Developing digital trust in the IoT era

The API economy exposes new business value digitally

The API economy has turned the tables on the way businesses monetize their offerings. Application programming interfaces enable every type of industry to expose value digitally, reach out to bigger audiences and disrupt established industries.

Ridesharing is the classic example, upending traditional taxi and car services. Ridesharing apps are now creating sufficient industry disruption that new legal ordinances are being named after them: witness Illinois House Bill 4075, also known as the “Uber bill.”

Moving from web to mobile forced a digital transformation

The main push for APIs came from the smart mobile device revolution and the radical simplification of how users and customers interact with products and services; mobile app developers needed APIs to gain access to the functions of what were originally web applications. The resulting explosion of APIs means that organizations across all industries are pursuing “digital transformation” strategies, prioritizing new processes and workflows.

The new API economy controls smart things, but is it trustworthy?

Now a new type of API economy is growing that exposes not merely the value of applications in a new way, but also the features of smart devices themselves. An API call can control not just hailing a car, but driving a car, accessing the trunk and locking the doors.

The popularity of the internet of things is leading to a whole new set of business opportunities. However, providing safe, secure interactions and handling digital identities and authentication requires greater care in this relatively uncharted territory. For example, security researchers Scott Helme and Troy Hunt uncovered an API vulnerability that not only allows the Nissan Leaf connected car to be controlled independently over an Internet connection, but also provides access to other Leaf automobiles through the NissanConnect EV app.

The state of data privacy regulation

According to a survey of nearly 300 IT professionals conducted earlier this year by TechValidate for ForgeRock, only 9% of respondents agreed that privacy/consent methods such as opt-in checkboxes and cookie acknowledgments are ready to adapt to the new digital economy. Clearly, IoT devices are a major source of tension when it comes to meeting user and business needs for consent. It is not practical to pull out a companion mobile app to consent or to configure your sharing preferences every time you need to interact with a smart “thing.” As the regulatory landscape of data protection and privacy shifts to give a bigger role to consent, developers will need to consider this reality.

In April 2016, the General Data Protection Regulation (GDPR), which is designed to give EU citizens better control of their personal data in the context of a more unified EU marketplace, was set in motion for implementation in 2018. The regulation states that privacy-friendly settings must be the default and requires that developers design privacy-friendly settings for all apps and websites.

The point of the GDPR policy is that data privacy and protection should not just stop at the end user; for developers, it should begin at the API level — by design. Tech companies, especially those that create IoT devices and applications, are beginning to understand the importance of closing all the doors to their APIs. APIs have recently received a bad rap — horror stories about how hackers can tap into the Nissan Leaf’s API for access and control put added pressure on developers to tighten up security during the design process.

Developing digital trust

The bar that companies must clear to meet consumer needs and government regulations is rising. Legacy technologies and existing tactical compliance efforts are likely to offer only a temporary solution at best. New data privacy methods and technologies will soon need to be deployed widely in the U.S. and EU.

In response to evolving consumer demands and government regulations, companies are exploring ways to incorporate user consent into their applications. For instance, Apple CareKit and ResearchKit integrate with 23andMe. A user’s 23andMe DNA test results, intended to help determine ancestral history, can be integrated with the user’s Apple CareKit to help researchers best understand the individual through his or her ancestral background and health activity. However, researchers can only access data when the user provides specific consent. Apple’s CareKit allows users to share data with other parties; however, the data is proprietary, and only users in the Apple ecosystem can access it. Users also have the ability to block data being sent from 23andMe. While Apple CareKit is a good example of leveraging user consent in ways that go above and beyond regulatory dictates, a consent standard across industries is the more sustainable, long-term solution for API ecosystems that do not involve Apple.

User-Managed Access (UMA) is a key standard in this area; it gives business benefits to those who are not the “800-pound gorilla” in any one field. UMA gives individuals a unified control point for authorizing who and what can access a variety of cloud, mobile and IoT data sources. Users can share data and API access selectively with other parties; withdraw consent for that sharing in a finer-grained fashion so that other data feeds can remain unperturbed; and manage delegation, consent and withdrawal more conveniently from a central sharing hub.
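The sharing-hub behaviour described above, as an added example that is not part of the original post and not UMA reference code: a simplified model of a UMA-style authorization server in which the resource owner grants per-resource, per-scope consent to requesting parties and can withdraw it for one feed without disturbing the others. All resource, owner and party names are constructed.

```python
class ConsentHub:
    """Simplified model of a UMA-style authorization server (the 'central sharing hub').
    Resource servers register resources with scopes; the owner grants and withdraws
    per-resource, per-scope consent; requesting parties are checked against that policy."""

    def __init__(self):
        self.resources = {}  # resource_id -> (owner, frozenset of registered scopes)
        self.policies = {}   # (resource_id, party) -> set of scopes the owner granted

    def register(self, resource_id, owner, scopes):
        self.resources[resource_id] = (owner, frozenset(scopes))

    def _check_owner(self, owner, resource_id):
        if self.resources[resource_id][0] != owner:
            raise PermissionError("only the resource owner may set policy")

    def grant(self, owner, resource_id, party, scopes):
        self._check_owner(owner, resource_id)
        unknown = set(scopes) - self.resources[resource_id][1]
        if unknown:
            raise ValueError(f"unregistered scopes: {sorted(unknown)}")
        self.policies.setdefault((resource_id, party), set()).update(scopes)

    def withdraw(self, owner, resource_id, party, scopes=None):
        """Withdraw consent for one party on one resource; other feeds stay untouched."""
        self._check_owner(owner, resource_id)
        key = (resource_id, party)
        if scopes is None:
            self.policies.pop(key, None)        # revoke everything for this pair
        elif key in self.policies:
            self.policies[key] -= set(scopes)   # revoke only the named scopes

    def authorize(self, party, resource_id, scopes):
        """Privacy by default: nothing is shared unless the owner granted it."""
        return set(scopes) <= self.policies.get((resource_id, party), set())

    def shares(self, owner):
        """The owner's single view of everything currently shared from the hub."""
        return {k: sorted(v) for k, v in self.policies.items()
                if self.resources[k[0]][0] == owner and v}


def demo():
    # Constructed sample data: one owner, two data feeds, two requesting parties.
    hub = ConsentHub()
    hub.register("dna_results", "alice", ["read"])
    hub.register("heart_rate", "alice", ["read", "history"])
    hub.grant("alice", "dna_results", "researcher", ["read"])
    hub.grant("alice", "heart_rate", "doctor", ["read", "history"])
    hub.withdraw("alice", "dna_results", "researcher")  # revoke the DNA feed only
    return hub
```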

With the rise of cloud-based data, health and wellness apps, and consumer sensors, companies such as Philips have identified the importance of enabling consumers and patients to share all available sources of data with family members, health professionals and others. However, this sharing must be done under close personal control. The company is looking to build standards-based solutions into its HealthSuite Digital Platform that will make it possible to foster patient trust. ARM is also doing great work on developing trust models for sensor-to-device-to-service security.

For companies like Philips, whose core competency is something other than just consent mechanisms, ensuring digital trust is particularly critical. By definition, the API economy and the shift toward the IoT necessitate complex technology partnerships for joining applications and sources of personal data within new ecosystems.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.