A Framework for Interconnection

In the coming IoT age, newfangled computer systems will smash into human processes. However, as Chapter 3 noted, this future has been here before. Much of my research work (and, before I returned to academia, my professional work) focused on the issues that arise when this occurs. What are the security and privacy issues if a citizen-facing government agency offers services over the web? Why does adding EMR systems to a hospital sometimes cause problems instead of solving them? Why do password rules intended to improve security actually make it worse?

Semiotic Triads, in 2013

This work led to a framework. When my colleague Ross Koppel and I were analyzing usability trouble in health IT [27], we found it useful to consider three things:

• The mental model of the clinician working with the patient and the health IT system

• The representation of medical reality in the health IT system

• The actual medical reality of patients

Figure 10-1 illustrates. (This model could clearly extend to include other actors with mental states—for example, the patients.)

Figure 10-1. The basic Ogden–Richards triad, moved into 21st-century IT; the arrows indicate the main direction of mappings. (Adapted from my paper [26].)

In theory, these three things should show an exact correspondence. The IT system should actually describe the medical reality; the output of the IT system should enable the clinician to infer correct facts about medical reality; inputs to the IT system should correctly reflect clinician actions affecting the reality of the patient. With advances in medical IT, the IT may even directly interact with reality: computers may control the drug dosage administered by a “smart pump”; sensors on a patient may input data directly into the patient’s electronic record.

In practice, we found that in the usability problems we identified in our fieldwork, there was a lack of correspondence. Usability problems organized nicely according to mismatches between the expressiveness of the representation “language” and the details of reality—between how a clinician’s mental model works with the representations and reality.

Semiotic Triads, in the 1920s

Somewhat to our chagrin, we discovered we had been scooped by almost a century. In their seminal 1920s work on the meaning of language, Ogden and Richards [22] constructed what is sometimes called the semiotic triad. The vertices are the three principal objects:

• What the speaker (or listener/reader) thinks

• The symbol they use in the language

• The actual item to which they are referring

Much of Ogden and Richards’s analysis stems from the observation that there is not a direct connection from symbol to referent. Rather, when speaking or writing, the referent maps into the mental model of the speaker and then into the symbol; when reading (or listening), the symbol maps into the reader’s (listener’s) mental model, which then projects to a referent, but not necessarily the same one. For example, Alice may think of “Mexico” when she writes “this country,” but when Bob reads those words, he thinks of “Canada”—and (besides not being Mexico) his imagined Canada may differ substantially from the real one. Thanks to the connection of IT and reality, we now have a direct symbol–referent connection, complicating the merely linguistic world Ogden and Richards explored.

The semiotics of language and the effective communication of meaning focus on morphisms—“structure-preserving mappings”—between nodes of the triad. However, with IT usability problems we are concerned instead with ineffective communication and hence focus on what we called mismorphisms: mappings that fail to preserve important structure when we go from $z$ in one node of the triad to its corresponding $z^{\text{'}}$ in another. (See Figure 10-2.) Indeed, we later explored the mismorphisms that lie at the heart of user circumvention of security control, because they characterize the scenarios that frustrate users—and often the resulting circumvention itself [26].

Figure 10-2. (a) Standard semiotics considers structure-preserving mappings between the nodes of the triad. (b) In circumvention semiotics, we think about mappings that fail to preserve structure. (c) For example, in a standard mismorphism scenario, the generated reality fails to embody a property the user regards as critical. (Adapted from my paper [26].)

To reestablish context: when we have computers in real-world applications, we can see the computation as a depiction—in signs and symbols—of reality. The computing reflects assumptions and beliefs about how things work. Consequently, when we have computers and reality and humans involved, we have the opportunity for semiotic confusion. The developers produce systems and code (signs and symbols) that reflect their own mental model of what the real world is; these are different things.

Human/Machine Interconnection in the IoT

The emerging IoT runs the risk of taking this confusion to a whole new level, for several reasons:

• The IoT will tie orders of magnitude more computers to vastly more parts of physical reality.

