concerning legally compliant systems.