Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 

Evaluating compliance of the actual behaviour of IoT devices with their privacy policy agreement

Subahi, Alanoud 2020. Evaluating compliance of the actual behaviour of IoT devices with their privacy policy agreement. PhD Thesis, Cardiff University.
Item availability restricted.

PDF (PhD Thesis) - Accepted Post-Print Version
PDF (Cardiff University Electronic Publication Form) - Supplemental Material
Restricted to Repository staff only



In the past few years, Internet of Things (IoT) devices have emerged and spread everywhere. IoT has the potential to make people’s lives more comfortable and more efficient. Many people use smart home devices, and such devices can communicate with each other without user intervention. To control, configure, and interface with an IoT device, a companion mobile application comes with each device and needs to be installed on the user’s smartphone or tablet.

IoT devices send information in three different ways. The first way is from the IoT Device to the Cloud (D-C). Through this way, the device can send the user’s data to the IoT device’s cloud. The second way is from the IoT app to the IoT Device (A-D). In this way, the IoT app sends one or more commands to the IoT device, which acts on them. The third way is from the IoT app to the IoT Cloud (A-C). Through this way, the device can also send the user’s data to the IoT device’s cloud.

Despite the importance of the privacy risk, the majority of IoT users don’t understand what kind of information is being collected about them or their environment. Privacy is not limited to encryption and access authorization; it also concerns the kind of information transmitted, how it is used, and with whom it will be shared. Accordingly, many researchers have been motivated to study the security and privacy issues of these devices because of the sensitive information they carry about their owners. However, existing methods have the following limitations:

1. They only study the security and privacy issues by analyzing the traffic that goes directly from the IoT device to the IoT cloud (i.e. D-C).
2. They never study the privacy violations between the IoT traffic and its PPA, i.e., compliance violations.

In contrast, this research aims to study privacy violations by analyzing the alternate path, i.e. A-C. In particular, we consider the compliance issues between the data sent from the IoT mobile app to the IoT cloud and what the manufacturer of the IoT device states about the data that it collects about its users. IoT manufacturers are compelled to issue Privacy Policy Agreements (PPA) for their respective devices and to ensure that the actual behavior of such devices complies with the issued PPA. To evaluate this compliance, we make the following contributions.

The first contribution is an investigation of the issues around IoT privacy in general, and of the compliance violations between IoT devices and their PPAs in particular. This is done in two stages. The first stage is to read and study, manually, the PPAs of eleven IoT manufacturers. The results of this stage reveal that half of those IoT manufacturers do not have an adequate privacy policy specifically for their IoT devices. Consequently, we create eight main criteria, based on the GDPR, that any IoT manufacturer should implement when designing its PPA. We also argue that IoT manufacturers should apply these criteria and adhere to them when they issue new IoT products. The second stage is to design a testbed to capture the traffic of two IoT devices (i.e., Tp-link smart plug and Belkin NetCam). We then analyze the collected traffic to find out the type of data transferred from the devices to their manufacturer’s cloud. Finally, we evaluate the compliance of the actual behavior of the IoT devices (Tp-link smart plug and Belkin NetCam) with their PPAs as well as with our eight criteria. The results of this stage prove that the data sent from the two IoT devices to their clouds does not comply with what is stated in their PPAs.

The second contribution is a tool that automatically infers the actual behavior (i.e. the type of the transmitted data) of an IoT device from its encrypted network traffic. In particular, the tool infers three critical things. First, it reveals from the traffic the type of interaction between the user and his/her IoT device through the IoT device’s app (e.g., the user logs in to the IoT app to control the device). Second, it reveals whether the IoT device sends sensitive Personally Identifiable Information (PII) about the user to its cloud. Finally, it reveals the content type of such sensitive information (e.g., the user’s location details). This information helps IoT users make rational decisions regarding their privacy risks. We implement this tool using a supervised machine learning algorithm and obtain the following classification accuracy values for inferring the three types of information mentioned above, respectively: 99.4%, 99.8%, and 99.8%. This high accuracy proves the reliability of our proposed method.

The third contribution is a method to analyze the text of IoT PPAs. In this method, we aim to imitate the way that an ordinary person, with an average education level, reads and understands such long policies. To do so, we implement a text-mining tool that reads and extracts specific types of information using a supervised machine learning algorithm. Our goal is to determine the types of personal information that the PPA says are collected about IoT end users. Furthermore, we categorize such information according to its sensitivity level as either sensitive personal information or non-sensitive personal information. Using our tool, we analyze and label 31,661 sentences from 50 IoT PPAs. The high accuracy achieved by the classifier (i.e. 98.8%) proves the validity and reliability of our proposed method.

Finally, we combine the second and the third contributions to investigate whether there is a mismatch between the actual data sent to the IoT manufacturer’s cloud and what the manufacturer states in its PPA. The experimental results demonstrated in this thesis confirm our hypothesis that most IoT manufacturers don’t provide sufficient information in their PPA or they don’t comply with what they state in their PPA.

Item Type: Thesis (PhD)
Date Type: Completion
Status: Unpublished
Schools: Computer Science & Informatics
Date of First Compliant Deposit: 23 March 2021
Last Modified: 10 Nov 2021 02:26
