
Designing Privacy-Aware IoT Applications for Unregulated Domains

Published: 23 April 2024

Abstract

Internet of Things (IoT) applications (apps) are challenging to design because of the heterogeneous systems on which they are deployed. IoT devices and apps may collect and analyse sensitive personal data, which is often protected by data privacy laws, some within highly regulated domains such as healthcare. Privacy-by-design (PbD) schemes can be used by developers to consider data privacy at the design stage. However, software developers are not widely adopting these approaches because they find them difficult to understand and interpret, and few tools are currently available to support developers in this context. We believe that a successful PbD tool should be able to (i) assist developers in addressing privacy requirements in less regulated domains, as well as (ii) help them learn about privacy as they use the tool. The findings of two controlled lab studies are presented, involving 42 developers. We discuss how such a PbD tool can help novice IoT developers comply with privacy laws (e.g., GDPR) and follow privacy guidelines (e.g., privacy patterns). Based on our findings, such tools can help raise awareness of data privacy requirements at the design stage. This increases the likelihood that subsequent designs will be more aware of data privacy requirements.



Information

Published In

ACM Transactions on Internet of Things, Volume 5, Issue 2
May 2024
214 pages
EISSN: 2577-6207
DOI: 10.1145/3613552

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 April 2024
Online AM: 15 February 2024
Accepted: 20 January 2024
Revised: 19 January 2024
Received: 03 May 2023
Published in TIOT Volume 5, Issue 2

Author Tags

  1. Internet of Things
  2. privacy
  3. privacy laws
  4. tools
  5. software design
  6. software developers
  7. data protection
  8. unregulated domains
  9. cybersecurity
  10. software engineering

Qualifiers

  • Research-article
