Explainable AI and Other Questions Where Provenance Matters

Lindsay Frost
January 10, 2019


On the night of 18th March 2018 a woman walking across a road in Tempe, Arizona, was struck and killed by an autonomous vehicle [1]. On 11th December 2018 Google CEO Sundar Pichai [2] faced questions before the US Congress during a 3-hour public hearing [3] about alleged political bias in filtering of news. In Europe, it is almost certain that in the next few years some major company will be in court facing GDPR fines of 4% of annual global revenues [4] if judged culpable in using personal data outside the agreed context [5]. So be warned: if you are an owner or operator of a decision-making software platform, unclear provenance in decision-making and/or context puts you at risk.

This article briefly explains why you (as a data scientist or a CTO or indeed as a citizen) need to worry about data provenance and metadata and then takes a look at the various kinds of tools available to help reduce the risks and costs.

Firstly, unclear sourcing of data and consequent inaccuracy or misunderstandings already cost billions of dollars … and also lives.

The cost of correcting or “cleaning up” data which has incorrect or misinterpreted provenance, before including it in data warehouses, data lakes, CRM systems, etc., is huge. A blogged guesstimate for the USA in 2011 was $3.1 trillion per year [6] (a catchy number uncritically used without attribution by IBM [7], taken up by Harvard Business Review [8] and mentioned by dozens of others – making it itself an example of poor recording of provenance). Nonetheless, errors and duplicates in e.g. company customer records (CRM) obviously do waste millions of erroneous billings and cause a multiplicity of unsolicited credit-card mailings every year, which you – dear customer – pay for one way or another.

Recent publications guesstimate that simply correcting typos, formatting and misinterpretations, so-called Data Wrangling, continues to consume “half the time of data scientists” [9]. This is sufficient reason to spawn an industry for data clean-up [10] and now also an industry for 'Self-Service Data Preparation' [11] i.e. cloud-services helping data producers to improve the initial labelling (provisioning) of their information with metadata.

But lives are also at risk. For example, when hospital records are entered incorrectly and nothing and no-one (has time to) check the context. The quality (completeness, correctness, concordance, plausibility, and currency) of Electronic Health Records (EHRs) is “often not consistent with research standards” [12]. Pregnancy tests ordered for men? … happens all the time [13]; male patient records with the checkbox “cervical cancer diagnosed” marked?… routinely found! In an analysis [14] of the English National Health Service, the annual 2012 hospital statistics showed approximately 20,000 adults attending paediatric outpatient services, approximately 17,000 males admitted to obstetrical inpatient services, and about 8,000 males admitted to gynaecology inpatient services. Many projects in genome research rely on correlating EHRs with DNA nucleotide sequences to infer drug efficiencies and diagnostics, so not all mistakes are merely amusing. A concerted effort to detect such errors is underway [12].

Other errors arise not in the data but in its interpretation or prioritization, e.g. in the machine learning algorithms which are used to define such things as ranking for job applications, eligibility for personal credit, admissibility for a business visa, decisions during automated-vehicle driving, allocation of hospital emergency response resources during peak periods, traffic planning to reduce air pollution near kindergartens and aged-care centres, etc. etc.

For example, do you feel comfortable knowing that there exists job-applicant screening software, for screening future staff in contact with young children, for which the authors claim that over 19,000 test cases have shown that it “correctly identified 77% of the men and over 72% of the women who posed a sexual risk” [15]? Whatever the methodology, I would like to know how many people were screened out by being “incorrectly identified” and what biases might be inherent to the system?

The various forms of provenance accountability, and methodologies available, can be broadly summarized in the table below (with some recent references as examples):

(with recent references)
‘data provenance accountability’ concerns issues of correct recording of the source(s) of information and such meta-data (context) as the timing, location, procedural history of derived information, declared accuracy, declared producing entity and so on (all of which may need to be collated into a cumulative ‘history’ when the data is processed/aggregated)
  • Ontology Management [16]
  • Provenance Ontology [17]
  • Self-Service Data Preparation [9]
‘data flow accountability’ concerns issues of ensuring that the data is permitted (licensed) to flow through a series of correctly identified processes/systems (this is particularly important for privacy regulations in Europe and elsewhere, which require that personal data is only used for the pre-agreed purpose [4] and that there is a ‘right to erasure’ [19] and a ‘right to object to further processing of personal data' [20])
  • Provenance-aware Software Coding [18]
‘algorithmic accountability’ concerns issues of fairness, transparency, and explainability of decision-making (or filtering or rating) software, particularly regarding machine learning
  • Explainable AI [21]
‘legal non-repudiability’ for some or all of the above information may be required when legal liability is asserted, requiring that the accuracy of appropriate records is trusted by all parties (an area of application for e.g. blockchain distributed ledger technologies)
  • Distributed Ledgers for provenance [22]

Now, imagine you have all of the above sufficiently covered within your domain of interest ... how do you share the provenance and context information with another system? The W3C has developed since around 2010 a body of work (PROV) for modelling and transferring provenance information [17] which google asserts has been referenced over half a million times, not counting references internal to W3C. Various protocol bindings are available.

