Topic: Data security of smart technologies.
Engineering disciplines: Electronics, Data, Mechatronics.
Ethical issues: Autonomy, Dignity, Privacy, Confidentiality.
Professional situations: Communication, Honesty, Transparency, Informed consent.
Educational level: Intermediate.
Educational aim: Practise ethical analysis. Ethical analysis is a process whereby ethical issues are defined and affected parties and consequences are identified so that relevant moral principles can be applied to a situation in order to determine possible courses of action.
Learning and teaching notes:
This case involves a software engineer who has discovered a potential data breach in a smart home community. The engineer must decide whether or not to report the breach, and then whether to alert and advise the residents. In doing so, considerations of the relevant legal, ethical, and professional responsibilities need to be weighed. The case also addresses communication in cases of uncertainty as well as macro-ethical concerns related to ubiquitous and interconnected digital technology.
This case study addresses two of AHEP 4’s themes: The Engineer and Society (acknowledging that engineering activity can have a significant societal impact) and Engineering Practice (the practical application of engineering concepts, tools and professional skills). To map this case study to AHEP outcomes specific to a programme under these themes, access AHEP 4 here and navigate to pages 30-31 and 35-37.
The dilemma in this case is presented in two parts. If desired, a teacher can use Part one in isolation, but Part two develops and complicates the concepts presented in Part one to provide for additional learning. The case allows teachers the option to stop at multiple points for questions and/or activities as desired
Learners will have the opportunity to:
- analyse the ethical dimensions of an engineering situation
- identify professional responsibilities of engineers in an ethical dilemma
- determine and defend a course of action in response to an ethical dilemma
- practise professional communication
- debate possible solutions to an ethical dilemma.
Teachers will have the opportunity to:
- highlight professional codes of ethics and their relevance to engineering situations
- address approaches to resolve interpersonal and/or professional conflict
- integrate technical content on software and/or cybersecurity
- informally evaluate students’ critical thinking and communication skills.
Learning and teaching resources:
- European Union’s General Data Protection Regulation (GDPR)
- RAEng/Engineering Council Statement of Ethical Principles
- Association for Computing Machinery: Code of Ethics
- The Ada Lovelace Institute: An independent research institute with a mission to ensure data and AI work for people and society
- A road to independent living for the disabled
- Are smart homes too smart?
- Ethical considerations regarding the use of smart home technologies
Smart homes have been called “the road to independent living”. They have the potential to increase the autonomy and safety of older people and people with disabilities. In a smart home, the internet of things (IoT) is coupled with advanced sensors, chatbots and digital assistants. This combination enables residents to be connected with both family members and health and local services, so that if there there are problems, there can be a quick response.
Ferndale is a community of smart homes. It has been developed at considerable cost and investment as a pilot project to demonstrate the potential for better and more affordable care of older people and people with disabilities. The residents have a range of capabilities and all are over the age of 70. Most live alone in their home. Some residents are supported to live independently through: reminders to take their medication; prompts to complete health and fitness exercises; help completing online shopping orders and by detecting falls and trips throughout the house. The continuous assessment of habits, diet and routines allows the technology to build models that may help to predict any future negative health outcomes. These include detecting the onset of dementia or issues related to dietary deficiencies. The functionality of many smart home features depends on a reliable and secure internet connection.
Dilemma – Part one:
You are the software engineer responsible for the integrity of Ferndale’s system. During a routine inspection you discover several indicators suggesting a data breach may have occurred via some of the smart appliances, many of which have cameras and are voice-activated. Through the IoT, these appliances are also connected to Amazon Ring home security products – these ultimately link to Amazon, including supplying financial information and details about purchases.
Optional STOP for questions and activities:
1. Activity: Technical analysis – Before the ethical questions can be considered, the students might consider a number of immediate technical questions that will help inform the discussion on ethical issues. A sample data set or similar technical problem could be used for this analysis. For example:
- Is it possible to ascertain whether a breach has actually happened and data has been accessed?
- What data may have been compromised?
- Is a breach of this kind preventable, and could it be better prevented in the future?
- Has the security been subject to a hack or is the data not secure?
- Has the problem now been rectified, and all data secured?
2. Activity: Identify legal and ethical issues. The students should reflect on what might be the immediate ethical concerns of this situation. This could be done in small groups or a larger classroom discussion.
- Is there a risk that the breach comprised the residents’ personal details, financial information or even allowed remote and secret control of cameras? What else could have been compromised and what are the risks of these compromises? Are certain types of data more risky when breached than others? Why?
- What are the legal implications if there has been a breach? Do you, as a software engineer, have any duty to the residents at this point?
