Eleonora Fiore Ethics of technology and design ethics in socio-technical systems Investigating the role of the designer

This paper addresses many of the issues deriving from both design activity itself and the introduction of technology into everyday life. Relevant authors like Papanek (1984), Thackara (2005) and Manzini (2006) warned about the risks of design activity, as well as the consequences of bringing products to the world. Papanek defined design as the second most harmful profession one can practice, while Thackara claims that design is the cause of many troubling situations in our world (Mink, 2016). Manzini advocates the imminent need for a paradigm shift towards both a more sustainable design and way of living. In Design for the Real World, Papanek pointed out that designers have a social and moral responsibility for the consequences of their innovations (Mink, 2016). For this reason, first we cannot ignore the advice, but also, we genuinely believe that designers should include ethical principles in their education. This paper seeks to address design ethics focusing on socio-technical systems and the new challenges introduced by both the Internet of things and artificial intelligence. The methodological framework combines the value sensitive design developed in human computer interaction (HCI) and computer ethics with a methodology based on need, requirements and performances developed in architecture. This approach is applied to the development of connected appliances, to conduct our reflections on an applied case study. Some guidelines are drawn at the end of this paper to guide designers in achieving a greater understanding of the ethical implications involved in the design process, establishing the responsibilities and limits of the designer.


Introduction
Despite the variety of perspectives to address the ethical issues, most of the literature focuses on the theoretical dimension of ethics, following these three traditional approaches: • deontology, based on obligation and duty, that is, the knowledge of what is right and proper; • teleology, which maximises the utility, based on principles and goals; and • virtue ethics, which considers the role of the individual and his/her virtue, (i.e. the worth of living).
Even the design ethics literature tends to frame ethics according to those approaches (Anjou, 2010a(Anjou, & 2010b. Deriving from a philosophical and theoretical debate in the mid-twentieth century, it raises the need for an applied dimension of ethics (Albrechtslund, 2007;Fiore, 2016), which led to its fragmentation into many disciplines with overlapping boundaries, including Computer Engineering Business and Design, to name a few. The bulleted list that follows provides some categories: decision-making in the design of technology and bridge the gap between technical design and ethical concerns expressed through human values. VSD indeed emphasises 'human values with ethical import' (Friedman & Kahn., 2003) as key values to be considered during technological products' development.
VSD is a theoretically grounded approach to the design of technology that accounts for human values in a principled and comprehensive manner, throughout the design process. (Friedman et al., 2002) Herein, VSD deals with the design of technologies. What happens when the designer is called to design a product that includes these technologies? What are the boundaries of different professions, from an ethical perspective? We will try to answer this open-ended question throughout this paper.
Stepping back, VSD can be defined as an iterative tripartite methodology consisting of conceptual, empirical and technical investigations. As we have already seen, VSD seeks to design technology that takes account of human values (Friedman, 1997), and we seek in turn to extend VDS to product design that is embedded in technology. This methodology partly overlaps with the consolidated methodology based on 'need-requirement-performance' developed in architecture by Frateili and Ciribini, then applied to product design (Germak & De Giorgi, 2008;Ciribini, 1964). VSD can be easily incorporated into established design processes, which generally fall along the general structure of 'conceiving an idea, designing an artifact and then testing the design' (according to Cross (2000) most of the design processes have a basic three-phase structure of (i) analysis, (ii) synthesis and (iii) evaluation). For this reason, we coupled the three steps of VSD (conceptual, empirical and technical investigations) with the needs, requirements and performance of the methodology developed by Frateili and Ciribini.