Meanwhile, from the Internet of Things and Smart City areas of application, attempts are being made to standardise within ETSI an API and a protocol called NGSI-LD [23] which is designed especially for encouraging ontology management, context information management and ultimately data flow accountability across systems, as illustrated in the figure below.

Figure 1: Cross-platform exchange of context and provenance information [23].

Figure 1: Cross-platform exchange of context and provenance information [23].


We are living in the age of Digital Transformation of business and society. The European Union is spending billions attempting to guide and facilitate a “soft landing” into a society which is fair, efficient and empowering of citizens. On the other hand, we are also living in the age of “fake news”.

Proving how you know what you know is becoming mission-critical.


  1. https://www.nytimes.com/interactive/2018/03/20/us/self-driving-uber-pedestrian-killed.html  Published 21st March 2018. See also a 700 page overview sponsored by Daimler and Benz Stiftung: Maurer, Markus, J. Christian Gerdes, Barbara Lenz, and Hermann Winner (eds.), “Autonomous driving: Technical, Legal and Social Aspects”. Published by Springer, Berlin, 2016. Accessed on 8th January 2019 at http://www.oapen.org/download?type=document&docid=1002194#page=81
  2. https://en.wikipedia.org/wiki/Sundar_Pichai
  3. See https://www.youtube.com/watch?v=Ul5fMAG2tk4 (at timemarker 52 minutes)
  4. GDPR General Data Protection Regulation (EU) 2016/679 of 27 April 2016. Correg. 23rd May 2018. Accessed 8th January 2019 at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&from=EN
  5. GDPR Art 5(1)(b).
  6. Tibbetts, Hollis. “$3 Trillion Problem: Three Best Practices for Today's Dirty Data Pandemic”. Published online 20110910 at http://hollistibbetts.sys-con.com/node/1975126 .
  7. https://www.ibmbigdatahub.com/infographic/four-vs-big-data
  8. Redman, Thomas C. “Bad Data Costs the U.S. $3 Trillion Per Year”. Published by Harvard Business Review online 22 September 2016. Accessed on 02 January 2019 at https://hbr.org/2016/09/bad-data-costs-the-u-s-3-trillion-per-year
  9. Hellerstein, Joseph M., Jeffrey Heer, and Sean Kandel. "Self-Service Data Preparation: Research to Practice." IEEE Data Eng. Bull. 41, no. 2 (2018): 23-34. Accessed on 02 January 2019 at http://sites.computer.org/debull/A18june/p23.pdf
  10. Chu, Xu, Ihab F. Ilyas, Sanjay Krishnan, and Jiannan Wang. "Data cleaning: Overview and emerging challenges." In Proceedings of the 2016 International Conference on Management of Data, pp. 2201-2206. ACM, 2016. Accessed on 20190102 at https://www.cs.sfu.ca/~jnwang/papers/sigmod2016-datacleaning-tutorial.pdf; Tang, Nan. "Big RDF data cleaning." In 2015 31st IEEE International Conference on Data Engineering Workshops (ICDEW), pp. 77-79. IEEE, 2015. Accessed 2nd January 2019 at http://da.qcri.org/ntang/pubs/desweb2015.pdf; Tang, Nan. "Big data cleaning." In Asia-Pacific Web Conference, pp. 13-24. Springer, Cham, 2014. Accessed 2nd January 2019 at https://pdfs.semanticscholar.org/cc63/18aed11065cd1b5773f472c38f8feec51702.pdf
  11. Howard, Philip. “Data Preparation (self-service)”. Published online 04 July 2018 at https://www.bloorresearch.com/technology/data-preparation-self-service  Note: twenty major companies are listed. See also Zaidi, Ehtisham, Rita Sallam, Shubhangi Vashisth. “Market Guide for Data Preparation, ID G00315888” Published by Gartner online on 14th December 2017. See https://www.gartner.com/document/3838463
  12. Hersh, William A, et al.. (2013). “Caveats for the use of operational electronic health record data in comparative effectiveness research”. Medical care, 51(8 Suppl 3), S30-7. Accessed on 2nd January 2019 at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3748381/pdf/nihms491343.pdf
  13. Bethel, Dennis (PhD Med.). Published online on 27 March 2016 at https://www.kevinmd.com/blog/2016/03/this-doctor-orders-pregnancy-tests-on-men-youre-probably-doing-it-too.html Note: the doctor complains about software in major hospitals, not a medical malpractice.
  14. Brennan L, Watson M, Klaber R, Charles T. “The importance of knowing context of hospital episode statistics when reconfiguring the NHS”. British Medical Journal. 2012;344:e2432.
  15. Abel, Gene G., Alan Jordan, Nora Harlow, and Yu-Sheng Hsu. "Preventing child sexual abuse: screening for hidden child molesters seeking jobs in organizations that care for children." Sexual Abuse (2018): 1079063218793634, published 16th August 2018”.
  16. Paschke, A., & Schäfermeier, R. (2018). OntoMaven-Maven-Based Ontology Development and Management of Distributed Ontology Repositories. In Synergies Between Knowledge Engineering and Software Engineering (pp. 251-273). Springer, Cham. Accessed on 3rd January 2019 at https://arxiv.org/pdf/1309.7341.pdf but see also the seminal work Noy, Natalya F., and Mark A. Musen. "Ontology versioning in an ontology management framework." IEEE Intelligent Systems 19, no. 4 (2004): 6-13.
  17. Groth, P., Moreau (eds.), L.”PROV-Overview. An Overview of the PROV Family of Documents. W3C Working Group Note”. Published online on 30 April 2013 at  https://www.w3.org/TR/prov-overview  by World Wide Web Consortium
  18. Sáenz-Adán, C., Pérez, B., Huynh, T. D., & Moreau, L. (2018, January). UML2PROV: Automating Provenance Capture in Software Engineering. In International Conference on Current Trends in Theory and Practice of Informatics (pp. 667-681). Accessed on 02 January 2019 at https://nms.kcl.ac.uk/luc.moreau/papers/uml2prov-sofsem18.pdf
  19. GDPR, Art 17.
  20. GDPR, Art 21.
  21. Malone, Brandon, Alberto García-Durán, and Mathias Niepert. "Knowledge Graph Completion to Predict Polypharmacy Side Effects." In International Conference on Data Integration in the Life Sciences, pp. 144-149. Springer, Cham, 2018. Accessed 8th January 2019 at https://arxiv.org/pdf/1810.09227. See also references in the “European Union High-Level Expert Group on Artificial Intelligence Draft Ethics Guidelines for Trustworthy AI”, published 18th December 2018 at https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=56433
  22. Kim, Henry M., and Marek Laskowski. "Toward an ontology‐driven blockchain design for supply‐chain provenance." Intelligent Systems in Accounting, Finance and Management 25, no. 1 (2018): 18-27. Accessed on 3rd January 2019 at https://arxiv.org/ftp/arxiv/papers/1610/1610.02922.pdf
  23. NGSI-LD API “Context Information Management Application Programming Interface (API): For Public Review””. Published at 18th December 2018 at  https://docbox.etsi.org/ISG/CIM/Open/ISG_CIM_NGSI-LD_API_Draft_for_public_review.pdf



