How to design, implement and operate a privacy-preserving and trustworthy IoT system


Privacy and trust is a wide field. There are many concepts, technologies, implementations, and also regulations and laws, that deal with the privacy of individuals or groups and with trust in systems or organizations. Most of these approaches clearly distinguish between personally identifiable information (PII), which can be linked to a certain person, and other, arbitrary data.

But privacy and trust become crucial in the Internet of Things, because even arbitrary data, like a temperature, might be related to a user when it is combined with other data such as location, or when it is profiled over a certain time period. A very drastic example is the ability to determine which TV program a user is watching just by measuring the energy consumption with very frequent probes, as described in a paper by Greveler et al. [1].

The following text is a start at collecting basic principles, design strategies and technical methods that can be taken into account while designing an IoT system, in order to protect user privacy and to increase the trust in a system:

ISO/IEC/IEEE 42010:2011 defines a template in which so-called concerns are described to frame an architecture viewpoint:

Even if it is sometimes easy to collect “interesting” data that can be used “later” for other services, keep in mind that these data might be a potential privacy risk when they are leaked or misused.

It is often necessary to process or transmit data that can easily be linked to a person. But make this very clear to the user. No hidden mechanisms. Be open and state clearly what you do with the user's data. Transparency is a source of trust in a service or organization.

User consent is important. In many legislations user consent makes things easier: it enables the processing and transmission of data. The Kantara Initiative Information Consent & Information Sharing Work Group works on a framework for handling user consent. The idea is to give users the means to manage their consent. A user gets a consent receipt. This is an advantage for both users and service providers. The user gets an overview of the consent given and can extend or revoke it. A company has a legally safe way to manage consent and to prove that it possesses the user's consent.

Once access rights are granted there should also be a way to revoke them. This keeps the user in control of the process.

This is a kind of red button.
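The consent receipt and the “red button” described above, as an added example that is not part of the original text and not code of the Kantara Initiative: a service provider issues a receipt for each grant, seals it with a provider-held key so it can later prove what was consented to, and every access check consults the current state of the receipt, so a revocation takes effect immediately. The receipt fields, the HMAC seal and the demo key are assumptions made for this illustration.

```python
"""Consent receipts with grant / extend / revoke checks (added illustration)."""
from __future__ import annotations
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: the provider keeps a secret key and seals each receipt with it,
# so a receipt presented later can be checked for tampering. Constructed value.
PROVIDER_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class ConsentReceipt:
    receipt_id: str
    user_id: str
    purpose: str                 # e.g. "energy-advice"
    data_categories: list[str]   # e.g. ["meter-reading-15min"]
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None
    seal: str = ""               # HMAC over the other fields

    def payload(self) -> dict:
        """Canonical, seal-free representation used for sealing."""
        d = asdict(self)
        d.pop("seal")
        for k in ("granted_at", "expires_at", "revoked_at"):
            d[k] = d[k].isoformat() if d[k] else None
        return d


class ConsentRegistry:
    def __init__(self, key: bytes):
        self._key = key
        self._receipts: dict[str, ConsentReceipt] = {}

    def _seal(self, r: ConsentReceipt) -> str:
        blob = json.dumps(r.payload(), sort_keys=True).encode()
        return hmac.new(self._key, blob, hashlib.sha256).hexdigest()

    def grant(self, user_id: str, purpose: str, categories: list[str],
              valid_for: timedelta, now: datetime) -> ConsentReceipt:
        rid = hashlib.sha256(f"{user_id}|{purpose}|{now.isoformat()}".encode()).hexdigest()[:16]
        r = ConsentReceipt(rid, user_id, purpose, list(categories), now, now + valid_for)
        r.seal = self._seal(r)
        self._receipts[rid] = r
        return r

    def extend(self, receipt_id: str, new_expiry: datetime) -> ConsentReceipt:
        r = self._receipts[receipt_id]
        if new_expiry <= r.expires_at:
            raise ValueError("extension must move the expiry forward")
        r.expires_at = new_expiry
        r.seal = self._seal(r)       # re-seal after every state change
        return r

    def revoke(self, receipt_id: str, now: datetime) -> ConsentReceipt:
        """The red button: mark the receipt revoked; checks fail from now on."""
        r = self._receipts[receipt_id]
        r.revoked_at = now
        r.seal = self._seal(r)
        return r

    def verify(self, r: ConsentReceipt) -> bool:
        """True if the receipt was sealed by this provider and not altered."""
        return hmac.compare_digest(r.seal, self._seal(r))

    def is_permitted(self, user_id: str, purpose: str, category: str, now: datetime) -> bool:
        """Only an unrevoked, unexpired, intact receipt for this purpose and category counts."""
        return any(
            r.user_id == user_id and r.purpose == purpose
            and category in r.data_categories
            and r.revoked_at is None
            and r.granted_at <= now < r.expires_at
            and self.verify(r)
            for r in self._receipts.values()
        )


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = ConsentRegistry(PROVIDER_KEY)
    rc = reg.grant("user-42", "energy-advice", ["meter-reading-15min"], timedelta(days=30), t0)
    print("permitted:", reg.is_permitted("user-42", "energy-advice", "meter-reading-15min", t0 + timedelta(days=1)))
    reg.revoke(rc.receipt_id, t0 + timedelta(days=2))
    print("after revoke:", reg.is_permitted("user-42", "energy-advice", "meter-reading-15min", t0 + timedelta(days=3)))
```

Every check goes through the registry rather than through a cached copy of the receipt, which is what makes the revocation immediate; the seal only proves what was consented to, it does not by itself tell the provider whether consent is still valid.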

Aggregation is a very important method.
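Aggregation applied to the energy example from the introduction, as an added example that is not part of the original text: per-second readings are averaged over fixed time windows before they leave the device, and cross-device totals are only released when enough devices contribute. The readings and the window sizes are constructed for this illustration; the minimum device count is an assumed policy value.

```python
"""Temporal and cross-device aggregation of meter readings (added illustration)."""
from statistics import mean

# Constructed sample: twelve per-second power readings (watts) of one household.
# The alternating pattern stands in for the fine-grained signature the text warns about.
FINE_READINGS_W = [120, 340, 125, 335, 118, 342, 122, 338, 121, 336, 119, 341]


def aggregate_window(readings: list[float], window: int) -> list[float]:
    """Average consecutive readings in blocks of `window` samples.

    Only complete windows are released; a trailing partial block is dropped so
    that no window is built from fewer samples than the policy demands.
    """
    if window < 1:
        raise ValueError("window must be at least 1 sample")
    return [mean(readings[i:i + window])
            for i in range(0, len(readings) - window + 1, window)]


def aggregate_across(devices: list[list[float]], min_devices: int = 3) -> list[float]:
    """Sum aligned series of several devices; refuse small groups.

    Assumed policy: a total over fewer than `min_devices` contributors is not
    released, because a single household could be read back out of it.
    """
    if len(devices) < min_devices:
        raise ValueError(f"need at least {min_devices} devices, got {len(devices)}")
    length = min(len(d) for d in devices)
    return [sum(d[i] for d in devices) for i in range(length)]


def swing(readings: list[float]) -> float:
    """Peak-to-peak range; a proxy for how much structure a series still carries."""
    return max(readings) - min(readings)


if __name__ == "__main__":
    coarse = aggregate_window(FINE_READINGS_W, 4)
    print("fine   swing:", swing(FINE_READINGS_W))   # 224 W: the pattern is visible
    print("coarse swing:", swing(coarse))            # 0.75 W: the pattern is gone
    print("coarse series:", coarse)
```

The swing drops from 224 W to under 1 W once four samples are averaged, which is the whole point: the coarse series still supports billing and load planning, but the fast fluctuations that carry the content signature in [1] are no longer present in what leaves the device.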

Trust related concerns:

[1] Ulrich Greveler, Benjamin Justus, and Dennis Loehr, “Multimedia Content Identification Through Smart Meter Power Usage Profiles”