Conceptual: Defining needs or values
Defining needs or values requires an inclusive approach to make sure the right stakeholders are included in the decision-making (Devon, 2004).
Design may be the best place to study ethics in technology, because design affects us all. However, not all of us are involved in design, and this asymmetry has great importance for the social ethics of technology. (Devon, 2004). Table 1. Classes of needs defined by the UNI 8289 standard, integrated with VSD values classes of needs presented. (Friedman & Kahn, 2003) User

Safety and security
Safety: Health -

Security: Information
Privacy Freedom from bias Trust Autonomy Informed consent Accountability

Comfort and wellbeing
Human welfare Calmness Aesthetics Identity Usability Universal usability

Management and maintenance
Ownership and property

Environmental protection Environmental sustainability
This approach requires prioritising requirements according to the stakeholders and then iterating the process. After that, some human values are taken into consideration and integrated into and throughout the design process. Designers should choose some relevant values 'that could be viewed as a common thread throughout the project' (Cummings, 2006 p. 703) and iterate the process through the other two phases, which can add or remove values. This approach should be brought to the next stage, in which we detail these hermetic values by explaining what we mean. For example, if we want to develop a system that prevents the user from being tracked, the key value would be 'safety and security -privacy', the requirement that should be discussed with relevant stakeholders would be 'How can we avoid user profiling, tracking and stalking?' and the performance to answer could be, for example, 'a specific software or technical solution able to encrypt user data or, if any solution is safe enough, avoid collecting those data that can put the user in danger'.

Empirical: Identify requirements
The second stage is the empirical investigation, which focuses on quantitative and qualitative measurements (Cummings, 2006 methodology. Focusing on the user, we provide a list of requirements that can be discussed with different stakeholders, without pushing new requirements (Bonino & Corno, 2011;Barbero, 2012b). Detailing the previous categories, we seek to provide a starting point for addressing and forecasting possible issues (Figures 1 and 2). This quick overview refers to the user, his/her safety, which cannot be negotiated. The second part of these requirements involves comfort and satisfaction (Figures 3, 4 and 5). Far from being exhaustive, this list of requirements can be considered to be a tool for structuring the decision-making process. According to the specific project, the next step should be prioritising this second part of requirements and setting the target values of that project. Moreover, requirements can be integrated and, once specifically analysed, they should be investigated directly with the user through surveys and focus groups, since there is a need for research experimentation in the real world.

Technical: Define performances
The last phase concerns the investigation of technical issues. According to the UW: Technical investigations focus on the design and performance of the technology itself, involving both retrospective analyses of existing technologies and the design of new technical mechanisms and systems. The conceptual, empirical, and technical investigations are employed iteratively such that the results of one type are integrated with those of the others, which, in turn, influence yet additional investigations of the earlier types. (University of Washington, 2011) It evaluates the service or work provided by technical solutions and how they support specific values. It also evaluates how different design possibilities could best support the values identified in the conceptual investigation. Even the third step includes decision-making, by choosing from several solutions that meet the requirements. This stage serves the dual purpose of having clearly in mind the state of the art and predicting potential future needs if the solution is currently missing. In this phase, some multiple-criteria decision aid tools (MCDA; Roy, 1990;Doumpos & Zopounidis, 2002) could be used to structure the decision-making, setting some weighted criteria on a decision matrix, to analyse a set of solutions. At the end of the process, these tools can provide a ranking of these solutions, although it is not always necessary.
When values are not negotiable, and technology cannot have agency. We want to report the case of a fully Automated Vehicle (AV) and its behaviour in case of accident.
In the case of a fully AV, the car should have an algorithm that decides what to do in case of accident, because a fully AV is programmed on the assumption that the user is not necessarily alert and active when the vehicle is moving. While humans take responsibility for what they do, for AI without intuition, the rules in these situations should be written by AV programmers, humans that in that moment are not in danger and make efforts to plan for every possible scenario. Although fully AV has not yet been achieved, should we deduce that the designers of such vehicles are already making choices about whose lives matter? Could such a car have the agency to do decide who should die? Clearly, the answer is no.
If such a car needs to be programmed to decide between life and death, then that function should not be developed at all. Other functions that can be automated, including the steering, must always remain in the driver's hands, and the user must be vigilant. The example of AV perfectly fits one of the three types of computing practices that are problematic from the ethical perspective of human agency, that is, (i) 'anthropomorphizing the computational system' (Friedman & Kahn, 1992).
Another example provided by Cummings (2006) fits the second and third types of computing practices that are problematic from the ethical perspective of human agency, that is, (ii) delegating decision-making to computational systems and (iii) delegating instructions to a computational system (Friedman & Kahn, 1992). This case, indeed, is about cruise missile control interfaces, and it investigates which level of automation would be appropriate to support the operator, implying that an automated procedure could give suggestions on how to intervene to destroy lives. Knowing the human tendency towards automated bias, we suggest that no computerised help should be provided in this field, and no designer should work for such interfaces. Since the definition of ethics is based on the decision-making of human agency, humans should keep this agency also in deciding whether an application is right or morally deplorable.

