an ethical principles for ubiquitous communication

8/6/2019 An Ethical Principles for Ubiquitous Communication

1/23

UNU-IISTInternational Institute forSoftware Technology

UNU-IIST Report No. 373 T

An Ethical Principle forUbiquitous Communication

G M Reed and J W Sanders

May 2007


2/23

UNU-IIST and UNU-IIST Reports

UNU-IIST (United Nations University International Institute for Software Technology) is a Research andTraining Centre of the United Nations University (UNU). It is based in Macao, and was founded in1991. It started operations in July 1992. UNU-IIST is jointly funded by the government of Macao andthe governments of the Peoples Republic of China and Portugal through a contribution to the UNUEndowment Fund. As well as providing two-thirds of the endowment fund, the Macao authorities alsosupply UNU-IIST with its office premises and furniture and subsidise fellow accommodation.

The mission of UNU-IIST is to assist developing countries in the application and development of softwaretechnology.

UNU-IIST contributes through its programmatic activities:

1. Advanced development projects, in which software techniques supported by tools are applied,

2. Research projects, in which new techniques for software development are investigated,

3. Curriculum development projects, in which courses of software technology for universities in devel-oping countries are developed,

4. University development projects, which complement the curriculum development projects by aimingto strengthen all aspects of computer science teaching in universities in developing countries,

5. Schools and Courses, which typically teach advanced software development techniques,

6. Events, in which conferences and workshops are organised or supported by UNU-IIST, and

7. Dissemination, in which UNU-IIST regularly distributes to developing countries information oninternational progress of software technology.

Fellows, who are young scientists and engineers from developing countries, are invited to actively partic-ipate in all these projects. By doing the projects they are trained.

At present, the technical focus of UNU-IIST is on formal methods for software development. UNU-IISTis an internationally recognised center in the area of formal methods. However, no software technique is

universally applicable. We are prepared to choose complementary techniques for our projects, if necessary.

UNU-IIST produces a report series. Reports are either Research R , Technical T , Compendia C orAdministrative A . They are records of UNU-IIST activities and research and development achievements.Many of the reports are also published in conference proceedings and journals.

Please write to UNU-IISTat P.O. Box 3058, Macao or visit UNU-IISTs home page: http://www.iist.unu.edu ,if you would like to know more about UNU-IIST and its report series.

G. M. Reed, Director


3/23

UNU-IISTInternational Institute forSoftware Technology

P.O. Box 3058

Macao

An Ethical Principle forUbiquitous Communication

G M Reed and J W Sanders

Abstract

This paper introduces a normative principle for the behaviour of contemporary computing andcommunication systems and considers some of its consequences. The principle, named the prin-ciple of distribution , says that in a distributed multi-agent system control resides as much aspossible with the individuals constituting the system, rather than in centralised agents; andwhen that is infeasible or becomes inappropriate due to environmental changes, control evolves

upwards from the individuals to an appropriate intermediate level rather than being imposedfrom above.The setting for the work is the dynamically changing global space resulting from ubiquitous com-munication. Accordingly the paper begins by determining the characteristics of the distributedmulti-agent space it spans. It then eshes out the principle of distribution, with examples fromdaily life as well as from Computer Science. The case is made for the principle of distributionto work at various levels of abstraction of system behaviour: to inform the high-level discussionthat ought to precede the more low-level concerns of technology, protocols and standardisationbut also to facilitate those lower levels.Of the more substantial applications of the principle of distribution, a technical example con-cerns the design of secure ad hoc networks of mobile devices, achievable without any form of


4/23

4

centralised authentication or identication, but in a solely distributed manner. Here the con-text is how the principle can be used to provide new and provably secure protocols for genuinelyubiquitous communication. A secondmore managerialexample concerns the distributed pro-duction and management of open source software, and a third investigates some pertinent ques-tions involving the dynamic restructing of control in distributed systems, important in times of disaster or malevolence.

Report No. 373, May 2007 UNU-IIST, P.O. Box 3058, Macao


5/23

Mike Reed is the Director of UNU-IIST. He is an Emeritus Fellow of St Edmund Hall, OxfordUniversity, where from 1986 to 2005, he was the General Electric Company Fellow in Computa-tion. His previous experience includes terms as a Senior Research Associate at NASA GoddardSpace Flight Center and the US Naval Research Laboratory, and as a Manager of Postdoc-toral Programs for the US National Science Foundation. He is a former Research Fellow of theAmerican Mathematical Society and former Professor of Mathematics and Computer Scienceat Ohio University, where he was also the Associate Director of the Institute for Medicine andMathematics. On three occasions in the 1970s, he was an Exchange Scholar to Eastern Europe(Poland and Czechoslovakia) for the US National Academy of Sciences. He has been a VisitingProfessor at the University of Maryland, the US Naval Academy, Tulane University, and theUniversity of Paris. He has given over two hundred research presentations at Universities, Re-search laboratories, and International research meetings. In addition, he has been the organizerof several international conferences in both Mathematics and in Computer Science. His currentwork includes the design and analysis of fault-tolerant embedded systems, and automated sup-port for reasoning about computer security. He holds a Doctorate in Pure Mathematics fromAuburn University (USA) and a Doctorate in computation from Oxford University (UK).Jeff Sanders is Senior Research Fellow at UNU-IIST, having recently joined from the Program-ming Research Group at Oxford. His interests lie largely in Formal Methods.

