Introduction

Ambient Intelligence (AmI) and Ubiquitous Computing refer to information and communication technologies (ICT) that become integrated into everyday objects. They enable an unforeseeable number of useful applications, but also pose ethical and legal concerns. Ambient intelligence can make information and communication technology invisible and uncontrollable. Various information about an individual person and her behaviour can be collected without the person even noticing it. The technology should be safe and secure, and human values such as privacy, self-control, and trust should not be violated by the technology or the applications. These issues are frequently raised as ethical concerns of ambient intelligence (Bohn et al. 2005; Kosta et al. 2008; Rotter 2008). Ethical issues are not just related to individual applications. They may also require solutions at the level of infrastructure design, as Wasieleski and Gal-Or (2008) point out when discussing privacy issues related to RFID (Radio Frequency Identification) tags.

Ethical issues arising out of ICT can relate to privacy and data protection, but they can also concern issues of the nature of work, relationships between individuals or organisations, perceptions of humans and others, while research on ICT can have human research ethics ramifications.

In addition to general ethics research, there are lots of studies on ethical issues related to ICT, and how the ethical values should be considered in designing computerized systems. van den Hoven (2007), for example, presents an approach to software engineering and systems development, which is referred to as “value sensitive design”. It studies the ways in which our accepted moral values can be operationalised and incorporated in ICT design. Introna (2007) has proposed disclosive ethics as a way to make the morality of technology visible.

In addition, there have recently been studies that focus specifically on the ethical issues of Ambient Intelligence. Most notably, Bohn et al. (2005) have published a widely cited framework of social challenges and implications. They discuss privacy issues especially in relation to personal privacy, surveillance, as well as searching and combining data. In addition to privacy concerns, they list the following topics:

  • Reliability, including manageability, predictability, and dependability.

  • Delegation of control, including content control, system control, and accountability.

  • Social compatibility, including transparency, knowledge sustainability, fairness, and universal access.

  • Acceptance, including feasibility and credibility, artefact autonomy, impact on health and environment, and the relationship between man and the world.

Dr. Duquenoy, who also participated in the MINAmI Ethical Advisory Board, has gathered from other fields a list of ethical principles that are applicable also to the information society (Harris et al. 2008). These are:

  (i) Respect for persons, which allows for the concept of autonomy, and the ability to make choices, and acknowledges personal dignity. It includes all groups (in particular vulnerable groups), and includes the right to ‘informed consent’.

  (ii) Beneficence that captures the notion of protecting the participant, and in particular the notion that such protection is more important than the pursuit of new knowledge; the benefit to science that will result from the research; personal or professional research interest.

  (iii) Justice that encapsulates equal distribution of risk and benefit, and the special protection of vulnerable groups (Duquenoy 2007a).

From the medical sector, she also borrows the fourth principle: non-malfeasance, do no harm (Duquenoy 2007b).

According to Duquenoy (2007a), the ethical values of individuals in society are transferred to the digital domain, and in that sense a new notion of ‘ethics’ is not required or appropriate. However, in the process of transfer the ethical space or ethical environment is changed to the extent that the practice of ethics is mediated by the technology and policy.

According to Niiniluoto (1991), “relativization is an essential or uneliminable aspect of moral judgements.” Thus ethical values in this context are relational (Airaksinen 2003; Niiniluoto 1991, 1994). One should carefully consider the culture and the values that the users actually have before applying certain ethical principles. When our results are applied to more specific cases, especially outside Europe, one should adapt the results to those users and their values.

The ethical-legal analysis described in this paper was carried out in connection with the development of a new mobile phone based architecture for ambient intelligence applications. The development work has been carried out in the frame of an EC-funded research project, MINAmI. The ambient intelligence vision of the project refers to an ambient intelligence environment, where the user has her personal mobile device as a medium of communication. The user can interact with everyday objects and surroundings and get information and services from and related to her local environment. To fulfil the vision, the project is designing and implementing a mobile architecture, including a personal mobile phone with access to wireless sensors and memory tags. The architecture facilitates many different applications that utilise embedded data or sensor measurements from the environment or the user herself.

In parallel with the technical development of the mobile architecture and the wireless sensors and tags, usage possibilities for the mobile architecture as well as user acceptance of those usages have been studied. The aim has been to recognise usage and application requirements and to analyse their implications for the technical development of both the mobile terminal and the components (Kaasinen et al. 2006a). A central part of the work has been ethical assessment of the usage possibilities. The aim has been to ensure that the mobile architecture to be developed will support, encourage and even force ethically sustainable applications. Ethical principles tend to be easily acceptable but not so easy to concretise and adapt to the design. Our aim is to define ethical guidelines that would be concrete enough to be easy to understand and easy to follow by service designers and application developers. As we have been working with the ethical guidelines parallel to the architecture design, we aim to have the guidelines ready before commercial application developments start.

In this paper we will first present the MINAmI project, its vision, and the technologies to be developed for the realisation of the vision. In section Ethical-Legal Assessment Process we describe the ethical-legal assessment process. Section MINAmI Scenarios and Legal-Ethical Assessment contains the MINAmI scenarios along with an ethical-legal analysis, and in section Towards Ethical Guidelines we will summarise crucial elements for drafting useful and successful Ethical Guidelines for ambient intelligent applications.

