Framing the Privacy Challenge for IoT Blockchains

Legal principles and regulations are generally concerned with the technology-independent classification of events. Privacy principles have been proposed as a step beyond legal classifications of privacy violations, but these still remain difficult for many IoT blockchain developers to apply. Privacy Impact Assessments (PIAs) have also been proposed to expose privacy issues, but these have not been widely adopted.

Privacy Principles and Frameworks for IoT Blockchains

Principles have been proposed as implementation and operation guidance on privacy. The OECD guidelines [OECD 1980], are perhaps the most widely known privacy principles. These eight principles, intended for nations to apply to trans-border data flows, are: (1) collection limitation principle, (2) data quality principle, (3) purpose specification principle, (4) use limitation principle, (5) security safeguards principle, (6) openness principle, (7) individual participation principle, and (8) accountability principle. More recently the GDPR has endorsed Privacy by Design (PbD). PbD [Cavoukian 2010] builds on seven foundational principles: (1) proactive not reactive; (2) privacy as the default; (3) privacy embedded in the design; (4) full functionality- positive-sum, not zero-sum; (5) end-to-end life cycle protection; (6) visibility and transparency; (7) respect for user privacy. While OECD principles apply in the context of nations managing data flows, PbD principles are intended in the context of IT systems; as such these two sets of principles are complementary.

While the privacy principles are helpful in moving beyond classifying privacy violations they are not necessarily easily applicable to specific architectural contexts (e.g. IoT blockchains), or software development methodologies [Omoronyia 2019], [Perera 2019], and further refinement may be required for practical adoption. Principles present too abstract a framework to inform design; and are often applied after many critical design decisions have been made in defining the business opportunity. [Edwards 2016]. Both the OECD principles and the Policy by design principles provide a step forward from Solove’s privacy threat taxonomy to provide guidance to the developers and operators of information systems. There is no simple mapping between the privacy threat taxonomy and the privacy policies to validate their completeness. The privacy threat taxonomy provides a static view, classifying events after they have happened, while the policies are intended to be more proactive and preventative, applying to ongoing operations and data flows.

There is a lack of comprehensive, widely adopted frameworks to address privacy issues for IoT applications [Thorburn 2019] (for example, [Panagiotou 2018] only considers some cryptography aspects, [Cha 2018] focused only on informed consent). For privacy engineering, the availability and usage of standards, analysis methodologies, and software tools are relatively weaker than for safety and security, reflecting the fact that privacy engineering is an emerging concern for practitioners [Shan 2019]. If detailed technical standards existed, they could provide a framework for IoT Blockchain developers to work from. [ISO 2009] defines information security in terms of preservation of confidentiality, integrity, and availability of information, but notes that other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved, but other principles like privacy and non-repudiation don’t fit cleanly into this famous triad. [ISO 2011] added a privacy framework, [ISO 2014] added a code of practice for handling Personally Identifiable Information, [ISO 2017] added guidelines for privacy impact assessments and [ISO 2019] provided guidelines and requirements for privacy information management. While providing some guidance, these ISO standards are neither complete nor customized for an IoT blockchain architectural context.  There are a number of more specific IoT standards [Miloslavskaya 2019], but they do not address privacy in detail. [NIST 2019] starts to separate IoT privacy concerns from other security concerns; but, does not provide detailed guidance. Blockchain standards, today, seem to be evolving in open source (see e.g., Ethereum RFCs) at the level of APIs, but do not provide a larger view of the privacy impacts. ISO TC/307 is still developing formal specifications on blockchain technologies. While more comprehensive standards may exist in the future, the standards available at present do not provide a comprehensive framework for privacy in IoT blockchains.

IoT Blockchain is by its nature a distributed architecture; this implies that privacy threats can attack multiple points (in motion and at rest) within the architecture.  Understanding the data flows, becomes a prerequisite to analyzing privacy across the IoT blockchain architecture. Recall the OECD principles were developed in the context of data flows between nations; data flows in IoT blockchains, however, are not technically restricted by national borders. Data flows for business processes are often modelled to capture stakeholder collaboration in business processes supported by technology/ automation. [Pullonen 2019] proposed Privacy Enhanced Business Process Modelling Notation (PE-BPMN) to capture the use of PETs along the flow of private information. Such notations may be helpful in discussing the end-end privacy management processes of IoT blockchain architectures.

Identifying privacy Impacts

When analyzing IoT privacy requirements, it can be challenging to identify what information should be protected, when it should be protected, and to whom access should be granted.

IoT consists of diverse technologies and the integration of these technologies can lead to unknown risks. Not all the data collected by IoT architectures is necessarily implicated by privacy concerns; data related to legal entities (e.g. data about people and their possessions), however, may be implicated. For example, IoT sensor data from personal fitness devices, or personal vehicles may be used to infer a person’s location which they may wish to keep private. [Ni 2017] identifies four categories of privacy relevant IoT data: (1) identity, (2) usage, (3) location, and (4) other miscellaneous data (e.g., user preferences, sensor data). It is not only the data collected by IoT architectures that may be problematic for privacy; privacy threats may arise from the linkages [Madaan 2018] between IoT data streams (ie. the information processing aggregation privacy threats in Solove’s taxonomy).

PIAs have been proposed for information systems generally (see e.g., [ISO 2017]. If required, these are typically developed manually at an early[1] stage of the project to scope and shape the development of the solution architecture. Conducting a PIA remains a complicated and bewildering task, mainly due to the lack of detailed, practical guidance on how to carry out such an assessment. The available guidance is mainly at the level of legal, policy, or academic proposals [Vemou 2018] rather than targeted for software developers of other technologists designing and implementing IoT blockchain systems. Even for the ISO standard in PIAs, there are proposals (e.g., [Vemou 2019] for extensions to make the PIA process more tractable for practitioners, but these are still not specialized for the IoT Blockchain context. There are not many published examples of PIAs for IoT architectures in the literature. The EU at one stage had required the development of PIAs for RFID applications [EU 2011]. [Pribadi 2017] provides an example PIA for a smart health care services IoT.  

