2017 | OriginalPaper | Chapter

7. A Privacy Engineering Framework for the Internet of Things

Authors: Antonio Kung, Frank Kargl, Santiago Suppan, Jorge Cuellar, Henrich C. Pöhls, Adam Kapovits, Nicolás Notario McDonnell, Yod Samuel Martin

Published in: Data Protection and Privacy: (In)visibilities and Infrastructures

Publisher: Springer International Publishing

Abstract

This paper describes a privacy engineering framework for the Internet of Things (IoT). It shows how existing work and research on IoT privacy and on privacy engineering can be integrated into a set of foundational concepts that support the practice of privacy engineering in the IoT. These concepts include privacy engineering objectives, privacy protection properties, privacy engineering principles, elicitation of privacy requirements and design of the associated features. The resulting framework draws the key distinction between privacy engineering for IoT systems, which targets data controllers, data processors and associated integrators, and privacy engineering for IoT subsystems, which targets suppliers.

Footnotes

1. The structure into three layers is inspired by architecture discussions held within AIOTI working group 4 (http://www.aioti.eu/).

4. For an overview, the reader is referred to (Tragos et al. 2014a).

8. A comprehensive list of the IERC projects can be found at http://www.internet-of-things-research.eu/partners.htm

9. Also called the Plan-Do-Check-Act cycle.

10. Note that the integration of privacy engineering into Agile methodologies is a challenge because of the lack of a clear design phase.

12. Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (www.datenschutzzentrum.de), the data protection authority of the federal state of Schleswig-Holstein, Germany.

13. i.e. proactive not reactive; preventative not remedial; privacy as the default setting; privacy embedded into design; full functionality; end-to-end security; visibility and transparency; respect for user privacy.

14. i.e. consent and choice; purpose legitimacy and specification; collection limitation; data minimization; use, retention and disclosure limitation; accuracy and quality; openness, transparency and notice; individual participation and access; accountability; information security; privacy compliance.
 
Literature

Tragos, E. Z., Angelakis, V., Fragkiadakis, A., Gundlegard, D., Nechifor, C. S., Oikonomou, G. & Gavras, A. (2014a, March). Enabling reliable and secure IoT-based smart city applications. In Pervasive Computing and Communications Workshops (PERCOM Workshops), 2014 IEEE International Conference on (pp. 111–116). IEEE.

Pöhls, H. C., Angelakis, V., Suppan, S., Fischer, K., Oikonomou, G., Tragos, E. Z., & Mouroutis, T. (2014, April). RERUM: Building a reliable IoT upon privacy- and security-enabled smart objects. In Wireless Communications and Networking Conference Workshops (WCNCW), 2014 IEEE (pp. 122–127). IEEE.

Bassi, A., Bauer, M., Fiedler, M., Kramp, T., Van Kranenburg, R., Lange, S., & Meissner, S. (2013). Enabling things to talk. Designing IoT Solutions With the IoT Architectural Reference Model, 163–211.

International Organization for Standardization (ISO) (n.d.). Internet of Things Reference Architecture (IoT RA). Under development.

Leonid Titkov, Stefan Poslad, and Juan Jim Tan. An integrated approach to user-centered privacy for mobile information services. Applied Artificial Intelligence 20.2-4 (2006): 159–178.

Florian Scheuer, Klaus Plößl and Hannes Federrath. Preventing profile generation in vehicular networks. Networking and Communications, 2008. WIMOB'08. IEEE International Conference on Wireless and Mobile Computing, IEEE, 2008.

Siani Pearson and Marco Casassa Mont. Sticky policies: an approach for managing privacy across multiple parties. Computer 9 (2011): 60–68.

Mark Manulis et al. Group Signatures: Authentication with Privacy. Federal Office for Information Security Study, Cryptographic Protocols Group, Department of Computer Science, Technische Universität Darmstadt, Germany, 2012.

Camenisch, Jan, and Els Van Herreweghen. "Design and implementation of the idemix anonymous credential system." Proceedings of the 9th ACM conference on Computer and communications security. ACM, 2002.

