A Generic Information and Consent Framework for the IoT

12/17/2018 ∙ by Mathieu Cunche, et al. ∙ 0

The Internet of Things (IoT) raises specific issues in terms of information and consent, which makes the implementation of the General Data Protection Regulation (GDPR) challenging in this context. In this report, we propose a generic framework for information and consent in the IoT which is protective both for data subjects and for data controllers. We present a high level description of the framework, illustrate its generality through several technical solutions and case studies, and sketch a prototype implementation.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

The development of the Internet of Things (IoT) raises specific privacy issues especially with respect to information and consent. Data subjects are generally unaware of the devices collecting data about them and do not have prior contact with the third parties operating them. Solutions such as stickers or wall signs are not effective information means since they remain unnoticed from most data subjects. As far as consent is concerned, data subjects do not have simple means to communicate with data controllers to express their privacy choices. Furthermore, the devices used to collect data in IoT environments have scarce resources; some of them do not have any user interface, are battery-operated or operate passively (collecting data without emitting any signal).

The General Data Protection Regulation (GDPR) [gdpr-2016] puts emphasis on the control of data subjects over their personal data. Its application to the IoT is not obvious though. The Working Party 29111One of the roles of the Working Party 29, which is now replaced by the European Data Protection Board, was to make recommendations on data protection and privacy in the European Community. (WP29) has published guidelines on transparency [wp29-transparency-2017] and consent [wp29-consent-2017] and an opinion on the development of the IoT [wp29-iot-2014]. Starting from these recommendations, we discuss in Section 2 the specific challenges raised by the IoT in terms of transparency and consent and we propose in Section 3 an abstract framework to address them. The framework is generic in the sense that it defines essential requirements that have to be met to ensure that information and consent are managed in a manner that is satisfactory both for data subjects and for data controllers. In Section 4, we introduce several techniques to implement this framework in different situations, in particular through declaration registers and beacons. These techniques are illustrated with several challenging case studies in Section 5. In Section 6, we sketch a prototype implementation of these techniques. We discuss related work in Section 7 and conclude with perspectives in Section 8.

2 European Regulation and WP29 Recommendations

Over the last decades, the idea that individuals should have an effective control over their personal data has become a key part of the EU doctrine in the field of data protection. In many policy documents, control is advocated as an important tool for protecting privacy and achieving the empowerment of data subjects [lazaro-lemetayer-2015]. As an illustration, Recital 7 of the GDPR[gdpr-2016] states that “Natural persons should have control of their own personal data” and the current draft of the new ePrivacy Regulation refers to the right for natural and legal persons to “control electronic communications”. Control is not defined precisely in the GDPR but it is backed up by a number of provisions, including enhanced obligations for data controllers in terms of transparency and consent.

To facilitate the interpretation of the GDPR, the WP29 has published two guidelines on transparency [wp29-transparency-2017] and consent [wp29-consent-2017]. The WP29 has also published two opinions that are relevant to this report, on the development of the IoT [wp29-iot-2014] and on the draft ePrivacy Regulation [wp29-eprivacy-2017] respectively.

As far as transparency is concerned, the GDPR defines the categories of information to be provided to data subjects: identity of the controller, purpose of the processing, categories of personal data concerned, recipients, etc. It also introduces some requirements on acceptable communication modes. Recital 39 states “The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used”. According to the WP29, “the easily accessible element means that the data subject should not have to seek out the information; it should be immediately apparent to them where this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question.” The WP29 also suggests that IoT devices have a QR code that can be scanned to display the transparency information. However, it is questionable whether informing data subjects through QR codes or signposting is consistent with the idea, also put forward by the WP29, that “the data subject must not have to take active steps to seek the information covered by these articles or to find it among other information”. We believe that the best way to protect the interests of both parties is to make it possible for data controllers to communicate all the required information to data subjects in electronic form. Considering that IoT devices are by definition electronic objects collecting data from subjects, there is no reason why electronic means could not be used also to inform them. However, IoT raise specific challenges to this respect: there is a wide variety of devices, most of them have scarce resources, some of them, such as cameras, are passive or collect data on a permanent basis. Nevertheless, the systematic communication of the information to data subjects is not out of reach, neither from the technical point of view, nor from an economic standpoint, as discussed in the next sections.