Mobile-Centric Ambient Intelligence

The Micro-Nano integrated platform for transverse Ambient Intelligence applications (MINAmI) is an EU FP6 IST integrated project with the strategic objective to create micro- and nano-technology based sub systems, as well as a mobile platform to facilitate different ambient intelligence applications. The MINAmI project aims at accelerating the adoption of Ambient Intelligence applications that will be used in the everyday life of the user. MINAmI carries on the work done in the MIMOSA project (http://www.mimosa-fp6.com), which focused on building an open technology platform for mobile-centric ambient intelligence applications (Kaasinen et al. 2006a). MINAmI continues MIMOSA work by enriching the MIMOSA platform with additional technologies enabling more functionalities in the applications that are provided to the user on her personal mobile phone.

The MINAmI vision is based on a mobile-centric approach to ambient intelligence. In this vision, as shown in Fig. 1, personal mobile devices act as the principal gateways to ambient intelligence. Mobile devices provide trusted intelligent user interfaces and wireless gateways to sensors, networks of sensors, local networks and the Internet. The MINAmI vision applies a human-centred design approach in the infrastructures, such as the platform, tags and common usage patterns. This design approach makes it possible to influence basic design decisions that may have effects on user acceptance and ethical issues regarding all the applications that will use the MINAmI ambient intelligence infrastructure (Kaasinen et al. 2006a). The MINAmI project is developing enabling technologies and solutions that can be used by a wide selection of applications in different fields.

Fig. 1 The MINAmI vision

Table 1 gives an overview of the technical components to be developed in the MINAmI project to enable the realisation of its vision.

Table 1 Components that enable the MINAmI vision

In the MINAmI vision, the user’s interaction with the ambient intelligence system takes place wirelessly and locally. The user can communicate with the surrounding environment by wirelessly reading tags and sensors embedded in everyday objects and the environment itself. Alternatively, sensor measurements can be collected and processed automatically by relevant applications on the mobile device. The mobile device can connect to the internet and further transmit the received information to the designated entities, a functionality which is of great importance, as will be further demonstrated in the analysis of the MINAmI scenarios under section MINAmI Scenarios and Legal-Ethical Assessment. The information, applications or services provided by the system are read or activated by touching or scanning tags and sensors with the mobile device, providing natural interaction methods to the user.

The personal mobile terminal, in the form of a mobile phone, a PDA or other, is a trusted device for personal information on the user, providing facilities to ensure that the user has control of various actions. This constitutes a good basis for ethically acceptable solutions, as will be further elaborated. However, already in the predecessor project, MIMOSA, several ethical issues related to the applications enabled by the mobile infrastructure were identified (Kaasinen et al. 2006a). They highlight user requirements of awareness, control, and feedback of data stored in or mediated via the personal mobile device. There were concerns that personal information on the user may be maliciously used to threaten the user’s privacy or security. When things happen effortlessly, e.g. simply by touching or just being close to the tag, keeping the user informed becomes extremely important (Kaasinen et al. 2006a). We address these issues in more detail in the ethical-legal analysis of the MINAmI scenarios in section MINAmI Scenarios and Legal-Ethical Assessment.

Ethical-Legal Assessment Process

Ethical issues related to the forthcoming applications and the platform itself are studied in the MINAmI project in a dedicated work package. The MINAmI project has built on the ethical considerations recognised in the MIMOSA project, but external experts have also been called to assist the project researchers. For ethical assessment, the project has nominated an Ethical Advisory Board that consists of eleven external experts representing different fields of ethics (Niemelä 2006). Ethical assessment has also been included in the user and expert evaluation activities in the project. The results presented in this paper are based on cooperation between members of the Ethical Advisory Board and researchers of the project (Carrol 1995; Kaasinen et al. 2006b).

The aim of the MINAmI ethical assessment work is to create, parallel to the architectural solutions and demonstration applications, ethical guidelines that would guide forthcoming application developers and platform implementers into ethically sustainable solutions. These guidelines shall be concrete enough to be easy to understand and easy to follow by service designers and application developers. This paper describes the results of the early ethical assessment of the MINAmI scenarios, on which the ethical guidelines will be built.

MINAmI Scenarios and Legal-Ethical Assessment

Scenario-based design is an iterative approach to system design that relies on user interaction scenarios, or narratives, as the source of guidance for design requirements (Kosta and Dumortier 2008). These narratives describe how an archetypal person (with a set of goals, behaviours, and knowledge) would carry out a series of interactions with a system. Usually scenario-based design is related to the development of an individual system or application. In our case we chose to use scenarios to illustrate the wide variety of different applications that the mobile architecture would facilitate.

The MINAmI project focuses on the most promising application fields recognised based on the results of the earlier MIMOSA project: healthcare, assistive technology, homecare, and everyday life in general. The scenario work in MINAmI has been initiated by the companies who have proposed applications that they would like to develop on the mobile platform. The MINAmI scenarios thus represent product ideas that will later be developed into concrete demonstrators. Even if the number of scenarios is limited, the scenarios represent the key application features that the mobile architecture will facilitate.