• Unlike the linguistic scenarios of the last century, the IoT will greatly expand the direct connection between computing and reality (even without human intermediaries).

• The vast decentralization and potential permanence of IoT devices leads to vastly more chances for texts to be wrong—and for wrong texts to remain uncorrected.

As a result, this triad becomes a convenient framework for looking at how these new machines will affect humanity.

Ethical Choices in the IoT Age

In his novel A Clockwork Orange, Anthony Burgess considered whether moral decisions made by clockwork would have the same value as moral decisions made by unconstrained humans.¹

In an IoT world, many scenarios exist where choice and action move from a human in a direct situation to a machine, or perhaps to the human who programmed that machine at some point long ago. Some of these choices will inevitably have moral and ethical dimensions. How will the reality—and the human perception—of the choices change when the actors move?

Ethicists have long considered the Trolley Problem (e.g., see Figure 1 in [15]). One can construct many scenarios involving unfortunate arrangements of trains and human bodies in which a human actor must make a choice between two options. For example:

• If a runaway train is about to hit a fork where it can go in one direction and kill five people or can go in another and kill one, and Alice controls the switch at this fork, which option should she choose?

• If a runaway train is about to hit five people, but Alice is standing on a bridge over the tracks next to a very large Bob, should she let the five people die, or push Bob off the bridge, so he dies but stops the train and thus saves the other five?

Psychologists have studied why humans tend to make different choices in the different scenarios, even though (when evaluated solely in terms of net utility, or lives lost) the choice in each scenario should be the same—lost one life to save five. There’s a mismorphism here: something changes when the situation is mapped from end reality to human perception of the action.

Now, fast-forward to a future of smart technology, when the actor is no longer human. If a self-driving car is in an unfortunate scenario where it must kill either five pedestrians in one lane or one in another, which should it choose? What if the choice is between killing five pedestrians, or crashing into a wall and killing its driver? And what about all the other kinds of smart machine actors the IoT will bring?

These questions are grist for much philosophical discussion (e.g., see [10]).

Perception of Boundaries in the IoT Age

Another structure that can be lost in the mapping between smart IT, the real world, and human perception is that of boundaries.

Even in the plain IoC, the borders in IT infrastructure do not match the borders in reality. Back at the turn of the century, Bill Cheswick’s Internet Mapping Project revealed internet connectivity suggesting mergers between companies that had not yet announced they were merging, and connectivity suggestive of covert nation-state influence. In modern times, Doug Madory of Dyn has done analysis of internet routing data indicating interesting connections with modern political events, among other things; Dyn even markets “internet intelligence” as a business.

As we move into the IoT, as Chapter 1 noted, humans may have difficulty perceiving the risks that compromise of a particular IoT infrastructure, such as smart meters, can pose to apparently unrelated systems, such as the cellphone network; likewise, human perception of security risks to a particular IoT infrastructure, such as Target’s point-of-sale terminals, may not take into account attacks launched at apparently unrelated systems, such as HVAC controls. Chapter 4 noted an instance where a port for a car’s CAN bus—through which one can unlock the vehicle—can be found outside the locked perimeter. In summer 2016, a security analysis of the massive privacy breach at Banner Health noted “it was odd that the point of sale systems at Banner’s 27 food service locations that were affected appear to have been on the same network as clinical systems” [8].

The business relationships in IT manufacturing—who buys and repackages what software and components from whom—also complicate accurate perception of and reasoning about boundaries. As Chapter 4 noted, vulnerabilities in the firmware of one CCTV device affect dozens of vendors, who simply re-packaged that device. The ThinkPwn exploit for a low-level UEFI driver from one particular small vendor affects the larger machines (such as some Lenovo laptops) that used that driver [9]. The flaws enabling hackers to shut down Andy Greenberg’s Jeep were not in the Jeep itself but in a radio manufactured by someone else—and used in other brands of cars as well [21].

Human Work in the IoT Age

Humans often define themselves by work—“your work is your worth.” The IoT changes the workplace. Does it change human worth?

