
Elicitation of Privacy Requirements for the Internet of Things Using ACCESSORS

Conference paper. Information Systems Security and Privacy (ICISSP 2018)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 977)

Abstract

Novel smart devices are equipped with various sensors to capture context data. The Internet of Things (IoT) connects these devices with each other in order to bring together data from various domains, and new application areas for the IoT emerge continuously. For instance, the quality of life and living can be significantly improved by installing connected and remote-controlled devices in Smart Homes. Likewise, the treatment of chronic diseases can be made more convenient for both patients and physicians by using Smart Health technologies.

For this, however, a large amount of data has to be collected, shared, and combined. This gathered data provides detailed insights into the user of the devices. Therefore, privacy is a key issue for such IoT applications. As current privacy systems for mobile devices focus on a single device only, they cannot be applied to a distributed and highly interconnected environment such as the IoT. We therefore determine the special requirements for a permission model for the IoT. Based on this requirements specification, we introduce ACCESSORS, a data-centric permission model for the IoT, and describe how to apply such a model to two promising privacy systems for the IoT, namely the Privacy Management Platform (PMP) and PATRON.


Notes

  1. We use the term “Thing” for any device equipped with sensors and Internet access.

  2. A refined version of RTAndroid called emteria.OS is available at https://emteria.com.

  3. A data processing unit is either a data producer or a data consumer (see Paragraph Data Abstraction).

  4. If the access permission is denied, the particular code fragment is skipped in the app.

  5. See http://patronresearch.de.


Acknowledgments

This paper is part of the PATRON research project which is commissioned by the Baden-Württemberg Stiftung gGmbH. The authors would like to thank the BW-Stiftung for the funding of this research.

Author information

Corresponding author: Christoph Stach.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Stach, C., Mitschang, B. (2019). Elicitation of Privacy Requirements for the Internet of Things Using ACCESSORS. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2018. Communications in Computer and Information Science, vol 977. Springer, Cham. https://doi.org/10.1007/978-3-030-25109-3_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-25109-3_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-25108-6

  • Online ISBN: 978-3-030-25109-3

  • eBook Packages: Computer Science (R0)