We present five MINAmI scenarios that demonstrate innovative ambient intelligence solutions based on MINAmI technologies. The narratives below are slightly shortened versions of the original MINAmI scenarios presented in project deliverable D1.1 (Lorenzo and Antolin 2006). The scenarios are accompanied with the main findings of the results of the ethical-legal analysis carried out by the Ethical Advisory Board of the project. The last section of this chapter is dedicated to some general legal remarks, which apply to all scenarios.

The MINAmI demonstrator scenarios entail the processing of personal data, in most cases data of the users of the MINAmI-enabled mobile device. It is very interesting to notice that some of the scenarios reveal a lot of information about the health and medical condition of individuals. As the processing of personal data plays a prominent role in the scenarios, the legal analysis will focus on the data protection legislation and mainly the European one, as MINAmI is an EU FP6 funded project.

Movie Trailer Downloading from a Memory Tag

This scenario presents the basic interaction and technology concept in mobile-centred AmI: a memory tag, from which data can be downloaded to a mobile phone by simply taking the phone to the proximity of the tag.

Scenario 1

Memory Downloading from a Passive Device: 25-year-old Mary is relaxing on her sofa, reading a magazine on the latest movies from Hollywood. After spotting an advertisement in the magazine, she touches the page and a movie trailer, along with additional info on how to book tickets, is downloaded to her mobile. After pressing the start button the trailer is played on the mobile. The trailer ends giving Mary the possibility to order tickets for the specific movie she showed interest in.

Ethical-Legal Analysis

The main issues raised in this scenario relate to privacy and data protection, as well as to the user’s autonomy and the ‘design for all’ principle.

User autonomy is considered to be threatened when the system can send spam information to the user’s mobile phone (e.g., if the reading takes place automatically at a distance close enough to a tag), or if the system allows involuntary or accidental buying of products. Furthermore, tags can contain malware, trojans, viruses, and tracking software. To prevent these problems, an “opt-in” solution should be promoted in the sense that the user must actively request the service. Explicit confirmation shall always be asked in order to prevent accidental purchase of products, and all the provisions of the eCommerce Directive shall be respected. The eCommerce Directive foresees that specific information needs to be given to the buyer before making her purchase (such as the name of the service provider, the geographic address at which the service provider is established, the details of the service provider, including his e-mail address, etc.) and contains detailed provisions regulating the liability of the service providers. Such “opt-in” solutions to some extent also protect from malware, although people tend to activate them in any case. Closely related to user autonomy is the issue of trust in the service that is offered and its provider.

The user trusts the device for a multitude of leisure activities that seem pretty harmless to her privacy. However, the user’s privacy can be at stake and shall be protected if collecting information on the user is possible, for instance through further functions such as the ticket service, and if others can easily gain access to the device and the downloaded material. The scenario, however, gives us no information about the technical functions of the specific application. In case the information about Mary’s preferences is not anonymised, significant profiling issues can arise, preparing the ground for the deployment of targeted advertising and discrimination practices. In order to optimise the protection of user privacy, there should be security protocols in place, and encryption of data should be offered.

The application excludes the disabled if the content is provided only in one format. Therefore, the content should be offered in multiple formats, and “design for all” approach should be used in implementing the applications.

Monitoring Drug Taking

This scenario is one of the three homecare scenarios of MINAmI. It presents a mobile phone enabled way for a physician to remotely monitor his patient’s drug taking between consultations. A crucial technology here is a pillbox that counts its openings.

Scenario 2

Patient Follow-up: A doctor, who is not sure if the patient takes his medication correctly, provides him with an electronic pill box and informs him how to use it via his own mobile phone. The patient uses his mobile phone to transmit dosing history data at intervals, so that they reach the doctor prior to the scheduled visits. In this way the key data on the patient’s medication intake is available to the doctor even between the visits. The patient has the opportunity to see the information about the quality of medication intakes in graphical or textual form on the display of his mobile phone. These results are generated locally by the application running on the mobile phone. When the patient deems it necessary, he can enter some additional information, which helps the doctor to better understand and analyse the transferred compliance data. Using this application the crucial information related to the medication intakes of the patient is available to the doctor, even when the patient fails to attend a scheduled visit. The management system analyses the patient’s dosing history, compares it to the prescription and generates a report which is automatically forwarded to the doctor, who can then decide upon the treatment of the patient.

Scenario 3

Hazardous Dosing Errors: For some types of medicine it is very critical to take them at the intervals predefined by the doctor, while others can be skipped one or more times without consequences for the medical treatment. The pill box records its openings and constantly analyses the sequence of openings, making computations based on its own algorithm. It detects if the patient has made a hazardous dosing error, based on information specific to that medication. The hazard usually starts to increase when the interval since the last-taken dose passes a certain medication-specific magnitude. At this point the system sends via the mobile phone information related to the patient identifier, the scheduled intakes and the interval since the last-taken dose to a computer-based management system, and triggers a series of pre-arranged alerts to be sent to the patient.