Why do we need to combine social ethics with a systemic design approach?
Towards this end, we seek to promote responsible design through a program of systemic design (SD). SD, indeed, provides a more holistic approach that could help designers to keep the stakeholders in the system while evaluating whether a solution has serious consequences for someone. SD helps to manage the scale of detail, from the micro to the macro, while keeping at hand all the relevant aspects and the network of relationships that are established between the stakeholders. When designers do not know if what they are doing is ethically correct, they can ask the question, 'Is there someone who can suffer from some actions or could be subjected to improper actions?' If the answer is 'yes', 'probably' or 'maybe', the second question is, 'Could these consequences be avoided or foreseen in any way?' If the answer is 'no', then that action or task should not be developed or be carried forward. If the answer is 'yes', then the process can be reiterated to include a solution that solves the problem, so that the first question can be answered, 'no'.
Design ethics should question the ethical validity of the existence of the system itself, especially when its intended use includes 'military hegemony' or the 'decision between life and death'.
The systemic effects of VSD should be included. Some values cannot be prioritised in favour of other values that are preferred by the company or the organisation for which the designer works, which is just one of the stakeholders. Safety and security, as well as environmental sustainability, must be considered to be non-negotiable values.
There are various methods grouped by the UW for engaging designers in critical reflection on the functions and futures of designs, such as scenario-based design, value scenarios, 'speculative futures', 'alternative nows' and 'design noir' (O'Leary et al., 2013). The last one reflects on the dystopian effects of design, creating disturbing scenarios for decision makers to better understand ethical choice outcomes. The designer should always question, 'What if a certain feature would be used by the wrong people? Could one of the stakeholders be endangered?' Moreover, there cannot be an ethics of sociotechnical systems without individuals although there might be thing-to-things scenarios in which an applied dimension of ethics is extended to inanimate things (object-oriented). In the last case, the implications of these things-to-things interactions must be computational and must not have interactions with the user's life. In this paper, we discuss the ethical design for designing sociotechnical systems, in which we can trace implications between individuals, technologies and systems designed to Vol.13 Nr.1, 2020, Art. 1, 1-19 provide interactions with both, and we attribute the sole agency to humans, when important decisions are at stake.
We believe that computers can be agents, but cannot be moral agents, in other words, cannot be held morally responsible for a decision. Computers can establish things-to-things relationships, but they cannot make decisions in the real world. A computer can process data, but it cannot take decisions independently, based on them. Computers can be used to collect data and to support operations performed by individuals, but both processes and data collections should be potentially ceased and accessed at any time by the authorised human agent.
Herein, we are not addressing ethics in response to sociotechnical systems.

Ethics of technology in connected appliances
In this scenario, a product or a service is considered 'the medium through which the dialogue between the designer and the user takes place' (Figure 6). It should help in gaining useful insights into both requirements and 'situated knowledge' (or local knowledge) on how products are used in the real context of use.
Design should be a synergy between the abstract knowledge of the expert and the local knowledge of the user. At its best, value-sensitive-design is not simply the accommodation of local values in the designers' vision of the future, but a process in which designers and citizens depend upon each other's knowledge in the production of a better world. (Kroes et al., 2008) In this case study, the medium could be either a smart object or a platform, bringing out the topic of the IoT, which prompted us to undertake this discussion, moving from generic consideration on computational systems to a defined technology (IoT) and a context (domestic environment) with its inhabitants and a network of direct and indirect stakeholders.