Copyright c 2007 by UNU-IIST


6/23

Contents i

Contents

1 Introduction 1

2 Distributed multi-agent systems 1

3 The principle of distribution 3

4 Discussion and brief examples 5

5 Application of the principle 65.1 Human-centric computing and forward . . . . . . . . . . . . . . . . . . . . . . . 75.2 Open source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85.3 Response to adversity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

6 Conclusions and future research 11

7 Acknowledgements 12

8 Notes 12



7/23


8/23

Introduction 1

1 Introduction

We live in an age in which information and communications technologies span the globe, provid-ing users with mobile and real-time access to information, services and each other. Increasinglythe services offered are becoming not mere luxury but an established part of our everyday lives;a typical example is provided by the growing importance of e-services like e-government. 1 Theresulting structure goes under a multitude of names; 2 here we refer to ubiquitous communication in the comsphere . By using ubiquitous communication we mean to emphasise the importanceof both synchronous and asynchronous communications and the growing mobility of the devices;and by using comsphere (rather than the more accepted cyberspace) we mean to emphasise thedifference that ubiquitous communication brings to the internet: the dynamic recongurabilitynot only of communications but also of actions.

The twin features of globality 3 and mobility provide distinct opportunities, but also revealdistinct difficulties. The former enables a global distribution of resources, but regardless of boundaries and perhaps therefore of propriety; the latter empowers users in remote or transientlocations, but with an increased risk of insecurity. As has been stressed by the InternationalTelecommunication Union at its World Summit on the Information Society [20, 21, 22, 23] meansare needed to increase globality by increasing the penetration of ubiquitous communicationin developing nations whilst simultaneously making the comsphere more secure. In order toaddress those specic points we introduce a normative, or ethical, principle that extends tothe comsphere the style of reasoning by now established in the various elds of applied ethics.But since the principle has application far beyond those specic topics, and for that matter faroutside Computer Science, it is introduced from rst principles in a general setting.

Important features of any principle like that introduced here are its consistency with the standardnormative principles of ethics and the breadth and depth of its applicability. We take care toaddress both points (in Sections 3 and 5, respectively).

In Section 2 we summarise the kind of system that abstracts the important features of thecomsphere: a distributed multi-agent system able dynamically to recongure its actions inresponse to external change. Then, in Section 3, we introduce the general but novel ethicalprinciple, the principle of distribution , in the context of the principles of (standard) Ethics andof applied ethics; discussion of the principle is enhanced by examples from everyday life inSection 4. Section 5 contains a discussion of the principle applied to more dynamic systems andto the two major examples mentioned in the previous paragraphsecurity in the comsphere andmaking software more openly availablein spite of their apparent incompatibility.

2 Distributed multi-agent systems

The kind of system facilitated by ubiquitous communication in particular, and by contempo-rary Information and Communication Technology in general, is composed of (typically many)



9/23


10/23

The principle of distribution 3

member would be gradually marginalised (the most difficult case being the goal keeper, althoughdefenders could to some extent compensate).

We thus see that a major concern with centralised control is its fragility : if a central agentbecomes corrupted or fails then recovery of the entire system may be extremely difficult or evenimpossible. There is also a concern of inefficiency of centralised systems: if each individualin the system has to coordinate its activities with the central agent (as is typically the case)then many communications may be required and bottlenecks may cripple the system. In spiteof those disadvantages, an advantage of centralised systems is that they are often conceptuallysimpler to design and maintain. Recent examples in which distributed control has played anessential r ole are (a) from the East: the use of cellphones in responding to the Tsunami disasterand in organising demonstrations in the face of centralised resistance [44, 38] and (b) from theWest: in Pentagon defense 4 [30].

As seen from the sport example, the centraliseddistributed spectrum is important for quali-fying forms of control in a multi-agent system. Its use was begun by Wiener [43] for controlsystems with only a single agent but it is in the distributed algorithms of Computer Sciencethat it nds its richest expression to date [6, 9]. We highlight the need for further research intosystems able dynamically to recongure themselves, a possibility now offered by the comsphereand required of any system that is expected to respond to environmental changes, whetherroutinely or in adversity. This is the setting in which we present the principle of distribution.

3 The principle of distribution

We subscribe to the view, promoted by Moor [29] two decades ago, that problems in ComputerEthics arise from a policy vacuum concerning the use of new technology and, moreover, that thestandard normative ethical principles are incomplete for reasoning about such problems. Moorexpressed that latter point simply, though without justication ( loc. cit. ):

Applied ethics is not simply ethics applied.

Although that incompleteness has been affirmed many times in the intervening two decades,notably by Johnson [25], and a decade ago named (slightly uniquely) the uniqueness problem by Maner [28], there remain no convincing arguments or accepted examples to substantiate it.