As noted previously, mixing technology into the workplace changes the workplace. One might think that it would make things “better,” by some definition: people could get more things done more accurately in less time. For example, NPR’s Planet Money notes [17]:

The economist John Maynard Keynes predicted [in 1930] that his grandkids would work just 15 hours a week. He imagined by now, we would basically work Monday and Tuesday, and then have a five-day weekend.

Why did Keynes get this wrong? NPR posits it was because although technology improved productivity, people still choose to work, due to some combination of opportunity cost (that hour of leisure is not worth the lost income) and personal satisfaction. Observers taking a long view of the US economy might add that even the productivity improvement cannot compensate for the decrease in wages per unit of productivity, and the increase in cost of living. Back in the 1980s, the older businessman who ran one of the first tech companies I worked for lamented how (even then) both parents working would not support a family as well as one parent working when he was younger. Paraphrasing, “I never thought I would see the next generation do worse than the previous one.”

The IoT promises an even more disruptive technological revolution in the workplace. In terms of the triad discussed earlier, the permeation of IT into physical reality fundamentally changes the way business processes work—and human understanding of these processes (and of the role of human workers in it) lags behind.

In particular, the new technology enables a sort of arbitrage: tasks that required specialized humans can now be done by machines; tasks that required expensive local infrastructure (such as big computing) can now be outsourced inexpensively (e.g., to the cloud). In a series of articles [5, 6, and 7], writers Bernard Condon, Jonathan Fahey, and Paul Wiseman analyzed this impact:

Five years after the start of the Great Recession, the toll is terrifyingly clear: Millions of middle-class jobs have been lost in developed countries the world over. And the situation is even worse than it appears. Most of the jobs will never return, and millions more are likely to vanish as well, say experts who study the labor market. What’s more, these jobs aren’t just being lost to China and other developing countries, and they aren’t just factory work. Increasingly, jobs are disappearing in the service sector, home to two-thirds of all workers….

For more than three decades, technology has reduced the number of jobs in manufacturing….

Start-ups account for much of the job growth in developed economies, but software is allowing entrepreneurs to launch businesses with a third fewer employees than in the 1990s….

Those jobs are being replaced in many cases by machines and software that can do the same work better and cheaper….

Reduced aid from Indiana’s state government and other budget problems forced the Gary, Ind., public school system last year to cut its annual transportation budget in half, to $5 million. The school district responded by using sophisticated software to draw up new, more efficient bus routes. And it cut 80 of 160 drivers….

The analysis concludes with considering what will happen in a society where (thanks to technology) a majority of humans cannot find employment—or must compete for a vanishing number of “midskill” jobs. The machines will be wonderful and enable a wonderful life for the innovators. But what about the rest of us?

As far back as 1958, American union leader Walter Reuther recalled going through a Ford Motor plant that was already automated. A company manager goaded him: “Aren’t you worried about how you are going to collect union dues from all these machines?” “The thought that occurred to me,” Reuther replied, “was how are you going to sell cars to these machines?”

Many in the field already talk about dark factories (with no human employees). However, humans like doing—that’s one of the reasons Keynes was wrong. What will our future hold?

Brave New Internet, with Brave New People in It

The previous chapter used the fashionable term “digital divide.” A similarly fashionable term, “digital natives” refers to humans who grow up with new information technology. Rather than having to adapt to a new world (as “digital immigrants” must do), a digital native has always seen the universe as having this IT enhancement.

Confronted with the internet, the web, digital music, YouTube, iPods, and smartphones, digital immigrants are often frightened by the skill and ease with which digital natives interact with the digital. As Groucho Marx quipped in technologically ancient times:

A child of five would understand this. Send someone to fetch a child of five.

In slightly less ancient times, when I was considering leaving industry for academia, I asked a mentor how you lead students. His response: “You don’t lead them—you follow them.”

The IT of the 2010s is considerably advanced from the IT of the 1990s or the 1970s, and the teenagers of the 2010s perceive a very different world from their predecessors. However, the IoT of the 2020s promises (or threatens) to be potentially a far greater advancement. What world will the digital natives of the IoT grow up in? Will they regard our current dumb houses and dumb cars and dumb bridges as hopelessly archaic? Alternatively, if we don’t adequately resolve the security and privacy risks, will they be able to cope if their world reverts to a cyber Love Canal?

