Assessing Privacy Policies of Internet of Things Services

  • Niklas Paul
  • Welderufael B. Tesfay
  • Dennis-Kenji Kipker
  • Mattea Stelter
  • Sebastian PapeEmail author
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 529)


This paper provides an assessment framework for privacy policies of Internet of Things Services which is based on particular GDPR requirements. The objective of the framework is to serve as supportive tool for users to take privacy-related informed decisions. For example when buying a new fitness tracker, users could compare different models in respect to privacy friendliness or more particular aspects of the framework such as if data is given to a third party. The framework consists of 16 parameters with one to four yes-or-no-questions each and allows the users to bring in their own weights for the different parameters. We assessed 110 devices which had 94 different policies. Furthermore, we did a legal assessment for the parameters to deal with the case that there is no statement at all regarding a certain parameter. The results of this comparative study show that most of the examined privacy policies of IoT devices/services are insufficient to address particular GDPR requirements and beyond. We also found a correlation between the length of the policy and the privacy transparency score, respectively.


Internet of Things Privacy policies General Data Protection Regulation GDPR ePrivacy Regulation ePR 



This research was partly funded by the German Federal Ministry of Education and Research (BMBF) with grant number: 16KIS0371.


  1. 1.
    Stankovic, J.A.: Research directions for the internet of things. IEEE Internet Things J. 1(1), 3–9 (2014)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Information Commissioner’s Office: Privacy regulators study finds Internet of Things shortfalls (2016)Google Scholar
  3. 3.
    Mayer, C.P.: Security and privacy challenges in the internet of things. In: Electronic Communications of the EASST, vol. 17 (2009)Google Scholar
  4. 4.
    DZone: The DZone guide to Internet of Things (2016)Google Scholar
  5. 5.
    Milne, G.R., Culnan, M.J.: Strategies for reducing online privacy risks: why consumers read (or don’t read) online privacy notices. J. Interact. Mark. 18(3), 15–29 (2004)CrossRefGoogle Scholar
  6. 6.
    European Commission: Special Eurobarometer 431: Data Protection Report (2015)Google Scholar
  7. 7.
    Jensen, C., Potts, C., Jensen, C.: Privacy practices of internet users: self-reports versus observed behavior. Int. J. Hum.-Comput. Stud. 63(1–2), 203–227 (2005)CrossRefGoogle Scholar
  8. 8.
    Casadesus-Masanell, R., Hervas-Drane, A.: Competing with privacy. Manag. Sci. 61(1), 229–246 (2015)CrossRefGoogle Scholar
  9. 9.
    Xia, F., Yang, L.T., Wang, L., Vinel, A.: Internet of things. Int. J. Commun. Syst. 25(9), 1101–1102 (2012)CrossRefGoogle Scholar
  10. 10.
    European Parliament, Council of The European Union: Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) (2016). Accessed 15 Jan 2018
  11. 11.
    European Commission: Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation) (2017). Accessed 15 Jan 2018
  12. 12.
    European Interactive Digital Advertising Alliance (EDAA): The e-privacy regulation - good or bad for european consumers? (2018) Accessed 15 Jan 2018
  13. 13.
    Engeler, M., Felber, W.: Draft of the ePrivacy Regulation from the perspective of the regulatory practice (2017). Accessed 15 Jan 2018
  14. 14.
    Pellikan, L.: Bundesregierung: ePrivacy-Verordnung kommt erst 2019. W&V of 22 November 2017 (2017). Accessed 15 Jan 2018
  15. 15.
    Ziegeldorf, J.H., Morchon, O.G., Wehrle, K.: Privacy in the Internet of Things: threats and challenges. Secur. Commun. Netw. 7(12), 2728–2742 (2014)CrossRefGoogle Scholar
  16. 16.
    Smith, H.J., Milberg, S.J., Burke, S.J.: Information privacy: measuring individuals’ concerns about organizational practices. MIS Q. 20(2), 167 (1996)CrossRefGoogle Scholar
  17. 17.
    Milne, G.R., Culnan, M.J.: Using the content of online privacy notices to inform public policy: a longitudinal analysis of the 1998–2001 U.S. web surveys. Inf. Soc. 18(5), 345–359 (2002)CrossRefGoogle Scholar
  18. 18.
    Peslak, A.R.: Internet privacy policies. Inf. Resour. Manag. J. 18(1), 29–41 (2005)CrossRefGoogle Scholar
  19. 19.
    Agrawal, R., Grosky, W.I., Fotouhi, F.: Ranking privacy policy. In: IEEE 23rd International Conference on Data Engineering Workshop, pp. 192–197 (2007)Google Scholar
  20. 20.
    Flesch, R.: A new readability yardstick. J. Appl. Psychol. 32(3), 221–233 (1948)CrossRefGoogle Scholar
  21. 21.
    Ranking Digital Rights: 2017 Corporate Accountability Index (2017)Google Scholar
  22. 22.
    Terms of Service; Didn’t Read project: Website (2017). Accessed 15 Jan 2018
  23. 23.
    Zimmeck, S., Bellovin, S.M.: Privee: an architecture for automatically analyzing web privacy policies. In: Proceedings of the 23rd USENIX Security Symposium, 20–22 August 2014. USENIX Association (2003)Google Scholar
  24. 24.
    Zimmeck, S., et al.: Automated analysis of privacy requirements for mobile apps. In: NDSS 2017 Network and Distributed System Security Symposium (2017)Google Scholar
  25. 25.
    WebpageFX: Readability Test Tool. Accessed 15 Jan 2018
  26. 26.
    Saaty, T.L.: What is the analytic hierarchy process? In: Mitra, G., Greenberg, H.J., Lootsma, F.A., Rijkaert, M.J., Zimmermann, H.J. (eds.) Mathematical Models for Decision Support, pp. 109–121. Springer, Heidelberg (1988). Scholar
  27. 27.
    Gluck, J., et al.: How short is too short? Implications of length and framing on the effectiveness of privacy notices. In: Symposium on Usable Privacy and Security (SOUPS) (2016)Google Scholar
  28. 28.
    D’Agostino, R.B., Stephens, M.A., (eds.): Goodness-of-Fit Techniques, Volume 68 of Statistics, 5. print edn. Dekker, New York (1986)Google Scholar
  29. 29.
    Hollander, M., Wolfe, D.A.: Nonparametric Statistical Methods, 2nd edn. Wiley-Interscience (1999)Google Scholar
  30. 30.
    McCarthy, J.: TRUSTe decides its own fate today - slashdot (1999)Google Scholar
  31. 31.
    von Leitner, F.: Das IoT-Problem (2017). Accessed 15 Jan 2018

Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  1. 1.Goethe-UniversityFrankfurtGermany
  2. 2.University of BremenBremenGermany

Personalised recommendations