**2. Review of privacy literature with specific IoT focus**

Privacy is defined by Clarke as the attention that individuals have in sustaining a personal space, free from interference by other people and organizations [17]. An intrinsic part of privacy issue is the exposure of sensitive data such as Personal Identifiable Information (PII) to non-intended recipients. Personal Identifiable Information (PII) comprises of details such as title, first name, last name, date of birth, address, and phone number, constituting some of the sensitive personal information (SPI). In addition, financial and health details and the geophysical location of an IoT user are also considered as sensitive information.

Internet of Things devices may collect data including sensitive data and store the data for further use for commercial purposes. It comprises of several stakeholders such as customer whose PII is collected; manufacturers who develop the sensors and other networking components and third parties who create IoT mobile apps or use the data for commercial advantage. According to McKinsey global report from 2015 [18], consumers are cautious about embracing IoT-based systems, particularly due to lack of privacy and the data at risk. OECD reported [19] that privacy incidents are growing in both number and sophistication. Similar concerns are expressed by several academic articles which suggest lack of privacy including unauthorized surveillance or eavesdropping [20] as a major concern for individuals.

Some researchers or practitioners confuse privacy with security. While security deals with the management of controlling who can access information, privacy is predominantly focused on granular control of what data can be collected, who can access what, when they can access specific data, and how long the data should be retained.

Protecting user's privacy comprises of technical, human and legal aspects. Other relevant aspects can also be considered.

#### **2.1 Potential scenarios of privacy violation in smart home**

Smart home segment comprises of connected appliances like TV set, thermostat, refrigerator, oven, home security, self-guided vacuum cleaners, cleaning and maintenance devices. Additionally, cameras, motion sensors and light sensors also collect data. Most of these data contain private and/or sensitive information such as locations, addresses, pictures and network access information. The data can be accessible to device manufacturer, mobile application owner, third-party vendors or public depending on use cases. There are several scenarios involving data collection such as:


There are very few contributions that address privacy in the context of smart home [22]. While several studies conducted surveys and interviews with IoT end user consumers to investigate the factors affecting privacy including data processing and information risk [23], none proposed a feasible solution to fix them.

**13**

generated data.

*Privacy of IoT-Enabled Smart Home Systems DOI: http://dx.doi.org/10.5772/intechopen.84338*

**2.2 Legal aspects of privacy in IoT era**

*Key data exchanges in smart home.*

**Figure 1.**

Protection Regulation (GDPR).

GDPR, organizations are required to

forgotten by customer.

• Maintain records of processing activities.

Government organizations are taking significant interest in IoT security, privacy and interoperability from legal aspects. This is in alignment with the studies which advocated further collaboration and dialogs between the regulators and manufacturers of IoT devices to develop appropriate methods to tackle the relevant problems [24]. From regulatory perspective, some of the most important legislative requirements are HIPAA for healthcare, MA risk for supply chain management, California's Senate Bill 327, IoT Cybersecurity Improvement Act of 2017 and General Data

Data privacy requirements are complex and differ by jurisdictions in regard to the definition of data and the relevant laws/regulations. In Europe, GDPR was introduced on May 25, 2018. GDPR is a new regulation approved by EU parliament, Council and European Commission. It aims to safeguard the personal data rights of EU citizens and residents in this era of new technological advancements. As per

• Get explicit and affirmative consent before processing personal data. This includes

• Notify within 72 hours to the regulator and individual about any data breaches.

• Facilitate customers and employees' right to the removal of data from their system.

• Give the right of portability, and increased right of access and right to be

GDPR non-compliance instances may incur penalties up to 2–4% of global revenue or 20 million Euros [25] to organizations based on the infringement. GDPR applies to any company, irrespective of their geographic location, that offers goods and services to European citizens and handles their data including IoT ecosystem-

In USA, California Senate Bill 327 [26] was introduced recently which allows the State of California ability to bring enforcement complaints against those companies that do not build adequate security safeguards into their Internet-connected IoT

financial, economic and health data and online information.

*Internet of Things (IoT) for Automated and Smart Applications*

**2. Review of privacy literature with specific IoT focus**

location of an IoT user are also considered as sensitive information.

surveillance or eavesdropping [20] as a major concern for individuals.

**2.1 Potential scenarios of privacy violation in smart home**

as Abilify MyCite, and Bluetooth-enabled oximeter [18].

geophysical data) to third party without explicit consent [21].

• Search query of user shows his preference traits (**Figure 1**).

relevant aspects can also be considered.

camera and GPS tracker.

• Monitoring of actions of customers.

Privacy is defined by Clarke as the attention that individuals have in sustaining a personal space, free from interference by other people and organizations [17]. An intrinsic part of privacy issue is the exposure of sensitive data such as Personal Identifiable Information (PII) to non-intended recipients. Personal Identifiable Information (PII) comprises of details such as title, first name, last name, date of birth, address, and phone number, constituting some of the sensitive personal information (SPI). In addition, financial and health details and the geophysical

Internet of Things devices may collect data including sensitive data and store the data for further use for commercial purposes. It comprises of several stakeholders such as customer whose PII is collected; manufacturers who develop the sensors and other networking components and third parties who create IoT mobile apps or use the data for commercial advantage. According to McKinsey global report from 2015 [18], consumers are cautious about embracing IoT-based systems, particularly due to lack of privacy and the data at risk. OECD reported [19] that privacy incidents are growing in both number and sophistication. Similar concerns are expressed by several academic articles which suggest lack of privacy including unauthorized

Some researchers or practitioners confuse privacy with security. While security deals with the management of controlling who can access information, privacy is predominantly focused on granular control of what data can be collected, who can access what, when they can access specific data, and how long the data should be retained. Protecting user's privacy comprises of technical, human and legal aspects. Other

Smart home segment comprises of connected appliances like TV set, thermostat, refrigerator, oven, home security, self-guided vacuum cleaners, cleaning and maintenance devices. Additionally, cameras, motion sensors and light sensors also collect data. Most of these data contain private and/or sensitive information such as locations, addresses, pictures and network access information. The data can be accessible to device manufacturer, mobile application owner, third-party vendors or public depending on use cases. There are several scenarios involving data collection such as:

• Movement of individuals (unauthorized surveillance) using motion sensors,

• Sharing of health data publicly from wearable devices or implantable devices such

• Sharing of data (e.g., financial, health, PII, Payment Card Information and

There are very few contributions that address privacy in the context of smart home [22]. While several studies conducted surveys and interviews with IoT end user consumers to investigate the factors affecting privacy including data processing and information risk [23], none proposed a feasible solution to fix them.

**12**

**Figure 1.** *Key data exchanges in smart home.*
