Abstract

With the popularization of the Internet of Things (IoT), and because IoT devices carry a large amount of sensitive information, the privacy and security of the IoT are receiving more and more attention. Legal requirements oblige vendors to publish a privacy policy that informs users of their privacy practices and to ensure that their actual behavior complies with that policy. We found, however, that this is often not the case. In this paper we design an IoT privacy policy consistency detection framework that automatically extracts sensitive information from the request packets sent by IoT apps and detects whether the privacy policy declared by the vendor is consistent with the app's actual collection and sharing behavior. For the IoT wearable scenario we build a sensitive word list and a sensitive field mapping dictionary. The sensitive word list covers almost all words that denote sensitive information in the wearable scenario. The sensitive field mapping dictionary maps the special field names found in the packets an app sends to the cloud onto words in the sensitive word list. We tested 6 IoT platforms, covering 9 devices and 14 apps, and extracted a total of 245 items of sensitive information, of which 57 were not declared in the corresponding privacy policies. The results show that some representative IoT platforms (e.g. Huawei, Amazfit) collect and share sensitive information in violation of their own user privacy policies, which indicates that inconsistency between a platform's privacy statement and its actual behavior is prevalent.
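The abstract describes the two artifacts the framework relies on (a sensitive word list and a field mapping dictionary) and the consistency check built on them. The following is an added illustration written for this page, not the paper's code or data: the word list, the field mapping, the sample request body and the sample policy text are all constructed here, and the policy check is a simple whole-phrase keyword match, which is an assumption about how such a comparison could be done rather than a description of the paper's method.

```python
import json
import re
from typing import Dict, List, Set

# Constructed sensitive word list for the wearable scenario (example data, not the paper's list).
SENSITIVE_WORDS: Set[str] = {
    "heart rate", "sleep", "step count", "location", "weight", "height",
    "date of birth", "gender", "device identifier", "email address",
}

# Constructed sensitive field mapping dictionary: packet field name -> sensitive word.
# Real apps use vendor-specific field names; these are hypothetical.
FIELD_MAP: Dict[str, str] = {
    "hr": "heart rate", "heartRate": "heart rate",
    "sleepData": "sleep", "steps": "step count",
    "lat": "location", "lon": "location", "gps": "location",
    "weightKg": "weight", "heightCm": "height",
    "birthday": "date of birth", "sex": "gender",
    "imei": "device identifier", "deviceId": "device identifier",
    "mail": "email address",
}


def flatten_keys(obj) -> List[str]:
    """Recursively collect every key name in a parsed JSON body (nested objects and lists)."""
    keys: List[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            keys.append(k)
            keys.extend(flatten_keys(v))
    elif isinstance(obj, list):
        for item in obj:
            keys.extend(flatten_keys(item))
    return keys


def extract_sensitive(request_body: str) -> Set[str]:
    """Map the special field names in an app-to-cloud request body onto sensitive words."""
    try:
        data = json.loads(request_body)
    except json.JSONDecodeError:
        # Fall back to a form-encoded body of key=value pairs.
        data = dict(p.split("=", 1) for p in request_body.split("&") if "=" in p)
    found: Set[str] = set()
    for key in flatten_keys(data):
        word = FIELD_MAP.get(key)
        if word in SENSITIVE_WORDS:
            found.add(word)
    return found


def declared_in_policy(policy_text: str) -> Set[str]:
    """Sensitive words the privacy policy mentions as a whole phrase (case-insensitive)."""
    text = policy_text.lower()
    return {w for w in SENSITIVE_WORDS if re.search(r"\b" + re.escape(w) + r"\b", text)}


def undeclared_collection(request_body: str, policy_text: str) -> Set[str]:
    """Sensitive items actually sent by the app that the policy does not declare."""
    return extract_sensitive(request_body) - declared_in_policy(policy_text)


# Constructed sample request body and policy excerpt (not captured from any real app).
SAMPLE_REQUEST = json.dumps({
    "deviceId": "A1B2",
    "user": {"birthday": "1990-01-01", "sex": 1},
    "metrics": [{"hr": 72, "steps": 8040}, {"lat": 31.2, "lon": 121.4}],
})
SAMPLE_POLICY = ("We collect your heart rate, step count and device identifier "
                 "to provide fitness statistics.")

if __name__ == "__main__":
    print("sent:", sorted(extract_sensitive(SAMPLE_REQUEST)))
    print("declared:", sorted(declared_in_policy(SAMPLE_POLICY)))
    print("undeclared:", sorted(undeclared_collection(SAMPLE_REQUEST, SAMPLE_POLICY)))
```

Running the script on the constructed sample reports date of birth, gender and location as collected but undeclared. In practice the request bodies come from intercepted app traffic, so the extractor has to handle whatever encodings the app uses, and a keyword match over the policy text is only a first approximation of whether a collection practice has been disclosed.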