In this section we propose a novel normative principle of applied ethics, here interpreted in therealm of Information Ethics, and argue that since it does not follow from any of the princi-ples of (standard) Ethics, it establishes incompleteness. We take the view that the normativeprinciples of (standard) Ethics have been proposed and developed with the aim of enlighteningthe individual in analysing his or her r ole in an individual-centred ethically-loaded situation. Itis therefore scarcely surprising that for systems in which an individual is merely one of manycomponents bearing ethical responsibility, as in multi-agent systems, such ethical principles are



11/23

4 The principle of distribution

by themselves insufficient. In a (fully) centralised system the central agent is sometimes able toplay the part of the individual and so provide a vehicle for the application of standard Ethics.But otherwise something more than uni-agent Ethics is to be expected in expressing classes (orproperties) of agent-based strategies that achieve the dynamic execution of the system action.The standard view corresponds to normative behaviour of each agent in isolation; the viewproposed here is that more coordinated, system-wide views are required.

The ethical principle of distributed multi-agent systems is not a consequence of the normativeprinciples of (standard) Ethics for precisely that reason: it is not individual-centred. It is,consequently, more involved than the standard principles. That seems to reect the fact thatdistributed systems are comprehensively more complex than centralised systems, in exactly thesame way that societies are comprehensively more complex than individuals.

Principle of distribution: A multi-agent (distributed) system satises the principle of dis-tribution if control for its primary action resides, as much as feasible, with the individual agentsconstituting the system; and if, in dynamically reconguring execution of that action in responseto environmental factors, control arises from its individual agents (rather than being imposedcentrally).

Notice that the principle involves two conditions: the rst is static, pertaining to the systemin its steady state whilst the second is dynamic, pertaining to the system as it responds toexternal inuence.

The usual normative principles from Ethics, which till now have been the only tools available foruse in Information Ethics, include: consequentialism (teleologism); utilitarianism (greatest good;Bentham and Mill); deontologism (duty); virtue ethics (Aristotle); universal law (Kant); con-tractualism (Plato, Hobbes, Rousseau, Rawls, game theory); and particularism (Crisp, Dancey).The principle of distribution relates most closely to utilitarianism and contractualism; the for-mer in so far as it might be used to support the Marxist-Leninist distribution of wealth andcontrol across the population at large instead of investing it in a minority; the latter because of the dynamic nature of the evolution of control arisingin real time and from the bottom upasin game theory with each node performing its local strategy and the system as a whole evolving

as a result.It is important to observe that the principle of distribution is entirely free of anthropomorphicassociation. Whilst the standard normative principles of Ethics depend upon the responsibleagent having free will, and hence being restricted essentially to humans (in fact to adults of sound mind), the the principle of distribution makes no such assumption. It can thus be appliedto systems composed of articial agents [16] or of any combination of articial and sentientagents.

Of course like any normative principle, the principle of distribution seldom holds unequivocallyand, when it does hold that fact seldom provides the whole answer to the matter under analysis.



12/23

Discussion and brief examples 5

It is an ideal situationa guiding principleto be used in conjunction with others in resolvingcomplex issues. It has, as might be expected and as will be substantiated later in the paper,implications for the design of protocols, the management of software development, educationand policy. Let us continue discussion of the principle with the consideration of two brief buttypical examples.

4 Discussion and brief examples

Many families nd themselves confronted with the problem of what access to allow their childrento the web. 6 A centralised or top down solution would involve system-based control (perhaps

at the national level) of undesirable sites. (Here we identify the agents with individual usersof the web, grouped by computers which they use, and we identify the system action as thatof accessing the web.) But one difficulty with that centralised policy is: who has the right tomake a choice for all, particularly in the context of the web (whose design supports democraticaccess)? By comparison the principle of distribution leads us to consider bottom up solutions,empowering individual homes or communities. For instance, each household could lter accessto the web using software chosen and congured by the guardians of the household. 7 (Ideally,free open-source software would be available online.)

The direct empowerment of each user is not feasible in this case since that would be to ignorethe problem. The choice of the family or community as a small group of agents upon which to

impose control reects the natural structure of the system.

It is interesting to compare this example with that of spam . A fully distributed solution results ina system in which each user decides individually what he or she regards as spam by conguring alter program (typically composed of black and white lists of sending addresses). A centralisedsolution results in a system in which email from certain addresses is simply deleted from thesystem. The former solution now turns out naive [23] as it is in practice not strong enough todeal with the massive quantities of spam; whilst the latter solution suffers the same aw as thatof centralised screening of web sites. So in practice an intermediate bipartite design is currentlyadopted: in addition to each user maintaining a lter, certain key servers suppress email fromparticular addresses.

This example demonstrates how in response to an increase in spam the fully distributed,individual-based, design is rened to one that also incorporates partially-centralised control.Both the static and the dynamic conditions of the principle are needed.

