Possession and Identity in the Internet of Things

I’ve been around technology for a long time. No, I won’t tell you how long, but trust me, it’s long enough to have seen the gradual move of computing devices from no-user to multi-user to single-user models.

In the old days, we just fired up the old Apple ][e and there was no notion of identity. Early PC-based computing followed that same model, until the notion of a family computer entered the vernacular and multi-user systems were born. To each was given a username and password, along with a profile. Slowly but surely we’ve been moving toward the notion of a single-user system. Combining the desire for credentialed access with the notion of a one-user systems, tablets and phones are now exhibit A in this era of computing.

As many parents find, however, this model is frustrating. Consider the case of young Alfie, “an 11-year-old boy from the UK” who “unintentionally racked up almost $7,500 (£6,000) in online game purchases after accessing his parents’ iTunes account, BBC reports. Roy Dodson had previously linked his account to his credit card which allowed his son Alfie to buy over 50 in-app purchases. “The first time he spent £700 in less than five minutes, then £1,100 in half an hour and it just racked up and racked up..”

Now, if you’re a parent with children growing up in this digital economy, you may have experienced this yourselves. I know I have, when our 4-year old did the same (to the tune of far less, thank God). Parental controls exist, of course, and many of us no doubt learned about them out of necessity.

At the root of this (apparently growing) issue, is the single-user model of computing. Some devices are beginning to enable multi-user support. Android has supported multi-users for some time, though it was initially troublesome (and difficult) to configure. Apple introduced multi-user support for iPads in iOS 9.03, but did so only for K-12 educational uses. It specifically excluded “everyday, normal users” from this support. It continues to support only targeted markets like education for multi-users, enforcing its one device-one user model for everyone else. In the view of these devices, possession is identity. Or vice-versa, at least. If you’re holding it, you are the identity associated with that device. Period. 

This will be increasingly problematic in the age of things. Things are registered to an owner, usually via an e-mail address, and subscription services are paid (automatically of course) via an associated credit-card. They follow the single-user mode of computing made popular by other pseudo-things* like phones and tablets.

But those things – like the thermostat or refrigerator or automated home lighting system – are not likely to leave when their owner sells the house and moves elsewhere. Now, certainly we already deal with things like utilities that must be disconnected and reconnected in the new owner’s name, but multiply that by the number of things installed in a home that will require a “change of hands” in the future.

And what if you forget? What’s the plan, here? Is it like Alfie racking up thousands of pounds in credit card debt? Will the new owners be liable for the charges if I prove they took possession of the home before they were incurred? If I have access to the end of the month because that’s the subscription model, can I legitimately turn their AC down to 50 as a prank? Stop their dishwasher half way through the cycle? Order them a hundred turnip twaddlers with that Amazon Dash button affixed to the pantry?

Does my house need its own credentials to which more permanent “things” are attached? Credentials I have to turn over like the keys to the house when we move? Do some things need a token-model instead? A token that’s tied to the thing no matter where it is or who owns it, that can be treated like the keys to the front door? Or are we leaning toward two-factor authentication for things “installed” in a house, to prevent any tom-foolery by departing owners and provide for an easier – and more trustworthy – transition?

Perhaps surprisingly, I don’t have an answer (yet). But it’s an issue that seems important to raise now, while most organizations are just dabbling in things and how they might fit in their business model, because it will need an answer. And it’s going to need an answer sooner rather than later. 

That answer isn’t likely to be based on the existing single-user model of authentication and authorization we use for apps. Because one day Alfie is going to grow up, and sell you a house filled with things…

* Yes, pseudo-things. Phones and tablets were backfilled into the “thing” category when it got to be its own Trend. Much like SaaS suddenly became cloud.