Internet of Things
We do now have a plethora of devices with computer technology inside, that are partially connected and with which we interact differently than before (Schurig & Thomas, 2017). The introduction of IoT in people's everyday life is leading to unprecedented opportunities for innovation as well as unprecedented risks and challenges. Combining different definitions, IoT can be defined as: A global network infrastructure of interconnected devices or gadgets (Wasser, Hill & Koczerginski, 2016), able to collect, store, process and communicate information about themselves and their physical environment (Ziegeldorf et al., 2014), IoT indicates a loosely coupled, decentralised system of smart objects (Kortuem et al., 2010). According to different definitions of smart objects provided by Kortuem et al., (2010), we can define this relatively new category of products as 'everyday artefacts augmented with computing and communication, enabling them to establish and exchange information about themselves with other artefacts and/or computer applications' (Beigl et al., 2001), 'not only to communicate with people and other smart objects, but also to discover where they are, which other objects are in proximity and what has happened to them in the past' (Mattern, 2003). Norbert Streitz and colleagues proposed two different approaches to smartness: one is for objects that can take specific actions based on the previously collected information; the second is to empower users to make decisions and take responsible actions (Streitz et al., 2005) based on the result provided by smart objects. For Kortuem et al. (2010), a smart object is characterised by three features: -Awareness is a smart object's ability to understand (that is, sense, interpret and react to) events and human activities occurring in the physical world. An activity-aware object understands the world in terms of event and activity streams, where each event or activity is directly related to the use and handling of the object (pick up, turn on, operate and so on).
-Representation refers to a smart object's application and programming model -in particular, programming abstractions. Its application model consists of aggregation functions for accumulating activities over time. -Interaction denotes the object's ability to converse with the user in terms of input, output, control and feedback. Activity-aware objects primarily log data and do not provide interactive capabilities.
Therefore, since it is established that smart objects can understand and react to their environment, all the other objects that do not, are just connected or sophisticated objects or systems that do not have a level of understanding built into them (Cruickshank & Trivedi, 2017).
My view is that an appliance is 'smart' when its functionality can be improved after it has been delivered. [. . .] So, new software can be downloaded, it can learn behaviors and adapt.
'There is a lot of confusion because it is very tempting to market everything as 'smart,' explains Webb. 'When that happens, the term rapidly becomes meaningless, like "digital"'. There's no easy solution other than being more specific about what a particular product can do that's better than before. (Weber, 2016) However, the true meaningfulness of IoT comes when objects are not considered in isolation. Although smart objects working in isolation create interesting opportunities for novel information services, smart objects' true power arises when multiple objects cooperate to link their respective capabilities (Kortuem et al., 2010). The effectiveness of the IoT increases when the whole system works together (people, objects and technologies). The IoT continues to invoke a variety of unique design challenges across a wide range of different application domains.
As the IoT pervades more widely, we are becoming increasingly entangled within the heterogeneous network of interconnected objects or things that are readable, recognizable, locatable, addressable, and/or controllable via the Internet. (Lindley et al., 2017).
Some legitimate questions arise, regarding the type of data and when they are collected, about who can access them and for what purpose, but also how long they are stored, and so forth.
IoT privacy and security While users generate data by using the interfaces, services and products, these data are not available to the users, and they cannot perceive their implications (Iaconesi, 2017), nor the background data gathering and sharing activities. In fact, the visibility of the data shared by these devices today is at best opaque and in worst cases absent (Lindley et al., 2017). Users often do not have control over their role within the network of stakeholders surrounding an IoT product (IoT Manifesto, 2015). In this complex scenario, there are direct and indirect stakeholders (whose analysis is central to a VSD approach), as well as internal and external uses of these data. The internal use of data is the one expected. Providers are among the third parties in a legitimate way, and they could be commercial actors, such as companies, suppliers, home security providers, software and hardware vendors or standardisation organisations (Jacobsson et al., 2015). Collected information can be used to reduce costs and improve the efficiency towards consumers because this amount of data enhances the understanding of user characteristics and requirements. How are both direct and indirect stakeholders affected by design? What values are implicated? Along with the consolidation of IoT solutions in different areas, there is increased attention among companies on the value derived from the information made available by connected objects. This could lead to an external use of data by other side stakeholders, which might be interested in profiling clients. The improper use of data should also include illegal computer intrusions, motivated by malicious intentions (Figure 7). Moreover, the privacy of other unaware users, such as children, other family members or those who are visiting relatives and friends, should be ensured.

