The talk he explores models and technical architectures for a new generation of data marketplace for Personal Data from Things (PDT). In this model, brokered data exchanges that occur on the network are tracked without the need for a trusted authority, namely using (a) blockchain technology to record data exchange transactions, and (b) smart contracts that operate on the blockchain, to enforce agreements between data producers and consumers. In this vision, smart contracts can also be used for dispute resolution, in combination with reputation management mechanisms, to provide incentives for fair behaviour by participants. Simple data tracking of brokered exchanges is a natural precursor to recording the full provenance of data further down the value chain, i.e., through value-adding aggregators and services. As provenance arguably adds value to information, the project will also study mechanisms for observing and recording complex transformations over data streams.

1. P.Missier2017
SystemsResearchChallenges
Towards an authority-free marketplace for
personal IoT data (Personal Data from Things)
Paolo Missier
Jan 16th, 2017
Systems Research Challenges in the Internet of
Things Workshop
Ack: Dr. Michele Nati, DE Catapult

2. P.Missier2017
SystemsResearchChallenges
2
About a year ago,
in a fancy Northumberland country house, ...

3. P.Missier2017
SystemsResearchChallenges
3
IoT ∩ People  Personal Data from Things (PDT)
IoT vision: personal devices will make our lives better
They often also produce data that is also personal
As per the Data Protection Act 1998
• Are people aware of the trade-offs between privacy and benefits?
1. Ownership:
• What is “my” data? Who else has access to it? To what extent?
2. Awareness of third party use of personal data:
• Who has been doing what with my data?
3. Control.
• How much control can I have on the data that devices produce on my behalf?
Ownership + awareness + control  Trust

4. P.Missier2017
SystemsResearchChallenges
5
Activity detection pattern
Accelerometry data
Indoor location data
Activity
Detection
Accelerometry data
Indoor location data
Activity
Detection
Aggregate
Analytics
03 January 2016 10:16

5. P.Missier2017
SystemsResearchChallenges
6
Moving forward: brokered Personal Data exchanges
Working assumption: Personal data are assets with a value
fitness / health monitoring, energy metering, …
PDT: Control  trading
Primary
producers
(wearables…)
Value Added Services /
aggregators
Topics (minimal
data semantics)
What would an infrastructure for a PDT marketplace look like?
Sensor data streams,
batched into windows

6. P.Missier2017
SystemsResearchChallenges
7
Baseline (personal) data marketplace scenario
1-hop Contract model between Primary producers PP and Primary
Consumers PC:
Each topic has an associated unit value: T  val(T)
For each batch of N messages from PPi, to PCj about Tk:
(PPi, PCj, Tk, N)  PCj owes (N . val(Tk)) coins to PPi

7. P.Missier2017
SystemsResearchChallenges
8
Raw message logging, baseline

8. P.Missier2017
SystemsResearchChallenges
9
Count cubes from messages, 1-hop

9. P.Missier2017
SystemsResearchChallenges
10
Using count cubes to enforce contracts

10. P.Missier2017
SystemsResearchChallenges
11
Baseline scenario, realisation – broker-based tracking

11. P.Missier2017
SystemsResearchChallenges
12
Baseline scenario, realization - unilateral tracking

12. P.Missier2017
SystemsResearchChallenges
13
Moving forward
Two directions for a more interesting marketplace:
1. Fully decentralised / unilateral message tracking without trusted authority
2. Multi-hop contracts:
Primary Consumer PC-VAS  [resell]  Secondary Consumer SC-VAS  …

13. P.Missier2017
SystemsResearchChallenges
14
Decentralising and removing trust

14. P.Missier2017
SystemsResearchChallenges
15
What does the authority do?
1. Control the Tracker DB
1. Prevent fraud:
• Producers have an incentive to over-claim data production
• VAS have an incentive to deny receiving some of the data
• (Data ownership / data theft / Replay attack)
• A third party will have an interest in claiming ownership of messages sent by
others
• For instance, by copying data (possibly encrypted) and replaying it on the
channel, publishing it as its own

15. P.Missier2017
SystemsResearchChallenges
16

16. P.Missier2017
SystemsResearchChallenges
17

17. P.Missier2017
SystemsResearchChallenges
18
Approach
Blockchain + smart contracts technology, used to:
1. Associate identity to marketplace participants
2. Agree on contract specification
3. Settlement of contractual disputes given unilaterally generated
count cubes
Concrete prototyping [in progress]: the Ethereum platform
“A blockchain is a globally shared, transactional database”

18. P.Missier2017
SystemsResearchChallenges
19
Basic BitCoin protocol(*)
(*) Source:
A Next-Generation Smart Contract and Decentralized Application Platform
https://github.com/ethereum/wiki/wiki/White-Paper
State S: {<owner, balance>}
Transactions transfer ownership of (unspent) coins
APPLY(S,TX)  S' or ERROR
APPLY({ Alice: $50, Bob: $50 },"send $20 from Alice to Bob") =
{ Alice: $30, Bob: $70 }