Another key issue that has been discussed in many studies is the need to avoid user fatigue. The WP29 states that “The requirement that the provision of information to, and communication with, data subjects is done in a ’concise and transparent’ manner means that data controllers should present the information communication efficiently and succinctly in order to avoid information fatigue”. The WP29 recommends in particular the use of “push” and “pull” notices. As stated by the WP29, “push notices involve the provision of ’just-in-time’ transparency information notices while pull notices facilitate access to information by methods such as permission management, transparency dashboards and ’learn more’ tutorials. These allow for a more user-centric transparency experience for the data subject.”

The GDPR also defines a number of conditions for the validity of consent: it should be freely given, specific, informed and unambiguous. These conditions also raise new challenges in the context of the IoT. For example, Recital 42 states that “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”. In the context of the IoT, this should entail that consent to physical tracking is not valid if the only alternative for data subjects is to turn off their WiFi and thereby be deprived of useful services. To ensure the lack of ambiguity, consent should, according to the GDPR, “be given by a clear affirmative act”, which should exclude the collection of identifiers such as MAC addresses for example, without any affirmative action from the user. These issues are all the more important for data controllers given that the GDPR requires that they must be able to demonstrate that a valid consent has been provided222This requirement holds only if the legal basis for the processing is consent. Data controllers can rely on other legal bases such as their legitimate interest or the use of the data for the execution of a contract..

The need to avoid user fatigue is also critical for consent. As stated by the WP29 in its guidelines on consent [wp29-consent-2017], “In the digital context, many services need personal data to function, hence, data subjects receive multiple consent requests that need answers through clicks and swipes every day. This may result in a certain degree of click fatigue: when encountered too many times, the actual warning effect of consent mechanisms is diminishing. This results in a situation where consent questions are no longer read. This is a particular risk to data subjects, as, typically, consent is asked for actions that are in principle unlawful without their consent. The GDPR places upon controllers the obligation to develop ways to tackle this issue.”

As far as the IoT is concerned, the WP29 advocates the design of new consent mechanisms, such as “privacy proxies”333“In practice, today, it seems that sensor devices are usually designed neither to provide information by themselves nor to provide a valid mechanism for getting the individual’s consent. Yet, new ways of obtaining the user’s valid consent should be considered by IoT stakeholders, including by implementing consent mechanisms through the devices themselves. Specific examples, like privacy proxies and sticky policies, are mentioned later in this document.” [wp29-iot-2014], on the devices themselves. We agree that this is a key condition for the effective implementation of consent and discuss this further in the next sections.

3 Generic framework for information and consent

The above analysis of the GDPR show that it raises two main categories of challenges in the context of IoT :

  • Communication between data subjects and data controllers: how to ensure that data subjects always receive the required information from the data controllers and that data controllers always receive valid consents from data subjects?

  • Involvement of the data subjects in the process: can they read, analyse and understand all relevant information? Can they define their privacy choices carefully and thoughtfully?

We derive from this analysis a set of technical requirements for implementations of information and consent which are protective both for data subjects (hereinafter “DS”) and for data controllers (hereinafter “DC”). We assume that DC deploy devices that can collect different types of personal data and/or communicate information to DS. For their part, DS may own several devices and at least one of them (typically a smartphone) can be used to consult the information provided by DC and to express their consent. We call this device the Gateway Device. We use the expression “DS privacy policy” to refer to the choices of the data subject regarding his personal data and “DC privacy policy” to refer to the privacy policy declared444A declaration can be seen as a commitment of the DC to implement his DC privacy policy but the actual enforcement of this policy is outside the scope of this paper. by a DC. In order to meet the challenges identified in Section 2, a consent management framework should provide the following facilities for, respectively, information and consent:

Information:

  • The declaration by DC of their devices, with all the necessary information, including their position, range, the type of data collected and the associated DC privacy policy.

  • The receipt of this information by the device of any DS about whom personal data can be collected (i.e. within the range of a DC device).

  • The presentation of this information to the DS in forms and at times that should minimize information fatigue and maximize the likelihood that the DS will not miss any useful information.

Consent:

  • Means for DS to express their consent in forms and at times that should minimize their fatigue and maximize the likelihood that they make appropriate decisions regarding the protection of their personal data.

