Difference between revisions of "IoTSec:Privacy Label"

From its-wiki.no

m (Privacy tomorrow)
(15 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
[[File:Energy_label.png|200px|right|Privacy Labelling for Apps og Dingser]]
 
[[File:Energy_label.png|200px|right|Privacy Labelling for Apps og Dingser]]
 
== Objective ==
 
== Objective ==
This page provides background for the need for a '''Privacy Label''' for Apps, Things and Services. The use of energy labels has successfully ''(i)'' enhanced the understanding of energy consumption of white goods like washing machines, freezers and others, ''(ii)'' promoted the extra costs of energy-effective white goods, and ''(iii)'' reduced the energy consumption from white goods.
+
{{TOCright}}This page provides background for the need for a '''Privacy Label''' for Apps, Things and Services. The use of energy labels has successfully ''(i)'' enhanced the understanding of energy consumption of white goods like washing machines, freezers and others, ''(ii)'' promoted the extra costs of energy-effective white goods, and ''(iii)'' reduced the energy consumption from white goods.
  
 
Privacy labels for applications (Apps), Things and Services similar to the energy labels (A++, A+, A, B,...F) will lead a better understanding of the value of privacy, and will allow for a market introduction of privacy-aware services. Customers in Europe have an understanding of these labels for white goods, and thus will appreciate similar labelling for privacy.
 
Privacy labels for applications (Apps), Things and Services similar to the energy labels (A++, A+, A, B,...F) will lead a better understanding of the value of privacy, and will allow for a market introduction of privacy-aware services. Customers in Europe have an understanding of these labels for white goods, and thus will appreciate similar labelling for privacy.
  
By applying the principles of the energy label to privacy, we can achieve
+
We have joined forces with Consumer Services ("Forbrukerrådet") in Norway to establish the guidelines for the ‘privacy labelling’ (A++, A+, A, B …F). Ongoing work analyses the use of data, and establishes a machine-readable (semantic) framework for the calculation of the labels.
• A set of guidelines for ‘privacy labelling’ (A++, A+, A, B …F) of apps, in agreement with at least one national authority (“Consumer Services”).
+
 
+
  
 
== Background ==
 
== Background ==
 
[[File:Appfail.png|200px|right|Appfail report from the Norwegian Consumer Services]]
 
[[File:Appfail.png|200px|right|Appfail report from the Norwegian Consumer Services]]
The Consumer Services of Norway (Forbrukerrådet) have established a report on privacy in Apps "App-Fail". In there they have found breach of privacy by apps. They identified a lack of "understandable privacy" as the main challenge. This thesis will
+
The Consumer Services of Norway (Forbrukerrådet) have established a report on privacy in Apps "App-Fail". In there they have found breach of privacy by apps. They identified a lack of "understandable privacy" as the main challenge, reason being that privacy rules are often written by lawyers, to be used in court cases. Some apps use as much as 250.000 words for their description of ''terms and conditions'', making an automatic analysis  cumbersome.
* analysis of privacy of home IoT devices
+
 
* starting from "privacy by design", and identifying input parameters for "privacy"
+
== Ongoing work==
 +
The ongoing work focusses on more easily to understand technical measures, and is amongst other supported through an ongoing PhD at the University of Oslo (UiO). The thesis  
 +
* performs an analysis of privacy of home IoT devices
 +
* starting from "privacy by design", and identifying input parameters for "privacy".
 
* Adopt the multi-metrics methodology for converting input parameters of privacy into measurable privacy
 
* Adopt the multi-metrics methodology for converting input parameters of privacy into measurable privacy
* suggestion for privacy classes, following the European energy labelling
+
* Provides suggestion for privacy classes, following the European energy labelling
 
* provide at least two usage scenarios of devices/applications, e.g. sporting device ("speedometer") or child doll
 
* provide at least two usage scenarios of devices/applications, e.g. sporting device ("speedometer") or child doll
 
* criteria and evaluation of privacy labels
 
* criteria and evaluation of privacy labels
  
This page provides background for Privacy Labelling,  
+
We are open for a Master Thesis in the area, e.g.  [[Privacy_labels_for_IoT_consumer_products]] to get the rules for privacy classes in place.
Measure, what you can measure - Make measurable, what you can’t measure” - Galileo
+
  
Privacy today
+
[[File:Privacy_Methodology.jpg|500px]]
based on lawyer terminology
+
250.000 words on app terms
and conditions
+
Privacy tomorrow
+
A++: sharing with no others
+
A: …
+
C: sharing with ….
+
The Privacy label for apps 
and devices
+
  
<!---- [[Linn Eirin Paulsen]] jobber i sin Masteroppgaven [[Privacy_labels_for_IoT_consumer_products]] for å få regler for personvern label.  --->
+
= Privacy tomorrow =
[[Linn Eirin Paulsen]] is working on her Master Thesis entitled  [[Privacy_labels_for_IoT_consumer_products]] to get the rules for privacy classes in place.
+
The suggested 'privacy labels' will come with short explanations showing the value for customers,  e.g.
  
[[File:Privacy_Methodology.jpg|500px]]
+
:A+: No privacy related data is transferred from product/service
 +
:A: sharing only with your mobile phone or other personal devices, or a configurable list of people
 +
:B: Only context data (e.g. device location) is transferred
 +
:C: Personal data is transferred, easy configuration of
 +
::  data selection with respect to direct value to the user
 +
::  data is shared with specific 3rd parties or other people
 +
:D: GDPR compliant
 +
:F: failed to be GDPR compliant
 +
 
 +
If you want to join, please spread the word, and contact [[Elahe Fazeldehkordi]] or any member of the [[IoTSec:About|IoTSec project team]]
 +
 
 +
Our work integrates well into the ''Trusted IoT Label'' work from DigitalEurope.org, addressing [http://www.digitaleurope.org/Document-Download/Command/Core_Download/EntryId/2365&usg=AFQjCNF2iTYU-iEAJoIDozNpK47p1tYmjw DIGITALEUROPE’s views on Cybersecurity Certification and Labelling Schemes].
 +
 
 +
IoTSec discussion on [[IoTSec:Privacy_Label_explanation]] and SCOTT activities in [[SCOTT:BB26.G]] on Methodlogies
 +
 
 +
== Good examples/Related work ==
 +
Forbrukerrådet (Consumer Services) has established a report on the GPS-watches for children, indicating lacks both with respect to security and privacy: https://www.forbrukerradet.no/siste-nytt/elendig-sikkerhet-i-smartklokker-for-barn (''in Norwegian'')
 +
 
 +
Online Trust Alliance has created an IoT ecosystem built on trust and innovation, by prioritizing safety, privacy and security
 +
* https://otalliance.org/initiatives/internet-things
 +
* https://www.helpnetsecurity.com/2017/01/05/iot-trust-framework/
 +
 
 +
 
 +
Here we add some examples of companies providing very good declarations for privacy:
 +
* Zoho - https://www.zoho.com/privacy-policy-changes-19032015-30092016.html
 +
* ...
  
A main goal of the work
+
and not to forget the privacy policy established by the [[GravidPluss:Home|GravidPluss project]] for medical data used in apps, developed in conjunction and agreed with hospitals and health authorities (''Helse Sør-Øst'') in Norway.
 +
* EN: http://privacy.GravidPluss.org and NO: http://privacy.GravidPluss.no
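Review bot: In the new "Privacy tomorrow" section the example classes start at A+ and go from D straight to F, while the Objective paragraph in the same revision still gives the scale as "A++, A+, A, B …F" and the removed text had "A++: sharing with no others". Either add an A++ entry (and say whether E exists) or state that the list is a partial illustration. Two smaller points in the added lines: "Methodlogies" should be "Methodologies", and the "* ..." placeholder under the Zoho entry should be filled in or dropped.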

Revision as of 14:49, 24 January 2019

Security in IoT for Smart Grids

Towards Measurable Privacy - Privacy Labelling

Privacy Labelling for Apps and Gadgets

Objective

This page provides background for the need for a Privacy Label for Apps, Things and Services. The use of energy labels has successfully (i) enhanced the understanding of energy consumption of white goods like washing machines, freezers and others, (ii) promoted the extra costs of energy-efficient white goods, and (iii) reduced the energy consumption from white goods.

Privacy labels for applications (Apps), Things and Services, similar to the energy labels (A++, A+, A, B, ... F), will lead to a better understanding of the value of privacy, and will allow for a market introduction of privacy-aware services. Customers in Europe have an understanding of these labels for white goods, and thus will appreciate similar labelling for privacy.

We have joined forces with Consumer Services ("Forbrukerrådet") in Norway to establish the guidelines for the ‘privacy labelling’ (A++, A+, A, B …F). Ongoing work analyses the use of data, and establishes a machine-readable (semantic) framework for the calculation of the labels.

Background

Appfail report from the Norwegian Consumer Services

The Consumer Services of Norway (Forbrukerrådet) have established a report on privacy in apps, "App-Fail". In it they found breaches of privacy by apps. They identified a lack of "understandable privacy" as the main challenge, the reason being that privacy rules are often written by lawyers, to be used in court cases. Some apps use as many as 250.000 words for their description of terms and conditions, making an automatic analysis cumbersome.

Ongoing work

The ongoing work focusses on technical measures that are easier to understand, and is supported, amongst others, through an ongoing PhD at the University of Oslo (UiO). The thesis

  • performs an analysis of privacy of home IoT devices
  • starts from "privacy by design" and identifies input parameters for "privacy"
  • adopts the multi-metrics methodology for converting input parameters of privacy into measurable privacy
  • provides suggestions for privacy classes, following the European energy labelling
  • provides at least two usage scenarios of devices/applications, e.g. a sporting device ("speedometer") or a child's doll
  • provides criteria and evaluation of privacy labels

We are open for a Master Thesis in the area, e.g. Privacy_labels_for_IoT_consumer_products to get the rules for privacy classes in place.

[Figure: Privacy Methodology]

Privacy tomorrow

The suggested 'privacy labels' will come with short explanations showing the value for customers, e.g.

A+: No privacy related data is transferred from product/service
A: sharing only with your mobile phone or other personal devices, or a configurable list of people
B: Only context data (e.g. device location) is transferred
C: Personal data is transferred, easy configuration of
    data selection with respect to direct value to the user
    data is shared with specific 3rd parties or other people
D: GDPR compliant
F: failed to be GDPR compliant

If you want to join, please spread the word, and contact Elahe Fazeldehkordi or any member of the IoTSec project team

Our work integrates well into the Trusted IoT Label work from DigitalEurope.org, addressing DIGITALEUROPE’s views on Cybersecurity Certification and Labelling Schemes.

IoTSec discussion on IoTSec:Privacy_Label_explanation and SCOTT activities in SCOTT:BB26.G on Methodologies

Good examples/Related work

Forbrukerrådet (Consumer Services) has established a report on GPS watches for children, indicating shortcomings with respect to both security and privacy: https://www.forbrukerradet.no/siste-nytt/elendig-sikkerhet-i-smartklokker-for-barn (in Norwegian)

Online Trust Alliance has created an IoT ecosystem built on trust and innovation, by prioritizing safety, privacy and security:

  • https://otalliance.org/initiatives/internet-things
  • https://www.helpnetsecurity.com/2017/01/05/iot-trust-framework/

Here we add some examples of companies providing very good declarations for privacy:

  • Zoho - https://www.zoho.com/privacy-policy-changes-19032015-30092016.html

and not to forget the privacy policy established by the GravidPluss project for medical data used in apps, developed in conjunction and agreed with hospitals and health authorities (Helse Sør-Øst) in Norway.

  • EN: http://privacy.GravidPluss.org and NO: http://privacy.GravidPluss.no