lindsay frostLindsay Frost is Chief Standardization Engineer at NEC Laboratories Europe GmbH. He was elected chairman of ETSI ISG CIM in February 2017, elected to the Board of ETSI in November 2017 and is ETSI delegate to the sub-committee of the EC Multi-Stakeholder Platform (Digitizing European Industry) and to the CEN-CENELEC-ETSI Sector Forum on Smart and Sustainable Cities and Communities. He began his career in experimental physics facilities in Australia, Germany and Italy, before joining NEC in 1999 where he has managed R&D teams for 3GPP, WiMAX, fixed-mobile convergence and WLAN. Contact him at Lindsay.Frost@neclab.eu.




Intelligent IoT: Bringing the Power of AI to IoT Deployments

David Schatsky and Sourabh Bumb
January 10, 2019


The Internet of Things (IoT) is getting smarter: companies are incorporating Artificial Intelligence (AI) — in particular, machine learning — into their IoT applications and seeing capabilities grow, including improving operational efficiency and helping avoid unplanned downtime. The key: finding insights in data.

Companies are finding that machine learning can have significant advantages over traditional business intelligence tools for analyzing IoT data. With AI-enabled analytics, businesses across industries can gain benefits from IoT deployments through:

  • Utilizing new types of sensor inputs such as voice or visual, extracting insight from data that used to require human review: for example, a leading conglomerate is leveraging computer vision to analyze data from cameras and infrared detectors to detect cracks and other problems in airplane engine blades [1]. Meanwhile, in healthcare, a hospital is piloting a solution to allow patients to use voice commands to control their environment [2].
  • Generating real-time insights to drive adaptive, optimal responses for dynamic environment: for example, AI-based prediction is helping a leading tech player cut 40 percent of data center cooling costs. The solution, trained on data from sensors in the facility, predicts temperature and pressure over the next hour to guide actions for limiting power consumption [3].
  • Enabling earlier discovery of upcoming challenges: for example, a machine learning-enabled solution used for industrial operations by a machinery and equipment provider could predict pump failures 5 to 6 days in advance, versus a mere 12-hour heads-up by the previous solution, with the same sensor data [4].
  • Facilitating identification of influencers or variables previously not realized: for example, a leading European oil & gas company used machine learning capabilities on top of existing IoT systems to identify key variables affecting their diesel refining process — not only enhancing existing data models, but determining new models. This continues to deliver savings of more than $600,000 per year [5].