The dynamic bottom-up imposition of control takes time and is not appropriate in every sit-uation. Indeed there are some situations in which a distributed solution does not exist. Forexample if each agent behaves deterministically and identically and all agents start in the samestate, then no matter what communications they exchange and what internal decisions theyreach, they will be unable to reach a state in which one of them differs from the others. Thisdemonstrates the need for the qualication feasible in the statement of the principle. As a



13/23

6 Application of the principle

practical example, it is far from clear what is the right level of control at which to control ma-licious minority groups; the obvious solution is highly centralised, but that exhibits the usualproblems involving misuse. It may well be that a hybrid design proves most acceptable. It isinteresting to compare with current practice for neighbourhood security in some western coun-tries, which combines a centralised police force with partially-centralised security services (forbusinesses) and a distributed neighbourhood watch (for individual homes). For such difficultsituations the principle of distribution at least provides a framework and body of concepts tofacilitate discussion.

In view of the proof in the previous paragraph that fully distributed symmetrical deterministicsystems do not exist, it is important as well as interesting to consider how close we can getto constructing such systems. By weakening the hypothesis deterministic in the situation inwhich an average-case bound on system efficiency is acceptable, it suffices to permit each agentthe extra capability of coin tossing (or, equivalently, of random number generation). This is atechnique which can be expected to nd substantial use in the comsphere; it is already usedin computation-intensive simulations. We illustrate with a remarkably successful distributedprotocol from Computer Science: Rabins distributed algorithm for coordinating choice betweentwo alternatives [33] which, without going into details of the protocol, can be appreciated in ourterms like this.

A coach-load of tourists arrives in a new city and is to decide, by the end of the day, at which of two places to meet: inside a certain church or inside a certain hotel. The agents of our systemthus consist of the tourists, and the system action consists of their gathering in a single locationby the end of the day. There is no central agent (like a tour guide) and so the tourists are unableto communicate (centrally) as a group: the tourists function as members of a (fully) distributedmulti-agent system. Rabins algorithm shows that merely with a noticeboard at each locationand a coin (to toss) for each tourist, by alternatively visiting each location and following acertain rule the tourists all end up choosing the same location in, with high probability, a smallnumber of visits. A centralised goal has been reached on the basis of distributed decisions. Thusthe principle of distribution supports the design of realistic, efficient multi-agent protocols.

In part, the richness of the principle of distribution derives from the fact that it may be applied atmany levels of abstraction: one for each level of abstraction at which the system under analysisis considered [15]. If matters of policy are being analysed, a raried level of abstraction will

be chosen in which much of the system detail is abstracted. If matters of system design areunder consideration, a much lower level of abstraction will be chosen, revealing relevant detailsof exactly how the system behaves. The level of abstraction at which the system is consideredand at which the principle is applied are determined by the kind of analysis sought.


In this section we return to the context of the Introduction to illustrate the principle of distribu-tion with two more-substantial examples followed by a third to emphasise the dynamic nature



14/23

Application of the principle 7

of the comsphere.

5.1 Human-centric computing and forward

At present the multifarious applications of ubiquitous communication remain largely untappeddue partly to the increased opportunity that ubiquity in general, and mobility in particular,offer for malevolence. It appears vital that mobile users be able to generate spontaneously asecure network. So for our rst case study we consider the important topic of security in thecomsphere.

We begin by adapting Kizzas denition [26] to incorporate Schneiers point [39] that security isa dynamic process rather than a static product, and interpret security to consist of the processof maintaining:

condentiality : information is available only to those authorised to have it;

integrity : data may be manipulated only by those authorised to do so;

availability : information systems are accessible to all those authorised to access them.

The notion of authorised access underpins each requirement: access is permitted only if authority

has been validated. Thus we concentrate on authorised access: the system under considerationcomprises all users of the comsphere, determined in this case by attribute rather than identity,and the system action consists of authorised access.

Traditionally it has been identities (of either users or devices) that are authenticated. But in thecontext of the comsphere it has been argued by Creese et al. [12, 13] that it is attributes , and notidentities, that must be authorised. Attributes include a devices location, name, manufacturer,internal state, service history and so on. Attributes appropriate to a given situation mustbe authenticated, and must be chosen to provide assurance not only about which devices areinteracting but also about what they can do.

Centralised implementations ensuring authorised access (and hence also the requirements forsecurity) are straightforward and rely on maintaining a central trusted list which is consultedto validate authentication. But in line with the principle of distribution it is preferable to useinstead distributed authorisation (if feasible). This provokes the quest for new protocols; wereport here the recent work of Creese et al , expressed in our context.

Imagine that a group of you, not necessarily previously known to each other, meet (perhapsit is parents night at the local school) and wish to formspontaneously and in real timeanetwork with your wireless PDAs and cellphones. You cannot assume that your devices haveunique identiers or that any such identiers are known in advance; and of course you wishto ensure that the network is established in a distributed manner, contains only those devices



15/23


you want it to contain (those present) and that messages sent between you are secure to thenetwork. You must assume, naturally, that none of you is malevolent. It is perhaps not obviousthat those requirements can be met; but Creese et al. have provided and veried a protocol[10, 11] which meets them. Its verication is achieved by weakening the accepted (Dolev-Yao)model of security to take account of a second kind of channel. The normal insecure channelwith high bandwidth over which it is desired to send data securely is augmented by a second,secure but low bandwidth, channel like that established by empirical engagement (for instancepermitted by physical proximity in the example of the group meeting). The protocol (for whosedetails we refer to [10] and more recently [36] for the extension showing that device identiersare not required) uses the low-bandwidth channel to bootstrap security on the high-bandwidthchannel. In the case of the group meeting that would be achieved by comparing the post-communication values displayed on each others devices which in particular enables participantsto compare the number of devices in communication with the number present in the group (anempirical engagement that is extremely secure) to ensure that only they are included in theirnetwork. The formalism used by Creese et al. for verication of the protocol is that of automatedCommunicating Sequential Processes [37].