After all, they are us.²

Works Cited

1. R. Beckerman, “Large recording companies vs. the defenseless: Some common sense solutions to the challenges of the RIAA litigations,” The Judges Journal, American Bar Association, July 2008.

2. L. J. Camp, “DRM: Doesn’t really mean digital copyright management,” in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002.

3. J. Cheng, “Study: Surfing the internet at work boosts productivity,” Ars Technica, April 2, 2009.

4. E. Clark, “Driverless cars need Australia’s latitude and longitude coordinates to be corrected,” Australian Broadcasting Corporation News, July 28, 2016.

5. B. Condon, J. Fahey, and P. Wiseman, “Practically human: Can smart machines do your job?,” AP: The Big Story, January 24, 2013.

6. B. Condon and P. Wiseman, “AP IMPACT: Recession, tech kill middle-class jobs,” AP: The Big Story, January 23, 2013.

7. B. Condon and P. Wiseman, “Will smart machines create a world without work?,” AP: The Big Story, January 25, 2013.

8. J. Conn, “Banner Health cyberattack impacts 3.7 million people,” Modern Healthcare, August 3, 2016.

9. L. Constantin, “Firmware exploit can defeat new Windows security features on Lenovo ThinkPads,” PC World, July 1, 2016.

10. C. Doctorow, “The problem with self-driving cars: Who controls the code?,” The Guardian, December 23, 2015.

11. C. Doctorow, DRM: You Have the Right to Know What You’re Buying! Electronic Frontier Foundation, August 5, 2016.

12. S. J. Dubner, The Dangers of Safety Full Transcript. Freakonomics Radio, August 13, 2015.

13. E. Felten, “Too stupid to look the other way,” Freedom to Tinker, October 29, 2002.

14. A. Fotheringham, “Quintana calls for power meters to be banned from racing,” Cyclingnews, August 30, 2016.

15. M. Hauser and others, “A dissociation between moral judgments and justifications,” Mind & Language, February 2007.

16. L. Huber and others, “How in-home technologies mediate caregiving relationships in later life,” International Journal of Human–Computer Interaction, 2013.

17. D. Kestenbaum, “Keynes predicted we would be working 15-hour weeks. Why was he so wrong?,” NPR Planet Money, August 13, 2015.

18. J. M. Laskas, “Inside the Federal Bureau of Way Too Many Guns,” GQ, August 30, 2016.

19. R. Liu and others, Remote Driving: A Ready-to-Go Approach to Driverless Car? Technical Report DCS-TR-712, Rutgers University, Department of Computer Science, February 2015.

20. C. Mele, “Self-service checkouts can turn customers into shoplifters, study says,” The New York Times, August 10, 2016.

21. D. Morgan, “Car hacking risk may be broader than Fiat Chrysler: U.S. regulator,” Reuters, July 31, 2015.

22. C. Ogden and I. Richards, The Meaning of Meaning. Harcourt, Brace and Company, 1927.

23. N. Patel, “Self-driving cars aren’t going to be so great until we make our maps way better,” The Verge, August 24, 2016.

24. S. Sinclair and S. W. Smith, “What’s Wrong with Access Control in the Real World?,” IEEE Security and Privacy, July/August 2010.

25. S. Shinde-Nadhe, “Not using smartphones can improve productivity by 26%, says study,” Business Standard, August 30, 2016.

26. S. W. Smith and others, Mismorphism: A Semiotic Model of Computer Security Circumvention (Extended Version). Dartmouth Computer Science Technical Report TR2015-768, March 2015.

27. S. W. Smith and R. Koppel, “Healthcare information technology’s relativity problems: A typology of how patients’ physical reality, clinicians’ mental models, and healthcare information technology differ,” Journal of the American Medical Informatics Association, June 2013.

28. C. Winston and others, “An exploration of the offset hypothesis using disaggregate data: The case of airbags and antilock brakes,” Journal of Risk and Uncertainty, March 2006.