
Privacy Verification Chains for IoT

2017 
The present paper establishes foundations for implementing Privacy and Security by Design in the scope of the Internet of Things (IoT) by using a new paradigm, namely Privacy Verification Chains (PVCs). PVCs will act as "privacy ledgers", allowing participating entities to prove that they are entitled to hold privacy-related information, regardless of how this information is handled or stored. Furthermore, the PVC structure provides the following two benefits. First, in case of a security breach resulting in a user data leak, the affected company may browse all the relevant PVCs in order to identify the users affected and trigger the corresponding informative and corrective measures. Second, the PVC will also support bidirectional browsing, which means that the data owner will be able to browse all the PVCs involving the data he owns in order to find all the data processors that hold his personal information. From a wider perspective, we enforce a strict separation between data providers and data controllers, where providers are managers of their data privacy, and controllers are accountable for the privacy and protection of the data provided. This role separation will be ensured by a data controller of a so-called Smart Data System (SDS). The SDS handles information along with its privacy settings (metadata), defined by the data owner. In order to control this privacy-preserving framework, our system introduces a Forensic and Auditing System that will enforce data protection from the processor to a third party. This component will also provide a comprehensive logging functionality that will constitute legally binding support for responding to audit procedures, police investigations and/or law enforcement obligations.
References: 13; Citations: 3