Special Issue Paper
Free to Read
Privacy in the Internet of Things: threats and challenges
Jan Henrik Ziegeldorf,
Oscar Garcia Morchon,
Klaus Wehrle,
Corresponding Author
Jan Henrik Ziegeldorf
Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany
Correspondence: Jan Henrik Ziegeldorf, Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany.
E-mail: [email protected]
Search for more papers by this authorOscar Garcia Morchon
Philips Research, Eindhoven, The Netherlands
Search for more papers by this authorKlaus Wehrle
Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany
Search for more papers by this authorJan Henrik Ziegeldorf,
Oscar Garcia Morchon,
Klaus Wehrle,
Corresponding Author
Jan Henrik Ziegeldorf
Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany
Correspondence: Jan Henrik Ziegeldorf, Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany.
E-mail: [email protected]
Search for more papers by this authorOscar Garcia Morchon
Philips Research, Eindhoven, The Netherlands
Search for more papers by this authorKlaus Wehrle
Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany
Search for more papers by this authorABSTRACT
The Internet of Things paradigm envisions the pervasive interconnection and cooperation of smart things over the current and future Internet infrastructure. The Internet of Things is, thus, the evolution of the Internet to cover the real world, enabling many new services that will improve people's everyday lives, spawn new businesses, and make buildings, cities, and transport smarter. Smart things allow indeed for ubiquitous data collection or tracking, but these useful features are also examples of privacy threats that are already now limiting the success of the Internet of Things vision when not implemented correctly. These threats involve new challenges such as the pervasive privacy-aware management of personal data or methods to control or avoid ubiquitous tracking and profiling. This paper analyzes the privacy issues in the Internet of Things in detail. To this end, we first discuss the evolving features and trends in the Internet of Things with the goal of scrutinizing their privacy implications. Second, we classify and examine privacy threats in this new setting, pointing out the challenges that need to be overcome to ensure that the Internet of Things becomes a reality. Copyright © 2013 John Wiley & Sons, Ltd.
REFERENCES
- 1 Evans D. The Internet of Things–how the next evolution of the internet is changing everything. CISCO White Paper 2011.
- 2 David K, Jefferies N. Wireless visions: a look to the future by the fellows of the wwrf. IEEE Vehicular Technology Magazine 2012; 7(4): 26–36, doi:10.1109/MVT.2012.2218433.
- 3 Mattern F, Floerkemeier C. From the internet of computers to the internet of things. In From Active Data Management to Event-Based Systems and More, K Sachs, I Petrov, P Guerrero (eds). Springer-Verlag: Berlin, Heidelberg, 2010; 242–259.
- 4 Presser M, Krco S. IOT-I: Internet of Things Initiative: public deliverables—D2.1: initial report on IoT applications of strategic interest, 2010.
- 5 Atzori L, Iera A, Morabito G. The Internet of Things: a survey. Computer Networks 2010; 54(15): 2787–2805, doi:10.1016/j.comnet.2010.05.010.
- 6 Benetton to Tag 15 Million Items. RFID Journal, 2003. Available at: http://bit.ly/XXe4Wi (Accessed 2012-09-25).
- 7 Albrecht K. Boycott Benetton—no RFID tracking chips in clothing! Press Release, 2003. Available at: http://bit.ly/49yTca (Accessed 2012-09-25).
- 8 Cuijpers C. No to mandatory smart metering does not equal privacy! Tilburg Institute for Law, Technology, and Society: Webblog, 2009.
- 9 The INDECT Consortium. INDECT project, 2009. Available at: http://www.indect-project.eu/ (Accessed 2012-10-12).
- 10 Münch V. STOPP INDECT, 2012. Available at: http://www.stopp-indect.info (Accessed 2012-10-12).
- 11 Renaud K, Gá andlvez Cruz D. Privacy: aspects, definitions and a multi-faceted privacy preservation approach, Information Security for South Africa (ISSA), 2010, 2010; 1–8, doi:10.1109/ISSA.2010.5588297.
- 12 Westin AF. Privacy and freedom. Washington and Lee Law Review 1968; 25(1): 166.
- 13 Radomirovic S. Towards a model for security and privacy in the internet of things, 1st International Workshop on the Security of the Internet of Things, Tokyo, Japan, 2010; 1–487.
- 14 Moore B. Privacy: Studies in Social and Cultural History. M.E. Sharpe: Armonk, NY, USA, 1984.