That work forms part of the FORWARD programme [17], begun in January 2003 under theUnited Kingdoms Department of Trade and Industrys initiative into Next Wave Technologies .Part of the thrust of that programme has been the use of ubiquitous communication and com-putation to support human-centric goals, like providing information in a form and at a timethat is appropriate to the human user, and exploiting the human users (empirical) senses tocomplement digital bandwidth. We mention this area (of Computer Science) as one in whichfurther work is required.

5.2 Open source

We turn to address the issue of making software available, open source, particularly to devel-oping nations. The productivity and management processes appropriate to such novel modesof production yield unusual consequences for the assurance that open source software meets itsrequirements: it appears to be very difficult to certify such software. We are thus left with adivide between freely-available, recongurable (open source) software that is potentially of huge

benet in developing countries but for which authentication is difficult, and veried authen-ticated (closed source) software that is necessary in a growing number of secure applications.Evidently a balance between both types of software is required. Accordingly, in this section weview software itself in the light of the principle of distribution.

Commercial shrink wrapped software may be seen to be the result of a centralised process:the producer retains all rights and, whilst allowing the user to use the code, does not providedirect access to it. The user is thus completely at a loss to modify the code in any way. Bycomparision, open source software may be seen as the result of a distributed process: it istypically available freely over the web and the user may take a copy to which he or she than hascomplete access. The differences between the two processesthe cathedral versus the bazaar



16/23

Application of the principle 9

have been graphically documented by Raymond: for a graphic exposition of the different businessmodels appropriate to commercial software and open source, see [34]. The resulting differenceis important, because having access to the source enables software to be adapted to its context,for example so that an interface appears with locally-appropriate features (at the very least,linguistic). It also promotes local software productivity and so, eventually, promotes commerce.Perhaps it will one day produce a third-world Bill Gates.

But also of interest to us here is the process underlying open source. In the standard model of software production, software is produced with some (varying, depending on use and style of software) degree of assurance that it meets its requirements. The extreme case is formally spec-ied and veried code (like the protocols reported in the previous section). But of open source,what guarantees are there that a module downloaded from the web meets its requirements; andwhat protection is there against malevolent contributors to an open source project?

One response is to appreciate that a different model is involved. The production of open source,typical of an example of distributed control, is managed dynamically by feedback with somedegree of conformance but also with attrition. Important, kernel, code is checked before releaseby one of a small number of agreed individuals. For less critical software, poor code suffersan evolutionary disadvantage and is gradually superseded. This may seem strange from thetraditional viewpoint based on the concern that even a single bug may lead to program mal-function. The conclusion, however, is simple. Open source and fully authenticated code lie atopposite ends of a spectrum, the whole range of which has a place in the comsphere. Fly-by-wire software, for example, with a huge cost of error, would traditionally be produced by a morecentralised process; uncritical applications software could be open source and so produced by amore distributed process. There remains the difficult issue of how much trust to place in anycopy of a piece of software, whether downloaded or on disk, regardless of the claims that aremade of it; but that is a topic of current research. We highlight the case of open source as beingparticularly important.

At the United Nations Universitys International Institute for Software Technology (UNU-IIST)in Macau, an Open Computing Initiative has recently been launched. The idea is to trainrepresentatives from third-world nations in the development of open source, thereby at onceexpanding the applications available in open source and empowering third world programmers.Together with the fact that Negropontes $100 laptop, 8 set to make a huge impact on the

underdeveloped nations, will contain only open source software, we can expect a swing in theaccepted style of software, from almost entirely centralised, commercial software to a morebalanced hybrid of the two styles.

But the principle of distribution may be used for a deeper analysis of what privacy measuresthe $100 laptop should exhibit. It is quite conceivable that, with ill-chosen software allowingcentralised control, the laptop could become a powerful weapon in the hands of an oppressiveregime or militant splinter group. In line with the principle of distribution one might reasonthat the laptop should have (ignoring economic feasibility) robust encryption built-in perhapsat the hardware level, to ensure secure communication and data storage. It would otherwisebe difficult to avoid misuse and the usual resulting insecurities like eavesdropping, intrusion,



17/23


impersonation, and so on.

It is to be appreciated that many of the existing structures on which ubiquitous communicationis based are already partially centralised. An extreme case is US control of encryption, 9 which isnot easily reconciled with the principle of the principle of distribution. It could be argued, andindeed has been by many, that precisely that conict is a aw in US policy. One response is thatwithout national US control no realistic control is possible. Perhaps, guided by the principle of the principle of distribution, other alternatives can be considered in other countries. For it doesseem that misuse of the centralised platforms implementing ubiquitous communication can beeven more iniquitous, in the presence of the novel functionality of ubiquitous communication,than the more time-honoured misuse of centralised agencies.