Commercial Benefits of AI-Powered IoT

With the above capabilities enabled by AI, its powerful combination with IoT technology is helping companies avoid unplanned downtime, increase operating efficiency, enable new products and services, and enhance risk management.

Avoiding Costly Unplanned Downtime

In a number of sectors, unplanned downtime resulting from equipment breakdown can cause heavy losses. And “predictive maintenance” can greatly help mitigate or reduce such losses.

Because AI technologies — particularly machine learning — can help identify patterns and anomalies and make predictions based on large sets of data, they are proving to be particularly useful in implementing predictive maintenance. Leading South Korean oil refiner, for example, expects to save “billions of won” by using machine learning to predict failure of connected compressors [6].

Increasing Operational Efficiency

Not just avoiding unplanned downtime, AI-powered IoT can also help improve operational efficiency. This is due in part to the power of machine learning to generate fast and precise predictions and deep insights.

In one case, machine learning produced insights that persuaded one shipping fleet operator to take a counter-intuitive action, generating significant savings. Data collected from shipboard sensors was used to identify the correlation between the amount of money spent on cleaning the ships’ hulls and fuel efficiency. The analysis showed that by cleaning their ships hulls twice a year rather than every two years — and thereby quadrupling their cleaning budget — they would end up saving $400,000 due to greater fuel efficiency [7].

Enabling New and Improved Products and Services

IoT technology coupled with AI can form the foundation of improved and eventually entirely new products and services as well. For instance, an automotive manufacturer is looking to machine learning analysis of real-time connected vehicle data to enable a new revenue stream, in-vehicle health diagnostics, and predictive maintenance services. These services are claimed to have helped cut downtime for nearly 300,000 vehicles by up to 40 percent [8].

Enhancing Risk Management

Several applications pairing IoT with AI are helping organizations better understand and predict a variety of risks as well as automate for rapid response, enabling them to better manage worker safety, financial loss, and cyber threats.

For instance, a leading tech equipment provider has piloted the use of machine learning to analyze data from connected wearables to estimate its factory workers’ potentially threatening heat stress accumulated over time [9]. One vehicle insurer is using machine learning analysis of data from connected cars to accurately price its usage-based insurance premiums and thus better manage underwriting risk [10]. And the city of Las Vegas has turned to a machine learning solution, to secure its smart city initiatives, aimed at automatically detecting and responding to threats in real time [11].

Implications for Enterprises

For enterprises across industries, AI has the potential to boost the value created by IoT deployments, enabling better offerings and operations to give a competitive edge in business performance. It may soon become rare to find an IoT implementation that does not make some use of AI. Refer to Deloitte Insights’ piece for detailed analysis of the convergence IoT and AI, and the significant implications the development has for enterprises [12].

Further Readings

  1. https://www.technologyreview.com/s/600986/ai-hits-the-mainstream/
  2. https://www.ibm.com/blogs/internet-of-things/harman-health/
  3. https://deepmind.com/blog/deepmind-ai-reduces-google-data-centre-cooling-bill-40/
  4. http://cdn.osisoft.com/osi/presentations/2016-users-conference-emea-berlin/2016-users-conference-emea-berlin-d2-Industrial-IT-E060-SparkCognition-Flowserve-Gillen-FlowserveSparkCognition-Industrial-Intelligence--Cognitive-Analytics-in-Action.pdf
  5. http://cdn.osisoft.com/osi/presentations/2016-rs-houston-iiot/2016-rs-houston-iiot-040-OSIsoft-Harclerode-The-MOL-Story--A-Journey-with-IIOT-Advanced-Analytics-Big-Data--$1B-EBITDA-enabled-by-the-PI-System.pdf
  6. http://pulsenews.co.kr/view.php?year=2017&no=404314
  7. https://www.forbes.com/sites/bernardmarr/2017/02/07/iot-and-big-data-at-caterpillar-how-predictive-maintenance-saves-millions-of-dollars/2/#6afd7f086f5c
  8. http://www.prnewswire.com/news-releases/navistars-iot-deployment-on-cloudera-wins-tdwi-2017-best-practices-award-300492324.html
  9. http://www.fujitsu.com/global/about/resources/news/press-releases/2017/0712-02.html
  10. https://internetofbusiness.com/10-examples-iot-insurance/
  11. http://www.nextgov.com/cybersecurity/2017/09/how-city-las-vegas-uses-ai-protect-against-hackers/140739/
  12. https://www2.deloitte.com/insights/us/en/focus/signals-for-strategists/intelligent-iot-internet-of-things-artificial-intelligence.html



David SchatskyDavid Schatsky analyzes emerging technology and business trends for Deloitte’s leaders and clients. His recent published works include Signals for Strategists: Sensing Emerging Trends in Business and Technology (Rosetta Books 2015), “Demystifying artificial intelligence: What business leaders need to know about cognitive technologies,” and “Cognitive technologies: The real opportunities for business” (Deloitte Insights 2014-15). Before joining Deloitte, David led two research and advisory firms.