  • The receipt of this consent by any DC able to collect data about DS and the guarantee that they will not collect the data (or will immediately delete it) if this consent is not consistent with their DC policy.

  • The possibility for DC to store the consents obtained from DS so they can demonstrate GDPR compliance regarding consent, in particular that it has been emitted by the data subject on whom data is held.

The interactions between a DC and a DS can be split into two parts: the interactions of the DS with his Gateway Device (to be informed and to express his consent) and the communications between the DS Gateway Device and the DC devices.

In the rest of this section, we define more precise requirements on the communications between DC devices and DS devices. We first define the operations considered here, which can be triggered either by a DC or by a DS (or their devices):

  • is the deployment of a collecting device at position with range , collecting data of type with DC privacy policy . The position and the range define the physical space in which the device can collect data of type . The type can be for example MAC address, sound, or image. We assume without loss of generality that a device is associated with only one type555Multi-type devices can be considered as several devices at the same location..

  • is the declaration of a collecting device at position with range , collecting data of type with DC privacy policy .

  • is the collection by device of value of type from the DS device ; the value is associated with the DS privacy policy .

  • means that the DS device moves to position .

  • means that the DS privacy policy and the value of data of type on device are set to and respectively.

  • is the pairing of the DS device to the DS device . Pairing is useful in this context to make it possible to define the privacy policy of a device with scarce resources on another device of the DS (his Gateway Device).

  • means that device requires that updates the privacy policy and value of data of type collected from to and respectively. The operation can be used by a DS for example to require the deletion of his data if he wants to withdraw his consent666A deletion request is a request with a policy having a retention delay equal to zero.. Note that is the device emitting the requirement and is the device from which the data has been collected by the DC device . In practice, it is often the case that but we may also have when the DS privacy policy is expressed and stored on a device (the Gateway Device represented by ) and the data is stored on another DS device (his watch for example, represented by ).

Some of the above operations (, ) are physical while describes the actual collection of the data. The key operations in terms of information and consent management are , and . Different implementations of these operations are described in the next section. Our goal at this stage is to provide a high-level description of the framework. For example, what is called a “device” here can be any source of personal data, such as a smart phone, a quantified-self device or even the subject himself for data of type voice or image. The identifier of a device can be implemented in many different ways (MAC address, plate number, etc.) as discussed in the next section and illustrated in Section 5. Some of these devices cannot store their DS privacy policies, hence the need to distinguish and in the operation. Typically, the mobile phone of a DS can play the role of Gateway Device and therefore be used to define and store all his privacy policies (for all his devices).

We do not discuss in this paper the content of a privacy policy . The definition of privacy policies and their semantics are studied in a companion paper [pilot2018]. In the present report, we make only two assumptions about these policies:

  • DC policies contain all the information required by the GDPR (including the information about the DC, purpose of the collection, retention delay, etc.).

  • Policies have a well-defined semantics endowed with an implication relation , with meaning that policy is at least as strong as policy .

In order to define the semantics, or precise meaning, of the above actions, we need to characterize the abstract state of the system. This state consists of the following functions:

  • means that DC device is at position with range ; it collects data of type with DC privacy policy .

  • means that DC device has been declared with position and range , collecting data of type with DC privacy policy .

  • means that DS device has been informed of the presence of a collecting device is at position with range , collecting data of type with DC privacy policy .

  • means that DS device is at position .

  • means that DS device is paired to DS device which hosts its privacy policies. We assume by convention for devices hosting their own policies.

  • means that DC device stores the value of type with DS privacy policy originating from device .

  • means that DS device stores the value of type with DS privacy policy .

In the same way as the operations, the state is defined at a very high level at this stage and it can be implemented in different ways, as discussed in the following section. Basically, the , and functions describe the physical environment (position and features of the devices) whereas the other functions define the information stored by DC ( and ) and by DS ( and ). In practice, this information can be stored on the devices themselves, on a server, or a combination of both.

We can now use this abstract state to define the requirements on the operations. Each operation is associated with a precondition and a postcondition in the style of Hoare logic. The precondition is a property of the state that must be satisfied for the operation to occur and the postcondition is a property of the state that must be satisfied after the execution of the operation. Following the usual notation, we use primes to denote the state after the execution of the operation and we assume that the parts of the states that are not specified in the postcondition are not affected by the operation. For example, the property means that the state is unchanged except for which is set to .

