Abstract
With the popularization of the Internet of Things(IoT), as the IoT devices carry a large amount of sensitive information, more and more attention is paid to the privacy and security of the IoT. According to legal requirements, vendors are obliged to provide a privacy policy to inform users of their privacy practices and to ensure that actual behavior complies with the published privacy policy. However, we found that the reality is not the case. In this paper, we design an IoT privacy policy consistency detection framework that can automatically extract sensitive information in the request packets sent by IoT apps, and can detect whether the privacy policy declared by the vendor is consistent with the actual collection and sharing behavior. We create a sensitive word list and a sensitive field mapping dictionary in the IoT wearable scene. The sensitive word list contains almost all sensitive words representing sensitive information in the IoT wearable scene. The sensitive field mapping dictionary can realize the IoT wearable in the scenario, the special fields in the data packets sent by the APP to the cloud are mapped to the words in the sensitive word list. We tested 6 IoT platforms, including 9 devices and 14 APPs, and extracted a total of 245 items of sensitive information, of which 57 items of sensitive information were not claimed in their corresponding privacy policies. The test results showed that some representative IoT platforms (e.g. Huawei, Amazfit) have violated their user privacy policies to collect and share actual sensitive information, which prove that the inconsistence between platforms' privacy statement and actual behaviors is prevalent.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.