Privacy in the Internet of Things: Regulation vs Innovation

Cigdem Sengul
September 7, 2016


Every investor, innovator, and potential consumer of an IoT-based application asks the same set of questions: Is it useful? Does it work? Can I trust it? Among the three, the trust question is critical, as IoT extends to everyday items not normally considered computers, allowing them to generate, exchange and consume data with minimal human intervention [1].

Consumers must have confidence that their data is collected, stored and used in a manner that benefits them and does not jeopardize their privacy. Reducing risks and building trust is essential regardless of individuals' concern over their privacy, i.e., whether they are privacy fundamentalists or privacy unconcerned. Although not specifically for IoT, a number of guidelines and regulations already move towards this direction, e.g., Fair Information Practice Principles (FIPPs) [2], Privacy by Design [3], and, for European citizens, General Data Protection Regulation (GDPR) [4].

Complying with these principles and regulations requires a good understanding of the privacy risks in IoT systems. The privacy risks of a system are the product of three inputs: the personal data collected or generated, data actions performed on that information and the context surrounding the collection, generation, processing, disclosure and retention of this personal data [5]. Reducing the privacy risk of an IoT system means reducing risk within all three dimensions. To this end, the GDPR sets "necessity" and "data minimization" as requirements to process personal data. For data actions and context, the regulation seeks consumer agreement via the principles of "transparency and openness", "notice" and "consent".

However, as regulation marches ahead, both privacy and, consequently, security solutions for IoT need to play catch-up. Privacy solutions need to help consumers decide who should legitimately access and alter information. Security solutions need to implement those choices. Finally, these solutions must be developed without losing sight of the ultimate objective of IoT: the real vision and value to innovation lies in the data collected within an IoT system. Given the general challenges of IoT, such as scale, dynamic changes, device heterogeneity, and resource- constrained IoT devices, some thorny issues lie ahead. Next, these issues are discussed using the three dimensions of risk – personal data, data actions, and context.

Personal data: What is it and who owns it?

According to GDPR, personal data means any information relating to "an identified or identifiable natural person; directly or indirectly, by a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity" [4].

According to Ofcom, the UK communications regulator [6], personal data is:

  • Volunteered data that comes directly from the individual.
  • Observed data that is created as a result of a transaction between an individual and an organization.
  • Inferred data, also called derived data, that is the output of data analysis, combination or mining.

To support consumers to take ownership of their personal data, IoT systems need to be transparent. Consumers should be able to review when their personal data is collected and how it is used, and be able to give or withdraw consent [4]. More importantly, this consent should not only be "in or out" but be granular, i.e., consumers should be able to choose a subset of data they would like to share with an IoT system. As a consequence, IoT systems should have the means to cope with missing data.

In addition, security solutions need to ensure confidentiality, integrity and availability of personal data. This, for instance, requires encryption when data is in transit and at rest, which may be challenging to support at the resource-constrained IoT devices.

However, the main challenge stems from the personal data generated through indirect interactions. Like passive smoking, persons who are in the vicinity of others' smart devices may also find their personal data being passively collected. For instance, a home security camera filming a public space creates this problem. How consumers can claim ownership to personal data in these cases remains an open question.

Finally, even if systems do not directly collect personal data, they may end up with personal data in their hands, as the data collected may eventually be linked to individuals. Similarly, pseudonymized data can be identifiable with time, depending on its construction and persistence [4]. This requires to continuously monitor whether any collected data has become personal data.

Data actions: Which actions are allowed?

GDPR [4] requires that consumers must give consent "by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication" of agreement to process personal data. Consent should cover all processing activities on such personal data, and "silence, pre- ticked boxes or inactivity" cannot constitute consent. Consent should also be as easy to withdraw as to give.

Therefore, IoT systems that handle personal data need to implement consent. Here, authorisation frameworks will provide an answer. Significant steps have already been taken in standardisation, e.g., IETF ACE [7] and Kantara UMA [8], which transform the OAuth2 Web Authorisation Protocol to work in more IoT-like contexts. However, there is no silver bullet solution. This is because several issues arise from the very nature of IoT: applications, networks and devices are heterogeneous, have different capabilities, implementing different technologies and network architectures.