Ethical-Legal Analysis

The ethical issues in this scenario relate to the reliability of the system (both technical and functional), protection of data, and autonomy of the patient.

Functional reliability is doubted since opening the pill box and even taking pills out of the box does not imply taking the pills themselves. Technical reliability of the system or mobile network may be a problem. The system can crash or be affected by bugs; mobile phones and networks do not always function as expected and furthermore mobile phones can be lost. The proposed solution to the reliability challenges is that the medication personnel should not overly rely on the data transmitted by the pillbox for controlling the taking of the medication, but there should also be in-person checks of the patient. This solution however may lead to another problem: who checks the data? The resources of physicians and medical centres are usually limited, thus if the amount of data is increased, there is a risk of leaving this function to the system or to a subordinate. This further raises questions on responsibility if something goes wrong.

Patient autonomy is seen to be at risk with regard to the voluntariness of the patient to reveal the dosing data. Especially if the application functions on an “opt-out” basis, in the sense that using the application takes place by default but the patient can deny using it, the autonomy of the patient may be at stake. The physician shall provide explicit information to the patient before the latter is asked to use the pillbox and shall respect the objection of the patient to use it. The patient autonomy also relates to the choice of taking the medication, i.e. whether it is the choice of the patient or the physician to decide if the pills should be taken. Arguably the application may reduce the patient’s self-determination as the patient needs to explicitly “opt-out”, if he decides not to take the medicine. It shall be safeguarded that the data are only gathered to databases with adequate security measures in place and with privacy protection. In this way the patient will be less reluctant to agree to the collection of his dosing habits.

The protection of data is an issue that involves the processing of personal data, and in this scenario involves also the processing of sensitive health data. This scenario reveals a lot of information about the medication of the patient and its dosing. Bearing in mind that such information concerns the health life of the patient, it has to be handled with extra care. Such data, i.e. data concerning health life, are considered by the European data protection legislation as belonging to a special category of data, commonly known as “sensitive data” (Art. 8(1) Data Protection Directive). The processing of such data is prohibited, unless the patient has given their explicit consent (in some Member States, e.g. in Belgium, the law demands not only the explicit but the written consent of the patient). Processing can also be allowed when it is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent (Art. 8(2)(c) Data Protection Directive).

Moreover the Directive provides for another exception, when “processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy” (emphasis added) (Art. 8(3) Data Protection Directive). Therefore it is important to identify who is involved in the processing of data and who has access to databases of Electronic Health Records. The Article 29 Working Party (2007) has published an Opinion on Electronic Health Records, where it analyses the conditions under which the aforementioned exception shall apply. In the MINAmI demonstrator scenarios it is important to point out that all medical information is directly transferred to the physician of the patient, without the interference of any third, possibly technical, staff.

Furthermore, the patients need to be informed in a clear and comprehensive manner about the persons that can have access to and use their data, the reasons for this, as well as about their rights to request the rectification of incorrect information or to object to any further use of it (The Article 29 Working Party 2007).

It shall be further noted that the liability can be strict, if an unauthorised person gains access to sensitive data, i.e. the controller will be responsible for the damage and loss caused by the disclosure of sensitive data regardless of culpability. Therefore, the controller should carefully secure all the sensitive data and its transmissions (Kosta and Dumortier 2008).

Monitoring Sleep Quality

This scenario is another of the MINAmI homecare scenarios. The patient, suffering from sleeping problems, is able to do the necessary sleep monitoring at home instead of staying nights at a hospital. The scenario is technically founded by connecting the mobile phone to an ultra-light EEG (electroencephalography) logger to be handled by the user herself.

Scenario 4

EEG Logging with Video-Conferencing and Remote Monitoring Application: Eliza, a senior citizen, lives alone in her apartment, which is equipped with a healthcare application that provides video conferencing and remote monitoring of vital signs. In her communication with her physician, she complains about having sleep problems and therefore the physician decides that he needs to know more about the way Eliza actually sleeps.

During her next visit to Eliza, the home-care nurse gives her a “Sleep Quality Logger”, and advises Eliza to wear it on the forehead during the night and take it off in the morning. The nurse also programmes the logger to send the electro-encephalography (EEG) data collected by the “Sleep Quality Logger” to the healthcare application. Eliza follows the instructions and collects EEG and acceleration data with the logger over night.

At the time specified by the nurse, Eliza receives an incoming call in her healthcare application from her physician, who requests Eliza to place the logger on a dedicated reader/charger in order to transfer the data collected during the night to the healthcare centre. Data read-out is an “on-line” procedure that shall not take a significant time of the appointment. The healthcare application carries out this communication assuring the privacy and data protection required by this type of sensitive data. While the data transfer is in progress, the physician asks Eliza routine questions. In the physician’s office, the “Sleep Quality Analyser” processes the collected data into legible information for the physician regarding the patient’s sleep quality. This information is displayed on the physician’s healthcare application.