Figure 7. Direct and indirect stakeholders and authorised use of information
These concerns, especially when related to privacy, provide an interesting counterpoint to the discussion started in the 70s by Nicholas Negroponte about automation in design. He suggested that a machine that is not able to evolve or self-improve should be considered as unethical (Negroponte, 1970), since it would not be able to adapt to changes and it acts by applying simplistic solutions. In his opinion, intelligent machines should be able to learn and understand contexts by interacting with them. This provides us with the opportunity to introduce the concept of AI.

Artificial Intelligence
The concept of AI dates back to the 50s. With machine learning and deep learning, we will experience a transition of AI from the theoretical field to the applied one. Platforms like Google and Facebook are making active use of the development of AI (Schurig & Thomas, 2017). Schurig and Thomas (2017) distinguish six main fields of application for AI: artificial neural networks (prediction of human-based activities, for example, elections, results of sporting events), fuzzy logic (to deal with uncertainty in problems), software agents (e.g. Google Now, Netflix, Spotify), knowledge-based systems (involved in decision-making), natural language processing (capability to understand and generate natural human language, e.g. Amazon's Alexa and Echo, Apple's Siri and Windows' Cortana), genetic algorithms and evolutionary software (problem-solving systems to find the best solution for a given problem). Some of these types of AI fall into all the ethical problems highlighted above. Can a computational system be considered to have an intentional state? Friedman and Kahn (1992) answered 'no' many years ago, referring to the impossibility to attach any meaning to symbols. And, nearly 30 years later, this position is still valid. A computer has no intentionality, which is a necessary condition of moral agency. A computer can monitor, collect, connect and process data, but they do not attach any meaning to those data.

User disempowerment
In her paper Integrating Ethics in Design through the VSD Approach (2006), Cummings asked several ethical questions: How much automation is needed for a system and to what degree should humans be in the decision-making loop? How automation can best support human decision makers and what level of automation should be introduced into a decision support system to provide human-centered automation support? (Cummings, 2006, p. 705 and p. 708) This paragraph highlights the confusion in this field. These questions seem to assume that technology is here and cannot be questioned.
1. How much automation is needed? . . . We reply: 'Is it really needed?' 2. To what degree should humans be in the decision-making loop? . . . We reply: 'Can they be excluded?' 3. How can automation best support human decision makers? . . . We reply: 'Who are those decision makers?' 4. What level of automation should be introduced into a decision support system to provide human-centred automation support? . . . We reply: 'Should such a level of automation be introduced?' These questions evidently conflict with basic human values, and it is no longer clear if the technology is the helper or the ultimate goal. We try to replace those questions with another list of questions: 1. 'What is the task that the human wants to perform?' 2. 'Could the task be facilitated by some technology/automations?' 3. 'Could the use of technology/automations affect human wellbeing or environmental security?' 4. 'After the implementation of the technology, will the human still be the decisionmaker?' Some authors (Manzini, 2006;Friedman & Khan, 1992) have pointed out that in many circumstances, humans experience a diminished sense of agency. The level of automation (LOA) reached from an automated system has been classified, and it ranges from a minimal LOA to fully automated systems (Cummings, 2006), as we already pointed out with fully AV. A common risk for designers and users is the lack of system understanding and the loss of situational awareness that full automation can cause. A soft example of that behaviour is following the directions of Google Maps to reach a place, without questioning whether they are effective. People are used to relying on it, even though contraindications exist and verification of contradictory information is possible (Skitka et al., 1999). Another example is the introduction of time-saving technologies (Aldrich, 2003) that led to the concept of 'wellbeing as the minimisation of personal involvement'.
The best strategy seems to be the one which requires the least physical effort, attention and time and, consequently, the least need for ability and skills. (Manzini, 2006) This has progressively led to disengaging and disempowering the user in everyday tasks, leading to disabling solutions, such as 'systems of products and services that seek to reduce user involvement and sequester formerly widespread knowledge and skills to integrate them into technical devices' (Manzini, 2006). In the meantime, technologies have filled the time they saved, which was initially intended for leisure. This scenario is 'not-so-hypothetical', and it promotes passive users, disabled to understand how things work that will accept automatic and hyper-technological devices, losing interest in 'what they do', because they cannot understand it. This increases the distance between the user and the object. Disengagement may also come from other factors, such as an excessively technological obfuscation. If it is true that 'obfuscation contributes towards some "notion of HCD-inspired usability"', on the other hand it 'disempowers the user and unintentionally reduces the acceptability of IoT devices [and resulted in a] lack of trust in the device' (Lindley et al., 2017). Another source of disempowerment is attributable to an ever-increasing number of connected devices, which brings humans to daily friction in interacting with them. As the friction increases, the user feels more frustrated about the overall experience, perceiving a diminished usefulness of the connected object (Streitz et al., 2005). Moreover, all these factors deeply hinder the attachment dynamics, leading to increasing product obsolescence.

