On the Design of a Privacy-Centered Data Lifecycle for Smart Living Spaces

  • Joseph BugejaEmail author
  • Andreas JacobssonEmail author
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 576)


Many living spaces, such as homes, are becoming smarter and connected by using Internet of Things (IoT) technologies. Such systems should ideally be privacy-centered by design given the sensitive and personal data they commonly deal with. Nonetheless, few systematic methodologies exist that deal with privacy threats affecting IoT-based systems. In this paper, we capture the generic function of an IoT system to model privacy so that threats affecting such contexts can be identified and categorized at system design stage. In effect, we integrate an extension to so called Data Flow Diagrams (DFD) in the model, which provides the means to handle the privacy-specific threats in IoT systems. To demonstrate the usefulness of the model, we apply it to the design of a realistic use-case involving Facebook Portal. We use that as a means to elicit the privacy threats and mitigations that can be adopted therein. Overall, we believe that the proposed extension and categorization of privacy threats provide a useful addition to IoT practitioners and researchers in support for the adoption of sound privacy-centered principles in the early stages of the smart living design process.


IoT Data lifecycle Data Flow Diagrams Data privacy Privacy threats Smart connected home Smart living space Facebook Portal 



This work has been carried out within the research profile “Internet of Things and People,” funded by the Knowledge Foundation and Malmö University in collaboration with 10 industrial partners.