In the next virtual appointment with her physician, Eliza is informed that indeed she does not have a normal sleep rhythm, not managing to reach the deepest levels of sleep. As the physician has on-line access to Eliza’s vital sign parameter trend files, as well as to her medical history file, and is equipped with all the test results, he prescribes a customised treatment for Eliza.

Scenario 5

EEG Logging—A Mobile-Centric Approach: Tom, a hard working young man, visits the health care centre at his work place, due to the fact that he has been feeling awfully tired lately. The physician cannot come to any conclusions or recommendations without knowledge of Tom’s sleep quality. After taking blood samples from Tom, the nurse gives him a “Sleep Quality Logger” and advises him to wear the device during the night.

Tom follows the instructions and collects EEG and acceleration data via the logger over night. He then uses his MINAmI-enabled mobile phone to wirelessly read out the data captured by the logger. The Analyser detects that during the night the contacts became loose and the data quality does not allow any conclusions. The system automatically sends a message to Tom’s mobile phone, advising him to repeat the measurement the following night, giving him additional instructions on how to avoid the technical problem this time.

Ethical-Legal Analysis

Overlapping with the previous analysis, the ethical issues of this scenario relate to technical and functional reliability of the system and protection of data. Patient autonomy however was not seen to be at risk.

Functional reliability of the EEG logger suffers from the possibility of misapplying the device, which may result in a mistaken diagnosis by the physician. Correct usage should be ensured and in unsure cases, the patient should be called in.

Privacy and data security are seen as a potential problem area in the scenario even though it was specifically pointed out that this was taken care of. The analysis of the previous scenario “Monitoring drug taking” in relation to the protection of data and the modalities regarding the processing of sensitive health data applies to this scenario as well.

Similarly to the analysis of the Smart pillbox, the transfer of data is seen as a potential problem. The main concern however is the use of the data, in the long term in particular. There should be clear policies on how and for what purposes the data is stored and for how long.

Other raised issues relate to the necessity of the EEG logger. The device should supply relevant and necessary information in order to avoid unneeded tests. Furthermore, the equipment should be as unobtrusive as possible and avoid long term usage in home environment if possible—the living environment should not be “laboratorized”.

Ambient Sensors for Friendly Home Applications

This scenario is the last of the three homecare scenarios, with the least emphasis on healthcare but rather aiming to improve the security of the home environment e.g., for the elderly living alone. The enabling technologies are different sensors (vision sensors and accelerometers). The role of the mobile phone is to mediate information about the events at home.

Scenario 6

Mrs. Bates is a 73-year-old lady, who lives on her own with her cat, named Norman. One evening she walks downstairs to the basement of her house to check if the garage door is locked. The staircase lights up automatically when she walks down: falling down may happen so quickly. Mrs. Bates goes to her living-room and sits down comfortably in her armchair, ready to watch a movie on TV. As there have been several burglaries in the neighbourhood, she uses her “friendly-home remote control”® to turn on the anti-intrusion alarm system in the basement.

The movie is now beginning. When the suspense reaches its peak, Mrs. Bates’ mobile phone rings and indicates that a pet was detected in the basement. She remembers that Norman followed her when she went downstairs a while ago—and she returns there to let the cat in. Mrs. Bates can now enjoy the end of the movie with Norman, happily purring on her lap, but she falls asleep.

Not long after, a burglar breaks into the basement through the back door, which is not protected. The friendly-home system detects the intruder and activates the siren with a pre-alarm ringing. Having heard this unexpected noise, the burglar runs away. Mrs. Bates wakes up with a start, rushes up and trips over Norman. She falls down heavily and cannot rise to her feet again.

Fortunately, the vision sensor analyses the event and detects an emergency. The friendly-home system quickly sends a message to a remote home care monitoring service, which organises an intervention at Mrs. Bates’ house as quickly as possible. It just took a few days before Mrs. Bates got over this accident and resumed a normal life.

Ethical-Legal Analysis

The scenario raised ethical concerns in relation to privacy and user autonomy. The analysis pointed out severe surveillance risks.

The scenario presents the vision sensor as a very positive application. Notwithstanding its undoubted contribution to the rescuing of Mrs. Bates, it shall be highlighted that the scenario raises severe surveillance issues. While the usefulness of a system detecting movement in the basement of the house or even the injury of Mrs. Bates goes beyond question, the system should only be limited to intrusion detection and not to actual identification of the moving object/subject (e.g. identifying the image of a pet). Such an approach maintains the advantages of the application and respects the principle of proportionality. Access to data collected or stored by the system should be made available only to authorised personnel.

With regard to privacy, the scenario leaves open what data actually is gathered by the vision sensors, how they are used, for how long they are stored and for what purposes. If these questions are not adequately answered, then there is a risk of data being misused. In any case the installation of a vision sensor at home requires the consent of the inhabitants, after they are fully informed not only about the benefits, but also about the risks the use of this device entails. The system must be declared the same way as cybersurveillance at work is declared, and the companies who install and monitor such a system should have strict deontological and ethical rules to respect.

User autonomy might decrease since the system is found to be complex for an elderly or a disabled person to control. This includes a risk that the person has decreased control over her environment, and furthermore, that the person may become a ‘prisoner’ of the system in her own home—giving flesh and blood to Panopticon or Big Brother scenarios.

