## **2.2 Legal aspects of privacy in IoT era**

Government organizations are taking significant interest in IoT security, privacy and interoperability from a legal perspective. This aligns with studies that advocated further collaboration and dialogue between regulators and manufacturers of IoT devices to develop appropriate methods to tackle the relevant problems [24]. From a regulatory perspective, some of the most important legislative requirements are HIPAA for healthcare, MA risk for supply chain management, California's Senate Bill 327, the IoT Cybersecurity Improvement Act of 2017 and the General Data Protection Regulation (GDPR).

Data privacy requirements are complex and differ by jurisdiction with regard to the definition of data and the relevant laws and regulations. In Europe, GDPR was introduced on May 25, 2018. GDPR is a new regulation approved by the EU Parliament, Council and European Commission. It aims to safeguard the personal data rights of EU citizens and residents in this era of new technological advancements. As per GDPR, organizations are required to


Depending on the infringement, GDPR non-compliance may incur penalties to organizations of up to 2–4% of global revenue or 20 million Euros [25]. GDPR applies to any company, irrespective of its geographic location, that offers goods and services to European citizens and handles their data, including IoT ecosystem-generated data.

In the USA, California Senate Bill 327 [26] was introduced recently; it gives the State of California the ability to bring enforcement complaints against companies that do not build adequate security safeguards into their Internet-connected IoT devices [27]. It gives the state the right to hold IoT device makers more accountable for consumers' data security. The IoT Cybersecurity Improvement Act of 2017 [28] requires: (i) that IoT devices are patchable, (ii) that devices do not contain known vulnerabilities, (iii) that devices rely on standard protocols, (iv) that devices do not contain hard-coded passwords and (v) technical aspects of privacy in IoT era.

At present, different privacy-enhancing technologies (PETs) exist to protect privacy. Prevention, by means of access restrictions, is an effective way to safeguard customer privacy. In [29], the authors put forward the concept of using an access control list (ACL) and a data classification model to classify data according to its sensitivity and assign a tag value to each category. In [30], the authors presented the idea of using Certification Authority (CA)-based encryption to confirm the authenticity of the sensor. Some authors argue that it adds overheads and hence cannot be used as a viable solution. Instead, they proposed incorporating a chaos-based cryptographic scheme and Message Authentication Codes (MAC) for data transmission. In recent research, authors from the IT service firm Tata Consultancy Services recommended that IoT stakeholders adopt the Preventive Privacy (3P) Framework [31] in order to build trust and confidence among end users.

Privacy by Design (PbD) is another popular approach that enables privacy to be "built in" to the design of information systems and business processes, ensuring that privacy is considered before, and throughout, the development and implementation of all initiatives that involve personal information [32]. Dr. Ann Cavoukian first proposed it in Canada in the 1990s. PbD is one of the highly recommended approaches to address individuals' privacy concerns [31, 33] in IoT. Unfortunately, even though the USA Federal Trade Commission (FTC) and the European Commission accepted PbD to be effective [34], not all manufacturers consider PbD when developing IoT devices and applications.

## **2.3 People aspects of privacy in IoT era**

According to a survey conducted by Cisco in 2017, "human factors" such as organization, culture and leadership contributed to the success of IoT implementations 75% of the time, which was higher than technical aspects [35]. A number of stakeholders are involved in the IoT digital ecosystem, such as end users, product suppliers, Internet service providers, cloud storage functionalities and retailers. As mentioned earlier, a significant aspect of the value of IoT for consumers lies in aggregating data collected from many source systems, generating new knowledge and making fact-based choices. The utilization of data to add value is best explained by the well-known DIKW hierarchy from Ackoff [36]. DIKW is a four-layer hierarchy comprising data, information, knowledge and wisdom, where each layer adds certain characteristics over and above the previous one. **Table 3** shows DIKW in an IoT context.



**Figure 3.**

*Privacy of IoT-Enabled Smart Home Systems DOI: http://dx.doi.org/10.5772/intechopen.84338*

While IoT organizations are aware of the need for adopting PET and incorporating PbD, there is little guidance available on how to do so. Though there are PbD-driven frameworks available [34], no concrete solutions to establish auditing mechanism or control method systems have been developed (**Table 4**). The lifecycle of an IoT service or product is shown in **Figure 2**.

**Figure 3** summarizes what can be done, at the minimal level, by a consumer to safeguard his/her privacy. This provides the basis for the further development of

**Pre-purchase Setup/post purchase Decommission**

• Setting up, configuring and registering to IoT services
• Signing consents authorizing data to be collected and used by IoT service provider
• Update firmware and mobile applications

• Remove authorization of IoT vendor to use your data
• Deregister and destroy data

**Research + solution purchase Use + feedback**

• Products which provide audit mechanism while dealing with PII [20]
• Products which notify user to provide dynamic consent for data use [37]
• Products which stop working properly when consent is not given by user [38]
• Firmware upgrade and patchability of IoT devices [24] are available.
• Products transparent on how disclosed data are used by the developer of the IoT system or application [39]
• Established reputed product with no or negligible data breach history

**3. Consumer-centric approach**

**Awareness omni channels**

• Web • Social • Mobile • In-store • Media • Advertising • Direct Marketing

**Table 4.**

**Figure 2.** *IoT product lifecycle.*

*Consumer's perspective of IoT product lifespan.*

*Mitigation options for consumers (based on [31, 46, 47]).*

**Table 3.** *DIKW in an IoT context.*