In the following, the notation is used to denote any value and function is defined as follows: if then , otherwise . Relation expresses the fact that position is within the range of a device located at position with range .

Operation:

Precondition:

Postcondition:

Operation:

Precondition:

Postcondition:

Operation:

Precondition:

Postcondition:

Operation:

Precondition:

Postcondition:

)

Operation:

Precondition:

Postcondition: =

with

Operation:

Precondition:

Postcondition:

Operation:

Precondition:

Postcondition:

The preconditions for , and are equal to because a DC can always declare a new device and a DS can always decide to move or to modify his personal data or privacy policies. The precondition for captures the requirement that all installed devices must be declared. The precondition for expresses the fact that the DS device must be within the range of the collecting device . Note that some of the values in the state can be undefined. For example, if the DC does not have any policy for data of type originating from . The intuition for the precondition of is similar except that two paired DS devices and are involved777As discussed above, we have for devices hosting their privacy policies. : is the device hosting the policy () and the device hosting the data ().

The postconditions of and capture the requirement that any DS device within the range of a DC device must receive the declaration made by the DC (which is expressed by for ). Function is used to take into account the fact that certain parameters may be undefined. For example, if data is collected (through ) without a privacy policy, we have and . This means that the policy associated with the data is , which has already been collected by the DC (, from the precondition, therefore ). The postcondition of also expresses the requirement that a DC cannot store any data associated with a DS privacy policy that is not met by his own DC policy ().

From the above requirements, we can prove key properties such as the following:

  • No collection of data can take place if the DS has not previously received the required information from the DC.

  • As long as DS do not change their DS privacy policies, any data collected by a DC is associated (in the state of the DC) with the privacy policy of the DS.

  • If a DS changes his privacy policies, any data collected by a DC is associated (in the state of the DC) with the last privacy policy received from the DS.

  • No data is collected from a DS and stored by a DC if the current DS privacy policy is not met by the DC policy.

4 Technical options

The requirements introduced in the previous section are very high-level and can be implemented in different ways. In this section, we present technical options to implement them depending on the context and the capacities of the DC and DS devices. These techniques are illustrated through several case studies in Section 5. We first describe the implementation of communications between DC devices and DS devices, which corresponds to the , and operations. Section 4.1 considers direct communications between devices while Section 4.2 focuses on indirect communications (through registries). For each solution, we discuss its compliance with the above requirements and its feasibility in terms of cost and deployment effort. Then, we suggest ways to allow DS to interact with their devices through a Personal Data Custodian in Section 4.3. These interactions concern in particular the implementation of the operation (expression of consent). They also contribute to the information of the DS (operation ).

4.1 Direct communications

Figure 1: Direct and indirect declarations

A first option to implement information and consent is through direct communications between DC devices and the DS Gateway Device. In this option (hereinafter “direct communication”), DC devices use a direct communication channel to advertise their presence and communicate all the parameters of the operation (position, range, type of data collected and DC privacy policy) within their area of operation. The same communication channel can be used by the DS to transmit his potential consent to the DC.

Direct communication can typically be implemented using medium and short range wireless communications technologies such as Bluetooth or Wi-Fi which are now common place and are embedded in many devices (e.g. smartphones). In addition, their range (typically several meters to tenths of meters) matches the scale of the area of operation of IoT systems and their protocol can be leveraged to carry the information required for declaration and consent. In this section, we focus on the BLE technology, but other wireless technologies could be used in a similar way.

Bluetooth Low Energy (BLE) features a discovery mechanism that allows the detection and identification of devices as well as the transmission of small amounts of data. This mechanism can be used to implement direct communications between the DC and the DS Gateway Device. In the following we refer to the element implementing this mechanism on the DC side as the BLE Privacy beacon.

In Bluetooth Low Energy (BLE), device discovery is implemented using Advertisement Packets [bluetooth_sig_specification_2016, Part C, sec. 11] that are broadcast at regular intervals and can be received by any BLE device in range. Those packets can be configured to carry data necessary for the declaration of DC devices (parameters of the declare operation). A DS Gateway Device in the range of the DC BLE Privacy beacon will thus be able to passively retrieve the declaration data by collecting the advertising packets and extracting the relevant information.