It must be ensured that the control of the application stays in the hands of the user at all times. The system should also follow “design for all” principles and be easy to use.

Assistive Listening Device

This healthcare scenario has a very explicit aim, to improve the hearing conditions of the hearing-impaired. The mobile phone is augmented with a special microphone able to pick over different sound sources, and can be used to control the hearing conditions of the user wearing a specific hearing instrument as well.

Scenario 7

Hearing-Impaired Child in a Normal Class: Although Jenny seems like a typical student, she has a hearing loss, which makes it hard for her to concentrate, despite the special hearing system the school is equipped with. One day, the teacher asks if she can borrow Jenny’s mobile phone. At first she thinks that the teacher wants to search for music, but when the teacher points the phone to her, Jenny knows that something else is up. The teacher explains that when a check mark sign is set next to Jenny’s classroom on her mobile phone display, Jenny can hear the teacher. A smart microphone that is installed in the ceiling of the classroom picks up the sound and transmits it to Jenny’s hearing instruments.

The teacher tells Jenny that this new smart microphone is equipped with a special functionality, called voice priority. This means that it is smart enough to focus on what Jenny needs to hear, like the voice of her teacher, and at the same time it turns down other distracting sounds, like that old fan that hums all day, so that Jenny can hear and understand every word. The teacher doesn’t have to wear the microphone anymore like in the old days and Jenny can even hear her classmates talking now.

Scenario 8

At a Restaurant: Sally has been hearing impaired since she was born and is used to wearing hearing instruments. Recently, she received a new set of wireless hearing instruments that she can use in combination with her mobile phone. This makes it a lot easier to talk on the phone, as the hearing instruments double as a wireless headset. They look much cooler and sleeker than the bulky hearing devices. A new program running on her phone allows her also to select other sound sources, e.g. when she watches a movie at the local theatre or when she is in the classroom at school. The best is, however, that she got this portable MINAmI enabled mobile phone that she can carry everywhere she wants. This way she can hear much more clearly what her friends say and she can even remove the sound of the coffee machine in the background with a push of a button on her mobile phone. Looks like text messaging, but is much cooler than that.

Ethical-Legal Analysis

In this scenario, the person that needs support is put at the centre, and thus the technology was found very positive from an ethical point of view. Ethical challenges were identified in privacy and data protection, security, as well as the user’s integrity and dignity.

Data protection and privacy could be a concern if there is a possible access point to the information gathering circuit from an outside source. Furthermore, the possibility to record sound, as is typical of any mobile phone today, might create a privacy issue for others around her. Eavesdropping on discussions by using the device could be possible by anyone having a similar device.

Also, security issues arise in the “Hearing-impaired child in a normal class” scenario, where the teacher can easily get access to the mobile phone of the student. The system should be secured and authentication should be required in order to access it. It is important to safeguard security in all steps of the procedure followed for the provision of the service, especially when it includes online steps. Technical measures shall be enforced to allow only authorised access to the transmitted data and secure log-in systems. Additional encryption measures may also be necessary. Moreover, interoperability with other, possibly intrusive, systems shall be avoided.

Integrity and dignity of the user of the listening device raised concerns in relation to self and world images of the user. If the device was only available in certain environments (e.g., in the class), it might have a (negative) effect on self-image. There could be an effect on world image or hearing context information (such as alarms or even something such as music) if other sounds can be made to disappear by the system. We build the world based on a multitude of data around us.

General Legal Remarks on the Scenarios

The MINAmI Ethical Advisory Board analysed the MINAmI demonstrator scenarios from the ethical-legal viewpoint. The scenarios developed within the project are very interesting, illustrating clearly several applications of mobile-centric Ambient Intelligence systems. Although the fact that they are quite concise makes them easily comprehensible to the reader, it creates a difficulty for the Ethical Advisory Board in their task to identify legal and ethical issues and further analyse them, based on the current European legislation. In this section we will tackle some legal and ethical issues that arise in ambient intelligence and we will make some general remarks that apply also to the demonstrator scenarios in question. In this way we will complement the specific ethical-legal analysis that followed each scenario.

The relationship between ambient intelligence technology on one hand and law and ethics on the other is not monolithic and cannot be strictly delineated. Ambient intelligence technology is used for different applications and can result in either protecting or threatening people’s rights and morals. The prerequisites for using ambient intelligence technologies, such as the cost of the available applications, their ease of use etc., can determine the final approach as to whether ambient intelligence is creating a social exclusion regime or it is functioning as a factor promoting “eInclusion”. Advanced eHealth systems and applications can offer great assistance to people, but can simultaneously create an elitist regime reserved for the rich and technology-savvy, deepening the social and digital divide. Furthermore, ambient intelligence applications can be used to work towards the protection of the environment or can have a negative effect on it.