- 15 Solove D. A taxonomy of privacy. University of Pennsylvania Law Review 2006; 154(3): 477–560.
- 16 International Telecommunication Union (ITU). The Internet of Things. ITU Internet Reports, 2005.
- 17 Vermesan O, Friess P, Guillemin P, et al. Internet of Things strategic research roadmap. Internet of Things: Global Technological and Societal Trends 2009.
- 18 Bauer M, Carrez F, Egan R, et al. IOT-I: Internet of Things Initiative: Public Deliverables – D1.2 First Reference Model White Paper, 2011.
- 19 IOT-A Consortium. Internet of Things architecture, 2011. Available at: http://bit.ly/124jw0M (Accessed 2012-10-12).
- 20 Dunkels A, Vasseur J. IP for smart objects. Ipso alliance white paper, 2008.
- 21 Organisation for Economic Co-operation and Development (OECD). Recommendation of the council concerning guidelines governing the protection of privacy and transborder flows of personal data, 1980.
- 22 The European Parliament and the Council of the European Union. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995.
- 23 US Department of Commerce. The U.S.-EU & U.S.-Swiss Safe Harbor Frameworks, 2012. Available at: http://export.gov/safeharbor/ (Accessed 2012-10-12).
- 24 Privacy Rights Clearinghouse. Chronology of Data Breaches 2005—present, 2012. Available at: http://bit.ly/bHHODz (Accessed: 2012-10-12).
- 25 Internet of Things European Research Cluster (IERC). The Internet of Things 2012—New Horizons, 3rd ed.: Halifax, UK, 2012.
- 26 Roman R, Najera P, Lopez J. Securing the Internet of Things. Computer 2011; 44(9): 51–58, doi:10.1109/MC.2011.291.
- 27 Hewlett Packard – CENSE, 2013. Available at: http://bit.ly/7N763 (Accessed 2013-01-31).
- 28 Jon Iwata. IBM—making markets: smarter planet, 2012. Available at: http://ibm.co/X8warV (Accessed 2013-01-31).
- 29 Welbourne E, Battle L, Cole G, et al. Building the internet of things using RFID: the RFID ecosystem experience. IEEE Internet Computing 2009; 13(3): 48–55.
- 30 Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2012–2017. CISCO white paper, 2013.
- 31 Gaudin S. Intel: xhips in brains will control computers by 2020. Computerworld, 2009. Available at: http://bit.ly/yYyoF (Accessed: 2013-01-31).
- 32 Spiekermann S, Cranor L. Engineering privacy. IEEE Transactions on Software Engineering 2009; 35(1): 67–82, doi:10.1109/TSE.2008.88.
- 33 Heer T, Garcia-Morchon O, Hummen R, Keoh S, Kumar S, Wehrle K. Security challenges in the IP-based internet of things. Wireless Personal Communications 2011; 61: 527–542, doi:10.1007/s11277-011-0385-5.
- 34 Sundmaeker H, Guillemin P, Friess P, Woelfflé S. Vision and challenges for realising the Internet of Things. Cluster of European Research Projects on the Internet of Things, European Commision 2010.
- 35 Federal Trade Commission. Google will pay $22.5 million to settle ftc charges it misrepresented privacy assurances to users of Apple's Safari Internet Browser, 2005. Available at: http://1.usa.gov/MkXMqe (Accessed 2012-10-12].
- 36 Weiser M. The computer for the 21st century. Scientific American 1991; 265(3): 94–104.
- 37 Kranz M, Roalter L, Michahelles F. Things that twitter: social networks and the internet of things. In What can the Internet of Things do for the Citizen (CIoT) Workshop at The Eighth International Conference on Pervasive Computing (Pervasive 2010), 2010.
- 38 Atzori L, Iera A, Morabito G, Nitti M. The Social Internet of Things (SIoT) - When social networks meet the Internet of Things: Concept, architecture and network characterization. Computer Networks 2012; 56(16): 3594–3608.
- 39 Juels A. RFID security and privacy: a research survey. IEEE Journal on Selected Areas in Communications 2006; 24(2): 381–394, doi:10.1109/JSAC.2005.861395.
- 40 Langheinrich M. A survey of RFID privacy approaches. Personal and Ubiquitous Computing 2009; 13(6): 413–421, doi:10.1007/s00779-008-0213-4.