5.3 Response to adversity

Most examples considered so far function in their steady state: they continue to behave as theywere originally conceived to do. But the principle of distribution provides important insight intosystems which respond to duress by reconguring their (primary) system action. To return toless technical examples, we reconsider team sports: this time the Tour de France .

The agents are the cyclists and the action in which each agent repeatedly engages is that of cycling, with the aim of achieving the system action of a win (for the team, or individual,

depending on the agent; thus whilst Lance Armstrong and a novice rider both perform the sameactions, their strategies are vastly different).

Before a race begins, each agent performs an entirely autonomous warm up action (ignoringwarm-up by team). At this point the system is behaving in a fully distributed manner, with nocoordination between agents as they cycle to warm up for the event.

For the bulk of each daily race, the cyclists typically act in teams within the peleton . Themechanics of cycling are such that wind resistance (an external inuence on the agents) is of paramount concern, with the result that riders help each other in order to overcome it. Thuswithin a team cyclists take turns to lead, dropping back to benet from slip streaming after

having expended energy in the lead. At this stage, much (but not all) of the control for anagents cycling action resides with the team. It is complicated, in fact, by extra-team individualbehaviour and by the teams or individuals jockeying for position within the peleton. At thispoint the system is behaving in a slightly more centralised manner.

The nal interesting agent behaviour concerns pursuit , when one or more agents leave the peletonto catch the leaders. At this point the cyclists action takes account of the state of the leadersand of his immediate neighbours in pursuit: the action returns to being less centralised, beingcontrolled by fewer other agents.

Thus the different phases in the Tour are helpfully expressed in terms of the degree of distribu-



18/23

Conclusions and future research 11

tion of control with which each agent performs its action. The principle of distribution expressesthe autonomy of each cyclist whilst recognising the infeasibility of each continuing to remainautonomous in the face of external conditions. Consistent with it is the practice of team be-haviour, which provides an intermediate level of control to manage the inherent decentralisationof the system.

More technical examples of systems that respond to duress, and to which the principle of dis-tribution applies, come from Computer Science, Economics, Sociology and Ecology. From theworld around us, any community with ubiquitous communication has the capability to organise,in real time, events that would be impossible to organise without a form of centralised control(which may simply be impractical for geographic, economic or political reasons). The designand study of systems that recongure themselves dynamically is of vital current interest.

6 Conclusions and future research

This paper has presented the principle of distribution to play a part in the resolution of issuesranging from high-level matters of policy, through standards down to implementation concernsof protocol design. It has been presented as a novel principle of Information Ethics (thoughits application is much broader) that is not a consequence of standard Ethics. The examplespresented seem indicate its promise.

By introducing a new name, the comsphere, we have emphasised the important new character-istics of ubiquitous communication, to be exploited if progress is to be made.

The main purpose of this paper has been to introduce the principle of distribution and indicateits use. We have here merely scratched the surface; much work remains. The principle of distribution promises much for the work of the Information Ethics Group [19] one of whosemain interests is the investigation of the ethics of information and the extent to which it isdissociated from homo-centric values.

Important technical work remains in designing security protocols that take into account thevarious characteristics of the comsphere; we have mentioned but one kind of example in Section

5.

Overcoming the digit divide is of global importance. The promotion, particularly in develop-ing countries, of software safeguarded against misuse by militant minorities is key. Here the$100 laptop of Negroponte and its open source code is expected to make a huge contribution.More generally the promulgation of open source is important, including the management of its production, till now largely fully distributed (what are the appropriate partially-centralisedmanagement structures), and some measures and guarantees of its authenticity and conformity.

Perhaps the most exciting topic demanding further work concerns the concepts underpinningsystems that recongure the way they execute actions in response to external inuence. Such



19/23

12 Acknowledgements

study should include a rigorous development of the theory [41] and discovery of appropriatealgorithms.

It will be interesting to see the extent to which the principle of distribution will be useful in thiswork, ranging from the discussion policy to specic matters of system design.

7 Acknowledgements

The principle of distribution was introduced by the present authors as the principle of dis-tributed ethics in [35], written in response to the proposal Ethical strategies for human secu-

rity, by Elisabeth Porter (research director for INCORE, the centre for International ConictResolution, a joint initiative between the United Nations University and the University of Ul-ster), circulated following CONDIR 29, 45 April, 2005, Bonn. The authors are thus grateful toher for the chance to provide an early draft of their views.

They also thank their colleagues Sadie Creese (Systems Assurance Group, QinetiQ, MalvernTechnology Centre, UK) and Scott McNeil (UNU-IIST, Macau) for suggestions made in thewriting of this paper which extends the presentation [14] to the International TelecommunicationUnions World Summit Thematic Meeting on Cybersecurity.

8 Notes

1. See for example the international survey [32]. To quote a specic instance, the aim of the recent u-Japan project is to make 80% of citizens feel comfortable with ICT and toappreciate its role in resolving issues, by the year 2010 [1].

