Differentiating Security from Privacy in Internet of Things: A Survey of Selected Threats and Controls

  • A. Al-Gburi
  • A. Al-Hasnawi
  • L. Lilien


We decided to use simpler definitions of security and privacy, boiling them down to their most essential characteristics. Our guide was Cooley’s classic definition of personal immunity as “a right of complete immunity: to be let alone” [3]. This phrase was soon adapted as a definition of privacy. Because it was provided by a lawyer, it includes physical aspects of privacy, which are critical in the real world but not essential in the virtual world; as will be clear from our definitions of security and privacy in the next paragraph, we see these aspects more as security characteristics than as privacy characteristics.


  1. Sundmaeker, H., Guillemin, P., Friess, P., & Woelfflé, S. (2010). Vision and challenges for realising the Internet of Things. Cluster of European Research Projects on the Internet of Things, European Commission (CERP-IoT). doi: 10.2759/26127
  2. Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in computing (5th ed.). Englewood Cliffs, NJ: Prentice Hall.
  3. Cooley, T. M. (1879). Treatise on the law of torts or the wrongs which arise independent of contract. Chicago: Callaghan.
  4. Yang, G., Xu, J., Chen, W., Qi, Z. H., & Wang, H. Y. (2010). Security characteristic and technology in the Internet of Things. Journal of Nanjing University of Posts and Telecommunications, 30(4), 20–29.
  5. Al-Fuqaha, A., Guizani, M., Mohammadi, M., Aledhari, M., & Ayyash, M. (2015). Internet of Things: A survey on enabling technologies, protocols, and applications. IEEE Communications Surveys & Tutorials, 17(4), 2347–2376.
  6. Lilien, L., Kamal, Z., Bhuse, V., & Gupta, A. (2006). Opportunistic networks: the concept and research challenges in privacy and security. Proceedings of International Workshop on Research Challenges in Security and Privacy for Mobile and Wireless Networks, Miami, FL, pp. 134–147.
  7. Lilien, L., Gupta, A., Kamal, Z., & Yang, Z. (2010). Opportunistic resource utilization networks—a new paradigm for specialized ad hoc networks [Special Issue: Wireless Ad Hoc, Sensor and Mesh Networks, Elsevier]. Computers and Electrical Engineering, 36(2), 328–340.
  8. Yan, Z., Zhang, P., & Vasilakos, A. V. (2014). A survey on trust management for Internet of Things. Journal of Network and Computer Applications, 42, 120–134.
  9. Spruit, M., & Wester, W. (2013). RFID security and privacy: Threats and countermeasures. Utrecht: Department of Information and Computing Sciences, Utrecht University.
  10. Mitrokotsa, A., Rieback, M. R., & Tanenbaum, A. S. (2010). Classification of RFID attacks. Journal of Information Systems Frontiers, 12(5), 491–505.
  11. De Fuentes, J. M., Peris-Lopez, P., Tapiador, J. E., & Pastrana, S. (2015). Probabilistic yoking proofs for large scale IoT systems. Ad Hoc Networks, 32, 43–52.
  12. Katagi, M., & Moriai, S. (2011). Lightweight cryptography for the Internet of Things (Technical Report). Tokyo: Sony Corporation. Online:
  13. Specht, S. M., & Lee, R. B. (2004). Distributed denial of service: taxonomies of attacks, tools, and countermeasures. Proceedings of ISCA International Conference on Parallel and Distributed Computing Systems (PDCS), San Francisco, CA, pp. 543–550.
  14. Farooq, M. U., Waseem, M., Khairi, A., & Mazhar, S. (2015). A critical analysis on the security concerns of Internet of Things (IoT). International Journal of Computer Applications, 111(7), 1–6.
  15. Mahmood, Z. (2016). Connectivity frameworks for smart devices. Cham: Springer International Publishing.
  16. Roman, R., Alcaraz, C., Lopez, J., & Sklavos, N. (2011). Key management systems for sensor networks in the context of the Internet of Things. Computers & Electrical Engineering, 37(2), 147–159.
  17. Alani, M. M. (2016). Elements of cloud computing security: A survey of key practicalities. Springer Briefs in Computer Science. Berlin: Springer International Publishing.
  18. Zunnurhain, K., & Vrbsky, S. V. (2010). Security attacks and solutions in clouds. Proceedings of the 1st International Conference on Cloud Computing, Tuscaloosa, AL, pp. 145–156.
  19. Anggorojati, B. (2015). Access control in IoT/M2M-cloud platform. Ph.D. dissertation, The Faculty of Engineering and Science, Aalborg University, Aalborg, Denmark.
