Small scale IoT device privacy evaluation using Petri net modeling

Abstract

Most Small Scale IoT (SSIoT) devices on the market gather a significant amount of sensitive information, yet many lack privacy controls, introducing significant privacy and safety risk to users. Such risks stem from the lack of privacy integration into the system development process. No formalized SSIoT data flow model currently integrates privacy elements for evaluation during the system development lifecycle (SDLC). This work aims to review current data flow modeling techniques, used in most SSIoT System Development Lifecycle (SDLC), to identify privacy gaps and assess requisite privacy controls necessary to improve user privacy. To verify this, we designed a simulation experiment using Petri net to evaluate the current privacy controls and hotspots during SSIoT data transitions. We assess our Petri net model using a Barbie Smart connected toy user interaction. The results show that Petri net has unique privacy elements and verification schemes over all other data flow modeling techniques. Further, it provides privacy assurance, evaluates privacy by identifying privacy hotspots needing controls, and minimizes privacy-related risks such as breach of personally identifiable information and interaction data during SSIoT device use.