Another feature offered by BLE is the Attribute Protocol (ATT) [bluetooth_sig_specification_2016, Part A, sec. 6.4] that allows the exposure of services and the transmission of small amounts of information through a lightweight connection. With ATT, a BLE device can have a set of profiles, each of them exposing a list of attributes that can support read and write operations. This feature can be leveraged to implement the communication of consent: the DS Gateway Device connects to the BLE Privacy Beacon (this is a lightweight process) and send the consent data (parameters of the define operation) using the ATT protocol.

Direct communications have several benefits: first, they do not require an Internet connectivity. Also, the locality of the communications reduces the risk of further tracking by a remote entity. From the point of view of the DS, the information part is collected passively by collecting the data transmitted by the BLE Privacy Beacon; this means that, in order to be informed, the DS does not expose his presence. They also raise several challenges. First, all devices should be able to declare themselves. Tracking systems involving passive devices thus need to be enhanced (for example with a beacon) to enable these declarations. Also, the communication protocol should support the communication of the parameters of the and operations. In addition, the communication range of the declaration should match the operational range of the data collection by the device. Finally, all the above features should be possible at reasonable cost and without disrupting existing services.

4.2 Indirect communications

Another option to implement information and consent is to use a registry (hereinafter “indirect communication”). Registries can be used both by DC (implementation of the declare operation) and by DS (implementation of the define operation). A DC registry is a database freely accessible through the Internet, storing all relevant information about DC devices, including the parameters of the operation. The DC registry declaring a DC device must be accessible to any DS device (or the paired Gateway Device) before it enters the range of this DC device (i.e. when if is the location of and and are respectively the location and range of ), for example via a web site or through an application. They must provide the required information in machine-readable format, for instance a structured format such as JSON provided through an API. They should also include a human-readable version that can be consulted directly by DS.

Indirect communications through DC registries have several advantages compared to direct communications: (1) they enable the visualization of DC policies regardless of the location of DS, which means that DS can be informed about the collection of data before visiting an area, (2) they provide a flexible management approach for DC policies — they do not require a specific infrastructure or particular capabilities of the devices except for an Internet connection888Therefore, they can be well-suited to passive devices such as cameras., and (3) they do not require the implementation of interactions with DS when a legal ground other than consent is considered.

However, their implementation raises several challenges: (1) DS devices must always be aware of all surrounding devices; therefore, inconspicuous or difficult to access registries are not acceptable. (2) registries must be properly managed, up-to-date and accurate in order to meet the requirements defined in the previous section. Managing a registry can be achieved in different ways: it can be centralized or distributed, and contributions can be restricted to authenticated parties.

In the same spirit, DS registries can be used by DC to retrieve the consents provided by DS. DC should be able to prove that the retrieved consents have effectively been provided by the right DS. This proof of identity could be implemented by using an authentication mechanism (e.g. with tokens).

4.3 Personal Data Custodian

The interactions described in the previous sections involve a variety of devices. However, the ultimate recipients of DC policies and original sources of DS policies are the DS themselves. In order to describe the interactions between DS and their devices, we assume that a software tool, called the Personal Data Custodian (hereinafter “PDC”), is installed on DS Gateway Devices. The roles of the PDC are the following:

  • Interact with the DS to allow him to consult the information received from DC devices (pursuant to the operation).

  • Interact with the DS to allow him to express his privacy choices (implementation of the operation).

  • Interact with DC devices to communicate personal data with their DS policies (implementation of the operation) or to reject collection requests from DC devices when the associated DC privacy policy does not comply with the DS privacy policy.

As discussed in Section 2, consent is valid only if it is freely given, specific, informed and unambiguous. Each of these conditions brings forward strong requirements on the PDC and the language used to express privacy policies:

  • Consent must be freely given: any personal data and privacy policy communicated by the PDC should reflect the genuine choices of the DS.

  • Consent must be specific: the privacy policy language must be rich enough to allow DS to express granular choices, for example about types of data, data controllers or authorized purposes.

  • Consent must be informed: the PDC must not disclose personal data to a DC device that has not communicated its privacy policy.

