Chang Kai-Chih, Niu Haoran, Kim Brian, Barber Suzanne
Department of Electrical and Computer Engineering, The University of Texas at Austin, Austin, TX 78712, USA.
Entropy (Basel). 2024 Jun 29;26(7):561. doi: 10.3390/e26070561.
A user's devices such as their phone and computer are constantly bombarded by IoT devices and associated applications seeking connection to the user's devices. These IoT devices may or may not seek explicit user consent, thus leaving the users completely unaware the IoT device is collecting, using, and/or sharing their personal data or, only marginal informed, if the user consented to the connecting IoT device but did not read the associated privacy policies. Privacy policies are intended to inform users of what personally identifiable information (PII) data will be collected about them and the policies about how those PII data will be used and shared. This paper presents novel tools and the underlying algorithms employed by the Personal Privacy Assistant app (UTCID PPA) developed by the University of Texas at Austin Center for Identity to inform users of IoT devices seeking to connect to their devices and to notify those users of potential privacy risks posed by the respective IoT device. The assessment of these privacy risks must deal with the uncertainty associated with sharing the user's personal data. If privacy risk (R) equals the consequences (C) of an incident (i.e., personal data exposure) multiplied by the probability (P) of those consequences occurring (C × P), then efforts to control risks must seek to reduce the possible consequences of an incident as well as reduce the uncertainty of the incident and its consequences occurring. This research classifies risk according to two parameters: expected value of the incident's consequences and uncertainty (entropy) of those consequences. This research calculates the entropy of the privacy incident consequences by evaluating: (1) the data sharing policies governing the IoT resource and (2) the type of personal data exposed. The data sharing policies of an IoT resource are scored by the UTCID PrivacyCheck, which uses machine learning to read and score the IoT resource privacy policies against metrics set forth by best practices and international regulations. The UTCID Identity Ecosystem uses empirical identity theft and fraud cases to assess the entropy of privacy incident consequences involving a specific type of personal data, such as name, address, Social Security number, fingerprint, and user location. By understanding the entropy of a privacy incident posed by a given IoT resource seeking to connect to a user's device, UTCID PPA offers actionable recommendations enhancing the user's control over IoT connections, interactions, their personal data, and, ultimately, user-centric privacy control.
用户的手机和电脑等设备不断受到物联网设备及相关应用程序的轰炸,这些设备试图连接到用户的设备。这些物联网设备可能会也可能不会寻求用户的明确同意,从而使用户完全不知道物联网设备正在收集、使用和/或共享他们的个人数据,或者,如果用户同意连接物联网设备但没有阅读相关隐私政策,他们只是略有了解。隐私政策旨在告知用户将收集哪些关于他们的个人身份信息(PII)数据,以及关于这些PII数据将如何使用和共享的政策。本文介绍了德克萨斯大学奥斯汀分校身份中心开发的个人隐私助手应用程序(UTCID PPA)所采用的新颖工具和底层算法,以告知用户有哪些物联网设备试图连接到他们的设备,并通知这些用户各自的物联网设备可能带来的隐私风险。对这些隐私风险的评估必须应对与共享用户个人数据相关的不确定性。如果隐私风险(R)等于事件(即个人数据泄露)的后果(C)乘以这些后果发生的概率(P)(C×P),那么控制风险的努力必须寻求减少事件的可能后果,以及降低事件及其后果发生的不确定性。本研究根据两个参数对风险进行分类:事件后果的期望值和这些后果的不确定性(熵)。本研究通过评估以下内容来计算隐私事件后果的熵:(1)管理物联网资源的数据共享政策;(2)暴露的个人数据类型。物联网资源的数据共享政策由UTCID PrivacyCheck评分,该工具使用机器学习根据最佳实践和国际法规设定的指标来读取和评分物联网资源隐私政策。UTCID身份生态系统使用身份盗窃和欺诈的实际案例来评估涉及特定类型个人数据(如姓名、地址、社会保障号码、指纹和用户位置)的隐私事件后果的熵。通过了解给定的试图连接到用户设备的物联网资源所带来的隐私事件的熵,UTCID PPA提供可操作的建议,以增强用户对物联网连接、交互、其个人数据的控制,并最终实现以用户为中心的隐私控制。
