Design patterns have been proposed as a method to improve the consistent application of proven solutions across designs. Privacy in operational IoT blockchains today is mostly an attestation from the operator of the service based on IoT. Privacy testing in operational systems an opportunity for further improvement. Privacy risks, threat model and requirements are continuing to evolve and IoT systems will need to evolve with them. [Alqassam 2014]. Privacy threats need to be managed throughout the operational life cycle of the IoT blockchain including changing sensors, upgrading software, etc. Privacy patterns can help maintain consistency across these disruptions; though testing and attestations will also have a role to play.
Privacy patterns for IoT Blockchain Design
Developers often use the vocabulary of data security to approach privacy challenges, and software architectural patterns frame privacy solutions that are used throughout the development process [Hadar 2018]. There are over 100 IoT design patterns in the literature, but very little explicit identification of IoT design pattern reuse [Washizaki 2019]. As a “step” toward solving security and privacy concerns, [Bloom 2018] identified common input-output (I/O) design patterns that exist in Industrial IoT applications, but these design patterns don’t address the full scope of privacy threats, nor the blockchain aspects. [Xu 2018] collects blockchain design patterns, but these mainly identify privacy as an area for further improvement. [Wirth 2018] provides an initial blockchain and smart contracts architectural blueprint claiming GDPR compliance. [Pape 2018] considers privacy patterns in the IoT architecture, assuming a three-layer service delivery model based on fog computing, and does not consider blockchain aspects, nor an explicit data controller role. The privacy patterns [Pape 2018] identified included: personal data store, data isolation at different entities, decoupling content and location visibility, added noise measurement obfuscation, aggregation of data, data aggregation gateways, and single point of contact. A more comprehensive list of privacy patterns, though not targeted at IoT, is online at https://privacypatterns.org/patterns/. Privacy patterns abstract away from the detailed solution of specific PETs. At best, privacy design patterns align with specific privacy threat models, and the suite of patterns covers the full scope of privacy threats. Privacy design patterns can provide a useful common abstraction for communication between the designers and operators of IoT blockchain during its design and operational lifecycle.
Privacy Testing
Modern software development practices like devops, CI/CD, etc. have an emphasis on the availability of system tests to ensure key use cases remain valid during development. Some methodologies (e.g. Design for Testability) go further and require the development of tests before the development of the code. It would be helpful if privacy design patterns had industry consensus methods to verify correct implementation and operation.
Testing in the context of distributed architectures like IoT and blockchains adds additional complexity. [Pontes 2018] formalizes the notion of a pattern-based IoT testing method for systematizing and automating the testing of IoT ecosystems. It consists of a set of test strategies for recurring behaviors of the IoT system, which can be defined as IoT test patterns. Unfortunately, these did not address the scope of privacy concerns. Similarly, the blockchain literature has few examples of automated test suites (see e.g., [Gao 2019]). Neither of these test patterns is specific to privacy. [Muntes-Molero 2019] proposes an approach towards continuous monitoring for privacy risk control in trustworthy IoT systems. The assumption of trustworthy systems requires additional justification. Blockchains can be designed to achieve secure consensus results despite running on untrusted nodes in a peer-peer network. With little in the literature beyond penetration testing (e.g., [Probst 2012]), testing of assertions that privacy threats have been resolved seems an area for further research.
Given the scope of privacy concerns, privacy testing is unlikely to be accomplished by a single test. While many traditional notions of privacy focus on disclosure, recent regulatory initiatives have created new requirements for user controls. While those controls may be implemented with manual procedures in the short term, IoT blockchain architectures can be expected to evolve to provide automated support for these features, and that will need to be tested. An IoT blockchain may be assembled from different components, and will likely evolve over its operational life as new components are added, software updated, etc. Privacy testing will need to apply both at the component level and cumulatively across the larger architecture, and during run time operations.
