Evaluating compliance of the actual behaviour of IoT devices with their Privacy Policy Agreemen
Abstract
In the past few years, Internet of Things (IoT) devices have emerged and spread everywhere. IoT has the potential to make people’s lives more comfortable and more efficient. Many people use smart home devices, and such devices can communicate with
each other without user intervention. To control, configure, and interface with the IoT
device, a companion mobile application comes with each IoT device, which needs to
be installed on the user’s smartphone or tablet.
IoT devices send information in three different ways. The first way is from the IoT
Device to the Cloud (D-C). Through this way, the device can send the user’s data to
the IoT device’s cloud. The second way is from the IoT app to the IoT Device (AD). In this way, the IoT app sends a command(s) to the IoT device to work based
on a specific command. The third way is from the IoT app to the IoT Cloud (AC). Through this way, the device can also send user’s data to the IoT device’s cloud.
Despite the importance of the privacy risk, the majority of IoT users don’t understand
what kind of information is being collected about them or their environment. Privacy
is not only limited to encryption and access authorization, but also related to the kind
of transmitted information, how it’s being used, and with whom it will be shared.
Accordingly, many researchers have been motivated to study the security and privacy
issues of those devices due to the sensitive information they carry about their owners.
Thus The limitation of existing methods are:
1. They only study the security and privacy issues by analyzing the traffic that goes directly from the IoT device to the IoT cloud (i.e. D-C).
2. They never study the privacy violations between the IoT traffic with its PPA, i.e.,
compliance violations.
In contrast, this research aims to study the privacy violations through analyzing the
alternate path, i.e. (A-C). In particular, we consider the compliance issues between the
data sent from the IoT mobile app to the IoT cloud and what the manufacturer of this
IoT device states about the data that they collect about its users. IoT manufacturers
are compelled to issue Privacy Policy Agreements (PPA) for their respective devices as
well as ensure that the actual behavior of such devices complies with the issued PPA.
To evaluate this compliance, we make the following contributions:
The first contribution is investigating issues around IoT privacy in general and the
compliance violations between the IoT devices with their PPA. To do so, we need to
implement two stages. The first stage is to read and study, manually, the PPA of eleven
IoT manufacturers. The results reveal that half of those IoT manufacturers do not have
an adequate privacy policy specifically for their IoT devices. Consequently, we create
eight main criteria, based on the GDPR, that any IoT manufacturer should implement
when designing its PPA. Also, we argue that the IoT manufacturer should apply these
criteria as well as adhere to them when they issue their new IoT products. While the
second stage is to design a testbed to capture the traffic of two IoT devices (i.e., Tp-link
smart plug and Belkin NetCam). Then, we analyze the collected traffic to find out the
type of data transferred from the devices to their manufacturer’s cloud. Finally, we
evaluate the compliance of the actual behavior of the IoT devices (Tp-link smart plug
and Belkin NetCam) with their PPAs as well as with our eight criteria. The results
prove that the data sent from the two IoT devices to their clouds does not comply with
what they stated in their PPA.
The second contribution is a tool that automatically infers the actual behavior (i.e. the
type of the transmitted data) of an IoT device from its encrypted network traffic. In particular, the tool infers three critical things; first of all, the tool reveals from the tra