I participated on a panel with Scott Jenson from Google, moderated by Stacey Higginbotham, at last week's Structure Conference in San Francisco. Scott is a usability expert I've followed on Twitter for years. Stacey is all things IoT, so I confess I was a bit awestruck to be on the same stage. To be honest, panels are not a 'User Experience' I typically look forward to, either from the audience or the stage, but this panel was thoroughly enjoyable and, I hope, valuable for the audience.
Scott has long been an advocate of the Physical Web as an enabling piece of the IoT. In the physical web, devices advertise a web address over a Bluetooth Low Energy (BLE) device or comparable short range radio. At this address potential device clients can discover more information like, at a bare minimum, the sort of data and service the device can offer up. Because clients use the web to learn more about the device, the Physical Web model frees us from the seemingly current default of 'one device, one app'.
Physical Web Model User Experience Walk up and interact with any object (a parking meter, a toy, a poster) or location (a bus stop, a museum, a store) without installing an app first. Interactions are only a tap away.
For Scott, I think the primary advantage and value of the Physical Web is the improved usability afforded by not having to first install a particular native application in order to interact with devices around you, ie reduced friction. But, in enabling a simple jump from the physical world to the digital world, the Physical Web model might also be a powerful bootstrap mechanism for the authentication and authorization of interactions with advertising devices. For instance, I can imagine the BLE advertised web address specifying:
The location of the device's authentication/authorization server (where a client can obtain security tokens expressing the identities and authorizations of the client and any user involved)
The device's OAuth scopes, ie "These are the functions I provide."
Minimum LOA required for accessing the device's different data and functions
Calculating IoT's Value to Maximize Its Potential The nominal title of the panel was "Where Do We Find the IoT?"--the premise being where do we find the real value of the IoT, the use cases that will change our lives and not just count our steps. As my opening statement, I argued that the title actually had things reversed. The real value of the IoT will be when it "finds" us--when users need not explicitly request an interaction with a device or devices, but rather devices present their offers to us for us to filter and accept or reject as in the Physical web model. I argued that only then will a serendipitous IoT be possible--one where beneficial device interactions come to us rather than requiring that we go hunting for them.
I had been thinking along the lines of IoT use case value and serendipity before the panel with Stacey and Scott, but presenting with them helped me solidify some of those thoughts which I'll explore below.
I'll start with a provocative statement
For any particular connected or smart device to be meaningful and viable, the value of the relationship between that device and a human user must be greater than the pain for the user associated with the establishment and ongoing management of that relationship.
NB: Of course the above is a very consumer-centric definition of value in the IoT, one that excludes large swaths of the IoT where value may not be for a particular user but rather companies, cities etc.
Shocking premise, I know. If a relationship with some device or thing offers more pain than the value it provides - whether simplifying existing life experiences or enabling new ones - it's simply not worth it for the user (and so logically, shouldn't be so for device manufacturers either.)
We can dig a bit deeper into both sides of the above equation.
I (and others) find it useful to think in terms of the relationship between a user and some device. Doing so stresses that both are necessary pieces, and it is the lifecycle of the combination of the two that must be managed, ie created, updated, refreshed, and eventually destroyed.
I will argue that some device relationships will inherently provide greater value to a user on each manifestation of that relationship than others. Compare a wristband that can identify and alert a user when a senior has fallen to a toothbrush that tracks your children's brushing metrics. The wristband has only to do its job once to deliver significant value to the user and their family. But of course, a relationship may persist over more than a single interaction. The full value of a relationship is actually a sum over the value of individual interactions for however long the user 'owns' that device
Even if the inherent value of a relationship is small (the toothbrush), if the relationship manifests multiple times (large 'N' in the above), then the total value can be significant. And as stated before, for relationships that have a large inherent value, they need only manifest a signal time in order to create meaningful value.
The right-hand side of the equation can also be deconstructed.
I assert that the pain for a user associated with a relationship is a combination of two factors:
The burden placed on the user in its establishment and ongoing management, ie how much work does the user need to do to enable and maintain the relationship.
The risk (in both the security and privacy sense) of harm to the user should the relationship be compromised.
In words, the total aggregate value of a device relationship must be greater than the sum of the burden and risk associated with that relationship. If the burden (B) is large, then the total value has to be large enough to compensate for that effort on the user's part. Likewise, if there might be real harm (large R) to the user should the relationship be compromised, then there had better be significant value making that risk worthwhile.
I will deconstruct the burden (B) on the user as follows:
The burden of getting the device connected (For devices in the smart home, how are they connected to the home wifi or comparable radio? For wearables, how are they connected from the BLE to the phone?).
The burden of binding the device to an identity, either new or existing
The burden of defining the rules that will govern how the device operates both initially and ongoing. The real potential of a device is in its interactions with other devices. How much work is involved in defining the rules for those?
The Physical Web model is a recognition of the importance of minimizing burden - and what could be more burdensome than installing a new native application for each different device?
