IoTSec:Privacy Label
From its-wiki.no
Security in IoT for Smart Grids
Towards Measurable Privacy - Privacy Labelling
Objective
Privacy labels for applications (Apps), Things and Services similar to the energy labels (A++, A+, A, B,...F) will lead to a better understanding of the value of privacy, and will allow for a market introduction of privacy-aware services. Customers in Europe have an understanding of these labels for white goods, and thus will appreciate similar labelling for privacy.
We have joined forces with Consumer Services ("Forbrukerrådet") in Norway to establish the guidelines for the ‘privacy labelling’ (A++, A+, A, B …F). Ongoing work analyses the use of data, and establishes a machine-readable (semantic) framework for the calculation of the labels.
Background
The Consumer Services of Norway (Forbrukerrådet) have produced a report on privacy in apps, "App-Fail", in which they found breaches of privacy by apps. They identified a lack of "understandable privacy" as the main challenge, the reason being that privacy rules are often written by lawyers, to be used in court cases. Some apps use as much as 250.000 words for their description of terms and conditions, making an automatic analysis cumbersome.
Ongoing work
During the Privacy Labelling Workshop in March 2020 in Oslo, we discussed how we can make Privacy Labels happen.
- Involve players to perform a self-assessment and establish their structured privacy statement, using PrivacyLabel.org. Note: the handbook for the Privacy Label manual, including images and description, is at: https://www.privacylabel.org/learn/userfiles/media/privacylabel.org/instruction_manual_privacy_label_manager.pdf
- Create labels (A-F) based on the input from the privacy labels self-assessment. Options are to use AI on language processing, or other accumulative methods - a topic for ongoing and future scientific work.
- Join forces for a regulatory framework to make the self-assessment mandatory for products and services. A way ahead is to invite the consumer organisations from the Netherlands, LUX, NO, SE,... to ask for a common position, based on examples of privacy statements using the self-assessment tool.
UiO work
The ongoing work focuses on technical measures that are easier to understand, and is supported, among others, through an ongoing PhD at the University of Oslo (UiO). The thesis
- performs an analysis of privacy of home IoT devices
- starts from "privacy by design" and identifies input parameters for "privacy"
- adopts the multi-metrics methodology for converting input parameters of privacy into measurable privacy
- provides suggestions for privacy classes, following the European energy labelling
- provides at least two usage scenarios of devices/applications, e.g. a sporting device ("speedometer") or a child doll
- covers criteria and evaluation of privacy labels
Christoffer Ramsvig Thambirajah wrote a Master Thesis on "Assessment of Measurable Privacy for IoT Consumer Products" to get the rules for privacy classes in place. If you are interested in Master Thesis work in this area, please let us know.
Privacy tomorrow
The suggested 'privacy labels' will come with short explanations showing the value for customers, e.g.
- A+: No privacy related data is transferred from product/service
- A: sharing only with your mobile phone or other personal devices, or a configurable list of people
- B: Only context data (e.g. device location) is transferred
- C: Personal data is transferred, easy configuration of
  - data selection with respect to direct value to the user
  - data is shared with specific 3rd parties or other people
- D: GDPR compliant
- F: failed to be GDPR compliant
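One way to express the short explanations above in machine-readable form, as an added example that is not the IoTSec project's own calculation method. The `Flow` and `Assessment` schema, its field values, the rule that the worst flow decides the label, and the reading of D as "personal data to third parties without easy configuration" are assumptions; the two sample products are constructed.

```python
from dataclasses import dataclass

ORDER = ["A+", "A", "B", "C", "D", "F"]  # best to worst, as listed above

@dataclass(frozen=True)
class Flow:  # hypothetical schema: one declared outbound data flow
    category: str   # "context" (e.g. device location) or "personal"
    recipient: str  # "personal_device", "chosen_people" or "third_party"

@dataclass(frozen=True)
class Assessment:  # hypothetical structured self-assessment
    gdpr_compliant: bool
    easy_configuration: bool  # user can select data and recipients
    flows: tuple = ()

def flow_label(flow, easy_configuration):
    """Label a single flow using the short explanations on this page."""
    if flow.category not in ("context", "personal"):
        raise ValueError(f"unknown category: {flow.category!r}")
    if flow.recipient in ("personal_device", "chosen_people"):
        return "A"  # stays with the user's own devices or chosen people
    if flow.recipient != "third_party":
        raise ValueError(f"unknown recipient: {flow.recipient!r}")
    if flow.category == "context":
        return "B"  # only context data leaves the user's sphere
    # Personal data to third parties: C needs easy configuration (assumed), else D.
    return "C" if easy_configuration else "D"

def privacy_label(assessment):
    """Assumed aggregation: the worst flow decides; no flows means A+."""
    if not assessment.gdpr_compliant:
        return "F"
    labels = [flow_label(f, assessment.easy_configuration)
              for f in assessment.flows]
    return max(labels, key=ORDER.index, default="A+")

# Constructed sample products, named after the usage scenarios on this page.
SPEEDOMETER = Assessment(True, False, (Flow("personal", "personal_device"),))
CHILD_DOLL = Assessment(True, False, (Flow("context", "third_party"),
                                      Flow("personal", "third_party")))

if __name__ == "__main__":
    print(privacy_label(SPEEDOMETER), privacy_label(CHILD_DOLL))
```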
If you want to join, please spread the word, and contact Elahe Fazeldehkordi or any member of the IoTSec project team.
Our work integrates well into the Trusted IoT Label work from DigitalEurope.org, addressing DIGITALEUROPE’s views on Cybersecurity Certification and Labelling Schemes.
IoTSec discussion on IoTSec:Privacy_Label_explanation and SCOTT activities in SCOTT:BB26.G on Methodologies
Good examples/Related work
Forbrukerrådet (Consumer Services) has produced a report on GPS watches for children, indicating shortcomings with respect to both security and privacy: https://www.forbrukerradet.no/siste-nytt/elendig-sikkerhet-i-smartklokker-for-barn (in Norwegian)
Online Trust Alliance has created an IoT ecosystem built on trust and innovation, by prioritising safety, privacy and security
- https://otalliance.org/initiatives/internet-things
- https://www.helpnetsecurity.com/2017/01/05/iot-trust-framework/
Here we add some examples of companies providing very good declarations for privacy:
and not to forget the privacy policy established by the GravidPluss project for medical data used in apps, developed in conjunction and agreed with hospitals and health authorities (Helse Sør-Øst) in Norway.