Sourabh BumbSourabh Bumb tracks and analyzes emerging technology and business trends, with a primary focus on the Internet of Things, for Deloitte’s leaders and its clients. He is also involved in assessing and identifying promising startups in various areas including artificial intelligence, blockchain, AR/VR, among others. Prior to Deloitte, Sourabh worked with multiple companies as part of technology and business research teams.



Fostering Authentication and Authorization in the Social IoT through MQTT-Auth

Riccardo Pecori and Luca Veltri
January 10, 2019


The Internet of Things (IoT) is becoming more and more an integrated system of intelligent devices, electrical appliances, personal computers, servers, embedded boards, and so on, endowed with well-defined and standardized communication protocols.

These standard communication paradigms are powerful drivers allowing IoT devices to communicate directly with the external world, as well as to participate in communities of objects, to create groups of interest, and to take collaborative actions with the objective to facilitate service and information discovery for both machines and human beings [1]. These capabilities are driving more and more the IoT towards the so-called “social IoT”, an actual social network of intelligent objects with the establishment of direct relationships across smart devices themselves [2,3]. These relationships can be of various kinds:

  • co-location, between objects used always in the same place;
  • co-working, between object collaborating to provide a common application;
  • same ownership of the objects;
  • membership of the same production batch,

and can be used to establish direct machine-to-machine interactions, consume services from other devices, advertise services and use offered resources to realize complex services in favor of human beings [4].

On the other hand, this growing consciousness and awareness of the smart objects should be carefully monitored since the security of their services, or of the data they manage, is an everlasting issue. In fact, in the last years, large Distributed Denial of Service (DDoS) attacks took place, with unprecedented volumes of data used to knock-down various Internet services directly or indirectly connected to IoT devices. A well-known example is the Mirai malware, specifically designed to attack and hijack IoT devices and to transform them into bots, afterward exploitable to carry out coordinated attacks [5].

MQTT (Message Queue Telemetry Transport) [6] is a lightweight publish-subscribe messaging protocol, which is rapidly becoming a de facto standard for many IoT communications. It is mainly designed for Machine-to-Machine (M2M) communications, even if it is employed also by the popular Facebook Messenger, due to its very low computation load, particularly appropriate for resource-constrained environments. MQTT works well also in not reliable scenarios, i.e., with limited bandwidth and high latency, since it can guarantee the delivery of messages to all subscribers. Its inherent simplicity, support for QoS, lack of complex management and flexible payload format make it suitable for every IoT and social IoT scenario.

Unfortunately, MQTT specification does not include any security-related mechanism, apart from an optional authentication by means of username and password. This security lack, if not filled during the deployment by means of ad-hoc mechanisms (e.g., establishing IPSec VPNs or TLS connections), may lead to some system vulnerabilities. For this reason, proper security solutions for MQTT are expected in order to guarantee an adequate level of security in terms of authentication, authorization, and confidentiality.

Authentication and Authorization for MQTT

MQTT-TLS profile of ACE (Authentication and Authorization for Constrained Environments) [7] is a recent Internet draft trying to set up a standard for endowing MQTT with authentication and authorization capabilities. However, it is based on an Authorization Server for communicating the tokens to the broker and to the clients (either publishers or subscribers); moreover, it relies upon TLS for guaranteeing confidentiality, possibly adding implementation complexity.

When considering a more decentralized and distributed scenario, like the one of the social IoT, a lightweight solution, called MQTT-Auth, has been recently proposed [8] [9].

MQTT-Auth exploits the AugPAKE algorithm [10] for guaranteeing confidentiality. It also uses two novel tokens, one to authenticate the creation and the publishing on a certain topic at the broker side, and a second one to authorize access to a specific topic on the part of other, trusted, subscribers. These tokens can be also applied to a hierarchy of topics by means of wildcards, i.e., symbols replacing explicit topics.

The usage of the tokens is transparent on the point of view of the broker, which is unaware, in advance, of the legitimate topics and subscribers. The broker has only to create an AuthenticationTopic and a temporary topic, named after the ClientID, to allow for the AugPAKE message exchange.
The authorization token, needed to access data coming from the publishers on a particular topic, is transferred to the legitimate subscribers through a secure side channel. This side channel, in the proposed versions of MQTT-Auth, is a direct visual channel in which the authorization token is displayed, for example, in the form of a QR code.