Developers of IoT blockchains need more detailed guidance on how to apply privacy principles in their context. Privacy frameworks and standards are emerging, but still incomplete. PIAs are not guidance for IoT blockchain developers, rather these are created by the IoT blockchain developers for external audiences to understand the scope of privacy threats, and the mitigations supported within their architectures. While not trivial to implement, PIAs may be actionable by IoT blockchain developers to provide more insight for regulators, and the operators and users of services built on IoT blockchains, about potential exposures to privacy threats.

If you are looking for a book that provides a detailed overview of the legal implications of blockchain technology and smart contracts, then “Blockchains, Smart Contracts, and the Law” is the perfect choice for you. This book is written clearly and concisely, making it easy to understand even for those who are new to the topic.

References

[Cavoukian 2010] A.Cavoukian, “Privacy by design: the definitive workshop. A foreword by Ann Cavoukian, Ph. D.” Identity in the Information Society 3.2 (2010): 247-251.

[Cha 2018] S.Cha, et al. “A user-friendly privacy framework for users to achieve consents with nearby BLE devices.” IEEE Access 6 (2018): 20779-20787.

[EU 2011] European Commission, Privacy and Data Protection Impact Assessment Framework for RFID Applications, 12 January 2011

[Edwards 2016] L. Edwards, et. al., “From privacy impact assessment to social impact assessment.” 2016 IEEE Security and Privacy Workshops (SPW). IEEE, 2016.

[ISO 2009] ISO, “Information technology — Security techniques — Information security management systems — Overview and vocabulary” ISO/IEC 27000:2009

[ISO 2011] ISO, “Information technology — Security techniques — Privacy framework” ISO/IEC 29100:2011

[ISO 2014] ISO, “Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”, ISO/IEC 27018:2014

[ISO 2017] ISO, “Information technology — Security techniques — Guidelines for privacy impact assessment” ISO/IEC 29134:2017

[ISO 2019] ISO, “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines” ISO/IEC 27701:2019

[Madaan 2018] N. Madaan, et.al., “Data integration in IoT ecosystem: Information linkage as a privacy threat.” Computer law & security review 34.1 (2018): 125-133.

[Miloslavskaya 2019] N. Miloslavskaya, et al. “Standardization Issues for the Internet of Things.” World Conference on Information Systems and Technologies. Springer, Cham, 2019.

[Ni 2017] Ni, Jianbing, et al. “Securing fog computing for internet of things applications: Challenges and solutions.” IEEE Communications Surveys & Tutorials 20.1 (2017): 601-628.

[NIST 2019] NIST, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks” NISTIR 8228, June 2019.

[OECD 1980] OECD, “Guidelines governing the protection of privacy and transborder flows of personal data” Annex to the recommendation of the council 23rd Sept.1980

[Omoronyia 2019] I.Omoronyia, “Why is Baking Privacy into Software Design Hard?.” ITNOW 61.3 (2019): 44-45.

[Panagiotou 2018] P. Panagiotou, et. al.., “Design and Implementation of a Privacy Framework for the Internet of Things (IoT).” 2018 21st Euromicro Conf. on Digital System Design (DSD). IEEE, 2018.

[Perera 2019] C.Perera, et al. “Designing privacy-aware internet of things applications.” Information Sciences (2019).

[Pribadi 2017] I. Pribadi, et. al., “Regulatory recommendations for IoT smart-health care services by using privacy impact assessment (PIA).” 2017 15th Int’l Conf. on Quality in Research (QiR): International Symposium on Electrical and Computer Engineering. IEEE, 2017

[Pullonen 2019] P. Pullonen, et. al., “Privacy-enhanced BPMN: enabling data privacy analysis in business processes models.” Software & Systems Modeling (2019): 1-30.

[Shan 2019] Shan, Lijun, et al. “A Survey on the Applicability of Safety, Security and Privacy Standards in Developing Dependable Systems.” International Conference on Computer Safety, Reliability, and Security. Springer, Cham, 2019.

[Thorburn 2019] R. Thorburn, et. al., “Towards an integrated privacy protection framework for IoT: contextualising regulatory requirements with industry best practices.” (2019)

[Vemou 2018] K. Vemou, et. al., “An Evaluation Framework for Privacy Impact Assessment Methods.” (2018).

[Vemou 2019] K. Vemou, et.al., “Evaluating privacy impact assessment methods: guidelines and best practice.” Information & Computer Security (2019).

[1] See e.g., https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-undertaking-privacy-impact-assessments/

Posted on
Categories: Business, Technical
Disclosure of Material Connection: Some of the links in the post above are “affiliate links.” This means if you click on the link and purchase the item, I will receive an affiliate commission. Regardless, I only recommend products or services I use personally orbelieve will add value to my readers. I am disclosing this in accordance with the Federal Trade Commission’s 16 CFR, Part 255: “Guides Concerning the Use of Endorsements and Testimonials in Advertising.” The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser; drstevenawright.com does not recommend or endorse the contents of the third-party sites. Readers of this website should contact their attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, or Dr. Steven A. Wright. All liability with respect to actions taken or not taken based on the contents of this site are hereby expressly disclaimed. The content on this posting is provided "as is;" no representations are made that the content is error-free. This website is owned and operated by Macadamia Solutions LLC.