PhD Defence: “Enhancing Transparency and Consent in the IoT”, Victor Morel, 24th of September 2020 at 3PM

Title

Enhancing Transparency and Consent in the IoT

 

Abstract

In an increasingly connected world, the Internet permeates every aspect of our lives. The number of devices connected to the global network is rising, with forecasts of 75 billion devices by 2025. The Internet of Things envisioned twenty years ago is now materializing at a fast pace, but this growth is not without consequence. The increasing number of devices raises the possibility of surveillance to a level never seen before. A major step was taken in 2018 to safeguard privacy, with the introduction of the General Data Protection Regulation (GDPR) in the European Union. It imposes obligations on data controllers regarding the content of information about personal data collection and processing, and the means of communicating this information to data subjects. This information is all the more important as it is required for consent, which is one of the legal grounds to process personal data. However, the Internet of Things can make it difficult to implement lawful information communication and consent management. The tension between the requirements of the GDPR for information and consent and the Internet of Things cannot be easily solved. It is however possible. The goal of this thesis is to provide a solution for information communication and consent management in the Internet of Things from a technological point of view. To do so, we introduce a generic framework for information communication and consent management in the Internet of Things. This framework is composed of a protocol to communicate and negotiate privacy policies, requirements to present information and interact with data subjects, and requirements over the provability of consent. We support the feasibility of this generic framework with different options of implementation. The communication of information and consent through privacy policies can be implemented in two different manners: directly and indirectly.
We then propose ways to implement the presentation of information and the provability of consent. A design space is also provided for system designers, as a guide for choosing between the direct and the indirect implementations. Finally, we present fully functioning prototypes devised to demonstrate the feasibility of the framework’s implementations. We illustrate how the indirect implementation of the framework can be developed as a collaborative website named Map of Things. We then sketch the direct implementation combined with the agent presenting information to data subjects under the mobile application CoIoT.

 

 

Jury

  • Patricia Serrano Alvarado, Associate Professor (HDR) at the Université de Nantes, reviewer
  • Gerardo Schneider, Professor at the University of Gothenburg, reviewer
  • Félicien Vallet, Doctoral engineer in the technology expertise department of the CNIL, examiner
  • Hervé Rivano, Full Professor at Insa de Lyon, examiner
  • Daniel Le Métayer, Research Director at Inria, thesis supervisor
  • Claude Castelluccia, Research Director at Inria, thesis co-supervisor

PhD Defence: “Privacy Challenges in Wireless Communications of the Internet of Things”, Guillaume Celosia, 22nd of September 2020 at 9.30AM

Title

Privacy Challenges in Wireless Communications of the Internet of Things

 

Abstract

The proliferation of connected objects, also known as the Internet of Things (IoT), offers unprecedented opportunities to consumers. From fitness trackers to medical assistants, through smart home appliances, IoT objects are evolving in a plethora of application fields. However, the benefits that they can bring to our society increase along with their privacy implications. Continuously communicating valuable information via wireless links such as Bluetooth and Wi-Fi, those connected devices support their owners within their activities. Emitted most of the time on open channels, and sometimes in the absence of encryption, this information is then easily accessible to any passive attacker in range. In this thesis, we explore two major privacy concerns resulting from the expansion of the IoT and its wireless communications: physical tracking and inference of user information. Based on two large datasets composed of radio signals from Bluetooth/BLE devices, we first defeat existing anti-tracking features before detailing several privacy-invasive applications. Relying on passive and active attacks, we also demonstrate that broadcast messages contain cleartext information ranging from the devices' technical characteristics to personal data of the users such as e-mail addresses and phone numbers. Second, we design practical countermeasures to address the identified privacy issues. In this direction, we provide recommendations to manufacturers, and propose an approach to verify the absence of flaws in the implementation of their protocols. Finally, to further illustrate the investigated privacy threats, we implement two demonstrators. As a result, Venom introduces a visual and experimental physical tracking system, while Himiko proposes a human interface for inferring information on IoT devices and their owners.

 

Jury

  • Kasper Rasmussen – Associate Professor, University of Oxford – Reviewer
  • Bernard Tourancheau – Full Professor, Université Grenoble Alpes – Reviewer
  • Sonia Ben Mokhtar – Research Director, CNRS – Examiner
  • Jean-Marie Gorce – Full Professor, INSA Lyon – Examiner
  • Vincent Nicomette – Full Professor, INSA Toulouse – Examiner
  • Valérie Viet Triem Tong – Full Professor, CentraleSupélec Rennes – Examiner
  • Daniel Le Métayer – Research Director, Inria – Thesis supervisor
  • Mathieu Cunche – Associate Professor, INSA Lyon – Thesis co-supervisor