  20. Patel, A., Taghavi, M., Bakhtiyari, K., & Júnior, J. C. (2013). An intrusion detection and prevention system in cloud computing: A systematic review. Journal of Network and Computer Applications, 36(1), 25–41.
  21. Ahmed, N. (2016). Designing, implementation and experiments for moving target defense. Ph.D. dissertation, Department of Computer Science, Purdue University, West Lafayette, IN.
  22. Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), 74–81.
  23. Muir, B. (2009). Radio frequency identification: privacy & security issues (slides). Slide Share. Online:
  24. Thompson, D. R., Chaudhry, N., & Thompson, C. W. (2006). RFID security threat model. In Proceedings of Conference on Applied Research in Information Technology, Conway, AR.
  25. Virmani, D., Soni, A., Chandel, S., & Hemrajani, M. (2014). Routing attacks in wireless sensor networks: A survey. arXiv preprint arXiv:1407.3987.
  26. Ben Othmane, L., & Lilien, L. (2009). Protecting privacy in sensitive data dissemination with active bundles. In Proceedings of Seventh Annual Conference on Privacy, Security and Trust (PST) (pp. 202–213). Saint John, NB.
  27. Sibert, O., Bernstein, D., & Van Wie, D. (1995). The DigiBox: A self-protecting container for information commerce. Proceedings of First USENIX Workshop on Electronic Commerce, New York, NY, pp. 15–15.
  28. Berthold, O., & Langos, H. (2002). Dummy traffic against long term intersection attacks. In Proceedings of International Workshop on Privacy Enhancing Technologies (pp. 110–128). Berlin: Springer.
  29. PCI Security Standards Council. (2010). Initial roadmap: point-to-point encryption technology and PCI DSS compliance. Emerging Technology Whitepaper. Online:
  30. Wan, Z., Xing, K., & Liu, Y. (2012). Priv-Code: Preserving privacy against traffic analysis through network coding for multi-hop wireless networks. Proceedings of 31st Annual IEEE International Conference on Computer Communications (INFOCOM), Orlando, FL, pp. 73–81.
  31. Pearson, S. (2009). Taking account of privacy when designing cloud computing services. Proceedings of the ICSE Workshop on Software Engineering Challenges for Cloud Computing, Vancouver, BC, pp. 44–52.
  32. Waterson, D. (2015). IoT inference attacks from a whole lotta talkin’ going on. Thoughts on Information Security. Online:
  33. Squicciarini, A., Sundareswaran, S., & Lin, D. (2010). Preventing information leakage from indexing in the cloud. Proceedings of 3rd IEEE International Conference on Cloud Computing, Miami, FL, pp. 188–195.
  34. Nasim, R. (2012). Security threats analysis in Bluetooth-enabled mobile devices. International Journal of Network Security & its Applications, 4(3), 41–56.
  35. Monir, S. (2017). A Lightweight attribute-based access control system for IoT. Ph.D. dissertation, University of Saskatchewan, Saskatoon, SK.
  36. Tebaa, M., & Hajji, S. E. (2014). Secure cloud computing through homomorphic encryption. International Journal of Advancements in Computing Technology (IJACT), 5(16), 29–38.
  37. Tchao, A., Di Marzo, G., & Morin, J. H. (2017). Personal DRM (PDRM)—A self-protecting content approach. In F. Hartung et al. (Eds.), Digital rights management: Technology, standards and applications. New York: CRC Press, Taylor & Francis Group.
  38. Ziegeldorf, H., Morchon, G., & Wehrle, K. (2014). Privacy in the Internet of Things: Threats and challenges. Security and Communication Networks, 7(12), 2728–2742.
  39. Pfitzmann, A., & Hansen, M. (2010). A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management (Version v0.34). Online:
  40. Duncan, G., & Stokes, L. (2009). Data masking for disclosure limitation. Wiley Interdisciplinary Reviews: Computational Statistics, 1(1), 83–92.
  41. Ren, K., Lou, W., Kim, K., & Deng, R. (2006). A novel privacy preserving authentication and access control scheme for pervasive computing environments. IEEE Transactions on Vehicular Technology, 55(4), 1373–1384.

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  1. Department of Computer Science, Western Michigan University, Kalamazoo, USA
  2. On leave from Department of Computer Science, Al-Mustansiriyah University, Baghdad, Iraq
  3. On leave from Department of Electrical Engineering, Al‐Furat Al‐Awsat Technical University, Najaf, Iraq