The actual function of ambient intelligence services and applications presupposes the collection and processing of a vast amount of information about the user, raising a series of privacy issues (Quirchmayr and Wills 2007). Questions arise regarding the way these data are processed within the system. Furthermore, it is important to examine whether the information that is collected via the ambient intelligence terminal equipment is used only for the specified purposes. Further processing for purposes that have nothing to do with the initial ones shall not be allowed, because it could result in profiling and consequently discriminatory practices, to name but a few. Since the times of John Locke, Immanuel Kant, and John Stuart Mill (Pietarinen 1994), the right of the individual to self-determination has been considered fundamental. It was also clearly recognised by the German Constitutional Court in its Census Act Case. However, ambient intelligence can put it at stake.

According to the European data protection legislation “any information relating to an identified or identifiable natural person” (Art. 2(a) Data Protection Directive) is considered as personal data. In most cases, when user-centric ambient intelligence applications, like the MINAmI demonstrator scenarios, utilise information about the user, processing of personal data takes place.

All of the MINAmI scenarios deal with information relating to an identified or identifiable natural person, usually the user, and thus with the processing of personal data. The processing of personal data is allowed only under the grounds mentioned in Article 7 of the Data Protection Directive and shall be respected when the processing of personal data is taking place in ambient intelligence applications. This means that any kind of processing of personal data—collection, recording, storage, adaptation, alteration, retrieval, consultation, disclosure, dissemination, etc.—shall fall under one of the criteria of the Data Protection Directive for making data processing legitimate.

The first case in which processing of personal data can be considered as legitimate is when the data subject has unambiguously given her consent. The “data subject’s consent” is defined as any freely given specific and informed indication by which the data subject signifies her agreement to personal data relating to her being processed (Art. 2(h) Data Protection Directive). The processing is equally legitimate when it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject for entering into a contract. The processing is in the third place authorised when it is necessary for compliance with an obligation to which the controller is subject. In the fourth place, processing of personal data is legitimate when necessary to protect the vital interest of the data subject. Finally, the processing of personal data is legitimate when it is necessary for purposes of legitimate interests pursued by the controller or by a third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (Buchta et al. 2005). The processing of personal data in ambient intelligence systems and applications shall be based on one of the aforementioned grounds and shall be compliant with the principles that are set out in Article 6 of the Data Protection Directive.

One basic principle for the processing of personal data is that the data shall be processed fairly and lawfully (Art. 6(a) Data Protection Directive). Furthermore the data controller, i.e. the person who alone or jointly with others determines the purposes and means of the processing of personal data (Art. 2(a) Data Protection Directive), shall ensure that the collected data are “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed” (Art. 6(c) Data Protection Directive). The procedure followed for the collection of data shall be transparent for the additional reason that in this way the criteria used for choosing the specific data as appropriate can be easily checked. The data shall also be “accurate and, where necessary, kept up to date” (Art. 6(d) Data Protection Directive). Finally, the data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed (Art. 6(e) Data Protection Directive).

Towards Ethical Guidelines

To summarise the results of the ethical assessment, the MINAmI scenarios raised many concerns. User privacy was considered to be at risk in several scenarios, but especially in the Monitoring drug taking and Monitoring sleep quality scenarios. Medical data is considered as private and sensitive data, and thus particular attention must be paid to applications collecting, storing, and processing it. The reliability of the systems is also of importance here as a person’s health or even life may be at risk.

The Ambient sensors for friendly home applications scenario raised issues of surveillance in particular. Taking this kind of application into use requires awareness and consent from the users, but also that the stakeholder companies strictly respect ethical rules.

Technology in healthcare and homecare in general seems to be a personally, socially, and societally problematic area. Healthcare applications or technology may have an effect on user autonomy and self-image. Furthermore, healthcare clinic systems are an essential part of modern welfare societies, and taking new technology into use should not lead to overloading their scarce human resources. A fear is that technology is taken into use for its own sake, resulting in leaving humans alone and isolated, and that technology only solves symptoms, not the causes.

Some of these challenges were also identified in the Assistive listening device scenario, but overall this scenario was perceived as positive, providing technology for a need and having the person in need in focus. In many other scenarios the solution was found to be overly technical considering the problem. Applications should not be taken into use only because we have the technology but as a solution to a problem or a need.

The scenario describing the basic mobile interaction concept, the “Movie trailer downloading from a memory tag”, raised ethical issues on privacy and user autonomy if information from the user can be collected in relation to a service use and if the user must involuntarily receive information or services (cf. e-mail spam). These problems are however perhaps more related to the services themselves and not to the technology as such. On the contrary, this interface improvement may facilitate elderly and weak-sighted people accessing mobile services as the interface problems of the small screen and keyboard are solved.

Based on the assessment of the scenarios, the Ethical Advisory Board proposed six Ethical Principles for the forthcoming applications. These principles form a framework to start defining the MINAmI ethical guidelines on.

Privacy: an individual shall be able to control access to her personal information and to protect her own space.

Autonomy: an individual has the right to decide how and to what purposes she is using technology.

Integrity and dignity: individuals shall be respected and technical solutions shall not violate their dignity as human beings.

Reliability: Technical solutions shall be sufficiently reliable for the purposes that they are being used for. Technology shall not threaten the user’s physical or mental health.