Lejla Batina et al. Low-cost elliptic curve cryptography for wireless sensor networks. Security and Privacy in Ad-Hoc and Sensor Networks (pp. 6–17). Springer Berlin Heidelberg, 2006.

Jorge Cuellar, Santiago Suppan, and Henrich Pöhls. Privacy-Enhanced Tokens for Authorization in ACE. Internet Draft, 2015.

ISO/IEC 29134 (2016 draft). Draft International Standard. Information technology — Security techniques — Privacy impact assessment — Guidelines.

ISO/IEC 29151 (2016 draft). Draft International Standard. Code of Practice for Personally identifiable information protection.

Antonio Kung. PEARs: Privacy Enhancing Architectures. Annual Privacy Forum, May 21–22, 2014, Athens, Greece. Proceedings APF14 "Privacy Technologies and Policy". Lecture Notes in Computer Science Volume 8450, 2014, pp. 18–29.

Len Bass, Paul Clements, Rick Kazman. Software Architecture in Practice (3rd Edition). Addison-Wesley, 2012.

Jaap-Henk Hoepman. Privacy design strategies. ICT Systems Security and Privacy Protection – 29th IFIP TC 11 Int. Conf., SEC 2014, Marrakech, Morocco.

ISO/IEC 29100:2011. Information technology – Security techniques – Privacy framework.

Sarah Spiekermann and Lorrie Cranor. Privacy Engineering. IEEE Transactions on Software Engineering, Vol. 35, Nr. 1, January/February 2009, pp. 67–82.

Seda Gürses, Carmela Troncoso, and Claudia Diaz. Engineering Privacy-by-Design. Computers, Privacy & Data Protection, 2011.

Antonio Kung, Johann-Christoph Freytag, and Frank Kargl. "Privacy-by-design in ITS applications." 2nd IEEE International Workshop on Data Security and Privacy in Wireless Networks, June 20, 2011, Lucca, Italy.

Marit Hansen, Meiko Jensen, and Martin Rost. Protection Goals for Engineering Privacy. 2015 International Workshop on Privacy Engineering – IWPE'15.

Michelle Finneran Dennedy, Jonathan Fox, Thomas Finneran. The Privacy Engineer's Manifesto. Getting from Policy to Code to QA to Value. Apress. ISBN13: 978-1-4302-6355-5, January 2014.

Nicolás Notario et al. PRIPARE: Integrating Privacy Best Practices into a Privacy Engineering Methodology. 2015 International Workshop on Privacy Engineering – IWPE'15.

ISO/IEC 25010:2011. Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System and software quality models.

ISO/IEC 27034:2011. Information technology — Security techniques — Application security.

Martin Kost, Johann-Christoph Freytag, Frank Kargl, Antonio Kung. Privacy Verification Using Ontologies. First International Workshop on Privacy by Design (PBD 2011), August 28, 2011, Vienna, Austria.

Munawar Hafiz. A Collection of Privacy Design Patterns. Proceedings of the Pattern Language of Programs Conference, 2006.

Sasha Romanosky et al. Privacy Patterns for Online Interactions. Proceedings of the Pattern Languages of Programs Conference, 2006.

Nick Doty. Privacy Design Patterns and Anti-Patterns. Trustbusters Workshop at the Symposium on Usable Privacy and Security, July 2013.

ISO/IEC 27005:2011. Information technology — Security techniques — Information security risk management.

ETSI. Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for Threat, Risk, Vulnerability Analysis. ETSI TS 102 165-1 V4.2.3 (2011-03).

A. van Lamsweerde. Goal-Oriented Requirements Engineering: A Guided Tour. 5th International Symposium on Requirements Engineering, IEEE Computer Society Press, 2001.

ISO/IEC/IEEE 15288:2015. Systems and software engineering – System life cycle processes.
Metadata

Title: A Privacy Engineering Framework for the Internet of Things
Authors: Antonio Kung, Frank Kargl, Santiago Suppan, Jorge Cuellar, Henrich C. Pöhls, Adam Kapovits, Nicolás Notario McDonnell, Yod Samuel Martin
Copyright Year: 2017
Publisher: Springer International Publishing
DOI: https://doi.org/10.1007/978-3-319-50796-5_7