Automated Approach to Improve IoT Privacy Policies
This work addresses privacy issues for IoT users by improving policy readability and compliance, but it appears incremental as it builds on existing analysis techniques without introducing a new paradigm.
The authors tackled the problem of ineffective IoT privacy policies by developing methodologies to analyze and reduce policy length and organize content for better user understanding, and to detect inconsistencies between devices and their policies, though no concrete numbers were provided.
The massive growth of the Internet of Things (IoT) as a network of interconnected entities [18], brings up new challenges in terms of privacy and security requirements to the traditional software engineering domain [4]. To protect the individuals' privacy, the FTC's Fair Information Practice Principles (FIPPs) [6] proposes to companies to give notice to the consumer about their data practices, provide them with choices and give them means to have control over their own data.. Using privacy policy is the most common way for this type of notices. However, privacy policies are not generally effective due to two main reasons: first, privacy policies are long and full of legal jargon which are not understandable by a normal user; second, it is not guaranteed that an IoT device behave as it is explained in its privacy policy. In this technical report, we propose and discuss our methodologies to analyze privacy policies. By the help of this analysis, we reduce the length of a privacy policy and make it organized based on privacy practices to improve understanding level for the user. We also come up with a method to find the inconsistencies between IoT devices and their privacy policies.