Chapter 5 IoT Privacy


Internet of Things (IoT) Privacy

IoT Privacy

► Privacy in the IoT is the right of an individual to control when and how their personal information is collected and processed in the IoT environment.
► The IoT is the ever-growing set of intelligent objects connected to each other and to the Internet or a similar network.
► These range from simple sensors to smartphones, and the devices communicate with each other in what amounts to an entirely connected world.
► IoT privacy covers the special considerations required to protect individuals' information from exposure in an environment in which almost any physical or logical entity or object can be given a unique identifier and the ability to communicate autonomously over the Internet or a similar network.
► Endpoints (entities/things) in the IoT environment transmit data autonomously; they also work in conjunction with other endpoints and communicate with them.
► Interoperability of things is essential to the IoT's functioning so that, for example, the networked elements of a home work together smoothly.
► The data transmitted by a given endpoint might not cause any privacy issue on its own.
► However, when even fragmented data from multiple endpoints is gathered, collated and analysed, it can yield sensitive information. Privacy risk therefore has to be assessed across the whole ecosystem, not device by device.
► Privacy is a key factor in trust relationships.
► When we disclose data to others, we are (implicitly or otherwise) trusting them not to use it in ways that conflict with our interests.
► In the context of the IoT, privacy boils down to two things: either we trust third parties not to abuse the data generated by our use of connected objects, or we rely on our own ability to control the collection and use of that data.
► In the IoT domain, privacy therefore carries strong implications of trust, transparency and control:
IoT Privacy - trust, transparency and control aspects
► Control: the ability of individuals to decide how the information collected by their IoT devices is shared, and who has access to the data from devices in their home, in their car and on their person. This means easy ways to blind and mute devices, and a say in how IoT data is analysed or shared with third parties.
► Transparency: clarity about how information about people is collected, used and shared with others. IoT devices and their applications should enable the user to find out what information is collected and shared, when and with whom.
► Identifiability: the ability to determine how identifiable one is when undertaking online or offline activities. IoT devices should offer the option of pseudonymous or anonymous use.
► Digital footprint: the ability to control one's digital footprint, especially from IoT devices in intimate settings. The user should understand where information about them has gone, and how long it is kept.
IoT Privacy issues

► 1. Data overload - The amount of data IoT devices generate is staggering. Studies show that 10,000 households can create 150 million distinct data points every day. This exposes not only your own information but details about your family, daily habits, changes in routine and more. Every one of those data flows is a potential entry point for attackers and leaves sensitive information at risk.
► 2. Spying - The more Internet-enabled devices we use, the more exposed we are to online threats. When the devices share a network, compromising any one of them can open the door to the others and to all kinds of personal information. Keeping an eye on your devices therefore means accounting for every Internet-enabled device that makes that communication easy: sensors, light bulbs, video cameras, Wi-Fi routers and more. Attackers could exploit weaknesses such as poorly designed password recovery processes to gain access to your system.
► 3. Data profiling - The gathering, assembling and collating of data about individuals in databases which can be used to identify, segregate, categorize and generally make decisions about individuals known to the decision maker only through their computerized profile. Even nominally anonymized information submitted by Internet-connected modules can be used to create detailed profiles of the users of those modules, and the profiles can in turn be used for targeted advertising. The term "targeted advertising" refers to placing advertisements so as to reach consumers based on various behavioural, demographic and psychographic attributes.
► 4. Interoperability - The rapid expansion of the IoT in recent years has led to the development of many different kinds of devices, Application Programming Interfaces (APIs), infrastructure, data formats, standards and frameworks. An API is a way for a computer to communicate with another computer, or for a person to interrogate or instruct a computer and get a result. This has caused significant interoperability issues, in that devices, software and data from one vendor often do not work with those from other vendors.
► 5. Dependency on vendors - Organisations and individuals who use IoT devices are often dependent on the vendors or manufacturers of those devices to handle security and privacy issues through the delivery of software or firmware updates that fix security vulnerabilities. Sometimes they are also reliant on vendors to ensure that collected personal information is sufficiently de-identified before it is shared.
► 6. Consent - Consent is a common basis for organisations to use and disclose personal information. However, valid consent generally requires more than getting a user to click "I agree". Meaningful consent has five elements: the person must have the capacity to consent, and the consent must be voluntary, current, specific and informed.
► 7. De-identification of IoT data
► The data collected by large IoT ecosystems like smart cities can be valuable for a range of purposes such as research or informing policy decisions. A common way to maximise the value of this data is to make it publicly available online. However, it is generally impermissible to publish datasets that include personal information.
► The simplest way to ensure personal information is not included in a dataset is to let individuals remain anonymous by never collecting information that can identify them. For example, a smart city could count pedestrians using IoT sensors that record movements, instead of images or video. The process of removing personal information from a dataset is called de-identification. However, data collected by the IoT is often very difficult to de-identify because of its highly granular nature. Longitudinal information (a sequence of observations about the same person over time) is especially hard to de-identify, even when aggregated.
► 8. Collection, use and disclosure of IoT data
► The data collected from IoT devices generally comes from sensors including microphones, accelerometers and thermometers. Data from sensors such as these is often highly detailed and precise. This granularity allows additional information to be created through machine learning inferences and other analysis techniques, yielding results that would not be possible with coarser data.
► In addition, devices with multiple sensors, or multiple devices in close proximity, can combine their data in a process known as sensor fusion, which allows more accurate and specific inferences than any single sensor permits. For example, sensor data about the temperature, humidity, light level and CO2 concentration of a room can be combined to track its occupancy with considerably higher accuracy than would be possible with only one of those kinds of data.
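The occupancy inference described above, as an added Python example that is not part of the original slides: eight constructed readings from one room (temperature, humidity, CO2, light, with a ground-truth occupancy label) are classified first by each sensor alone and then by a weighted majority vote whose weights are the log-odds of each sensor's accuracy. The thresholds, readings and function names are assumptions for the illustration, and the weights are fitted on the same eight rows, so this shows the mechanism rather than a field evaluation.

```python
"""Sensor fusion for room occupancy (constructed example)."""
from math import log

# Constructed readings from one meeting room:
# (temp_c, humidity_pct, co2_ppm, light_lux, occupied).
# The unoccupied rows include realistic confounders: afternoon sun warming the
# room, a damp day, CO2 lingering after a meeting, lights left on.
READINGS = [
    (23.0, 48, 800, 350, True),
    (22.0, 47, 750, 300, True),
    (23.2, 44, 700, 320, True),
    (23.1, 47, 550, 310, True),
    (22.8, 43, 500, 50, False),
    (21.5, 46, 480, 40, False),
    (21.8, 42, 650, 30, False),
    (21.9, 41, 420, 260, False),
]
SENSORS = ("temp", "humidity", "co2", "light")
# Per-sensor "occupied" thresholds (assumed typical indoor values).
THRESHOLDS = {"temp": 22.5, "humidity": 45, "co2": 600, "light": 200}


def single_vote(reading, sensor):
    """True if this one sensor alone says the room is occupied."""
    return reading[SENSORS.index(sensor)] > THRESHOLDS[sensor]


def sensor_accuracy(readings, sensor):
    """Fraction of labelled readings this single sensor classifies correctly."""
    correct = sum(single_vote(r, sensor) == r[-1] for r in readings)
    return correct / len(readings)


def fusion_weights(readings):
    """Weighted-majority weights: log-odds of each sensor's own accuracy."""
    weights = {}
    for sensor in SENSORS:
        acc = sensor_accuracy(readings, sensor)
        acc = min(max(acc, 1e-6), 1 - 1e-6)  # keep the log finite at 0 or 1
        weights[sensor] = log(acc / (1 - acc))
    return weights


def fused_vote(reading, weights):
    """Combine all sensors: +w if a sensor votes occupied, -w if it votes empty."""
    score = sum(weights[s] * (1 if single_vote(reading, s) else -1) for s in SENSORS)
    return score > 0


def fused_accuracy(readings, weights=None):
    """Accuracy of the fused decision over the labelled readings."""
    weights = weights or fusion_weights(readings)
    correct = sum(fused_vote(r, weights) == r[-1] for r in readings)
    return correct / len(readings)


if __name__ == "__main__":
    for s in SENSORS:
        print(f"{s:9s} alone: {sensor_accuracy(READINGS, s):.3f}")
    print(f"fused:           {fused_accuracy(READINGS):.3f}")
```

Each sensor on its own is wrong on one or two rows (sun warming an empty room, CO2 lingering after a meeting, lights left on), yet the fused score classifies every row correctly. Nothing here needs a camera or microphone, which is why environmental telemetry that looks harmless per sensor deserves the same privacy treatment as occupancy data.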
IoT Privacy threats

► Identification - the threat of associating a persistent identifier, such as a name and address, with an individual and the data about them. For example, the voice we use to control many of these smart devices can itself be used to identify us.
► Localization - the threat of tracking a person through the digital data footprints they leave. For example, using Samsung Pay to buy a bus ticket leaves a data trace of where and when you travelled.
► Profiling - with just our search history and Facebook profile there is already a huge business deciding which advertisements are displayed on our screens. With the IoT, data collection not only increases quantitatively by orders of magnitude, it also changes qualitatively, because the data now comes from previously inaccessible, private parts of people's lives.
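The identification and localization threats above, and the difficulty of de-identifying longitudinal data noted under item 7, can be made concrete. The following Python is an added example, not part of the original slides: it takes a constructed set of eight pseudonymous traces of (hour of day, cell) such as a transit app or wearable might produce, measures how often a few known points single out one person (unicity), shows that an adversary who knows two facts about someone can pull out their whole trace, and checks whether coarsening the data into 4-hour blocks and zones actually yields k-anonymity. The trace data, the cell-to-zone map and the function names are all constructed for the illustration.

```python
"""Re-identification risk of longitudinal IoT location data (constructed example)."""
from itertools import combinations

# Constructed sample: eight pseudonymous traces of (hour_of_day, cell_id).
# Names and direct identifiers are already stripped; only the trace remains.
TRACES = {
    "u1": [(7, "A"), (9, "C"), (12, "D"), (18, "A")],
    "u2": [(7, "A"), (9, "C"), (12, "E"), (18, "A")],
    "u3": [(8, "B"), (9, "C"), (13, "D"), (18, "B")],
    "u4": [(8, "B"), (10, "D"), (13, "D"), (19, "B")],
    "u5": [(7, "F"), (9, "E"), (12, "E"), (17, "F")],
    "u6": [(7, "F"), (9, "E"), (12, "E"), (17, "F")],  # same routine as u5
    "u7": [(6, "A"), (9, "C"), (12, "D"), (20, "A")],
    "u8": [(7, "A"), (11, "C"), (12, "D"), (18, "A")],
}

# Hypothetical generalization hierarchy: six cells collapse into three zones.
ZONES = {"A": "Z1", "B": "Z1", "C": "Z2", "D": "Z2", "E": "Z3", "F": "Z3"}


def reidentify(traces, known_points):
    """Users whose trace contains every point the adversary already knows."""
    known = set(known_points)
    return sorted(user for user, trace in traces.items() if known <= set(trace))


def unicity(traces, k):
    """Fraction of k-point samples drawn from a trace that match only that trace.

    This is the chance that knowing k observations about a person is enough
    to single out their full record in the released dataset.
    """
    point_sets = {user: set(trace) for user, trace in traces.items()}
    samples = unique = 0
    for points in point_sets.values():
        for subset in combinations(sorted(points), k):
            samples += 1
            matches = sum(1 for other in point_sets.values() if set(subset) <= other)
            if matches == 1:
                unique += 1
    return unique / samples if samples else 0.0


def generalize(traces, hour_bucket=4, zones=ZONES):
    """Coarsen each observation: hours into buckets, cells into zones."""
    return {user: [(hour // hour_bucket, zones[cell]) for hour, cell in trace]
            for user, trace in traces.items()}


def k_anonymity(traces):
    """Smallest group of users sharing an identical (generalized) trace.

    A value of 1 means at least one person is still unique in the release.
    """
    classes = {}
    for user, trace in traces.items():
        classes.setdefault(tuple(sorted(set(trace))), []).append(user)
    return min(len(members) for members in classes.values())


if __name__ == "__main__":
    for k in (1, 2, 4):
        print(f"raw data, {k} known point(s): unicity = {unicity(TRACES, k):.3f}")
    print("adversary knows (9,C) and (18,B):", reidentify(TRACES, [(9, "C"), (18, "B")]))
    coarse = generalize(TRACES)
    print(f"after generalization: unicity(4) = {unicity(coarse, 4):.3f}, "
          f"k-anonymity = {k_anonymity(coarse)}")
```

On the raw traces, unicity climbs from under 0.2 with one known point to 0.75 with four, and two points are enough to pull out u3. Coarsening to four-hour blocks and zones cuts unicity to 0.25 but leaves u2 and u7 unique, so the release is still only 1-anonymous: aggregation alone does not de-identify longitudinal data, which is the slide's point.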
Make IoT devices more secure in a workplace environment
► 1. The first thing to do is to buy your IoT devices from a reliable vendor. Some manufacturers have stricter privacy policies than others; choose the stricter option.
► 2. Some developers also let you choose your privacy settings. Prefer the developer who lets you control those settings rather than keeping control itself.
► 3. The first thing to do after buying an IoT device is to change the default device name and password. Use a unique, complex password for each device; default credentials are typically printed in the vendor's manual and are the first thing an attacker tries.
► 4. Change the default settings before you bring the IoT device into the workplace. The defaults may benefit the developer more than they benefit you.
► 5. Set up a guest network for guests and temporary users, with no IoT devices on it, and implement a policy under which only regular employees can access the network that carries the IoT devices. Restrict the number of employees on the main network as well.
► 6. Limit the device's features as much as you can. Many features will not be needed for office work; disable them to limit information leakage and to gain more control over the devices.
► 7. Keep your devices up to date. When the manufacturer publishes an update, apply it promptly; do not put off the installation, because it may carry a fix that improves the device's security and privacy.
► 8. Also keep a check on what each update does. Be aware of the updates manufacturers are pushing and find out whether they compromise your firm's privacy in any way, for example by enabling new data collection. Vigilance is the key to avoiding privacy issues today.
Questions to Consider for IoT Data Privacy
► What personal data does my IoT device collect about others?
► Where is that data sent?
► How is the data used?
► Is all of the data collected used, or is there information the device should not collect?
► Does anyone else have access to the data?
► Where is the data ultimately stored?
► How long is the data kept?
► Do we need to build in an expiration time frame for data storage?
► How secure is that data during transfer and storage?
► How will consumers be notified if there is a data breach?
Privacy Requirements

► The data stewards, data architects, data administrators, and data modellers should
review and use the following privacy requirements throughout the system
development life cycle.
Privacy Requirements that can be considered
► Purpose: Collect and process for purposes that are relevant to the services being
provided. PI must not be collected or used for purposes that are materially
different from the original purpose for which the data was provided.
► Notice: System creators, owners, and fiduciaries must explain to users how their
personal information will be used, collected, protected, retained, kept accurate,
accessed, corrected, or otherwise processed before any processing occurs.
► Choice/Consent: Data subjects must consent to the collection and use of their
personal information.
► Transfer: Data should not be transferred to third parties for their own use without
the data subject’s permission.
► Access, Correction, Deletion: Data subjects must have a means of accessing the
personal information that has been collected about them. They also are entitled to
delete or amend false or inaccurate data.
► Security: Use appropriate technical, logical, and administrative measures to
ensure only authorized access and use of data.
► Minimization: Collect and process the minimum necessary data to achieve the
identified, legitimate intended purposes. The minimization principle is closely
related to the purpose limitation requirement where only the necessary PI is
collected and processed to achieve a legitimate purpose.
► Proportionality: Data collection should be legitimately proportional to the need, the purpose and the sensitivity of the data. Taken one step further, this requirement ties the data collected to its quality and value.
► Retention: Retain data only as long as it is required.
► Act Responsibly: Put a privacy program in place.
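As an added example, not code from the original slides, the following Python shows how the purpose, minimization, retention and deletion requirements above can be enforced by the data layer itself rather than left to policy documents: each record carries the purpose declared at collection, over-collection is refused, queries only see data collected for the stated purpose and still within its retention period, and expired or erased data is actually removed. The policy table, the `PrivacyStore` class and the sample records are constructed for the illustration.

```python
"""Purpose binding, minimization and retention enforced in code (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class PolicyViolation(Exception):
    """Raised when a collection or use would breach the declared privacy policy."""


@dataclass(frozen=True)
class Record:
    subject: str            # the data subject (here a household) the record is about
    purpose: str            # purpose declared when the data was collected
    collected_at: datetime
    fields: dict


class PrivacyStore:
    """A store that accepts, serves and keeps data only per declared purpose.

    policy maps each legitimate purpose to the fields it may hold (minimization)
    and how long they may be kept (retention).
    """

    def __init__(self, policy):
        self.policy = policy
        self.records = []

    def collect(self, subject, purpose, fields, now):
        spec = self.policy.get(purpose)
        if spec is None:
            raise PolicyViolation(f"no declared purpose {purpose!r}")
        extra = set(fields) - spec["fields"]
        if extra:  # minimization: refuse fields the purpose does not need
            raise PolicyViolation(f"{sorted(extra)} not needed for {purpose!r}")
        self.records.append(Record(subject, purpose, now, dict(fields)))

    def _expired(self, record, now):
        return now >= record.collected_at + self.policy[record.purpose]["retention"]

    def query(self, purpose, now):
        """Purpose limitation: only data collected for this purpose, and not expired."""
        if purpose not in self.policy:
            raise PolicyViolation(f"no declared purpose {purpose!r}")
        return [r for r in self.records if r.purpose == purpose and not self._expired(r, now)]

    def purge(self, now):
        """Retention: delete everything past its retention period; returns the count."""
        keep = [r for r in self.records if not self._expired(r, now)]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

    def erase_subject(self, subject):
        """Deletion right: remove all records about one subject; returns the count."""
        keep = [r for r in self.records if r.subject != subject]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed


# Hypothetical policy for a smart-building operator.
POLICY = {
    "energy_billing": {"fields": {"meter_id", "kwh"}, "retention": timedelta(days=365)},
    "occupancy_comfort": {"fields": {"room", "co2_ppm"}, "retention": timedelta(days=7)},
}


def demo():
    """Collection, a refused over-collection, purpose-bound queries, expiry and
    erasure on constructed records; returns the observed counts for checking."""
    store = PrivacyStore(POLICY)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.collect("house-17", "occupancy_comfort", {"room": "kitchen", "co2_ppm": 820}, t0)
    store.collect("house-17", "energy_billing", {"meter_id": "M17", "kwh": 3.2}, t0)
    try:  # a microphone sample is not needed for comfort control
        store.collect("house-17", "occupancy_comfort",
                      {"room": "kitchen", "co2_ppm": 820, "audio": b"\x00\x01\x02"}, t0)
        refused = False
    except PolicyViolation:
        refused = True
    day1, day8 = t0 + timedelta(days=1), t0 + timedelta(days=8)
    return {
        "over_collection_refused": refused,
        "comfort_day1": len(store.query("occupancy_comfort", day1)),
        "billing_day1": len(store.query("energy_billing", day1)),
        "comfort_day8": len(store.query("occupancy_comfort", day8)),  # past 7-day retention
        "purged_day8": store.purge(day8),
        "erased": store.erase_subject("house-17"),
        "left": len(store.records),
    }


if __name__ == "__main__":
    print(demo())
```

The billing record outlives the comfort record because each purpose carries its own retention period, and the comfort data stops being served the moment it expires even before the purge job runs; the same structure answers several of the "Questions to Consider" above (what is collected, how it is used, how long it is kept).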
