IOT-2016 7-9 September, 2016, Stuttgart, Germany


Page 1

Privacy-by-Design Framework for Assessing Internet of Things Applications and Platforms

Charith Perera, Ciaran McCormick, Arosha K. Bandara, Blaine Price, Bashar Nuseibeh

The 6th International Conference on the Internet of Things (IoT 2016), November 7–9, 2016, Stuttgart, Germany.

Page 2

Internet of Things

• The Internet of Things (IoT) is "…the network of physical objects—devices, vehicles, buildings and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data…"#

• By 2020, there will be 50 to 100 billion devices (i.e. things, sensors, smart objects) connected to the Internet*

# International Telecommunication Union, Internet of Things Global Standards Initiative, 2015, http://www.itu.int/en/ITU-T/gsi/iot/Pages/default.aspx
* International Data Corporation (IDC) Corporate USA, "Worldwide smart connected device shipments," March 2012, http://www.idc.com/getdoc.jsp?containerId=prUS23398412

Page 3

Application Development

Desktop Application
• Processing happens locally
• UI sits locally

Mobile Application
• Processing happens locally, complemented by cloud resources
• UI sits locally

Web Application
• Processing happens remotely
• UI sits locally

Page 4

Internet of Things Application Development

Devices shown on the slide: BeagleBone, Waspmote, Raspberry Pi, Arduino, Gadgeteer, Dragonboard 410C

• No Operating System
• Less Powerful

• OS Driven
• More Powerful

Cloud Computing
• Unlimited Computational Resources*

Page 5

Today's IoT Development Market

(Figure: the IoT development market, split into Hardware and Software; only the two labels survive.)

Page 6

Privacy-by-Design

• IoT applications are complex by nature as they involve both software and hardware as well as many different types of computational devices (e.g., sensors, gateways, cloud)

• Privacy is a significant problem in IoT applications because they handle data that can be used to derive very sensitive personal information

Page 7

Why hasn't privacy been a priority?

• IoT systems (applications, services, platforms) are still new; not mature enough

• Most IoT platforms follow the philosophy "You feed your data to our platform, we do the processing and give you back the results"

• Current IoT platform providers assume that anyone who uses their platform has full ownership of the data they feed in. (In reality this is not always the case)

• Therefore, privacy is not a major concern for IoT platform providers.

Page 8

Our Motivation and Proposed Solution

• There isn't any process/methodology/framework to help software architects in assessing and designing IoT applications

• Existing frameworks are not prescriptive enough for an engineer to follow (we discuss them a few slides later)

• Recent security and privacy violations: HACKING IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities#

• Therefore, we wanted to build a privacy-by-design framework that can guide software architects in assessing IoT applications.

# https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf

Page 9

BUT IT IS NOT …

• Guidelines SHOULD NOT be used to compare different IoT applications or platforms.

• The primary reason is that each IoT application or platform is designed to serve a specific purpose or category of application.

Focus: Enterprise middleware platform for Smart Cities and Businesses

Focus: Smart Home Automation

Page 10

What is out there? (Literature)

Privacy by Design Foundational Principles - Ann Cavoukian*

1) Proactive not reactive; preventative not remedial
2) Privacy as the default setting
3) Privacy embedded into design
4) Full functionality: positive-sum, not zero-sum
5) End-to-end security: full life-cycle protection
6) Visibility and transparency: keep it open
7) Respect for user privacy: keep it user-centric

* A. Cavoukian, "Resolution on privacy by design," in 32nd International Conference of Data Protection and Privacy Commissioners, 2010.

Page 11

What is out there? (Literature)

LINDDUN - Deng et al.*

This is a privacy threat analysis framework that uses data flow diagrams (DFD) to identify privacy threats.

1) Define the DFD
2) Map privacy threats to DFD elements
3) Identify threat scenarios
4) Prioritize threats
5) Elicit mitigation strategies
6) Select corresponding PETs

* M. Deng, K. Wuyts, R. Scandariato, B. Preneel, and W. Joosen, "A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements," Requirements Engineering, vol. 16, no. 1, pp. 3–32, 2011.

Page 12

What is out there? (Literature)

Privacy Design Strategies - Hoepman*

1) Minimize
2) Hide
3) Separate
4) Aggregate
5) Inform
6) Control
7) Enforce
8) Demonstrate

• We determined that Hoepman's framework is the most appropriate starting point for developing a more detailed privacy-by-design framework

• Primarily because this framework already focuses on the architectural aspects of privacy design

* J.-H. Hoepman, "Privacy Design Strategies," in ICT Systems Security and Privacy Protection, vol. 428, N. Cuppens-Boulahia, F. Cuppens, S. Jajodia, A. Abou El Kalam and T. Sans, Eds., Springer Berlin Heidelberg, 2014, pp. 446-459.

Page 13

IoT Data Flow View

(Figure: the data flow through each node is divided into five phases, repeated at every node in the chain; the slide shows four such nodes.)

CDA: Consent and Data Acquisition
DPP: Data Pre-Processing
DPA: Data Processing and Analysis
DS: Data Storage
DD: Data Dissemination

Page 14

Privacy By Design Guidelines

1) Minimise data acquisition
2) Minimise number of data sources
3) Minimise raw data intake
4) Minimize knowledge discovery
5) Minimize data storage
6) Minimize data retention period
7) Hidden data routing
8) Data anonymization
9) Encrypted data communication
10) Encrypted data processing
11) Encrypted data storage
12) Reduce data granularity
13) Query answering
14) Repeated query blocking
15) Distributed data processing
16) Distributed data storage
17) Knowledge discovery based aggregation
18) Geography based aggregation
19) Chain aggregation
20) Time-Period based aggregation
21) Category based aggregation
22) Information Disclosure
23) Control
24) Logging
25) Auditing
26) Open Source
27) Data Flow Diagrams (DFD)
28) Certification
29) Standardization
30) Compliance with Policy, Law, Regulations

(On the slide the guidelines are grouped under Hoepman's strategies: MINIMISE, HIDE, SEPARATE, AGGREGATE, INFORM, CONTROL / ENFORCE, DEMONSTRATE.)
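As an added example (not from the slides or the authors' framework), the following Python models a data pre-processing node that applies several of the guidelines above to constructed temperature readings before they are passed on: guideline 6 (retention period), 12 (reduce granularity) and 20 (time-period based aggregation); aggregation also means sensor identifiers and raw values never leave the node (guidelines 1 and 3). The `Reading` type, the sample readings, the bucket sizes and the retention window are all assumptions made for the example.

```python
# Added example: a data pre-processing (DPP) node applying privacy-by-design
# guidelines 6, 12 and 20 to constructed sensor readings. The data model,
# sample values, bucket sizes and retention window are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Reading:
    ts: int            # Unix time in seconds
    device_id: str     # which sensor produced the value
    room: str
    temperature: float


# Constructed sample input: readings from a hypothetical smart home.
RAW_READINGS = [
    Reading(1000, "sensor-a", "kitchen", 21.37),
    Reading(1300, "sensor-a", "kitchen", 21.92),
    Reading(1600, "sensor-b", "bedroom", 19.05),
    Reading(4700, "sensor-a", "kitchen", 22.48),
    Reading(100,  "sensor-b", "bedroom", 18.11),  # older than the retention window
]


def apply_retention(readings, now, max_age):
    """Guideline 6: drop anything older than the retention period."""
    return [r for r in readings if now - r.ts <= max_age]


def reduce_granularity(readings, ts_step=600, temp_decimals=0):
    """Guideline 12: coarsen timestamps to ts_step buckets and round values,
    so exact activity times and precise values are not retained."""
    return [
        Reading(ts=(r.ts // ts_step) * ts_step,
                device_id=r.device_id,
                room=r.room,
                temperature=round(r.temperature, temp_decimals))
        for r in readings
    ]


def aggregate_by_period(readings, period=3600):
    """Guideline 20: one mean per (room, period); device ids do not survive."""
    buckets = defaultdict(list)
    for r in readings:
        buckets[(r.room, (r.ts // period) * period)].append(r.temperature)
    return {key: round(mean(vals), 1) for key, vals in sorted(buckets.items())}


def pre_process(readings, now, max_age=4500):
    """The DPP node's pipeline: retain -> coarsen -> aggregate."""
    kept = apply_retention(readings, now, max_age)
    coarse = reduce_granularity(kept)
    return aggregate_by_period(coarse)


if __name__ == "__main__":
    for (room, period_start), avg in pre_process(RAW_READINGS, now=5000).items():
        print(f"{room:8s} period starting {period_start:5d}: mean {avg} C")
```

The order matters: retention runs first so stale data never reaches the coarsening step, and aggregation runs last so that what is handed to the processing, storage and dissemination phases is already free of per-device, per-reading detail.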

Page 15

Evaluation of Privacy Capabilities: Methodology

• Step 1: Identify how data flows in the existing application or platform

• Step 2: Build a table for each node where columns represent data life cycle phases and rows represent each privacy-by-design guideline.

• Step 3: Depending on the level of detail which software architects wish to explore, they can use either (1) a summarised colour-coding based scheme or (2) a notes based scheme

Page 16

Evaluation  of  Privacy  Capabilities:  Methodology

Page 17

Platforms We Assessed

OpenIoT - https://github.com/OpenIotOrg/openiot
• Focus: Enterprise middleware platform for Smart Cities and Businesses
• Middleware infrastructure supports flexible configuration and deployment of algorithms for collecting and filtering information streams stemming from internet connected objects

Eclipse SmartHome - http://www.eclipse.org/smarthome/
• Focus: Smart Home Automation
• Platform for integrating different home automation systems and technologies into one single solution that allows over-arching automation rules and uniform user interfaces

Page 18

Results

Page 19

Research Directions

Evaluation
• Can 1) novice and 2) experienced software architects assess a given platform using the proposed guidelines consistently? If there are variations, why?
• Given a case study, can the privacy guidelines guide 1) novice and 2) experienced software architects towards better privacy-aware IoT applications?

Future work
• Privacy Tactics - tactics are design decisions that improve individual quality attribute (e.g. privacy) concerns. [Basic building blocks]
• Privacy Patterns - patterns describe the high-level structure and behaviour of software systems as the solution to multiple system requirements. [Complex compositions]

Page 20

Thank  You