2. By comparison with comsphere, cyberspace is usually interpreted as comprising networked,static, users. It is vital for progress that mobility be acknowledged and catered for, par-ticularly in the context of security. Cell phones provide point-to-point synchronous com-munication either by voice, text or image. Computers and personal digital assistants,

increasingly by wireless link, provide asynchronous access to vast repositories of data aswell as to email. Interactive (digital) televisions (with memory) increasingly resemblenetworked computers. Embedded chips (for example with radio-frequency identication),screens [42], surveillance systems, global-positioning systems, and smart communicatingdevices [18] are changing our work, domestic and even communal environments. Commu-nications are anytime, anywhere, by anything and anyone. Just a few alternative termsfor the activity of computing on the comsphere are:

mobile computing : IEEE Transactions on Mobile Computing , founded 2002;

pervasive computing : IEEE Pervasive Computing: Mobile and Ubiquitous Sys-tems , founded 2002;



20/23

Notes 13

ubiquitous computing : Weiser [42];

personal computing : a term apparently coined by IBM and now interpreted moregenerally to mean individual local access to information facilities;ubiquitous network societies : for the International Telecommunication UnionsWorkshop on Ubiquitous Network Societies, for example, see [3];ubiquitous communication itself, interpreted to describe wearable systems: TheUbiCom project, the Faculty of Information Technology and Systems at the Univer-sity of Delft, led by R. L. Lagendijk.

3. The comsphere is not restricted to just the developed countries. In China, the largestcellphone market in the world, more than a quarter of the population owns a cellphoneand about 100 million text messages are sent daily, although just under a tenth of thepopulation uses the internet [44]. In Singapore 80% of the population has a cellphone; inMalaysia just under half the population does. For comparison, in Australia, for example,more than half the population uses the internet and about three quarters use cell phones[2]; and Japan has moved from its e-Japan project to u-Japan to reect developmentsin ubiquitous communication [1]. The ease of achieving mobile point-to-point connectionis matched only by the empowerment it provides by the applications it nds. Evidentlyubiquitous communication and the comsphere constitute a global phenomenon.

4. For an account of how a genuinely distributed system (investing as much control as possiblein its disributed components) averted disaster when American Airlines ight 77 hit thePentagon on September 11, 2001, see the article [30], which concludes:

. . . the system also remained functional even though a large part of it had beendestroyed. . . . In addition to playing well in large complex systems, they areable to autonomously perform actions that previously required a connection toa central control system.

5. The eld is so young that many of the important textbooks study the topic using theirown notation, which unfortunately makes them relatively inaccessible. For a quite generaltextbook see [9], and for a slightly more representative text see [6].

6. From [27]:

Two-point-ve million use [America Online]. Thats like a city. Parents wouldntlet their kids go wandering in a city of 2.5 million people without them, orwithout knowing what theyre going to be doing.

7. This is an established commercial enterprise. Off-the-shelf programs include CyberSitter,SurfWatch and NetNanny; see [4].

8. See [31]. A similar, but established and successful project, is the Jhai Foundations PCused in particular to provide internet access to villages in Laos without electricity; see [24].

9. See the Communications Assistance for Law Enforcement Act, CALEA, 1994, [8]. Insummary, the US government, with appropriate authority, should be able to



21/23

14 References

intercept all wire and electronic communications originating from or coming to aparticular subscriber;

intercept communications to and from mobile users, for example people using portablephones or portable computers;

obtain call-identifying information, including the phone number from which a calloriginates and the phone number of the destination;

have the intercepted communications and call-identifying information transmitted toa location specied by the government.

References

[1] http://www.nri.co.jp/english/opinion/papers/2003/np200366.html .

[2] http://www.cia.gov/cia/publications/factbook/geos.

[3] http://www.itu.int/ubiquitous .

[4] http://safety.ngfl.gov.uk/?sec=9&cat=99&clear=y .

[5] http://getpopfile.org .

[6] Attiya, H., & Welch, J. (1998). Distributed Computing: Fundamentals, simulations and advanced topics . McGraw Hill.

[7] Baase, S. (1997). A Gift of Fire: Social, Legal and Ethical Issues in Computing . Prentic-Hall International.

[8] http://www.askcalea.net .

[9] Coulouris, G., Dollimore, J., & Kindberg, T. (2001). Distributed Systems: Concepts and Design , third edition. Addison-Wesley.

[10] Creese, S. J., Goldsmith, M. H., Roscoe, A. W., & Zakiuddin, I. (2003). The attacker inubiquitous computing environments: Formalising the threat model. In T. Dimitrakos &F. Martinelli (Eds.) Formal Aspects of Security and Trust , Pisa, Italy, September 2003.IIT-CNR Technical Report.

[11] Creese, S. J., Goldsmith, M. H., Harrison, R., Roscoe, A. W., Whittaker, P., & Zakiuddin,I. (2005). Exploiting empirical engagement in authentication protocol design. In D. Hutter& M. Ullmann (Eds.), Proceedings of the 2nd International Conference on Security in Pervasive Computing (SPC 05) , (pp. 119133). Springer LNCS 3450 .

[12] Creese, S. J., Goldsmith, M. H., Roscoe, A. W., & Zakiuddin, I. (2003). Authentication inpervasive computing. In D. Hutter & M. Ullmann (Eds.), First International Conferenceon Security in Pervasive Computing , Boppard. Springer LNCS.