19. P.Missier2017
SystemsResearchChallenges
20
Ethereum transactions and smart contracts
external
accounts are
asset owners
contract accounts
also contain:
• contract code
• storage
BitCoin Transactions:
{ <owner, balance> } —> { <owner’, balance’> }
TX-eth: Transactions become messages
Messages carry arbitrary data
APPLY(S,TX-eth):
run the code associated with the destination (contract) account

20. P.Missier2017
SystemsResearchChallenges
21
Smart contracts in the Ethereum Virtual Machine
http://solidity.readthedocs.io/en/develop/index.html
runtime environment
for smart contracts in
Ethereum

21. P.Missier2017
SystemsResearchChallenges
22
Contracts for device registration / identity management

22. P.Missier2017
SystemsResearchChallenges
23
Contracts for formalising agreements between parties
Note: this sets the list of topics st(PC) to which each PC subscribes

23. P.Missier2017
SystemsResearchChallenges
24
Contracts used for reputation management

24. P.Missier2017
SystemsResearchChallenges
25
Using smart contracts for unilateral reporting verification
Given N PP, M PC,
and R topics T1, T2, …, TR:
Each PPi and each PCj all report their unilateral count cubes for each window w
They all agree on the time interval that defines W (magic, to be dealt with later)
1) No trouble: 1. All PPi and / all PCj report independently and accurately
2. Some do not report, but reports are accurate
2) Trouble: 1. The reports from PPi and PCj do not “add up”
2. The reports do not sync on time / windows
Scenarios:

25. P.Missier2017
SystemsResearchChallenges
26
Publishers transactions
CCs(w,i,k) = ni,k count of messages sent by PPi during w about Tk
Fragment of counts cube viewed by PPi:
This is one row of sender matrix SMw for w:
SMw[i,k] = CCs(w,i,k)

26. P.Missier2017
SystemsResearchChallenges
27
Publishers transactions
Each of these fragments is sent to the Reconciliation Smart Contract as a
Ethereum blockchain transaction:
- The contract receives N messages associated with w
- For each PCj, the contract has access to the set of topics it subscribes to:
Credit PCj  PPi:

27. P.Missier2017
SystemsResearchChallenges
28
Subscribers transactions
Fragment of counts cube viewed by PCj:
-- note: include senders as an extra dimension
Credit PCj  PPi:

28. P.Missier2017
SystemsResearchChallenges
29
Reports propagation
Settlements are straightforward when reports are partial but accurate
Matrices SM, RM, are two views of the same data exchanges:
C1. For each PPi and topic Tk:
SMw(i,k) = RMw(j,i,k) for each j:1..M such that Tk ∈ st(PCj)
C2. for i:1..N:
RMw(j,i,k) = SMw(i,k)
Q. Which subsets of reports are sufficient to complete the matrices?

29. P.Missier2017
SystemsResearchChallenges
30
Fraud detection
Incentives to behave unfairly:
• Can fraudulent reporting be always detected?
• Can responsibility for the fraudulent reporting be ascribed to one or
more specific participants?
• Publishers: over-report
• Subscribers: under-report
1. Detection:
SMw(i,k) > RMw(j,i,k) for some j (1)
2. Ascribing responsibility:
Case 1: PC fraud
Case 2: PP fraud

30. P.Missier2017
SystemsResearchChallenges
31
Fraud detection – initial thoughts on responsibilities
Case 1: PC fraud
It follows from C1, C2 (above) that:
If Tk ∈ PCj ∩ PCj then RMw(j,i,k) = RMw(j’,i,k) for i:1..N
let j’ such that Tk ∈ PCj ∩ PCj:
Suppose SMw(i,k) = RMw(j’,i,k)
This suggests that (1) may be due to PCj under-reporting on Tk, and
PPi reporting correctly
- The more topics the PCs share, the stronger the evidence...
Case 2: PP fraud
Suppose RMw(j,i,k) = RMw(j’,i,k) for all Tk
This suggests that PPi has over-reported
(1) SMw(i,k) > RMw(j,i,k)

31. P.Missier2017
SystemsResearchChallenges
32
The last slide
Some novel uses for blockchain (amongst many others)
https://solarcoin.org
http://www.electricchain.org
http://www.mediachain.io/
https://www.coalaip.org
…
Personal data in the IoT space:
Mashhadi, Afra, Fahim Kawsar, and Utku Gunay Acer. “Human Data Interaction in IoT:
The Ownership Aspect.” In Internet of Things (WF-IoT), 2014 IEEE World Forum on,
159–162, 2014.
Vescovi, Michele, Corrado Moiso, Fabrizio Antonelli, Mattia Pasolli, and Christos
Perentis. “Building an Eco-System of Trusted Services through User Transparency,
Control and Awareness on Personal Data Privacy.” In Procs. W3C Workshop on
Privacy and User–Centric Controls. Berlin, Germany, 2014.
Multi-hop contracts and transitive credit management:
Missier, Paolo. “Data Trajectories: Tracking Reuse of Published Data for Transitive
Credit Attribution.” International Journal of Digital Curation 11, no. 1 (2016): 1–16.
doi:doi:10.2218/ijdc.v11i1.425.