Other undesired effects
If the relationship between technology and the user is often controversial, sometimes their interaction is different from the designed or expected one, making some issues challenging to anticipate and prevent. Some authors have sought to explain these unpredicted effects, as follows: People learn to manipulate the systems to do completely new activities, ones not contemplated in the design. [. . .] Sometimes people discover how to take advantage of the system design, deliberately misusing the systems when they discover that by doing so, they get beneficial results. (Norman & Stappers, 2016, p. 89) The unpredictable nature of user behaviour may result in rebound effects such as increased consumption, the bypassing of technology, or its ignorance and unintended use. (Wilson, Bhamra & Lilley, 2016., p. 91) Vol.13 Nr.1, 2020, Art. 1, 1-19 Manipulation, safety issues, rebound effects and unintended uses are some of the side effects of the interaction between people and technology, but undesired effects are not limited to the interaction with the user. They can be extended to societies and the environment, undermining different areas.
Over the years, CSE (Cognitive Systems Engineering) has learned from many examples in which technologies that were designed to improve performance actually introduced new unintended problems, sometimes making things worse. Wiener coined the term 'clumsy automation' to describe a recurring pattern where technological innovations solved the easy problems, but made solving the hard problems more difficult. The potential for clumsy automation typically arises when the designers of the automation lose sight of either (1) the work domain, for example by trivializing aspects of a complex problem; or (2) the people using the technology, for example by overloading limited resources. (Flach, 2016, p. 95) To prevent or at least mitigate these effects, the designer should ask him/herself: • 'Can the technology be manipulated for other purposes, even by the same user? How?' • 'Can the technology if misused become destructive to the same goal for which it was intended? How?' • 'Can I foresee these in the early stages of design? How?'

The impact of the ethics of technology on design professionals
Many authors have pointed out how product innovation could also have unintended consequences on individuals, as well as on the environment (Mink, 2016). The separation of technology from its social context (Van de Poel, 2001) and the idea that technological practices are free from any consequences should be considered outdated. Technology should be freed from the instrumentalist paradigm, which perceived it as external to moral choices. The ethics of technology associated with this instrumentalist model could ask if the ends justify the means, or whether certain consequences are justifiable and to what extent is the designer virtuous or not in the use of technology (Chan, 2016).
Design is, in the Aristotelian sense, a science of correct action. Ethics is an integral part of all aspects of our designs and all our uses of technology. Technology is human behavior that, by design, transforms society and the environment, and ethics must be a part of it. Different design theorists and practitioners have persisted in envisioning and articulating a design ethics that can inform, clarify, and improve design practices. (Devon, 2004) Design ethics should bridge the gap between technology and context, considering contextspecific, socio-political and cultural values. In doing so, the designer should fully understand the environment and explore future possibilities. Going back to the case study, the connected device is the technical element of a broader system that also contains individuals and social contexts. Technology has both shaped society and been shaped by social factors in turn. Should the designer be considered responsible for producing the material environment, through the existence and use of what is produced for his/her employers (Van de Poel, 2001)? Are both the design team and the company responsible for the information generated from the IoT connected devices? What is the responsibility of design? According to Chan, the responsibility of design has so far been problematically understood and defined, and mostly it does not go beyond the obligation for professional due diligence. A first way to consider responsibility is indeed a form of professional ethics or code of conduct towards clients and users; the second way, however, admits to a broader social intention, as social and moral responsibilities of design (Chan, 2016).
Thus, the first way should lead to writing a design ethics code that addresses the implications deriving from new technologies and establishing a design ethics community able to judge controversial cases and protect the designer from the requests coming from companies, as well as penalise designers who have behaved in unethical ways. In this way, the designer should feel entitled to act in an ethical way, even more so because if he/she does not, his/her work will be judged. Designers should avoid working on tasks in which they foresee any negative consequences. Giving more emphasis to the second way, however, a social and moral responsibilities of design is included in the design process through the definition of three guidelines. We aim to demonstrate that the designer could act as a promoter of ethical aspects because 'technical issues' do not fall upon the responsibility of 'other experts'.

