3.3 A Privacy Development Lifecycle
3.3.9 Challenges of Privacy Engineering in IoT
3.3.9.2 Cognitive and Structural Problems
The two foundational principles of privacy centre on the transparency of privacy and on privacy self-management. The first principle, consent, describes acquiring an agreement between a data subject and the processing party on the collection, processing and disclosure of data. The second principle, purpose definition, demands the formulation of the purpose for which the data is collected, processed and disclosed.
In practice, these principles are implemented in the form of privacy policies. Privacy policies are usually a unilateral proposal (from the service provider to the user) on the purpose of data collection, use and disclosure. The data subject is normally a user who wants to access an ICT system and who has to give his consent to that privacy policy. Until now, consent has rarely been demanded explicitly¹¹. When the user starts using the system, he has implicitly given his consent.
Solove has analysed these foundational principles in [Sol12] from the point of view of practicability and has identified several cognitive and structural problems that hinder the proper application of both principles.
Cognitive Problems. Privacy protection is regarded as a compliance requirement. Therefore privacy notifications are often formulated with the intention of complying with those requirements, in contrast to their original purpose of notifying users and informing them about what will happen to their data. In consequence, privacy policies often cover the requirements of privacy regulations in long, barely legible text fragments.
According to Solove, legibility is only one cognitive problem. In general, users are uninformed about why privacy policies exist and what their context is. Uninformed users will access the system without reading privacy policies, and even when forced to, they will skim through them, as the purpose of the policies itself remains unclear.
Legibility becomes a problem when users want to exercise their rights and read the policies, but ultimately give up on understanding the formal, legal statements they contain. Solove states that even when users understand the notifications, they often lack the background knowledge to make an informed choice as to whether to consent to those policies or not.
The reader is reminded of the Schrems vs. Facebook case, where a highly educated law student was able to recognize inconsistencies between the privacy policies and the practices of Facebook. Schrems is a public example of users who can understand the privacy notifications and the implications of the policies. But even if this group of users exists, their decision can be skewed in various ways. For example, a service can claim to be available at a special rate only for a limited time and draw the user into consenting for the sake of economic value. Often, services offer an “all-or-nothing” deal, where rejecting consent leads to the rejection of the whole service¹².
In the Internet of Things, service provision may be highly distributed among many subcontractors in several countries. The cognitive problems described by Solove are aggravated with every additional layer of providers. Providers may be elicited dynamically, thus needing an on-demand notice on use, processing and disclosure.
¹²The reader is reminded of the introductory quote: “Necessity is blind until it becomes conscious.”
IoT systems may also affect non-users, as described in Section 2.2. The notification of non-users, or more specifically their identification and the execution of that notification, is an additional challenge for privacy self-management. Also, the description and evaluation of multi-party consent in privacy policies is a novelty that cannot be represented by static, unilateral privacy policies made by the service provider.
In this thesis, consent has been evaluated through a central management system. A proposal for a consent management system is presented in Section 4.2.2, although the statement in Section 3.2.1.2 still holds: multi-party consent can only be clarified by new regulatory guidelines that consider ownership and possession¹³.
Structural Problems. Solove further shows in [Sol12] that the cognitive challenges can be generalized to show that consent and purpose mechanisms have structural problems as a consequence. These problems are again aggravated for the Internet of Things.
Firstly, consent does not scale well. The cognitive problems described above apply per service provision or ICT system. In the case of IoT, where several services and applications might request a user’s consent for each service, service composition or similar, the user will be faced with one or several possibly very complex privacy policies. Technical solutions could help, such as a consent management assistant that supports the user by automatically rejecting or accepting certain pre-defined purposes based on user-defined policies. Prerequisites are standardised, machine-readable privacy policies that are able to represent several layers of data processing. Some privacy policies have been proposed to be machine readable, see [Cra03], but no format has achieved general consensus; therefore machine-readable policies remain a future challenge.
Secondly, consent mechanisms in the form of privacy notices do not aggregate well. Data collected by one IoT system may be aggregated with data of many other systems to reveal information that was not visible before. The aggregation may also reveal new personal information about subjects that has not been consented to by the respective person. Here, additional privacy principles like intervention, transparency and access can help to inform the subject about the new information that has been retrieved, even if the user has not consented to it. However, it remains to be evaluated how a technical implementation performs when several applications with respective subcontractors are in place.
¹³The reader is reminded of the problem with an example: a subject enters the car of another subject, where the car senses the comfort quality of the passengers by sensing their heart rate, transpiration, etc. If the owner of the car consents to the evaluation but the guest does not, how is the conflict solved?
Finally, the problem of assessing the harm of the disclosure of personal data is the central problem, and it also leads to many of the cognitive problems. Solove underlines that privacy protection is the management of personal data over the long term. The possible effects are perceived to be none if they are not immediately obvious (e.g. the consequence of the disclosure of embarrassing pictures). Users have to decide on privacy individually and far in advance, making the need for transparency more critical.
Next Steps. The cognitive and structural problems show that privacy self-management based on consent is problematic. Solove notes that consent is an undertheorized concept, see [Sol12], and therefore proposes four complementary directions:
Rethinking Consent. Solove formulates a proposal for law enforcement, where consent is not validated in a binary way (e.g., consent has been given or not), but as a concept with many nuances.
Developing Partial Privacy Self-Management. Solove argues that privacy self-management is needed both for users who want to use privacy-related services (such as social networks) and for those who do not. Solove sees a similarity between privacy aspects and safety aspects: users have a wide range of freedom when buying goods that require safety (e.g. cars or food), but those goods are regulated such that micromanagement of risks by users is not needed.
Adjusting Privacy’s Timing and Focus. Consent and purpose-binding are concepts that target the initial relation between users and service providers. But data may reveal more information about a user at a future point of the service provision, where data analysis or aggregation takes place. Solove calls this the timing of privacy protection. He proposes that consent should not be asked for once and be valid in advance, but that it should be required when the new data becomes visible.
Moving Toward Substance over Neutrality. Solove underlines that consent can be used to “[waive] many constitutional rights”. Consent can equally be used to accept many forms of risk. Solove proposes to use a form of codification similar to the Uniform Commercial Code (UCC) to rate risk more precisely and to base consent on it. The UCC categorizes different responsibilities and risks in sales and commercial transactions, see [Hil76].
The proposals by Solove can be directly transferred to privacy engineering in IoT. The application of consent has been targeted by privacy enhancing technologies in the form of policies, where privacy policies and privacy agents try to capture the nuances of consent in languages like the Extensible Access Control Markup Language (XACML). A proposal for the architectural integration of privacy policies in IoT is presented in Section 4.2.4. The problem with XACML and similar policy definition languages is that the languages are complex and heterogeneous, and thus often fail to find their way into practice. A legislative definition of fine-grained consent could help as a foundation for further refinement and a common understanding of privacy policies.
Privacy agents target partial self-management. Agents act in the name of the user and constantly monitor the privacy requests and data flows of the user. The agent’s decisions are based on the user’s policies, and the agent requests action from the user only when the policies are unclear; a technical proposal is given in the “activator/deactivator of data collection”, see [RER15]. Evidently, agents act according to the user’s decisions. If the user is unaware of certain risks, the agents will not prevent him from misassessing the risk. Technical and legal solutions to partial privacy self-management are therefore complementary, and neither can advance without the other.
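The consent management assistant described under the structural problems above and the privacy agent described here can be illustrated with a small Python model: the assistant walks a machine-readable policy that declares purposes per provider layer (service provider and its subcontractors), applies the user's pre-defined accept/reject purposes, and hands any purpose the user policy does not cover back to the user instead of guessing. This is an added example, not code from the thesis or the Rerum project; the provider names, purpose strings, data categories and the accept/reject/ask decision rule are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ProcessingLayer:
    """One provider in a (possibly nested) chain of data processors."""
    provider: str
    purposes: dict                 # purpose -> data categories it covers
    subcontractors: list = field(default_factory=list)

@dataclass
class UserPolicy:
    """Pre-defined purposes the user always accepts or always rejects."""
    accept: set
    reject: set

def evaluate_layers(layer, user_policy, chain=()):
    """Decide every purpose on every layer; returns (chain, purpose, decision)
    triples, with 'ask' for purposes the user policy does not mention."""
    chain = chain + (layer.provider,)
    results = []
    for purpose in layer.purposes:
        if purpose in user_policy.reject:
            decision = "reject"
        elif purpose in user_policy.accept:
            decision = "accept"
        else:
            decision = "ask"
        results.append((chain, purpose, decision))
    for sub in layer.subcontractors:          # recurse into each subcontractor
        results.extend(evaluate_layers(sub, user_policy, chain))
    return results

def overall_decision(results):
    """One rejected purpose anywhere in the chain rejects the whole policy;
    any open question is escalated to the user; otherwise accept."""
    decisions = {d for _, _, d in results}
    if "reject" in decisions:
        return "reject"
    return "ask" if "ask" in decisions else "accept"

# Constructed sample (hypothetical names): a car manufacturer's comfort-quality
# service that forwards sensor data to an analytics subcontractor.
SAMPLE_POLICY = ProcessingLayer(
    "car-manufacturer.example",
    {"comfort quality evaluation": ["heart rate", "transpiration"],
     "service improvement": ["trip statistics"]},
    [ProcessingLayer("analytics-sub.example",
                     {"marketing profiling": ["heart rate", "trip statistics"]})])
SAMPLE_USER = UserPolicy(accept={"comfort quality evaluation"},
                         reject={"marketing profiling"})
```

With the sample inputs the subcontractor's "marketing profiling" purpose rejects the whole policy even though the top-level purpose is accepted, and "service improvement" surfaces as a question for the user because no pre-defined rule covers it.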
Timing of privacy has direct relevance to IoT. Data aggregation by a service provider is a focus topic of IoT. Consequently, the renewal of consent at the time of a privacy-related revelation of information is a duty of the service provider and can be introduced and motivated by law and compliance.
Solove does not go into technical details, but as formulated above, for most regulatory foundations respective technical representations are needed. As mentioned in Section 2.19, IoT has several constraints under which traditional privacy enhancing technologies cannot be used. In turn, that means that even with new regulation, privacy could not be engineered into systems because the required technology is not present.
In this thesis, several technologies have been evaluated as a proof of concept to enable privacy enhancing technologies in IoT. The constraints have been introduced in Section 2.6.1; the technologies are based on the use cases of Rerum, see [RER14a], and are detailed in Chapter 4.
Chapter 4
Privacy Enhancing Technologies for the Internet of Things
Chapter 3 first mentioned the need for privacy enhancing technologies in the General Data Protection Regulation and in the proposed privacy development lifecycle, see Section 3.3.
This Chapter introduces several technologies based on the requirements of the Rerum use cases¹.
The technologies are categorized according to the proposal of Gürses et al., see [Gür14], namely privacy technologies for control, practice and confidentiality. The technologies serve as a proof of concept. Their elicitation, development and evaluation aimed at the implementation of the Rerum trial use cases and follow the same constraints as described in Section 2.6.1. The Rerum use cases can be found in [RER14a]; they comprise UC-O1 Smart Transportation, UC-O2 Environmental Monitoring, UC-I1 Home Energy Management and UC-I2 Comfort Quality Management. Their economic background is described in Section 2.1.
¹Note: the content of this Chapter has been previously published in [SWC+15]. Some of these technologies have become intellectual property of Siemens AG; an additional note will be given in the respective Section.
4.1 Categorization of Privacy Enhancing Technologies
The technologies presented in this thesis are categorized according to Gürses’ work in [Gür14] and according to the “hard” and “soft” privacy control definition of [SWC+15].
Gürses describes the three categories of privacy research as follows:
Privacy as Confidentiality. Gürses characterizes privacy as confidentiality with three principles: data minimization, avoidance of a single point of failure and openness to scrutiny. Data minimization enhances privacy by minimizing the information acquired. Avoidance of a single point of failure means an architectural decision to avoid any single point of data acquisition within an ICT system. Openness to scrutiny denotes the openness of the design of PETs to the public eye in order to increase the maturation of and the trust in the respective technology. A widely known technology in this regard is the TOR network, see [MBG+08].
Privacy as Control. This type of privacy research supports methods to inform users about the purpose for which they are consenting to personal data collection, which data exactly is collected and the period for which the data is stored. Related technologies are access control mechanisms, policies and dashboards.
Privacy as Practice. This research category analyses the mediation between transparency and feedback mechanisms in IT systems and the privacy-related decisions of users. The central assumption is that the higher the privacy awareness of a user and the more feedback a system gives to a user, the better the user’s decisions concerning his privacy. One example comes from online social networks, where a user might or might not post an image if he realizes that it will be publicly visible.
Hard and soft privacy controls are categorized as follows:
Hard privacy controls. Hard privacy mechanisms enforce privacy as confidentiality and privacy as control with technical means. The mechanisms are verifiable and are often under the control of the data subject (e.g. the user). Such mechanisms can provide data minimization (e.g. reduce the granularity of data), anonymization (hide a user’s identity) and unlinkability (several actions of one user are not linkable by a third party), among other concepts.
Soft privacy controls. In Gürses’ description of privacy as confidentiality, the second principle detailed the avoidance of a single point of failure, i.e., the avoidance of a single point of data storage and of the “trust” that this point reliably protects that data. If this principle cannot be achieved due to some constraint (e.g. scenario specific), controls are applied that are called soft privacy controls. That means that the controls cannot be verified or enforced; they are merely a supporting mechanism for the data controller. One example is sticky policies, which travel with the data of a user and state under which circumstances the data is allowed to be processed. In this case, the policies cannot be technically enforced; the data controller is assumed to be trusted to follow the policies.