Automated Approach to Analyze IoT Privacy Policies

Part of the EAI/Springer Innovations in Communication and Computing book series (EAISICC)

Abstract

The massive popularity of IoT devices raises new challenges for user privacy. Hence, manufacturers are obliged to notify users about their privacy practices as well as give them choices to have control over their data. Privacy policies are long and full of legal jargon, and thus not understandable by average users. The problem becomes worse with IoT devices due to the ability of these devices to access sensitive information about users. Previous research has addressed problems related to website and mobile privacy policies. However, few works focus on analyzing IoT privacy policies. In this chapter, we analyze and annotate 50 IoT privacy policies to determine whether the IoT manufacturers collect personal information about the user as well as the type of such information. To ensure that we extract the correct information, we study in depth the complicated and ambiguous sentences that average users will not understand. With our method, we aim to mimic how an ordinary person reads and understands such policies sentence by sentence. We use supervised machine learning to label the collected personal information according to its sensitivity level as either sensitive personal information or non-sensitive personal information. The high accuracy achieved by the classifier (98.8%) proves its validity and reliability.

Keywords

  • IoT
  • Privacy policy
  • Supervised machine learning
  • IoT privacy policy

  • DOI: 10.1007/978-3-030-92968-8_12
  • Chapter length: 24 pages
  • ISBN: 978-3-030-92968-8

Notes

  1. https://en-uk.ring.com/pages/privacy-notice.

  2. https://policies.google.com/privacy.

  3. https://www.ezvizlife.com/uk/legal/privacy-policy.

Acknowledgements

The first author’s work is sponsored by King Abdul Aziz University in Saudi Arabia.

Author information

Corresponding author

Correspondence to Alanoud Subahi.

Appendix A: IoT Manufacturers

See Table 4.

Table 4 IoT manufacturers PPA URL

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

Subahi, A., Theodorakopoulos, G. (2023). Automated Approach to Analyze IoT Privacy Policies. In: Cagáňová, D., Horňáková, N. (eds) Industry 4.0 Challenges in Smart Cities. EAI/Springer Innovations in Communication and Computing. Springer, Cham. https://doi.org/10.1007/978-3-030-92968-8_12

  • DOI: https://doi.org/10.1007/978-3-030-92968-8_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92967-1

  • Online ISBN: 978-3-030-92968-8

  • eBook Packages: Engineering, Engineering (R0)