  1. 1.
    Alshammari, M., Simpson, A.: Privacy architectural strategies: an approach for achieving various levels of privacy protection. In: Proceedings of the 2018 Workshop on Privacy in the Electronic Society, pp. 143–154. ACM (2018)Google Scholar
  2. 2.
    Altman, I.: The environment and social behavior: privacy, personal space, territory, and crowding (1975)Google Scholar
  3. 3.
    Antignac, T., Scandariato, R., Schneider, G.: A privacy-aware conceptual model for handling personal data. In: Margaria, T., Steffen, B. (eds.) ISoLA 2016. LNCS, vol. 9952, pp. 942–957. Springer, Cham (2016). Scholar
  4. 4.
    Antón, A.I., Earp, J.B.: A requirements taxonomy for reducing web site privacy vulnerabilities. Requirements Eng. 9(3), 169–185 (2004)CrossRefGoogle Scholar
  5. 5.
    Bettini, C., Riboni, D.: Privacy protection in pervasive systems: state of the art and technical challenges. Pervasive Mob. Comput. 17(PB), 159–174 (2015)CrossRefGoogle Scholar
  6. 6.
    Bugeja, J., Jacobsson, A., Davidsson, P.: An empirical analysis of smart connected home data. In: Georgakopoulos, D., Zhang, L.-J. (eds.) ICIOT 2018. LNCS, vol. 10972, pp. 134–149. Springer, Cham (2018). Scholar
  7. 7.
    California Senate Judiciary Committee et al.: California consumer privacy act: Ab 375 legislative history (2018)Google Scholar
  8. 8.
    Cavoukian, A.: Privacy by design. Technical report (2009).
  9. 9.
    Cavoukian, A.: Privacy by design in law, policy and practice. A white paper for regulators, decision-makers and policy-makers (2011)Google Scholar
  10. 10.
    Chen, Y.T., Huang, C.C.: Determining information security threats for an iot-based energy internet by adopting software engineering and risk management approaches. Inventions 4(3), 53 (2019)MathSciNetCrossRefGoogle Scholar
  11. 11.
    D’Acquisto, G., Domingo-Ferrer, J., Kikiras, P., Torra, V., de Montjoye, Y.A., Bourka, A.: Privacy by design in big data: an overview of privacy enhancing technologies in the era of big data analytics. arXiv preprint arXiv:1512.06000 (2015)
  12. 12.
    Danezis, G., et al.: Privacy and data protection by design-from policy to engineering. arXiv preprint arXiv:1501.03726 (2015)
  13. 13.
    Miorandi, D., Sicari, S., De Pellegrini, F., Chlamtac, I.: Internet of things: vision, application areas and research challenges. Ad Hoc Netw. 10, 1497–1516 (2012)CrossRefGoogle Scholar
  14. 14.
    Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requirements Eng. 16, 3–32 (2011)CrossRefGoogle Scholar
  15. 15.
    Dwork, C., Roth, A.: The algorithmic foundations of differential privacy. Foundations Trends® Theor. Comput. Sci. 9(3–4), 211–407 (2014)MathSciNetCrossRefGoogle Scholar
  16. 16.
    European Commission: Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation) (2017).
  17. 17.
    European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. Technical report (2016).
  18. 18.
    Friedewald, M., Wright, D., Gutwirth, S., Mordini, E.: Privacy, data protection and emerging sciences and technologies: towards a common framework. Innov. Eur. J. Soc. Sci. Res. 23(1), 61–67 (2010)CrossRefGoogle Scholar
  19. 19.
    Hoepman, J.-H.: Privacy design strategies. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IAICT, vol. 428, pp. 446–459. Springer, Heidelberg (2014). Scholar
  20. 20.
    Hu, F., Jeyanthi, N.: Internet of Things (IoT) as Interconnection of Threats (IoT). In: Security and Privacy in Internet of Things (IoTs) (2016)Google Scholar
  21. 21.
    ISO: ISO 29100 Privacy Framework 2011, 1–21 (2011)Google Scholar
  22. 22.
    Jacobsson, A., Boldt, M., Carlsson, B.: A risk analysis of a smart home automation system. Future Gener. Comput. Syst. 56, 719–733 (2016)CrossRefGoogle Scholar
  23. 23.
    Langheinrich, M.: Privacy by design—principles of privacy-aware ubiquitous systems. In: Abowd, G.D., Brumitt, B., Shafer, S. (eds.) UbiComp 2001. LNCS, vol. 2201, pp. 273–291. Springer, Heidelberg (2001). Scholar
  24. 24.
    Li, C., Palanisamy, B.: Privacy in internet of things: from principles to technologies. IEEE Internet of Things J. 6, 1–18 (2018)Google Scholar
  25. 25.
    Luna, J., Suri, N., Krontiris, I.: Privacy-by-design based on quantitative threat modeling. In: 2012 7th International Conference on Risks and Security of Internet and Systems (CRiSIS), pp. 1–8. IEEE (2012)Google Scholar
  26. 26.
    Perera, C., Mccormick, C., Bandara, A.K., Price, B.A., Nuseibeh, B.: Privacy-by-design framework for assessing internet of things applications and platforms (2016)Google Scholar
  27. 27.
    Solove, D.J.: A taxonomy of privacy. U. Pa. L. Rev. 154, 477 (2005)CrossRefGoogle Scholar
  28. 28.
    Spiekermann, S., Cranor, L.: Privacy engineering. IEEE Trans. Softw. Eng. 35(1), 67–82 (2009)CrossRefGoogle Scholar
  29. 29.
    Tao, Y., Kung, C.: Formal definition and verification of data flow diagrams. J. Syst. Softw. 16(1), 29–36 (1991)CrossRefGoogle Scholar
  30. 30.
    Warren, S.D., Brandeis, L.D.: The Right to Privacy. Wadsworth Publishing Company, Belmont (1985)Google Scholar
  31. 31.
    Westin, A.F.: Privacy and freedom. Wash. Lee Law Rev. 25(1), 166 (1968)Google Scholar
  32. 32.
    Yu, S.: Big privacy: challenges and opportunities of privacy study in the age of big data. IEEE Access 4, 2751–2763 (2016)CrossRefGoogle Scholar
  33. 33.
    Zhou, B., et al.: The carpet knows: identifying people in a smart environment from a single step. In: 2017 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops), pp. 527–532. IEEE (2017)Google Scholar
  34. 34.
    Ziegeldorf, J.H., Morchon, O.G., Wehrle, K.: Privacy in the internet of things: threats and challenges. Secur. Commun. Netw. 7(12), 2728–2742 (2013)CrossRefGoogle Scholar
  35. 35.
    Zwingelberg, H., Hansen, M.: Privacy protection goals and their implications for eID systems. In: Camenisch, J., Crispo, B., Fischer-Hübner, S., Leenes, R., Russello, G. (eds.) Privacy and Identity 2011. IAICT, vol. 375, pp. 245–260. Springer, Heidelberg (2012). Scholar

Copyright information

© IFIP International Federation for Information Processing 2020

Authors and Affiliations

  1. 1.Internet of Things and People Research Center, Department of Computer Science and Media TechnologyMalmö UniversityMalmöSweden

Personalised recommendations