Supporting users to take informed decisions on privacy settings of personal devices

Today, personal information has never been more at risk, given current advances in technology, especially on personal devices. These devices provide services to individuals; however, they also collect huge amounts of personal information, which may be used to infer sensitive private information. Among these personal devices, fitness trackers have the potential to capture the most personal user information. We conducted an analysis of fitness trackers and built a case study based on Fitbit wearables, their Android application, and the third-party applications that provide further services by accessing Fitbit data and exchanging data with the Fitbit application, given the user's permission. Specifically, we analyzed the case of the Lose It! third-party application. We then applied a framework for user privacy protection in the IoT, which we defined in our previous work, to this specific case and validated our design choices using controlled experiments. The contribution of the paper is twofold: showing the privacy risks that arise because shared data can be correlated to infer undisclosed personal information, and presenting an approach to support users in managing privacy configuration settings. The ultimate aim of this study is to outline new challenges for IoT development by (i) emphasizing the need to protect users against inference attacks coming from supposedly trusted third parties and (ii) making the process of information sharing more informative and users more aware of the related risks.
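The abstract's core point is that attributes a user is willing to share can be correlated to infer an attribute the user never disclosed, and that a privacy-settings assistant should make that inference risk visible before the data leaves the device. The following is an added illustration, not code from the paper or from its framework: it uses a toy naive Bayes model with constructed, purely illustrative probabilities (the attribute names `resting_hr`, `daily_steps`, `sleep_hours` and the sensitive attribute `S` are hypothetical), computes how much a third party's belief about `S` moves once given a set of shared attributes, and suggests the smallest set of attributes to withhold so that the inference stays below a user-chosen threshold.

```python
from itertools import combinations

# Constructed toy model. Every number below is illustrative and is NOT taken
# from the paper; it only exists to show the mechanics of inference risk.
PRIOR = {"yes": 0.2, "no": 0.8}   # P(S): baseline belief about a hypothetical sensitive attribute S

# P(attribute value | S) for each shareable attribute (naive Bayes: attributes
# are treated as conditionally independent given S).
CPT = {
    "resting_hr": {
        "high":   {"yes": 0.60, "no": 0.20},
        "normal": {"yes": 0.40, "no": 0.80},
    },
    "daily_steps": {
        "low":  {"yes": 0.70, "no": 0.30},
        "high": {"yes": 0.30, "no": 0.70},
    },
    "sleep_hours": {
        "short":  {"yes": 0.50, "no": 0.25},
        "normal": {"yes": 0.50, "no": 0.75},
    },
}


def posterior(shared):
    """P(S = yes | shared attribute values) under the toy model.

    `shared` maps attribute name -> observed value; attributes the user
    withholds are simply absent, so an empty dict returns the prior.
    """
    score = dict(PRIOR)
    for attr, value in shared.items():
        for s in score:
            score[s] *= CPT[attr][value][s]
    total = sum(score.values())
    return score["yes"] / total


def inference_gain(shared):
    """How far sharing moves the third party's belief away from the prior."""
    return posterior(shared) - PRIOR["yes"]


def minimal_withholding(observed, threshold):
    """Smallest set of attributes to withhold so that P(S = yes | shared) <= threshold.

    `observed` holds the user's actual attribute values. Subsets are tried in
    increasing size, so the first hit is a minimal withholding set. Returns
    None when even withholding everything leaves the prior above the threshold.
    """
    attrs = list(observed)
    for k in range(len(attrs) + 1):
        for withhold in combinations(attrs, k):
            shared = {a: v for a, v in observed.items() if a not in withhold}
            if posterior(shared) <= threshold:
                return set(withhold)
    return None


if __name__ == "__main__":
    # Constructed user profile: the values a tracker would hand to a third party.
    user = {"resting_hr": "high", "daily_steps": "low", "sleep_hours": "short"}
    print(f"prior P(S=yes)          = {PRIOR['yes']:.3f}")
    print(f"posterior if all shared = {posterior(user):.3f}")
    print(f"inference gain          = {inference_gain(user):+.3f}")
    print(f"withhold to stay <= 0.5 : {minimal_withholding(user, 0.5)}")
```

The assistant never needs the third party's real model to be useful: any plausible model learned from public data gives the user a concrete number ("sharing these three fields raises the belief from 0.20 to about 0.78") instead of an opaque permission prompt, which is the kind of informed decision the abstract argues for.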