Just answering where to begin with authorisation is challenging. IoT devices present higher risks, as they are resource-constrained and highly connected with each other and the cloud.

Therefore, IETF ACE solutions target the device, but do the devices have enough resources to support such authorisation? Not always. The next best place may be a client authorisation manager, a hub, a gateway or a resource server outside the device. The right answer will depend on device capabilities as much as the control IoT application providers can exert into systems.

A second complexity arises from various communication protocols in use. Current authorisation solutions focus on web style communication (e.g., HTTP in UMA [8], or CoAP in ACE [7]), but other communication models need to be supported. In fact, in developer surveys, MQTT, a publish-subscribe protocol, appears in the top two most used messaging protocols for IoT [9]. A second example emerges from smart lighting solutions which, for instance, dim a group of lights. This requires group (multicast) communication, which is again not well-addressed in existing authorisation frameworks.

In summary, IoT systems may need to deploy more than one authorisation solution to address requirements in different parts of their systems.

Context: How to achieve context-aware privacy?

Privacy is context-dependent and therefore, authorisation should be also. An appropriate access control method that can represent context is Attribute-Based Access Control (ABAC). In ABAC, a subject's request to perform operations on objects is granted or denied based on attributes of the subject and the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.

High-granularity policies are possible, for instance, using eXtensible Access Control Markup Language (XACML), describing exactly who interacts with the data, when, how and to what end. However, an authorisation system that considers all possible interactions in an IoT system, and collects consent for them, is challenging at best and detrimental at worst. Such policies would require input from the consumers, creating a significant burden on consumers and system developers alike. Nevertheless, this should not be seen as a reason to accept a trade-off between usability and privacy [10]. We believe IoT systems need to use privacy dashboards, notices, and recommendation systems in an effective way to guide and nudge their consumers.

Finally, building context-awareness into authorisation systems may have direct consequences on privacy. For instance, if a person was granted access to another's data based on context, e.g., proximity to a location, the fact that the person obtained access is equivalent to knowing the location of the person. Therefore, one person's context-awareness should not come up at the price of another's privacy.

The road ahead

Innovation and regulation drive each other – innovation led to data protection regulation, and now regulation demands innovation to achieve privacy in IoT systems.

However, there are many challenges IoT systems need to overcome to comply with regulation. In this article, we discussed the core challenges based on the privacy risk of an IoT system. IoT systems desperately need privacy solutions that rely on strong security practices and privacy-by- design. We believe that this needs to be complemented with innovations in user interface design and human-computer interaction to reduce the mental load on consumers, and to achieve scalable privacy for IoT.



1. Internet Society, "The Internet of Things: An Overview, Understanding the Issues and Challenges of a More Connected World,",2015

2. B. Gellman, "Fair Information Processing Practices," 2012

3. A. Cavoukian, "Privacy by Design and the Emerging Personal Data Ecosystem," Information and Privacy Commissioner (IPC), Ontario, Canada, 2012

4. European Parliament and Council, "General Data Protection Regulation," Official Journal of the European Union, Brussels, 2016

5. JNIST (National Institute of Standards and Technology), "Privacy Engineering Objectives and Risk Model," Kantara Initiative IoT workshop, 2014

6. OFCOM, "Promoting Investment and Innovation in the Internet of Things," OFCOM, London, 2015

7. IETF, "Authentication and Authorization for Constrained Environments (ACE),"

8. Kantara Initiative, "User Managed Access (UMA),"

9. Eclipse IoT Working Group partnered with AGILE-IoT and IEEE IoT, "IoT Developer Survey,"2016

10. Ctrl-Shift, "A New Paradigm for Personal Data - Five Shifts to Drive Trust and Growth,", 2016



Cigdem SengulCigdem Sengul is a senior researcher at Nominet and works on privacy in the Internet of Things. She has 10 years of experience in wireless and mobile networks both in academic and R&D roles. She has a Master's degree in Computer Science and received her PhD on energy-efficient wireless networks, both from the University of Illinois, Urbana-Champaign. She is a member of the IEEE and the ACM.