And for risk (R), I will contend that there are two mostly orthogonal (often conflated) risks:
The privacy risk to the user should a known actor compromise the relationship
The security risk to the user should an unknown actor compromise the relationship
So combining everything together we get:
Bc = the burden of connecting the device to a network Bi = the burden of creating and/or authenticating an identity into the device platform Br = the burden of defining rules/policy by which the device will operate Rp = the privacy risk associated with the device and associated data Rs = the security risk associated with the device and associated data
Wow, that's one ugly equation. But let's see what it tell us:
The above equation will be different for different users. Some will be comfortable with uncertain privacy, and value itself is, of course, very subjective. I would argue that each and every user, when considering buying some device (and so establishing a relationship with it) implicitly performs the above calculation. They just may come up with different results.
Perceived (and not unjustified) high values for the privacy and security risks speak to the importance of gaining the trust of consumers before they will be willing to fully embrace IoT devices. Every time they hear about a hack or DDoS their sense of security and privacy risks increases.
The above quantifies the need for security and privacy and highlights the consequence should we not achieve both. Without security and privacy, large values for the risks on the right-hand side effectively invalidate any relationships that cannot deliver an equivalently large value on the left side.
Today's device relationships are (at the risk of over generalizing):
Hard to set-up
Require the creation of a new identity
Of uncertain security
With questionable privacy
Consequently, only relationships that can deliver significant value (either inherently or in the aggregate) can exceed the high burden and risk and render the relationship viable. Does being able to monitor the status of your breakfast toast remotely meet this criteria?
A high burden for one relationship may be acceptable if that burden can be amortized over other similar relationships. Only by reducing the burden and risk on the right-hand side of the equation can we make viable those relationships that could create small but still useful value.
We can see the above point graphically by plotting inherent value (from low to high) against the number of interactions (from one to many). Below is a graph with high burden and risk (denoted by the red line) and a correspondingly small set of viable relationships.
Compare the above graph with the graph below that depicts small burden and risk opening up more of the currently unaccessible relationships in the lower left.
So as the burden and risk get smaller, greater numbers of meaningful and valuable relationships become viable.
A Serendipitous IoT Emerges with Zero Burden, Zero Risk What happens when both burden and risk approach zero, and so lower the 'value bar'?
The user performs minimal or no overt actions to enable the establishment of the relationship, ie things just work.
The data created in the context of the relationship is secure from external threats.
The user's preferences for how the above data and other potential PII is used and shared are guaranteed.
I believe that it is only in this theoretical limit of zero burden and risk that we will approach a serendipitous IoT, ie one where IoT value comes to users without users having to actively search it out. In a serendipitous IoT, users don't go out explicitly looking for relationships with devices by purchasing them at Best Buy and bringing them home to be installed, but rather the devices that find the users with the process of establishing the relationship mostly (but likely not completely) invisible to the user. A serendipitous IoT is one where many relationships are ephemeral and short-lived - established in real-time to create some value for the user and then quickly torn down when no longer relevant.
Imagine a car travelling down the freeway that receives an alert about the presence of an accident around the next bend in the road from another car travelling in the opposite direction. A necessarily short-lived interaction.
Imagine making a tight airport connection because your phone's location in the terminal is made available to the airline's gate staff.
But what is required to enable zero burden and risk relationships to support this serendipitous and ephemeral IoT? Perhaps not surprisingly, I believe identity is a fundamental piece - identities of both devices and the users. The framework would include the following criteria:
For devices to negotiate the creation of a relationship on behalf of a user, there must be a way by which they can identify each other and discover the relevant metadata about their functions, their capabilities, and critically, their authentication infrastructures.
In many scenarios, it is neither the device's identity nor the user's identity that is fundamental but rather the combination or relationship between the two.
If the user is not actively and overtly involved in the establishment of the relationship, then how will their preferences over that relationship be guaranteed? Or how will the relevant identity attributes be factored into that relationship? Well, their preferences and authorizations, at least at a high level, must have been captured beforehand, with perhaps only a 'Proceed?' prompt or a subtle vibration of their phone to alert them to a relationship being established/destroyed.
Similarly, with no overt participation in the establishment of a relationship, creating a new identity is not tenable. Necessarily then, an existing identity must be used for the new relationship, with some sort of single sign on (SSO) in place. There will necessarily be a framework of distributed and federated trust to allow an IOT actor to place any confidence in the identity claims presented to them.
Keeping risk low obviously demands effective security - particularly for the authentication and authorization of all actors participating in the relationship. It's hard to imagine that passwords for authentication will serve here. Instead actors will lay claim to identities as expressed in identity tokens, issued and signed by a trusted party.
Even if the risk or privacy risk of a particular device relationship is low (e.g. tooth flossing metrics), if users are not empowered with usable login mechanisms when establishing that relationship, they will likely fall into the understandable but dangerous trap of reusing passwords. Consequently, there is the potential of a domino effect where the compromise of a low-risk relationship can lead to the compromise of a higher-risk relationship,effectively tied together through a shared credential.
A just-in-time and serendipitous IoT will be very different than the reality of today's manually established and configured device interactions with associated burden on the user. In a serendipitous IoT, users will be able to, a priori, define the broad parameters of their preferences and authorizations by which devices, both known and unknown, can interact on their behalf and then sit back and wait. Critically, by putting in place the necessary identity and authorization framework, we will enable an ephemeral IoT as well, one where users can receive meaningful value even from short-lived and one-time relationships.