E-inclusion: Services should be accessible to all user groups regardless of their physical or mental deficiencies.

Benefit to the society: The society shall make use of the technology so that it increases the quality of life and does not cause harm to anyone.

The MINAmI ethical guidelines are intended for those who design applications and services that utilise MINAmI technology and for those who implement the MINAmI platform itself. The guidelines are designed to impact on design solutions, i.e. what kinds of solutions are ethically acceptable, and on design process, i.e. how to design ethically acceptable solutions. During the different phases of the technology design process, different ethical considerations are required, while the perspectives of different stakeholders should also be taken into account. A holistic perspective should imply considering the challenges, threats and opportunities in advance, when designing new technologies for our future everyday environments, in respect to the “privacy and security by design” model (Dumortier and Goemans 2004).

However, it seems that the task of producing ethical guidelines that are really useful is very challenging, as they shall provide a balance between conflicting values and interests. The guidelines should be based on ethical principles that highlight user needs, but are not too individual-centric, taking into account e.g. societal and environmental interests.

An additional difficulty is the drafting of guidelines that are practical enough to be followed by the designers of ambient intelligence applications. Abstract instructions and ethical discussions will not help designers and engineers a lot in their everyday work. In this view there is a need for a balance between ethical principles and business benefits. In business practices, it is a common conception that the main goal of every commercial company in the market economy should be the maximisation of profit, without paying a lot of attention or spending significant resources dealing with ethical issues. In practice, when ethical principles are in conflict with business benefits, the choice that is usually made is business driven and profit oriented, having as a result that the ethical implications are neglected. This is natural since the impacts of the decision not to follow ethical rules are often externalities, i.e. they impact on third parties. Unfortunately, they do not affect rational economic decisions unless they are internalised e.g. by laws that impose sanctions to those who disobey the rules. The ultimate goal of the guidelines is to give instructions to the designers to find ethically sound solutions to the practical design problems, while still promoting business economy. The guidelines could even provide the designers with incentives to follow the ethical principles, which unfortunately seems a very difficult objective.

In some fields of law, certain ethical principles are strongly built in and have already been incorporated into the legislation. Therefore it is sometimes enough to obey the law in order to comply with some ethical demands. For example, the European data protection legislation defines a strong framework on how to protect private information. As a result, it is not always necessary to consider the ethical principles of informational privacy when implementing an ambient intelligence application, but obeying the law usually ensures also rather high ethical standards. Nevertheless, this is not true for all ethical considerations. Many ethical issues are not covered by legal systems, and arguably some of the legal rules can be even ethically questionable.

As discussed above, ethical principles and the legal systems need to be considered relative: they depend on the culture, people’s values, needs, and beliefs—and they change over time. Arguably, even the legal system reflects partially outdated expectations on ethical principles. Therefore, ethical guidelines should be built on top of an ethical framework that is based on cultural and—especially in ambient intelligence—on user studies. Only a comprehensive user study can reveal e.g. the real privacy needs of ambient intelligence users and consequently it is very difficult to formulate ethical guidelines without such information (Pitkänen et al. 2008).

The nature of ambient intelligence implies that some of the ethical issues that arise in these applications include topics that are fundamentally different from those related to traditional applications or systems. An RFID tag and the “sleep quality monitor” are products that enable health services beneficial to the user. The life-cycle of the monitoring device and the service are very different. The device will be developed, produced in large quantities, and then distributed to the designated selling points. The health service, in contrast, is produced in relation to the customer. The service life-cycle begins when the person goes to the doctor, and it ends when the doctor (in collaboration with the patient) has solved the problem. Thus the phases of those two life-cycles are completely different. From the ethical point of view, it is necessary to highlight the human-centric service life-cycle, not the technology-centric product one. Therefore it is questionable how much can be based on earlier product-based ethical analysis and how much new work is needed, based on the fundamentally different model that is being presented in the advent of Ambient Intelligence.

Ethical Guidelines for mobile-centric Ambient Intelligence have now been published (Ikonen et al. 2008). They give guidance on ethical issues that should be taken into account when designing applications and services that utilise the MINAmI platform for mobile-centric Ambient Intelligence. The guidelines also cover issues related to implementing the MINAmI platform itself. Ethical Guidelines is a living document that will be updated based on feedback from ethics experts and people who are applying the guidelines in practice.

Conclusions

The experiences of the MINAmI project show that external experts can provide valuable insights to a legal and ethical assessment. The remarks of the Ethical Advisory Board are based on the current European legislation, mainly on privacy and data protection. The analysis of the scenarios has illustrated legal and ethical issues that shall be taken into account during the development and implementation phase of the demonstrators. The comments and the recommendations of the Ethical Advisory Board have influenced the MINAmI scenarios and have led to a second revised set of demonstrator scenarios. However, it has become also clear from the experience of the project that drafting general ethical guidelines to be followed in ambient intelligence services and applications is difficult. The complexity of the issues generated in ambient intelligence, as well as the conflicting interests that are grown within such environments render it a real challenge to give practical guidance in such a form that designers could easily adopt them.