  • Consent must be unambiguous: in order to avoid any ambiguity, the privacy policy language should be endowed with a formal semantics and the interface used to interact with the DS should not give rise to any misunderstanding.

A privacy policy language meeting these requirements is described in a companion paper [pilot2018]. In the present paper, we focus on the PDC itself and its interactions with the DS. The main challenge is to find the appropriate level of automation and type of interaction to meet the GDPR requirements while avoiding information fatigue. If the level of automation is low and interactions too frequent, consents may apparently meet all the GDPR requirements but in fact result from routine, mechanical, acceptance from DS, as already observed on the web. If the level of automation is high, the reason may be that privacy policy rules are defined in a very coarse way (for example, “always accept the disclosure of my MAC-address”) which would not meet the GDPR requirements. Careful PDC design choices can help resolve this tension. For example, DS should be able to express positive rules (conditions in which they agree to communicate a type of personal data) and negative rules (conditions in which they refuse to communicate a type of personal data). The PDC would then interact with the DS only in situations for which it has not received any instruction (for example when an unknown category of DC device requests personal data). If the privacy language makes it possible to define choices at different levels of granularity, the DS can exploit this possibility to express generic consents (such as “always accept the disclosure of my MAC-address to a DC of category Museum for the purpose Counting-visitors only”. The PDC should then be able to instantiate this generic consent to a specific consent for a given museum visited by the DS.

DS should also have the possibility to give their consent or dissent once for a particular occasion, but to be requested for future occurrences. A PDC should then propose to express temporary rules, regardless of the privacy language used.

Different choices can also be made regarding the user interface provided to the DS. One option is to rely on a dashboard on which the DS can consult the DC declarations and express his consent through drop-down menus. Another option is to use a natural language version of the privacy policy language that can be easily understood by the DS as suggested in [lemetayer-simple-2008, pilot2018]. This type of language can also be used to display DC declarations in a readable form.

5 Case studies

In order to illustrate the versatility of our framework and the technical options introduced in Section 4, we present their application to a challenging vehicle tracking case study in Section 5.1. We discuss more briefly other applications in Section 5.2. We emphasize that all the solutions proposed here apply without any registration phase or assumption about prior contacts between DS and DC.

5.1 Vehicle tracking

Vehicles may be subject to passive data collection by systems that detect and record their presence. One of the main technologies allowing this data collection is Automatic Number Plate Recognition (ANPR) [du_automatic_2013] based on images captured by CCTV cameras. This technology has found many applications (e.g. law enforcement, road monitoring, parking billing and targeted advertisement). However, it has also triggered serious privacy concerns as it involves the collection of large amounts of mobility data [noauthor_automated_2017].

Depending on the purpose of the ANPR system, the requirements regarding information and consent may vary. For instance, when used for billing purpose, consent is not required because contract can be considered as the legal ground for data processing. However, consent would be required for ANPR systems collecting data for additional purposes such as profiling users to provide personalized services999For example, suggestions about parking places or routes.. Even though they can be implemented independently, we consider in the following that both information and consent are required.

Let us consider a driving area (road section or parking lot) in which an ANPR system is operating, i.e. all the vehicles in this area can have their plate number recorded and associated with other data (time, location, etc.). Let us further assume that the DC in charge of the ANPR system has no prior link with the DS. This means that, before the DS enters the area, the DC and the DS have not been able to communicate and that any exchange of information must be done on the spot. For what concerns the information of the DS, written signs could be displayed on the side of the road but they might remain unnoticed and would not convey the level of information required in this context. In this challenging situation, the technical solutions presented in Section 4 can be used to implement mechanisms for seamless information and consent.

The first option to address this case is to use direct communications via BLE Privacy Beacons as presented in Section 4.1. Such beacons can be deployed in the ANPR area and around it in order to inform DS as soon as they enter the area. Furthermore, if the DS has configured his PDC with the relevant identifier (in this case the vehicle plate number), the PDC will also be able to use direct communications with the beacon in order to transmit a potential consent to the DC. The scenario is the following (see Figure 2): when entering the location, the PDC of the DS will automatically detect the BLE Privacy Beacon and retrieve the privacy policy of the ANPR system thanks to the direct communication mechanism. If this DC privacy policy complies with the DS privacy policy, the PDC of the DS automatically sends the consent through the Bluetooth direct communication channel. This consent contains the plate number, which is the identifier of the DS in the context of this data collection. Once this consent is received and securely stored, the ANPR system is allowed to collect data on the vehicle identified by this plate number. By default, the ANPR system discards any data for which it has not obtained consent.