- At the stage where the breach and its potential implications are unknown, should you tell the community and, if so, what should you say? Some residents aren’t always able to understand the technology or how it works, so they may be unlikely to recognise the implications of situations like this. Should you worry that it might cause them distress or create distrust in the integrity of the whole system if the possible data breach is revealed?
- At the stage where the breach and its potential implications are unknown, is there anyone else you should inform? What should you tell them? Are there any risks you may be able to mitigate immediately? How?
- Who owns the data collected on a person living in a smart home? What should happen to it after that person dies?
3. Activity: Determine the wider ethical context. Students should consider what wider moral issues are raised by this situation. This could be done in small groups or a larger classroom discussion.
- When engineered products or systems go wrong, what is our responsibility to tell the people affected?
- What is our right to privacy? Can, or should, it be traded away or sacrificed for another good? Who gets to decide?
- Are smart homes a good thing if their technology is always going to present privacy risks? Should the technology be limited in some way?
- The homes in this case are inhabited by senior citizens with disabilities. Do we owe a different level of care to these people than others? Why? Should engineers working on software for these homes employ a duty of care in a different way than they would in software for homes for young able-bodied professionals? Why? Should a duty of care be delivered by people who have the capacity to care in the emotional sense?
- Should individuals have the ability to determine their own level of risk and choose what functionality to accept based on this risk? Should technology enable these kinds of choices?
- Should engineers be held responsible for unsafe systems? If not, who is responsible?
Dilemma – Part two:
You send an email to Ferndale’s manager about the potential breach, emphasising that the implications are possibly quite serious. She replies immediately, asking that you do not reveal anything to anyone until you are absolutely certain about what has happened. You email back that it may take some time to determine if the software security has been compromised and if so, what the extent of the breach has been. She replies explaining that she doesn’t want to cause a panic if there is nothing to actually worry about and says “What you don’t know won’t hurt you.” How do you respond?
Optional STOP for questions and activities:
1. Discussion: Professional values – What guidance is given by codes of ethics such as the Royal Academy of Engineering/Engineering Council’s Statement of Ethical Principles or the Association for Computing Machinery Code of Ethics?
2. Activity: Map possible courses of action. The students should think about the possible actions they might take. They can be prompted to articulate different approaches that could be adopted, such as the following, but also develop their own alternative responses.
- Do nothing. Tell no one. Try to improve the security to avoid future breaches.
- Shut down the smart home technology until any, and all, risks can be mitigated.
- Explain the situation fully to the residents, detailing subsequent risks for the future and steps they should take to mitigate the risks themselves.
- Offer a partial explanation of the situation, the solutions proposed (or carried out) and reassure them that everything is in order.
3. Activity: Hold a debate on which is the best approach and why. The students should interrogate the pros and cons of each possible course of action including the ethical, technical, and financial implications. They should decide on their own preferred course of action and explain why the balance of pros and cons is preferable to other options.
4. Activity: Role-play a conversation between the engineer and the manager, or a conversation between the engineer and a resident.
5. Discussion: consider the following questions:
- What is the role of robotics and artificial intelligence in caring for people in the future?
- Is there a limit to what data should be shared and is it justified to use other people’s data for profit?
- Could people like Ferndale’s residents be exploited through access to their data? How?
- What more could be achieved through the use of data and connectivity to care for older or ill people, in their homes or hospitals, and what additional safeguards should be put in place?
6. Activity: Change perspectives. Imagine that you are the child of one of Ferndale’s residents and that you get word of the potential data security breach. What would you hope the managers and engineers would do?
7. Activity: Write a proposal on how the system might be improved to stop this happening in the future or to mitigate unavoidable risks. To inform the proposal, the students should also explore the guidance of what might be best practice in this area. For example, in this instance, they may decide on a series of steps.
- Use human care providers to inform and explain to residents (or their families) about digital security.
- Deploy a more rigorous security protocol as well as a programme of regular testing and updates to minimise the risk of the situation occurring again.
- Shut down systems where the risks outweigh the potential benefits.
- Instigate a reporting procedure and a chain of command for decision-making in the future.
Authors: Professor Sarah Hitt SFHEA (NMITE), Professor Raffaella Ocone OBE FREng FRSE (Heriot Watt University), Johnny Rich (Engineering Professors’ Council), Dr Matthew Studley (University of the West of England, Bristol), Dr Nik Whitehead (University of Wales Trinity Saint David), Dr Darian Meacham (Maastricht University), Professor Mike Bramhall (TEDI-London), Isobel Grimley (Engineering Professors’ Council).
This work is licensed under a Creative Commons Attribution-ShareAlike 2.0 Generic License.