Designing Privacy-Aware IoT Applications for Unregulated Domains

Abstract

Internet of Things (IoT) applications (apps) are challenging to design because of the heterogeneous systems on which they are deployed. IoT devices and apps may collect and analyse sensitive personal data, which is often protected by data privacy laws, some within highly regulated domains such as healthcare. Privacy-by-design (PbD) schemes can be used by developers to consider data privacy at the design stage. However, software developers are not widely adopting these approaches due to difficulties in understanding and interpreting them. There are currently a limited number of tools available for developers to use in this context. We believe that a successful PbD tool should be able to (i) assist developers in addressing privacy requirements in less regulated domains, as well as (ii) help them learn about privacy as they use the tool. The findings of two controlled lab studies are presented, involving 42 developers. We discuss how such a PbD tool can help novice IoT developers comply with privacy laws (e.g., GDPR) and follow privacy guidelines (e.g., privacy patterns). Based on our findings, such tools can help raise awareness of data privacy requirements at design. This increases the likelihood that subsequent designs will be more aware of data privacy requirements.