1) Consider privacy, security and data accessibility
In this specific field, the designer should consider privacy and security issues and current limits to avoid falling into any of the problems described above. This task is even more challenging when designers cannot count on social norms to provide guidance in many matters of new technology and design (Flusser, 1999). In the current state of the art there is a general lack of legislation and policies, which directly leads to the possibility of: a wrong/improper use of information; user identification, tracking and profiling; and user limitation of freedom As mentioned before, these issues should be included in the design process, in the same way in which user needs are considered. The designer should question how to prevent and avoid wrong or bad behaviour resulting from the misuse of the products and information. The designer is responsible for determining what to collect, which data are needed (Streitz et al., 2005) and which are unnecessary or even dangerous to collect. According to Streitz et al. (2005) and the IoT Design Manifesto (2015), 'privacy-by-design' must be guaranteed in any device and related digital application, and an effort made to identify and foresee potential security threats. This operation involves studying, modelling and analysing the environment in which the system will operate (Cheng & Atlee, 2008). This is not the business of hoarding data; we only collect data that serves the utility of the product and service. Therefore, identifying what those data points are must be conscientious and deliberate. (IoT Design Manifesto, 2015) The designer should draw on the methods presented before to simulate critical reflection with different stakeholders on the possible negative effects of some functions and futures of designs, regarding privacy, security and accessibility, considering possible data leak, data breach and other negative scenarios.
Data should be accessible to users who generated them, promoting accessibility and transparency, and users should be empowered to set the boundaries of how their data are accessed and how they are engaged with it via the product (IoT Design Manifesto, 2015). Even in this case, focus groups and participative sessions can make designers understand how the user would like to access his/her own data, what does he/she want to see and, consequently, with the help of company and computer experts, designers should understand how to prevent third parties to access data, thus protecting the user.

2) Protect the human agency
Keeping the operator, the designer and the user (stakeholders in general) in the decision-making loop should counteract the tendency to rely upon automated (computer-generated) recommendations. An ethical design should shift from a passive to an active involvement of the user with his/her active participation in the design process. Moreover, this approach should never let the user think that his/her freedom and control over things or systems is failing. We can always check if the human agency is protected through prototyping the solution and asking directly to the stakeholders, but, in any step, we should ask ourselves, 'After the implementation of the technology, will the human still be the decision-maker?' If the answer is no, then we must interpret the reason why it is not, and try to solve the friction between humans and technologies.
If the task is simple, such as 'adjust the temperature of the heater', the procedure can be automated. However, individuals should never consider themselves at the mercy of the automated decisions, and if one individual feels too cold or too hot, according to the other people in the room, he/she should be able to act to diminish his/her thermal discomfort, even if the HVAC system has complex algorithms to decide which is the right temperature for that environment. On the other hand, when an automated system makes a choice that cannot be changed, the user should at least be informed about the reasons behind the choice. The user should be able to ask somehow, 'Why cannot the HVAC system raise the temperature in the office by a few degrees?' If the answer is that 'raising a single degree of temperature would bring an increase in energy consumption of 5€/min' or 'the system is in a technical failure and cannot be controlled', the user would find at least an intellectual satisfaction, understanding the reason why he/she is experiencing discomfort or should work wearing an extra jacket and, in the case of technical failure, he/she may decide to work from a different place (if possible). The user should not feel any automation as 'restrictive' and should always be informed about the reason behind some effects.