- 41
van Deursen T. 50 ways to break RFID privacy. In Privacy and Identity Management for Life, vol. 352, IFIP Advances in Information and Communication Technology. Springer: Boston, 2011; 192–205, doi:10.1007/978-3-642-20769-3 16.
10.1007/978‐3‐642‐20769‐3 Google Scholar
- 42 ZigBee Alliance. ZigBee specification, 2006.
- 43 Z-Wave Alliance. The Z-Wave Alliance, 2012. Available at: http://www.z-wavealliance.org/ (Accessed 2012-10-12).
- 44 ANT wireless—Dynastream Innovations Inc. Availabe at: http://www.thisisant.com/ (Accessed 2012-10-12).
- 45 Bluetooth SIG. Specification of the Bluetooth system, 2001. Available at: http://www.bluetooth.com (Accessed 2012-10-12).
- 46 Zhang W, Wang C, Feng T. GPˆ2S: Generic privacy-preservation solutions for approximate aggregation of sensor data (concise contribution), Sixth Annual IEEE International Conference on Pervasive Computing and Communications, 2008. PERCOM 2008, Hong Kong, China, 2008; 179–184.
- 47 Chan ACF, Castelluccia C. A security framework for privacy-preserving data aggregation in wireless sensor networks. ACM Transactions on Sensor Networks (TOSN) 2011; 7(4): 1–45. doi:10.1145/1921621.1921623.
- 48 Carbunar B, Yu Y, Shi L, Pearce M, Vasudevan V. Query privacy in wireless sensor networks, 4th Annual IEEE Communications Society Conference on Sensor, Mesh and ad Hoc Communications and Networks, 2007. SECON ’07, San Diego, CA, USA, 2007; 203–212, doi:10.1109/SAHCN.2007.4292832.
- 49 Zhang R, Zhang Y, Ren K. Distributed privacy-preserving access control in sensor networks. IEEE Transactions on Parallel and Distributed Systems 2012; 23(8): 1427–1438, doi:10.1109/TPDS.2011.299.
- 50 Kamat P, Zhang Y, Trappe W, Ozturk C. Enhancing source-location privacy in sensor network routing, Proceedings of the 25th IEEE International Conference on Distributed Computing Systems, 2005. ICDCS 2005, Columbus, Ohio, USA, 2005; 599–608, doi:10.1109/ICDCS.2005.31.
- 51 Deng J, Han R, Mishra S. Decorrelating wireless sensor network traffic to inhibit traffic analysis attacks. In Elsevier Pervasive and Mobile Computing Journal, vol. 2, Special Issue on Security in Wireless Mobile Computing Systems. Elsevier Science Publishers B.V.: Amsterdam, The Netherlands, 2006; 159–186.
- 52
Rios R,
Cuellar J,
Lopez J. Robust probabilistic fake packet injection for receiver-location privacy in WSN. In 17th European Symposium on Research in Computer Security (ESORICS 2012), vol. 7459, LNCS. Springer: Berlin, Heidelberg, 2012; 163–180, doi:10.1007/978-3-642-33167-1 10.
10.1007/978‐3‐642‐33167‐1 Google Scholar
- 53 Privacy Rights Clearinghouse. Privacy in the age of the smartphone, 2005. Available at: http://bit.ly/NkNlyM (Accessed 2012-10-12).
- 54 Beresford A, Stajano F. Location privacy in pervasive computing. IEEE Pervasive Computing 2003; 2(1): 46–55, doi:10.1109/MPRV.2003.1186725.
- 55 Minch R. Privacy issues in location-aware mobile devices, Proceedings of the 37th Annual Hawaii International Conference on System Sciences, 2004, Big Island, Hawaii, USA, 2004; 50127.2 (10 pages). doi:10.1109/HICSS.2004.1265320.
- 56 Krumm J. A survey of computational location privacy. Personal Ubiquitous Computing 2009; 13(6): 391–399, doi:10.1007/s00779-008-0212-5.
- 57 Enck W, Gilbert P, Chun B-G, Cox LP., Jung J, McDaniel P, Sheth AN. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI’10. USENIX Association: Berkeley, CA, USA, 2010; 1–6.
- 58
Hornyack P,
Han S,
Jung J,
Schechter S,
Wetherall D. These aren't the droids you're looking for: retrofitting android to protect data from imperious applications. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS ’11. ACM: New York, NY, USA, 2011; 639–652, doi:10.1145/2046707.2046780.