Figure 2: Illustration of an ANPR system augmented with a BLE-based direction communication mechanism. If the privacy policy received from the DC complies with the DS privacy policy, the PDC of the DS automatically sends the consent (with the plate number) through the Bluetooth direct communication channel.

Another option to deal with APNR systems is to rely on indirect communications as described in section 4.2. In this case, the DS is informed of the presence of the ANPR system through a DC registry: the DS Gateway Device regularly sends requests with its current localization to a dedicated server in order to get the list of nearby systems and the associated DC privacy policies. If the DC privacy policy complies with the DS privacy policy, the PDC sends the DS consent automatically to the dedicated online DS registry.

5.2 Other applications

Wi-Fi/Bluetooth tracking in shopping mall: System monitoring the visitors of a shopping mall through Wi-Fi or Bluetooth are becoming commonplace. These systems passively collect the identifiers (MAC addresses) found in the messages broadcast by portable devices [demir:hal-00983363]. Any person entering the mall should be informed and should be able to easily provide his consent. This is particularly challenging in this kind of venue where there is generally no existing link between visitors and the managing entity; as a a result visitors are currently informed of those tracking system via posters and consent requirement is simply ignored. This use case is challenging but it can be addressed in our framework either in the direct mode or in the indirect mode. In both cases, DS can be informed that Wi-Fi/Bluetooth data collection is taking place and can in turn send their consent, including their radio identifiers, through their PDC (if their own privacy policy allows for this collection).

Smart Meeting-room: Smart meeting-rooms are equipped with a variety of sensors and actuators in order to provide services to their hosts [waibel_smart:2003]. For instance, video cameras can record the position and movement of guests in the room, microphones can record the ambient sound to infer the nature of the discussion. We assume that this data can be collected only if all people in the room have provided their consent. The challenge here is to ensure that consent is retrieved from all guests, and that this consent is communicated with as little effort as possible. In this context, our approach could be applied as follows. Individual information and potential consents would be transmitted through direct or indirect communications as described in Section 4. In parallel, a counting sensor is used to maintain an accurate number of guests in the room. The collection and processing of data within the room do not take place unless the DC has received a consent from as many people as there are in the room. In addition, if someone leaves or enters the room, the counting sensor is able to take the evolution into account and check the condition again.

We note that applying the indirect communication approach would yield in a solution similar to the one of Sadeh et. al [sadeh_privacy_2017]. However, the direct communication approach would be significantly differ as all the exchanges of information will happen in the vicinity of the room, removing the need for network connectivity and the exposure of information to a third party.

6 Prototype implementation

In this section, we briefly describe our prototype implementation of the direct communication solution presented in Section 4.1. We use a BLE Privacy beacon combined with a mobile application running on an Android phone implementing the PDC presented in Section 4.3. The BLE Privacy beacon is based on a low cost (less than $6) hardware (Espressif ESP32101010https://www.espressif.com/en/products/hardware/esp32/overview) that implement the information and consent mechanisms (code of this BLE privacy beacon is available online 111111https://github.com/cunchem/BLE_Privacy_Beacon.git.).

The mobile application acts as a PDC and enables the definition of DS privacy policies in a user-friendly manner. So far, only the positive rules mentioned in Section 4.3 are implemented. DS can add, update and delete rules through a scroll-down menu. The applications implements the direct communications to exchange privacy policies and consent with BLE Privacy beacon. Upon reception, the DC policy is compared to the current DS policy, and the PDC issues a consent message in case of compliance.

Our BLE device has been tested with 46 bytes long DC privacy policies. BLE devices are detected more than 10 meters away in indoor environment comprising load-bearing walls, and DC privacy policies are retrieved in less than 1 second after the PDC comes in range. The PDC is able to compare privacy policies and sends consent if the DC privacy policy complies with the DS privacy policy.