3) Promoting physical interfaces
To mitigate the undesired effects reported as the third source of disempowerment, that is, the daily friction in interacting with dematerialised technologies, one possible solution could be enhancing the importance of the physical interface and tangible parts of the system. This also could be a way for the product designer to take care of designing tangible objects. Many authors, indeed, agree on the importance of using physical objects and physical interfaces instead of delegating functions to screens, displays and smartphones through apps (digital interfaces). When a digital and immaterial counterpart augments tangible objects, the value of the physical part must be clarified and highlighted (Vitali, Arquilla& Tolino, 2017). Schurig and Thomas (2017) predict that: The rising complexity will make a digital interaction so unfriendly for the user that the added intelligence will be used to enable designs that focus completely on tangible interfaces and natural interactions between human and objects. (p. S3809) According to Vitali et al. (2017): More than ever, there is the opportunity to experiment and 'imagine less intrusive ways of integrating technology into our lives'. Smartphones have an important role as bridges for IoT products, but screen-only interaction is not always perceived as rewarding. People are often ashamed of being tethered and dependent on their devices and may feel the need to 'disconnect' for a digital detox pause. (p. S2594) Schurig and Thomas (2017) suggest that: 1. Design should take the lead over technology in terms of developing physical products. 2. If the application of AI can save resources when applied to an existing object, then it should be done. If not, it should be evaluated before being forced upon an object. 3. Designing fall-backs in a natural, tangible way will be the most important part of the design of future intelligent objects.

Conclusions
The proposed theoretical framework differs from Friedman's assessment, because only certain values can be prioritised, while user safety and environmental sustainability are not negotiable.
Moreover, it provides a guide to the product designer, abstracting from HCI. Design ethics, as far as possible, should be able to foresee future problems, while addressing current ones. Although designers cannot always foresee all consequences of the usage of their designs (Mink, 2016;Albrechtslund, 2007), they should at least try to anticipate ethical scenarios and possible issues, keep thinking through the consequences of their innovations and make efforts to uncover the values, motivations and commitments that stakeholders bring into the design process (Mink, 2016). Keeping the user in the design loop could lead him/her to understand how things work and how to use them properly, understanding the cause-effect of different actions and modifying his/her future behaviour to reach personal, social or environmental goals. Designers are called to mediate the social/human component with the technological one. Designing sociotechnical systems requires the designer to pay attention to several implications, even unexpected, to ensure that the user is not exposed to risks. In these kinds of systems, the behaviour of the agents is generally unpredictable and maybe cannot be controlled (Kroes et al., 2008). The defined guidelines propose a return to the materialisation of abstract concepts, because all this digitalisation is getting out of hand. The user is frustrated, more and more, by the lack of contact with tangible supports, the lack of cause-effect, action-reward, actionpunishment that could be regarded as antiquated in a hyper-digitalised world. Is it a pure coincidence that the concept of 'consequentialism' has marked all eras except the twenty-first century? In this paper, we consider a behaviour 'right' if it produces good consequences, while if it produces bad consequences that can be foreseen, it must be avoided. Ethics should investigate the cause-effect that may occur, detaching from the case-specific, looking at the whole picture and consequences/relations that can be triggered by a product or service. What if those consequences/relations cannot be seen or, worse, are not attributable to anyone? This is the paradox that we, as designers, are called to unmask. Design in an ethically responsible manner is an evolutionary process, and we cannot generalise trying to follow step-by-step predefined rules because contexts change, people change and the whole system evolves. The design should try to direct evolution and changes in an ethical and sustainable direction.

Eleonora Fiore
PhD Politecnico di Torino, Department of Architecture and Design, Italy Email address: eleonora.fiore@polito.it