Privacy Attestation
Some [Wirth 2018], [Bansal 2008] have noted that trademarks and certification seals may be useful for consumers to identify and trust products and services that provide privacy assertions (e.g., conformance to privacy regulations such as the GDPR). Certification schemes usually require independent verification/ testing to assure the quality of certified goods/services. While privacy testing regimes are still in early stages of development, attestations by entities operating services based on IoT blockchains may provide some interim assurance. This may require similar assurances and indemnification through the component supply chain.
The scope of the attestations that consumers may require to protect their privacy and build trust needs further consideration. Solove’s taxonomy is now incomplete as it does not include the more recent regulatory initiatives like GDPR that mandate some degree of control of the data by the data subject. Traditional data access controls (Create/Read/Update/Delete) are helpful, but more nuanced controls may be required to constrain privacy threats from information processing and secondary uses. GDPR takes a step in this direction by identifying the data controller role and imposing privacy-related obligations on data controllers. IoT blockchain architectures could support a limited set of more nuanced operations on private data through SMC. The SMC code could be open-sourced and inspectable to provide assurances of correct operation. Moving the computing algorithms to the data like this may reduce the amount of attestation required to build trust.
Privacy is an ongoing operational concern, not just a design-time objective. The IoT blockchain architecture, though, it will need adequate capabilities to be designed in so that operators of services based on them will be able to make adequate assurances to their customers, and perhaps their regulators as well. While attestations may provide assurances in the short term, ultimately adequate privacy testing regimes will be required to demonstrate the integrity of the solutions.
References
[Alqassam 2014] I.Alqassem, et.al., “A taxonomy of security and privacy requirements for the Internet of Things (IoT).” 2014 IEEE International Conference on Industrial Engineering and Engineering Management. IEEE, 2014.
[Bansal 2008] G. Bansal, et.al., “The moderating influence of privacy concern on the efficacy of privacy assurance mechanisms for building trust: A multiple-context investigation.” ICIS 2008 Proceedings (2008)
[Bloom 2018] G. Bloom, et al. “Design patterns for the industrial Internet of Things.” 2018 14th IEEE International Workshop on Factory Communication Systems (WFCS). IEEE, 2018.
[Gao 2019] J. Gao, et al., “Towards automated testing of blockchain-based decentralized applications.” Proc. of the 27th Int’l Conf. on Program Comprehension. IEEE, 2019.
[Hadar 2018] I. Hadar, et al. “Privacy by designers: software developers’ privacy mindset.” Empirical Software Engineering 23.1 (2018): 259-289.
[Muntes-Molero 2019] V. Muntés-Mulero, et al. “Model-driven Evidence-based Privacy Risk Control in Trustworthy Smart IoT Systems.” (2019).
[Pape 2018] Pape, Sebastian, and Kai Rannenberg. “Applying Privacy Patterns to the Internet of Things’(IoT) Architecture.” Mobile Networks and Applications 24.3 (2019): 925-933.
[Pontes 2018] P. Pontes, et. al., “Test patterns for IoT.” Proceedings of the 9th ACM SIGSOFT International Workshop on Automating TEST Case Design, Selection, and Evaluation. ACM, 2018.
[Probst 2012] W. Probst, et al. “Privacy penetration testing: How to establish trust in your cloud provider.” European Data Protection: In Good Health?. Springer, Dordrecht, 2012. 251-265.
[Washizaki 2019] H. Washizaki, et al. “Landscape of IoT Patterns.” arXiv preprint arXiv:1902.09718 (2019).
[Wirth 2018] C. Wirth, et. al., “Privacy by blockchain design: a blockchain-enabled GDPR-compliant approach for handling personal data.” Proceedings of 1st ERCIM Blockchain Workshop 2018. European Society for Socially Embedded Technologies (EUSSET), 2018.
[Xu 2018] Xu, Xiwei, et al. “A pattern collection for blockchain-based applications.” Proceedings of the 23rd European Conference on Pattern Languages of Programs. ACM, 2018.