22/23

References 15

[13] Creese, S. J., Goldsmith, M. H., Roscoe, A. W., & Zakiuddin, I. (2004). Security propertiesand mechanisms in human-centric computing. In P. Robinson, H. Vogt & W. Wagealla(Eds.), Privacy, Security and Trust within the Context of Pervasive Computing , KluwerInternational Series in Engineering and Computer Science. Proceedings of Workshop onSecurity and Privacy in Pervasive Computing, Wien, April 2004.

[14] Creese, S. J., Reed, G. M., Roscoe, A. W., & Sanders, J. W. (2005). Security and trustfor ubiquitous communication. ITU WSIS Thematic Meeting on Cybersecurity, 28 June1July, Geneva. http://www.itu.int/osg/spu/cybersecurity/contributions/UNU-IIST contribution.pdf .

[15] Floridi, L., & Sanders, J. W., (2004). The method of abstraction. In M. Negrotti (Ed.),Yearbook of the Articial. Nature, Culture and Technology. Models in Contemporary Sci-

ences , (pp. 177220). Peter Lang, Bern.[16] Floridi, L., & Sanders, J. W., (2004). On the morality of articial agents. Minds and

Machines , 14 (3):349379.

[17] The FORWARD project; see www.forward-project.org.uk .

[18] Gershenfeld, N. (2000). When Things Start to Think . Owl Books.

[19] Information Ethics Group. Seehttp://web.comlab.ox.ac.uk/oucl/research/areas/ieg/ .

[20] ITU, WSIS Declaration of Principles (2003). Document WSIS-03/GENEVA/DOC/4-E,12 December.

[21] ITU, WSIS Plan of Action (2003). Document WSIS-03/GENEVA/DOC/5-E, 12 Decem-ber.

[22] ITU, WSIS Declaration of Principles (2003). Document WSIS-03/GENEVA/DOC/4-E,12 December.

[23] ITU, WSIS Thematic Meeting on Cybersecurity (2005).http://www.itu.int/osg/spu/cybersecurity/index.phtml .

[24] http://www.jhai.org/jhai remoteIT.htm .

[25] Johnson, D. G. (1994). Computer Ethics , second edition. Prentice-Hall.

[26] Kizza, J. M. (1998). Ethical and Social Issues in the Information Age . Springer Verlag.

[27] Pam McGraw, P. (1995). See http://www.cybertoday.com/v1n4/runaway.html .

[28] Maner, W. (1996). Unique Ethical Problems in Information Technology. In T. W. Bynum& S. Rogerson (Eds.), Global Information Ethics , (pp. 13752). Opragen Publications,(the April 1996 issue of Science and Engineering Ethics ).

[29] Moor, J. H. (1985). What Is Computer Ethics? In T. W. Bynum (Ed.), Computers & Ethics , (pp. 266275). Basil Blackwell.



23/23

16 References

[30] Needleman, R. (2005). Disaster response: distributed building management proves itself under critical circumstances. http://www.microsoft.com/business/executivecircle/content/page.aspx?cID=979&subcatID=1 .

[31] http://laptop.media.mit.edu .

[32] Ojo, A., Janowski, T., & Estevez, E. (2005). Global Survey of e-Government . e-Macautask 2 report, March.

[33] Rabin, M.O. (1982). The choice-coordination problem. Acta Informatica , 17 (2):121134.

[34] Raymond, E. S. (2001). The Cathedral and the Bazaar . OReilly. See in particular thearticle after which the book is titled, pp. 1963, and The magic cauldron, pp. 113166.

[35] Reed, G. M., & Sanders, J. W. (2005). Ethical principles for secure ubiquitous communi-cation. Draft of May 25, UNU/IIST.

[36] Roscoe, A. W. (2005). New protocols for bootstrapping security in ad hoc networks. Draft,November 15. At http://web/comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/113.pdf .

[37] Ryan, P. Y. A., Schneider, S. A., Goldsmith, M. H., Lowe, G., & Roscoe, A. W. (2001). TheModelling and Analysis of Security Protocols: the CSP Approach . Addison-Wesley.

[38] Sang-Hun, C. (2005, 9 May). Article, International Herald Tribune .

[39] Schneier, B. (2000). Secrets and Lies: Digital Security in a Networked World . John Wileyand Sons.

[40] Tavani, H. T. (2004). Ethics and Technology: Ethical Issues in an Age of Information and Communication Technology , John Wiley and Sons.

[41] Turilli, M. (2006). DPhil. thesis, in preparation. Oxford University Computing Laboratory.

[42] Weiser, M., (1993). Hot Topics: Ubiquitous Computing. IEEE Computer .

[43] Wiener, N. (1948). Cybernetics: or Control and Communication in the Animal and theMachine . Technology Press.

[44] Yardley, J. (2005). A Hundred Cellphones Bloom, and Chinese Take to the Streets. Article,April 25, 2005. Available at: http://www.nytimes.com/2005/04/25/international/asia/25china.html?pagewanted=1 .


an ethical principles for ubiquitous communication

Documents