MQTT-Auth requires very few modifications, with respect to standard MQTT, since it permits to directly encapsulate AugPAKE messages, as well as the novel tokens, directly in the fields of standard MQTT messages.

MQTT Authentication and Authorization in the Social IoT

One key point in MQTT-Auth is the possibility to exchange a piece of information (the Auth2 token), through a secondary secure channel. In the original proposal, only a visual means like a readable token or QR code are indicated as examples.

However, in case of social IoT, other mechanisms can be successfully used as a secure side channel, in particular exploiting the social relations amongst participants. On the other hand, social IoT scenarios, where devices have to communicate trustworthily with each other, in an ecosystem where there is the chance that no human interactions take place, may benefit from an authorization mechanism like MQTT-Auth.

The foreseen advantages of combining the two systems could be summarized as follows:

  • Automated and distributed confidentiality and authorization capabilities: smart objects can socially interact with each other leveraging on MQTT-Auth to exchange securely data across themselves. The confidentiality of the transmitted data is guaranteed by the encryption with the secret key defined through the AugPAKE procedure, while the guarantee that only certain authorized devices can access the data, or part of the data of a hierarchy of topics, is ensured by the usage of the authorization token.
  • Automated and distributed authenticity of the data: thanks to the authentication token, social smart object interacting by means of MQTT-Auth could be sure that only legitimate devices produced the consumed data or services.
  • Exploitation of trusted social relationships: some of the aforementioned social relationships among smart objects could be effectively used to transfer MQTT-Auth authorization token from a publishing device to any, trusted, potential subscribing objects. For instance:
    • devices produced in the same batch could have a pre-shared secret key used to communicate securely the authorization token;
    • co-located devices could use short-range technologies (i.e., NFC or VLC) to exchange securely the authorization token authorization token;
    • co-working objects may exploit other, already existing, secure communication channels to exchange the authorization token.

Figure 1: MQTT-Auth in a social IoT environment.

Figure 1: MQTT-Auth in a social IoT environment.

Figure 1 shows a social IoT scenario, where publishing and subscribing smart objects exploit social IoT relationships for setting up a secure side channel used to exchange the MQTT-Auth authorization token.

Despite the aforementioned benefits and advantages, some challenges are still to be resolved to deploy effectively MQTT-Auth for a social IoT scenario. First, the discovery and choice of the most suitable social relationship to exploit for transmitting the authorization token. This and the degree of trustworthiness of the relationships may change over time causing possible periods of out-of-service in case the trust of certain devices towards other companions decreases under a certain critical threshold. Second, the possible need of multiple brokers in order for the social smart objects to compose a complex service. There is the possibility to federate brokers in MQTT specifications, but the application of MQTT-Auth to bridging or clustering techniques, involving many brokers, has not yet been studied or analyzed, to the best of our knowledge. Third, smart social objects have to be endowed with hardware capable of performing in a lightweight way, the operations involved in all MQTT-Auth phases, i.e., the creation of the shared secret key through the AugPAKE procedure, and authenticated encryption with AES and at least a 256-bit key.


The authors want to thank Prof. Massimo Vecchio for the fruitful insights regarding the security in MQTT, Mr. Marco Calabretta for developing the running code of MQTT-Auth and Mr. Giovanni Perrone for the help in enlightening some useful details of MQTT standard.


  1. B. H. Phuc, P. Van Quang, N. Q. Linh, and P. Van Huong, "Dynamic Threading to Improve Embedded Software Performance in IoT Devices Using MQTT Protocol," 2018 International Conference on Advanced Technologies for Communications (ATC), Ho Chi Minh City, Vietnam, 2018, pp. 321-325.
  2. Luigi Atzori, Antonio Iera, Giacomo Morabito, “Understanding the Internet of Things: definition, potentials, and societal role of a fast evolving paradigm”, Ad Hoc Networks, Volume 56, pp. 122-140, 2017.
  3. L. Atzori et al., "Social-IoT Enabled Identifier/Locator Splitting: Concept, Architecture, and Performance Evaluation," 2018 IEEE International Conference on Communications (ICC), Kansas City, MO, 2018, pp. 1-6.
  4. R. Pecori, “Internet of Things toward Social IoT”, keynote speech at the special session on Communications, Security and Data Analysis in the Social Internet of Things, ISWCS 2017, Bologna, Italy.
  5. Perrone G., Vecchio M., Pecori R. and Giaffreda R., “The Day After Mirai: A Survey on MQTT Security Solutions After the Largest Cyber-attack Carried Out through an Army of IoT Devices,” in Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS 2017.
  6. MQTT Version 5.0 specifications. Available at: http://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html. Accessed: January, 2018.
  7. MQTT-TLS profile of ACE, IETF Internet draft, available at https://tools.ietf.org/html/draft-sengul-ace-mqtt-tls-profile-03, October 2018.
  8. M. Calabretta, R. Pecori and L. Veltri, "A Token-based Protocol for Securing MQTT Communications," 2018 26th International Conference on Software, Telecommunications and Computer Networks (SoftCOM), Split, Croatia, 2018, pp. 1-6.
  9. M. Calabretta, R. Pecori, M. Vecchio, L. Veltri, "MQTT-Auth: a Token-based Solution to Endow MQTT with Authentication and Authorization Capabilities", Journal of Communications Software and Systems. Volume 14, issue 4, pp. 320-331, 2018.
  10. S. H. Shin and K. Kobara, “Efcient Augmented Password-Only Authentication and Key Exchange for IKEv2,” IETF RFC 6628, Experimental, June 2012. Available at https://tools.ietf.org/rfc/rfc6628.txt



