License: Publishing license for publications including print on demand PDF - Accepted Version (11MB) |
- URN to cite this document: urn:nbn:de:bvb:355-epub-371139
- DOI to cite this document: 10.5283/epub.37113
Item type: | Thesis of the University of Regensburg (PhD) |
---|---|
Open Access Type: | Primary Publication |
Date: | 17 May 2018 |
Referee: | Prof. Dr. Günther Pernul |
Date of exam: | 26 February 2018 |
Institutions: | Business, Economics and Information Systems > Institut für Wirtschaftsinformatik; Business, Economics and Information Systems > Institut für Wirtschaftsinformatik > Lehrstuhl für Wirtschaftsinformatik I - Informationssysteme (Prof. Dr. Günther Pernul); Informatics and Data Science > Department Information Systems > Lehrstuhl für Wirtschaftsinformatik I - Informationssysteme (Prof. Dr. Günther Pernul) |
Keywords: | Internet of Things, Cyber Security, Privacy, Privacy by Design, GDPR, General Data Protection Regulation |
Dewey Decimal Classification: | 000 Computer science, information & general works > 004 Computer science; 300 Social sciences > 330 Economics |
Status: | Published |
Refereed: | Yes, this version has been refereed |
Created at the University of Regensburg: | Yes |
Item ID: | 37113 |
Abstract (English)
The Internet of Things (abbreviated: “IoT”) is acknowledged as one of the most important disruptive technologies, with more than 16 billion devices forecasted to interact autonomously by 2020. The idea is simple: devices will help to measure the status of physical objects. The devices, containing sensors and actuators, are so small that they can be integrated into or attached to any object in order to measure that object and possibly change its status accordingly. A process or workflow is then able to interact with those devices and to control the objects physically. The result is the collection of massive data in a ubiquitous form. This data can be analysed to gain new insights, a benefit propagated by the “Big Data” and “Smart Data” paradigms. While governments, cities and industries are heavily involved in the Internet of Things, society’s privacy awareness and the concerns over data protection in IoT increase steadily. The scale of the collection, processing and dissemination of possibly private information in the Internet of Things has long begun to raise privacy concerns. The problem is a fundamental one: it is the massive data collection that benefits the investment in IoT, while it contradicts the interest in data minimization coming from privacy advocates. And the challenges go even further: while privacy is an actively researched topic with a mature variety of privacy-preserving mechanisms, legal studies and surveillance studies in specific contexts, investigations of how to apply these concepts in the constrained environment of IoT have merely begun. Thus the objective of this thesis is threefold and tackles several topics, looking at them in a differentiated way and later bringing them together for one of the first (more) complete pictures of privacy in IoT. The first starting point is the thorough study of stakeholders, impact areas and proposals on an architectural reference model for IoT.
At the time of this writing, IoT was advertised heavily by several companies, products and even governments, creating a blurred picture of what IoT really is. This thesis surveys stakeholders, scenarios, architecture paradigms and definitions to find a working definition for IoT which adequately describes the intersection between all of the aforementioned topics. In a further step, the definition is applied by way of example to two scenarios to identify the common building blocks of those scenarios and of IoT in general. The building blocks are then verified against a similar approach by the IoT-A and Rerum projects and unified into an IoT domain model. This approach purposefully uses notions and paradigms provided in related scientific work and European projects in order to benefit from existing efforts and to achieve a common understanding. In this thesis, the observation of so-called cyber-physical properties of IoT leads to the conclusion that IoT proposals miss a core concept of physical interaction in the “real world”. Accordingly, this thesis takes a detour to jurisdiction and identifies ownership and possession as main concepts of “human-to-object” relationships. The analysis of IoT building blocks ends with an enhanced IoT domain model. The next step breaks down “privacy by design”. Notable here is that privacy by design has been well integrated into the new European General Data Protection Regulation (GDPR). This regulation heavily affects IoT and thus serves as the main source of privacy requirements. Gürses et al.’s privacy paradigm (privacy as confidentiality, privacy as control and privacy as practice) is used for the breakdown, preceded by a survey of relevant privacy proposals, where relevance was measured against previously identified IoT impact areas and stakeholders. Independently of IoT, this thesis shows that privacy engineering is a task that still needs to be well understood.
A privacy development lifecycle was therefore sketched as a first step in this direction. Existing privacy technologies are part of the survey. Current research is summed up to show that while many schemes exist, few are adequate for actual application in IoT due to their high energy or computational consumption and high implementation costs (most notably caused by the implementation of special arithmetic). In an effort to give a first direction on possible new privacy-enhancing technologies for IoT, new technical schemes are presented, formally verified and evaluated. The proposals comprise schemes, among others, on relaxed integrity protection, privacy-friendly authentication and authorization as well as geo-location privacy. The schemes are presented to industry partners with positive results. These technologies have thus been published in academia and as intellectual property items. This thesis concludes by bringing privacy and IoT together. The final result is a privacy-enhanced IoT domain model accompanied by a set of assumptions regarding stakeholders, economic impacts, economic and technical constraints as well as formally verified and evaluated proof-of-concept technologies for privacy in IoT. There is justifiable interest in IoT as it helps to tackle many future challenges found in several impact areas. At the same time, IoT impacts the stakeholders that participate in those areas, creating the need for unification of IoT and privacy. This thesis shows that technical and economic constraints do not impede such a process, although the process has merely begun.
Translation of the abstract (from German)
The Internet of Things (abbreviated: “IoT”) has an estimated market value of several trillion euros and is regarded as one of the most disruptive technologies of our time.
The data generated by the IoT contributes substantially to the success of the IoT. This data opens up new scope for action in application areas such as cities (Smart Cities), traffic (Smart Traffic) and energy supply (Smart Grid), and also fuels other concepts such as Smart Data and Big Data. When this data, which spans several areas of life, is collected and analysed, sensitive information can be derived from it that affects the privacy of the participants in these application areas. Data protection, which focuses on the principles of data minimization, consent and purpose limitation, stands in fundamental contradiction to the core competencies of the IoT and of the Smart/Big Data paradigms, which aim at collecting data and identifying unknown structures in that data. This dissertation is devoted to this fundamental contradiction and asks whether and how the IoT and the protection of personal data can be brought together.
Metadata last modified: 25 Nov 2020 20:06