10.1145/2046707.2046780 Google Scholar
- 59 Lane ND, Miluzzo E, Lu H, Peebles D, Choudhury T, Campbell AT. A survey of mobile phone sensing. IEEE Communications Magazine 2010; 48(9): 140–150.
- 60 Christin D, Reinhardt A, Kanhere SS, Hollick M. A survey on privacy in mobile participatory sensing applications. Journal of Systems and Software 2011; 84(11): 1928–1946, doi:10.1016/j.jss.2011.06.073.
- 61 Ristenpart T, Tromer E, Shacham H, Savage S. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds, Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS ’09, Chicago, IL, USA, 2009; 199–212, doi:10.1145/1653662.1653687.
- 62 Squicciarini A, Sundareswaran S, Lin D. Preventing information leakage from indexing in the cloud, 2010 IEEE 3rd International Conference on Cloud Computing (CLOUD), Miami, Florida, USA, 2010; 188–195, doi:10.1109/CLOUD.2010.82.
- 63 Wang C, Wang Q, Ren K, Lou W. Privacy-preserving public auditing for data storage security in cloud computing, 2010 Proceedings IEEE INFOCOM, San Diego, CA, USA, 2010; 1–9, doi:10.1109/INFCOM.2010.5462173.
- 64 Itani W, Kayssi A, Chehab A. Privacy as a service: privacy-aware data storage and processing in cloud computing architectures, Eighth IEEE international Conference on Dependable, Autonomic and Secure Computing, 2009. DASC ’09, Changzhou, China, 2009; 711–716, doi:10.1109/DASC.2009.139.
- 65 Van Dijk M, Juels A. On the impossibility of cryptography alone for privacy-preserving cloud computing. In Proceedings of the 5th USENIX Conference on Hot Topics in Security, HotSec’10. USENIX Association: Berkeley, CA, USA, 2010; 1–8.
- 66 COSM—connect to your world, 2013. Available at: https://cosm.com/ (Accessed 2013-01-30).
- 67 ARRAYENT—the platform for connected products, 2013. Available at: http://www.arrayent.com/ (Accessed 2013-01-30).
- 68 Auto-ID Labs. Architecting the Internet of things, 2013. Available at: http://www.autoidlabs.org/ (Accessed 2013-02-04).
- 69 Sample A, Yeager D, Smith J. A capacitive touch interface for passive RFID tags, 2009 IEEE International Conference on RFID, 2009; 103–109, doi:10.1109/RFID.2009.4911212.
- 70 Smith H, Milberg S, Burke S. Information privacy: measuring individuals’ concerns about organizational practices. MIS Quarterly 1996: 167–196.
- 71 Liu X, Krahnstoever N, Yu T, Tu P. What are customers looking at? IEEE Conference on Advanced Video and Signal Based Surveillance, 2007. AVSS 2007., London, UK, 2007; 405–410, doi:10.1109/AVSS.2007.4425345.
- 72 Senior AW, Brown L, Hampapur A, et al. Video analytics for retail, IEEE Conference on Advanced Video and Signal Based Surveillance, 2007. AVSS 2007, London, UK, 2007; 423–428, doi:10.1109/AVSS.2007.4425348.
- 73 Solon O. Facedeals lets you check in to venues with your face. WIRED Magazine, 2012. Available at: http://bit.ly/Pdgsry (Accessed 2012-10-12).
- 74 Talbot D. Siris großer Bruder. Technology Review, 2012. Avaible at: http://bit.ly/RUyLBS (Accessed 2012-10-12).
- 75 Sweeney L. K-anonymity: a model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowlege-Based Systems 2002; 10(5): 557–570, doi:10.1142/S0218488502001648.
- 76 Uzuner Ö, Luo Y, Szolovits P. Evaluating the state-of-the-art in automatic de-identification. Journal of the American Medical Informatics Association 2007; 14(5): 550–563, doi:10.1197/jamia.M2444.
- 77 Fung B, Wang K, Chen R, Yu P. Privacy-preserving data publishing: a survey of recent developments. ACM Computing Surveys 2010; 42(4): 14:1–14:53, doi:10.1145/1749603.1749605.
- 78
Camenisch J,
Van Herreweghen E. Design and implementation of the idemix anonymous credential system. In Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS ’02. ACM: New York, NY, USA, 2002; 21–30, doi:10.1145/586110.586114.
