"We have no road. We make the road by walking."
Commissioner Kroes borrowed these words from Antonio Machado, a famous Spanish writer, to describe the European Commission's regulatory approach to the so-called 'Internet of Things'.
When Machado coined his phrase, he was talking about the simple life of Castilian peasants at the beginning of the 20th century.
When Kroes re-used it, she was addressing a 21st century audience of hi-tech experts from all over Europe, who were gathered in Brussels for an annual meeting on the future of the Internet, where objects are connected to one another and information is exchanged on the information superhighway.
Pressed to provide legal guidance to a nascent industry engaged in a global race for technology leadership, Kroes preferred to respond with questions rather than answers.
"I understand that I am posing as many questions as answers today," she said. "But that is because it is not possible for one person or one institution to lay down a single way to approach these issues."
Questions, indeed, were plentiful at the conference. How can interoperability issues be addressed to favour industry cooperation? How can common standards be developed? How can smart objects be more user-friendly? What form should international cooperation take? How can privacy and security concerns be dealt with?
In response, Kroes announced the establishment of a new expert group that will meet four times a year to try to address all these questions. "I would be pleased to discuss with you again in 2011 how this journey is progressing," she concluded in her speech.
In the absence of a clear message from regulators, industry experts gathered at the conference had time to exchange information about the brave new world promised by the 'Internet of Things'.
In a world of ubiquitous smart tags, a fridge, for example, would be able to alert the nearest supermarket when a household runs out of eggs. A blind man would be able to 'see again' as he safely walks along a tag-filled street with his trusty chip-reader showing him the way. Old people could be reminded of when they need to take their medicine and hospitals could access patients' historical health data, helping doctors to make tailor-made treatments.
Potential problems also lie ahead, with privacy protection the first among these. "When a smart tag tells me when and where I have forgotten my key in my house, I'm happy with that. But if it tells me that the key is under my neighbour's bed, there's a privacy issue," explained Jaap-Henk Hoepman, a senior scientist at Dutch research organisation TNO ICT.
Indeed, tag-related risks go much further than this and include identity theft, profiling and fraud. Scaremongers warn of the looming advent of a massive surveillance system.
To avoid such dangers, clear and easily applicable rules are necessary, said EU Data Protection Supervisor Peter Hustinx. Speaking at the conference, he dropped two keywords: privacy by design and privacy by default.
'Privacy by design' means that smart objects have to be made in a way that favours data protection, for instance with embedded protection systems. This is not always the case today.
With privacy by default, Hustinx referred to services which protect users' private data without them having to specifically ask for it. With such a system in place, only people who are voluntarily interested in sharing their data with other people – like private companies, public authorities or strangers – can ask for the barriers to be taken down.
Today, however, the exact opposite principle tends to apply. This happens, for example, with chips and tags that are embedded in goods available in shops, but it can occur in the online world too.
To tackle the issue, Hustinx suggested using "soft" rules like incentives or penalties to favour best practices. He is also pushing to make manufacturers and vendors accountable for the goods and services they offer.
"Controllers should be more in control. This is happening in the financial sector, on environmental issues, and it should also be the case in the context of data protection," Hustinx said.