PHIN: A Privacy Protected Heterogeneous IoT Network

  • Conference paper
Research Challenges in Information Science (RCIS 2021)

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 415)

Abstract

The increasing growth of the Internet of Things (IoT) escalates a broad range of privacy concerns, such as inconsistencies between an IoT application and its privacy policy, or inference of personally identifiable information (PII) of users without their knowledge. To address these challenges, we propose and develop a privacy protection framework called PHIN, for a heterogeneous IoT network, which aims to evaluate privacy risks associated with a new IoT device before it is deployed within a network. We define a methodology and set of metrics to identify and calculate the level of privacy risk of an IoT device and to provide two-layered privacy notices. We also develop a privacy taxonomy and data practice mapping schemas by analyzing 75 randomly selected privacy policies from 12 different categories to help us identify and extract IoT data practices. We conceptually analyze our framework with four smart home IoT devices from four different categories. The result of the evaluation shows the effectiveness of PHIN in helping users understand privacy risks associated with a new IoT device and make an informed decision prior to its installation.

Notes

  1. The most popular IoT devices: http://iotlineup.com/.

  2. The list of analyzed IoT privacy policies: https://tinyurl.com/y3pbhlf8.

  3. https://developer.android.com/docs.

  4. Policy Phrase and Policy Phrase Categories Schemas: https://tinyurl.com/y5ty2a8d.

  5. http://privacygrade.org/third_party_libraries.

  6. Sensitive API to Sensitive Data Types Mapping: https://tinyurl.com/y5ty2a8d.

  7. GitHub Link: https://www.github.com/vijayantajain/PDroid.

  8. https://github.com/SKaplanOfficial/Privacy-Crawler.

  9. https://www.withings.com/us/en/legal/privacy-policy; https://www.arlo.com/en-us/about/privacy-policy/; https://privacy.dyson.com/en/globalprivacypolicy.aspx; https://anovaculinary.com/privacy/.

  10. PHIN’s Evaluation Dataset: https://tinyurl.com/yyu2r58r.

  11. https://developers.google.com/apis-explorer/.

Author information

Corresponding author

Correspondence to Sanonda Datta Gupta.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Gupta, S.D., Nygaard, A., Kaplan, S., Jain, V., Ghanavati, S. (2021). PHIN: A Privacy Protected Heterogeneous IoT Network. In: Cherfi, S., Perini, A., Nurcan, S. (eds) Research Challenges in Information Science. RCIS 2021. Lecture Notes in Business Information Processing, vol 415. Springer, Cham. https://doi.org/10.1007/978-3-030-75018-3_8

  • DOI: https://doi.org/10.1007/978-3-030-75018-3_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-75017-6

  • Online ISBN: 978-3-030-75018-3

  • eBook Packages: Computer Science, Computer Science (R0)
