Privacy Verification Chains for IoT

  • Conference paper
Network and System Security (NSS 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10394)

Abstract

The present paper establishes foundations for implementing Privacy and Security by Design in the scope of the Internet of Things (IoT) by using a new paradigm, namely Privacy Verification Chains (PVC). PVCs will act as “privacy ledgers”, allowing participating entities to prove that they are entitled to hold privacy-related information, regardless of how this information is handled or stored. Furthermore, the PVC structure provides the following two benefits. In case of a security breach resulting in a user data leak, the affected company may browse all the relevant PVCs in order to identify the users affected and trigger the corresponding informative and corrective measures. The PVC will also provide support for bidirectional browsing, which means that the data owner will be capable of browsing all the PVCs involving the data he owns in order to find out all the data processors that hold his personal information. From a wider perspective, we enforce a strict separation between data providers and data controllers, where providers are managers of their data privacy, and controllers are accountable for the privacy and protection of the data provided. This role separation will be ensured by a data controller of a so-called Smart Data System (SDS). The SDS handles information along with its privacy settings (metadata), defined by the data owner. In order to control this privacy-preserving framework, our system introduces a Forensic and Auditing System that will enforce the data protection from the processor to a third party. This component will also provide a comprehensive logging functionality that will constitute a legally binding support to respond to audit procedures, police investigations and/or law enforcement obligations.

Author information

Corresponding author

Correspondence to Noria Foukia.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Foukia, N., Billard, D., Solana, E. (2017). Privacy Verification Chains for IoT. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_58

  • DOI: https://doi.org/10.1007/978-3-319-64701-2_58

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64700-5

  • Online ISBN: 978-3-319-64701-2

  • eBook Packages: Computer Science, Computer Science (R0)