10.1145/586110.586114 Google Scholar
- 79
Camenisch J,
Shelat A,
Sommer D, et al. Privacy and identity management for everyone. In Proceedings of the 2005 Workshop on Digital Identity Management, DIM ’05. ACM: New York, NY, USA, 2005; 20–27, doi:10.1145/1102486.1102491.
10.1145/1102486.1102491 Google Scholar
- 80 Barbaro M, Zeller T. A face is exposed for AOL searcher no. 4417749. New York Times, 2006. Available at: http://nyti.ms/H6vd2 (Accessed 2012-10-12).
- 81 Narayanan A, Shmatikov V. Myths and fallacies of “personally identifiable information”. Communications of the ACM 2010; 53: 24–26, doi:10.1145/1743546.1743558.
- 82 El Emam K, Jonker E, Arbuckle L, Malin B. A systematic review of re-identification attacks on health data. PLoS ONE 2011; 6(12), doi:10.1371/journal.pone.0028071.
- 83 Voelcker J. Stalked by satellite—an alarming rise in GPS-enabled harassment. IEEE Spectrum 2006; 43(7): 15–16, doi:10.1109/MSPEC.2006.1652998.
- 84
Chow C,
Mokbel M. Privacy in location-based services: a system architecture perspective. SIGSPATIAL Special 2009; 1(2): 23–27, doi:10.1145/1567253.1567258.
10.1145/1567253.1567258 Google Scholar
- 85 Toch E, Wang Y, Cranor LF. Personalization and privacy: a survey of privacy risks and remedies in personalization-based systems. User Modeling and User-Adapted Interaction 2012; 22(1): 203–220, doi:10.1007/s11257-011-9110-z.
- 86 Path Intelligence. Pedestrian measurement, 2012. Available at: http://www.pathintelligence.com/ (Accessed 2013-01-31).
- 87 Nearbuy. Nearbuy micro location, 2013. Available at: http://bit.ly/14XgkE6 (Accessed 2013-02-04).
- 88
Chow C,
Mokbel M. Privacy in location-based services: a system architecture perspective. Sigspatial Special 2009; 1(2): 23–27.
10.1145/1567253.1567258 Google Scholar
- 89
Odlyzko A. Privacy, economics, and price discrimination on the internet. In Proceedings of the 5th International Conference on Electronic Commerce, ICEC ’03. ACM: New York, NY, USA, 2003; 355–366, doi:10.1145/948005.948051.
10.1145/948005.948051 Google Scholar
- 90 Kwasniewski N. Apple-nutzer zahlen mehr für hotelzimmer, 2012. Availabe at: http://bit.ly/MRBTwT (Accessed 2012-10-12).
- 91
Orgill G,
Romney G,
Bailey M,
Orgill P. The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems. In Proceedings of the 5th Conference on Information Technology Education, CITC5 ’04. ACM: New York, NY, USA, 2004; 177–181, doi:10.1145/1029533.1029577.
10.1145/1029533.1029577 Google Scholar
- 92 Menn J. Social networks scan for sexual predators, with uneven results. Reuters, 2012. Available at: http://reut.rs/Nnejb7 (Accessed 2013-02-07).
- 93
Kobsa A. Privacy-enhanced web personalization. In The Adaptive Web. Springer-Verlag: Berlin, Heidelberg, 2007; 628–670.
10.1007/978-3-540-72079-9_21 Google Scholar
- 94 Rastogi V, Nath S. Differentially private aggregation of distributed time-series with transformation and encryption, Proceedings of the 2010 ACM SIGMOD International Conference on Management of Data, SIGMOD ’10, New York, NY, USA, 2010; 735–746, doi:10.1145/1807167.1807247.
- 95 Woman finds disturbing nude photos on ‘new’ smartphone, 2012. Available at: http://nbcnews.to/Qpqg0w (Accessed 2012-10-12).
- 96
Eckersley P. How unique is your web browser? In Proceedings of the 10th International Conference on Privacy Enhancing Technologies, PETS’10. Springer-Verlag: Berlin, Heidelberg, 2010; 1–18.
10.1007/978-3-642-14527-8_1 Google Scholar
- 97 Bloxham A. Most burglars using Facebook and Twitter to target victims, survey suggests. The Telegraph, 2011. Available at: http://bit.ly/pOL8MX (Accessed 2013-02-07).