Riccardo PecoriRiccardo Pecori got his Ph.D. in Information Technology from the University of Parma in 2011. He has been Adjunct Professor of various courses regarding telecommunication networks, informatics, didactics of telecommunications, cybersecurity for both University of Parma and eCampus University. Since 2015 he has been Assistant Professor of Computer Science at eCampus University teaching Computer Security, Network Security, and the Internet of Things. He is editor of “Future Generation Computer Systems” and has been TPC member of various conferences about computer science and telecommunications, organizing also a special session on “Social Internet of Things” at ISWCS 2017. His research interests regard network security, security in the Internet of Things, educational and social Big Data analysis.


Luca VeltriLuca Veltri is an assistant professor at the Department of Engineering and Architecture of the University of Parma, teaching classes on Communication Networks, and Network Security. From 1999 to 2002, before joining the University of Parma, he has been with CoRiTeL, a research consortium founded by Ericsson Telecomunicazioni, where he led different research projects in networking and multimedia communications. He participated also in several research projects funded by the European Union, by the European Space Agency, and by the Italian Ministry of University and Research. His current research interests include Internet of Things, Software-Defined Networking, and Network Security. He is a co-author of more than 70 papers on international conferences and journals.



How IoT Technology Transforms Fleet Operations

Ekim Saribardak
January 10, 2019


The first commercial transistor radio went on sale in 1954 and it was considered a huge milestone in technology for its small size and portability. Decades later, we are at another milestone in technology; Internet of Things which has taken the world by storm with its connectivity and advanced capabilities making ordinary objects and machines “smart”.

IoT’s journey began with RFID chips helping to advance manufacturing process and then followed by the consumer IoT applications with homes started seeing a huge level of automation with air conditions, lights and coffee machines self-operating according to our needs and choices. Naturally, this level convenience brought along a wave of innovations where every tool or device can be connected with each other and controlled over the Internet remotely.

The business world immediately recognized the potential benefits of the IoT technology and how it could restructure their business operations. With superior connectivity and continuous data flow as well as the ability to control and monitor their assets over the Internet, fleet operators gained access to a cutting-edge tool that will help them run their operations seamlessly. Fleet management systems have been a groundbreaking development for the fleet industry from day one. With the advanced network of IoT and sophisticated cloud-based tracking software, field operators keep track of fleet productivity and gain valuable insight into the condition of their vehicles and goods.

Figure 1: Internet of Things (IoT).

Figure 1: Internet of Things (IoT).

Other industries have a lot to learn from the fleet industry in leveraging the benefits of IoT. Owners of fleet businesses have to allocate a vast amount of resources, time and money effectively to meet the customer demand and operate at the optimum performance levels. IoT systems help businesses to manage their resources more efficiently to increase overall productivity and lower operational costs with improved visibility and access to vital information on-demand.

Telematics devices are the main source for gathering information on a fleet of vehicles. GPRS and GSM technologies used to be the preferred methods of communication for vehicle tracking devices and similar tracking systems for transmitting vast amounts of GPS, vehicle and driver data. However, these communication methods caused delays and problems as they were not a reliable way to convey data but IoT technologies reshaped the way how fleet businesses transfer and store information. With the advancement of the Internet technology itself and the rapid progress of IoT devices, telematics systems can easily obtain and analyze a plethora of information with the help of onboard telematics devices and cloud-based tracking software.

There are many aspects to a fleet operation and to thrive in a market as competitive as the fleet industry, field operators need accurate, real-time data to maximize the efficiency of their vehicles and drivers. By connecting a vehicle fleet over the cloud, managers can utilize a number of tools such as reports, trip log, driver behavior analysis, geofence zones, sensors and event alerts. These intelligent tools help the daily struggles of a fleet business from reducing the maintenance costs to keeping comprehensive mileage logs for the mileage tax deduction. Let’s take a look at some of these features and how IoT helps enhance the capabilities of the telematics systems.

