Abstract
Personal information has never been as exposed to risk as it is today, given current advances in technology, especially in personal devices. These devices provide services to individuals; however, they also collect huge amounts of personal information, which may be used to infer sensitive private information. Among these personal devices, fitness trackers have the potential to capture the most personal user information. We conducted an analysis of fitness trackers and built a case study based on Fitbit wearables, the Fitbit Android application, and the third-party applications that provide further services by accessing Fitbit data and exchanging data with its application, given the user’s permission. Specifically, we analyzed the case of the Lose It! third-party application. Then, we applied a framework for user privacy protection in the IoT, which we defined in our previous work, to this specific case and validated our design choices using controlled experiments. The contribution of the paper is twofold: showing the privacy risks that arise when shared data can be correlated to infer undisclosed personal information, and presenting an approach to support users in managing privacy configuration settings. The ultimate aim of this study is to outline new challenges for IoT development by (i) emphasizing the need to protect users against inference attacks coming from the supposedly trusted third parties and (ii) making the process of information sharing more informative and the users more aware of the related risks.
Notes
In the present study, we used only the binary option of private or not private data, even though the framework is designed to manage privacy preferences on a scale and to use thresholds to provide alerts to the user.
Cite this article
Torre, I., Sanchez, O., Koceva, F. et al. Supporting users to take informed decisions on privacy settings of personal devices. Pers Ubiquit Comput 22, 345–364 (2018). https://doi.org/10.1007/s00779-017-1068-3
DOI: https://doi.org/10.1007/s00779-017-1068-3