7 Related Work

In  [pappachan_towards_2017] the authors introduced the concept of IoT Resource Registries (IRRs) that broadcast data collection policies and sharing practices of the local IoT systems. Our direct communication mode has some similarities with this proposal. However, in contrast with [pappachan_towards_2017], we provide technical solutions for its implementation and demonstrate an actual prototype. Furthermore, our approach is not limited to information since it also includes consent.

The Privacy Assistant project led by the Carnegie-Mellon University (CMU) is an example of use of registries to declare and retrieve privacy policies of IoT devices [Das2018]. A prototype has been deployed on the CMU campus, where DS are able to locate cameras. Combined with an assistant on a mobile phone, subjects are warned about personal data collection in their vicinity. Our contributions with respect to this work are threefold: first, we present in Section 3 a generic framework that can be instantiated in different ways as shown in Section 4. The registries proposed in [Das2018] represent one of the possible technical options. Also, we emphasize the control of DS over the disclosure of their personal data through their Gateway Devices (rather than through external privacy enforcement points). Last but not least, our first motivation is the implementation of the GDPR requirements in the context of IoT. As argued in Section 3, the design choices of our framework are driven by this objective, especially the need to ensure that the criteria for valid consent are met.

Another example of registry dedicated to the declaration privacy choices is the Smart Places121212https://smart-places.org/ service proposed by the Future of Privacy Forum (FPF). With this service a data subject can provide his Wi-Fi or Bluetooth MAC address in order to opt-out from tracking by participating companies.

Previous work has also been done on privacy assistants[Das2018], including the PawS architecture[Marc2002] and IoTA[Das2018, Das2017]. In contrast with previous work in this area, our framework does not make any assumption about policy enforcement points and prior contact (e.g. through registration) between DS and DC: beacons announce themselves for direct communications, and registries are automatically retrieved by the PDC for indirect communications. Our framework enables local communications: DS policies does not have to be disclosed. In addition, our framework and privacy policies rely on a formal semantics which makes it possible to reason about privacy policies and provide further guidance to DS (for example abut the risks related to their policies)[pilot2018].

In a nutshell, the main contributions of this paper with respect to previous work are the following:

  • Our framework is generic, including both direct and indirect communication modes, for both information and consent.

  • It is able to deal with the situation, which is common in the IoT, where DS do not have any prior contact with DC.

  • It relies on a formal semantics which makes it possible to avoid ambiguities and to provide formal guarantees.

  • It has been devised to meet the requirements for information and consent in the GDPR and to enhance local control of the DS over the collection of their personal data.

8 Conclusion

Beyond GDPR compliance, we believe that the adoption of the measures suggested in this paper would contribute to reduce the imbalance of powers between DC and DS without introducing prohibitive costs or unacceptable constraints for DC. The effectiveness of these solutions also depends on organizational and regulatory measures. For example, DC deploying or using IoT devices must have the legal obligation to declare their devices (with the required information) using electronic means 131313The use of electronic means is not required by the GDPR and, so far, the WP29 seems to consider signposts as an acceptable information means.. These solutions also require a standardization effort (e.g. about the declaration protocol and the privacy policy language).

On the technical side, further work is required to improve the user-friendliness of the interface of our PDC and also to make it easier for DC to declare their devices. The fact that our framework and privacy policy languages are endowed with formal semantics also paves the way for richer user interfaces. For example, we suggest in a companion paper [pilot2018] the verification of properties based on different risk assumptions. This facility could be useful to enhance DS awareness and to allow them to make better informed decisions.

The proposals made in this paper are also very relevant to the ongoing discussions about the future ePrivacy Regulation [eprivacy-2017]. As stated by the WP29 [wp29-eprivacy-2017], the current draft “gives the impression that organisations may collect information emitted by terminal equipment to track the physical movements of individuals (such as Wi-Fi-tracking or Bluetooth-tracking) without the consent of the individual concerned.”The text is still evolving but this would be all the more unacceptable that, as discussed in this paper, solutions can be developed to make information and consent more effective, without introducing excessive constraints neither for data controllers nor for data subjects.

Acknowledgments

This work has been partially funded by the CHIST-ERA project UPRISE-IoT, and by the INSA Lyon - SPIE ICS chair on the Internet of Things.

References