Figure 2: Mileage Tax Deduction for Fleet Businesses.

Figure 2: Mileage Tax Deduction for Fleet Businesses.

Companies with a vehicle fleet have a lot of expenses to cover and few ways to lower their costs. However, there is a reliable way for a fleet company to reduce their yearly tax payments; mileage tax deduction and all the HMRC requires from companies are accurate mileage records as a proof for their business trips. The HMRC compensates companies for a portion of their operating expenses such as fuel, depreciation, maintenance costs, insurance payments, and registration fees. The gimmick for benefiting from this service to the full extent is to present HMRC with proper mileage logs of every single business trip taken by the company vehicles. It is an extremely challenging task to gather the data for each journey and determine whether it is a business trip or a personal one but with the help IoT technology and trip log, business managers can easily distinguish between business and personal trips. Telematics devices send the necessary data to the tracking platform to keep individual logs of every delivery, dropoff or a client meeting down to the last detail such as total mileage, the date of the trip, purpose of the business trip and destination. IoT devices and the trip log prove to be a perfect combination to provide HMRC with immaculate mileage records and take advantage of the tax reimbursements.

Figure 3: Fleet Management Software 2019.

Figure 3: Fleet Management Software 2019.

Cargo security is a major issue for all businesses with a vehicle fleet that manufacture and transport goods. Thieves have always been a problem for fleet companies but it is an even bigger issue for manufacturing companies since they are a priority target for the adept criminals. While field managers are wary of the constant threat of theft, experienced thieves always look for opportunities for a quick buck which makes their work harder. A truck full of merchandise is an alluring prospect for criminals and if the vehicle doesn’t have proper security measures in place, it may as well have a bullseye painted on its back. Over the last years, IoT technology and fleet management systems have significantly improved the security aspect of fleet operations. Combined with the support of GPS location technology and sensors on board, IoT-enabled devices offer a set of features to ensure the safety of the cargo onboard the vehicle. From motion sensor to tampering alarm to geofence alerts, fleet managers gain access to a range of powerful security measures. The ability to monitor the location of a company vehicle as well as having multiple active event alerts will make sure no thief will be able to lay a hand on a single piece of cargo without triggering multiple alerts.

Running any business is a tedious task and it requires a lot of work hours but running a fleet business is an even more challenging task with more complex systems. The reporting capabilities of telematics systems provide business managers with a wide range of prominent tools to streamline their operations. Fully customizable reports allow managers to analyze routes, driver behavior, mileage, and fuel usage and provide valuable insight for fleet managers to make necessary changes throughout the fleet. From speed violations to causes of excess fuel consumption, business owners and operators can use these reports for guidance that can impact the decision-making process. This task requires a large amount of information and often in real-time to be accurate and effective and the whole process heavily relies on IoT technology. Telematics devices capture relevant data and quickly report to the cloud-based tracking server using the connectivity of the IoT technology. With 24/7 access to the essential fleet data, it's easy to keep track of assets and generate comprehensive diagnostic reports.

IoT and telematics technologies are becoming prevalent among fleet businesses for all the right reasons. Companies with a vehicle fleet are always on the lookout for ways to increase productivity, reduce operating costs and become more profitable. IoT technology presents fleet businesses with an array of tools to enhance overall operations. IoT plays a critical role in keeping the costs down and improving the connectivity of a vehicle fleet, that is why it is vital for companies to keep up with the times and take advantage of the sophisticated IoT systems.

Image Credits: Shutterstock


  1. https://en.wikipedia.org/wiki/Global_Positioning_System
  2. https://www.rewiresecurity.co.uk/blog/future-of-gps-and-global-positioning-locating
  3. https://www.telegraph.co.uk/business/business-reporter/telematics-fleet-management/
  4. https://www.geospatialworld.net/blogs/iot-applications-for-businesses/https://www.geospatialworld.net/blogs/iot-applications-for-businesses/
  5. https://www.rfidjournal.com/articles/view?18021/
  6. https://iotbusinessnews.com/2018/12/28/48744-how-to-tackle-logistics-and-cargo-security-issues-with-iot-and-telematics-systems/
  7. https://www.edn.com/electronics-blogs/edn-moments/4400387/First-commercial-transistor-radio-goes-on-sale--November-1--1954-



Ekim SaribardakEkim Saribardak is a highly motivated IT professional who possesses a never-ending love and passion for web application and software projects. He is experienced with technical knowledge in all areas of telecommunications, GPS technology, web applications, digital marketing and product management, with an aptitude for problem-solving and decision-making with the ability to influence others in complex and pressurized circumstances. He has been a technology geek since 1990, starting from the moment he first had his hands on a computer. Since then, he has been researching and studying anything related to computers, fascinated with the way computers are changing everyday life. He has worked in both hardware and software fields for different businesses for over two decades.