The following relates to a protective device for protecting the privacy of a person, in particular in an IoT (Internet of Things) system.
Devices from all domains of daily life are increasingly interconnected. Communication among devices occurs by means of sensors, detectors and data networks that, for their part, form a global network by interlinking.
The so-called Internet of Things refers to the electronic networking of objects from people's daily life. In the Internet of Things, clearly identifiable physical objects and devices are linked with a data representation within the global network. In addition to the human subscribers and people, the subjects of this network also include objects and devices that communicate with each other. An IoT system can have a multitude of different IoT sensors, which record data in their respective environments. IoT sensors can record factors such as locations, temperatures or speed of movement and provide this information to a local or remote data processing unit for data evaluation. An Internet of Things or IoT system can be employed in a wide range of application areas, such as in the fields of electrical power supply, building automation, healthcare or logistics and transport. IoT applications can make many different services available to users. For example, an in-car service can support a user in the search for a parking spot within an urban area or can locate the nearest pharmacy for the user. For this purpose, the IoT sensors can be permanently mounted in a particular area, such as on a building, or can also be mobile. The clothing worn by users or persons is increasingly being outfitted with IoT sensors that transmit personal data to the IoT system.
In the traditional environment, personal data already include far more than just the name and address of a person, such as those explained in the article “Seven Types of Privacy” by Rachel L. Finn, David Wright and Michael Friedewald, in S. Gutwirth et al, “European Data Protection: Coming of Age,” Dordrecht: Springer Science and Business Media, 2013, (URL: http://works.bepress.com/michael_friedewald/60/).
Personal data encompass data that relate to human individuals and that make it possible to identify these individuals either directly or after analysis and evaluation and, if necessary, correlation and fusion with other sources of information that are actually or potentially available to the data processor, even without a name being associated with the data, and to draw conclusions about aspects of the individual, which are associated with his or her privacy, such as his or her physical person, behavior, activities, communications, images, thoughts, feelings, place of residence or contacts.
The “36th International Privacy Conference of the Data Protection and Privacy Commissioners”, Republic of Mauritius, website, October 2014, (URL: http://www.govmu.org/English/News/Pages/Mauritius-Hosts-36th-International-Conference-of-Data-Protection-and-Privacy-Commissioners.aspx), as well as the “Article 29 Data Protection Working Party, Opinion 8/2014 on the Recent Developments on the Internet of Things”, Technical Report 14/EN WP 223, European Union, September 2014, (URL: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223 en.pdf), recommend considering all IoT sensor data as personal data and treating it accordingly from the start of data collection.
The increasing flood of personal data significantly limits people's privacy. People usually have no control over where the recorded personal data is saved and for what purposes it is analyzed.
US 2012/0 222 083 A1 discloses a network in which access rights to individual services and/or systems are granted or denied on the basis of profiles, so-called “privacy profiles”.
WO 2014/175 721 A1 likewise discloses a system in which a so-called “privacy access policy” is used to regulate access to data by services.
“The Internet of Things: A Survey from the Data-Centric Perspective” by C. C. Aggarwal provides an overview of the Internet of Things, which also includes the problem of data security.
A problem addressed by embodiments of the present invention is that of providing a device and a method for protecting the privacy of natural persons.
How fully the wishes of said person in terms of his or her privacy can be respected depends upon the configuration of the specific IoT system.
In one possible embodiment of the protective device according to embodiments of the invention, the protective device is a hardware token that can be carried by a person. This hardware token is preferably a hardware token that has been certified by a trustworthy authority.
In a further possible embodiment of the protective device according to embodiments of the invention, the signaling unit is an active signaling unit with a transmitter that emits a protection signal, which signals the approval or denial of permission by the person in question to record and/or process and/or store and/or disseminate and/or evaluate his or her personal data in general or for particular IoT applications.
In an alternative embodiment, the signaling unit is a passive signaling unit that, upon receiving a query signal, sends back a protection signal, which signals the approval or denial of permission by the person in question to record and/or process and/or store and/or disseminate and/or evaluate his or her personal data.
In a further possible embodiment of the protective device according to embodiments of the invention, the signaling unit of the protective device can be activated or deactivated by a person via an interface.
In another possible embodiment of the protective device according to embodiments of the invention, the protection signal emitted by the signaling unit is a radio signal, the range of which corresponds substantially to the range of IoT sensors of a corresponding IoT system.
In a further possible embodiment of the protective device according to embodiments of the invention, the protection signal emitted by the person's protective device switches additional devices that are worn by the same person or that are or can be assigned to the person, in particular a mobile radio device or a fitness tracker, to a protective operating mode to protect the privacy of the person in question.
In one possible embodiment of the IoT system according to embodiments of the invention, the protection signal is emitted by a portable protective device to protect a person's privacy, wherein the protective device has a signaling unit, which signals the approval or denial of permission by a person to record and/or process and/or store and/or disseminate and/or evaluate his or her personal data that are detected by IoT sensors of the IoT system.
In a further possible embodiment of the IoT system according to embodiments of the invention, after detecting a protection signal emitted by a protective device, the IoT system switches to a protective operating mode to protect the person's privacy from the recording and/or processing and/or storage and/or dissemination and/or evaluation of the personal data of the person in question.
In another possible embodiment of the IoT system according to embodiments of the invention, the person's IoT system confirms the detection of the protection signal emitted by his or her protective device.
In a further possible embodiment of the IoT system according to embodiments of the invention, when in the protective operating mode, the IoT sensors of the IoT system detect data only coarsely and/or the IoT system stores data only briefly and/or analyzes these data only to a limited extent.
According to a further aspect, embodiments of the invention provide a data acquisition device for recording data.
In one possible embodiment of the data acquisition device according to embodiments of the invention, the data acquisition device is integrated into a smart meter measuring device or is associated with a smart meter measuring device for measuring the power consumption within a person's household.
In an additional possible embodiment of the data acquisition device according to embodiments of the invention, the data acquisition device is integrated into a fitness tracker or is associated with a fitness tracker for measuring a person's body functions.
According to a further aspect, embodiments of the invention provide the user with a mobile radio device.
According to a further aspect, embodiments of the invention provide a protective signal detector for detecting a protection signal.
In one possible embodiment of the protective signal detector according to embodiments of the invention, the protective signal detector can be linked via a data interface to a portable device, in particular a portable mobile radio device or a portable data acquisition device. In another possible embodiment, the protective signal detector is integrated into or associated with an IoT sensor or data acquisition device.
According to a further aspect, embodiments of the invention also provide a method for protecting the privacy of a person.
Hereafter, possible embodiments of the various aspects of embodiments of the invention will be explained in greater detail with reference to the accompanying figures.
Some of the embodiments will be described in detail, with reference to the following figures, wherein like designations denote like members, wherein:
The protection signal SS signals the approval or denial of permission by the person P to record and/or process and/or store and/or disseminate and/or evaluate the personal data of person P that is detected by the IoT sensors 3-i. For example, a person P can attach a protective device 2 to his or her clothing at an entrance of a building so that it signals approval or denial of permission to evaluate his or her personal data during his or her movement within the building. In one possible embodiment variant, an attached protective device 2 signals a denial by the person P in question to evaluate his or her personal data by a data processing unit of the IoT system. In an alternative embodiment variant, a person P can also explicitly express or signal approval for further data evaluation of his or her personal data by attaching a protective device 2. In a further embodiment variant, a person P can choose between different types of protective devices and/or hardware tokens when entering a building, for instance, wherein a first type of protective devices signals an approval and another type signals a denial of permission to perform further data evaluation on the personal data. In another embodiment variant, the person P in question can actuate an input unit and/or a switch when attaching the protective device 2, wherein, depending upon the switch setting, either a protection signal is emitted to signal the person's approval or a protection signal is emitted to signal his or her denial of permission by means of a signaling unit of the protective device 2.
The protective device 2 carried by the person P is preferably a light-weight hardware token that is integrated within a housing and that has a signaling unit located inside it. In one possible embodiment of the protective device 2 according to embodiments of the invention, the signaling unit that is integrated in the hardware token is an active signaling unit, which contains a transmitter that emits at least one protection signal SS. In one possible embodiment, the protective hardware token 2 is a certified token. For example, the protective device 2 can be certified by an appropriate control authority. In one possible embodiment of the protective device 2 according to embodiments of the invention, the transmitter in the signaling unit transmits an anonymous protection signal SS, which can be detected by the corresponding detectors 6-i of the IoT system 1. Thereby, the protection signal in one possible embodiment can be formed by a radio signal, the range of which substantially corresponds to the range of the IoT sensors 3-i of the IoT system 1.
In one possible embodiment, the protection signal SS that is emitted by the protective device 2 of the person P can switch other devices carried by the person P to a protective operating mode and/or can influence them in order to protect the privacy of the person P. For instance, if the person P is carrying a mobile radio device, one possible embodiment of this mobile radio device provides that it is likewise automatically switched to a protective operating mode by an integrated or attached detector when the protection signal SS is detected in order to protect the privacy of the person P. In this way, a person P can move anonymously within a building without geolocation data, for example, being transmitted by the mobile radio device.
The IoT system 1 has a multitude of different IoT sensors 3-i for recording data, which can be evaluated by at least one data evaluation unit of the IoT system 1.
In order to protect the privacy of the person P in question, one possible embodiment of the IoT system provides that, after detecting a predetermined protection signal SS emitted by a protective device 2 of a person P, it automatically switches from a normal operating mode to a protective operating mode, in which the recording and/or processing and/or storage and/or dissemination and/or evaluation of the personal data of the person P in question either ceases completely or continues only to a limited extent.
In one possible embodiment of the IoT system 1 shown in
In one possible embodiment of the IoT system according to embodiments of the invention, data are detected only coarsely by the IoT sensors 3-i after switching to the protective operating mode. For example, location data about the place of residence of the person P are coarsely detected with low local resolution and/or evaluated by the IoT system 1. For example, the location data detected by sensors can indicate that the person P is in a particular larger region or building but not the exact location.
In the embodiment variant shown in
In a first step S1, a protection signal SS is sent out by a protective device 2 carried by a person P. In the process, the transmitted protection signal SS signals the approval or denial of permission by the person P to record and/or process and/or store and/or disseminate and/or evaluate the personal data of the person P.
In a further step S2, the transmitted protection signal SS is detected by a signal detector 6 of an IoT system 1, whereupon said IoT system 1 switches to a protective operating mode to protect the privacy of the person P in question.
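As an added illustration that is not part of the patent text, the following Python model walks through steps S1 and S2 described above together with the protective operating mode (coarse detection, brief storage, limited evaluation). The signal field names, the allowed-field check, the retention periods and the sample coordinates are assumptions made for this example.

```python
"""Toy model of the consent-token scheme (added example, not the patent's code).
S1: the portable token emits an anonymous protection signal SS.
S2: a detector of the IoT system validates SS and, on a denial, switches the
sensor pipeline to the protective operating mode."""
from dataclasses import dataclass, field

# Assumed signal format: only these fields, so no identity feature can ride along.
ALLOWED_FIELDS = {"kind", "consent", "scope"}


def emit_protection_signal(consent: str, scope="all") -> dict:
    """S1: hardware token 2 emits SS carrying only the consent decision."""
    assert consent in ("approve", "deny")
    return {"kind": "SS", "consent": consent, "scope": scope}


def validate_signal(signal: dict) -> bool:
    """Detector 6: accept only well-formed signals without extra (identifying) fields."""
    return (signal.get("kind") == "SS"
            and signal.get("consent") in ("approve", "deny")
            and set(signal) <= ALLOWED_FIELDS)


@dataclass
class IoTSystem:
    mode: str = "normal"
    retention_s: int = 30 * 24 * 3600          # assumed normal retention (30 days)
    store: list = field(default_factory=list)

    def on_signal(self, signal: dict, app_id: str = "default") -> str:
        """S2: switch to protective mode when a valid denial applies to this app."""
        if not validate_signal(signal):
            return self.mode                   # malformed or identifying: ignored
        scope = signal["scope"]
        applies = scope == "all" or app_id in scope
        if signal["consent"] == "deny" and applies:
            self.mode = "protective"
            self.retention_s = 60              # store only briefly (assumed 60 s)
        return self.mode

    def record(self, lat: float, lon: float, region: str) -> dict:
        """Sensor 3-i records a location; in protective mode only the coarse region."""
        if self.mode == "protective":
            rec = {"region": region, "ttl_s": self.retention_s}
        else:
            rec = {"lat": lat, "lon": lon, "region": region, "ttl_s": self.retention_s}
        self.store.append(rec)
        return rec

    def evaluate(self) -> dict:
        """Limited evaluation in protective mode: presence per region, no trajectory."""
        if self.mode == "protective":
            return {"present_in": sorted({r["region"] for r in self.store})}
        return {"trajectory": [(r["lat"], r["lon"]) for r in self.store if "lat" in r]}


def demo() -> dict:
    """Constructed walk-through: one fine reading, then a denial token arrives."""
    system = IoTSystem()
    system.record(48.1371, 11.5754, "building A")          # constructed coordinates
    system.on_signal(emit_protection_signal("deny"))
    coarse = system.record(48.1372, 11.5755, "building A")
    return {"mode": system.mode, "last": coarse, "eval": system.evaluate()}
```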
The method and the system according to embodiments of the invention are versatile. A person P and/or user who enters the detection range of an IoT sensor of an IoT system 1 is usually unaware of this, and so data detection by an IoT sensor normally cannot be prevented without the use of a protective hardware token 2 according to embodiments of the invention. The system according to embodiments of the invention makes it possible for a person P to declare whether he or she fundamentally approves or denies permission for any measured values originating from or significantly influenced by him or her to be recorded by sensors and then processed and/or stored and/or disseminated and/or analyzed, without thereby having to reveal his or her identity.
In a manner of speaking, the portable protective device 2 according to embodiments of the invention represents a privacy protector or a consent/non-consent token, with which the person P can declare to any IoT system his or her approval or denial of permission to record and/or process and/or store and/or disseminate and/or evaluate his or her personal data. The protective hardware token 2 signals to an IoT system 1 and its sensors that an unidentified data object and/or unidentified person P is located within its detection range and has either declared their agreement or, conversely, expressly denied permission to collect and evaluate data. The protective devices 2 permit the IoT system to be able to react appropriately to the presence of different persons P. Some of the persons present might be carrying a protective device 2 for protecting their own privacy, while another portion of the persons present might not have a protective device 2 with them to protect their respective privacy.
The protective device 2 preferably has the form of an anonymous, unidentifiable and untraceable physical hardware token. By carrying this hardware token 2, the bearer or person P signals his or her permission or express denial of permission for particular IoT applications or indeed for all IoT applications. In one possible embodiment, the protective device 2 also allows a person P to use different IoT applications on the protective device, for instance by placing it on a corresponding reader/writer of the IoT system 1. The protective device can then address these IoT applications in a dedicated fashion in one possible embodiment. In one possible embodiment, corresponding protective signal detectors 6 of the IoT system 1 receive the signals emitted by the protective hardware token 2 and forward them to IoT applications. As a rule, the protective signal detectors 6 are integrated in or combined with the sensors 3-i of the IoT system 1. Alternatively, separate protective signal detectors 6 can be applied in a particular area.
The protection signal SS emitted by the protective device 2 preferably does not contain any recognizable identity features of the person P. In order to give data subjects or persons P who deny permission sufficient assurance that the protective hardware token 2 transmits only required data and no other data, the protective device 2 is preferably certified by an appropriate trustworthy control or service authority.
In one possible embodiment, an operator of an IoT system 1 informs potential data subjects or persons P about the coverage area of its IoT application. Moreover, the IoT application or IoT system operator can inform potential data subjects about where said data subject or person P can get appropriate protective devices 2 to protect his or her privacy. A person P who knows that he or she is entering the coverage area of an IoT application or IoT system 1 can obtain suitable protective devices 2 in the location indicated and subsequently can carry them with him or her. If an IoT application or one of the protective signal detectors 6 receives a protection signal SS from a portable protective device 2, the IoT application can react in accordance with agreements and rules and, for example, does not record any personal data or else handles recorded personal data appropriately, such as deleting it, and/or does not process the data or processes the data only to a limited extent. This permits the IoT application to respect and protect the privacy of the person P accordingly.
Should there be a desire to temporarily suppress the signal transmission of the protection signal SS and thus to temporarily suspend privacy protection, protective covers can be used, for example, which cannot be penetrated by the radio signals of the hardware token 2. Alternatively, a switch provided for this purpose can be included on the protective device.
The IoT system 1 according to embodiments of the invention allows people to signal their consent or denial of permission to record, store, process, disseminate and analyze data by a particular IoT application or by the IoT system 1 as a whole in a way that is machine-detectable and simple, with a manageable level of complexity and without breaks in the medium (media discontinuities). Reliably determining the permission status of the persons P who are present by an explicit declaration and signaling then allows an IoT application of an IoT system 1 to comply with these wishes of the persons on the premises and thus to proceed in accordance with agreements and rules. In so doing, the IoT system 1 can adapt the degree of detail with which the data is recorded, stored and processed as a function of the permission status of the data subjects or persons in question. In particular, the unregulated data evaluation of selective personal data can be limited and/or prevented by the IoT system 1 according to embodiments of the invention.
Although the invention has been illustrated and described in greater detail with reference to the preferred exemplary embodiment, the invention is not limited to the examples disclosed, and further variations can be inferred by a person skilled in the art, without departing from the scope of protection of the invention.
For the sake of clarity, it is to be understood that the use of “a” or “an” throughout this application does not exclude a plurality, and “comprising” does not exclude other steps or elements.
Number | Date | Country | Kind |
---|---|---|---|
10 2015 222 794.4 | Nov 2015 | DE | national |
This application claims priority to PCT Application No. PCT/EP2016/075768, having a filing date of Oct. 26, 2016, based on German Application No. 10 2015 222 794.4, having a filing date of Nov. 18, 2015, the entire contents both of which are hereby incorporated by reference.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2016/075768 | 10/26/2016 | WO | 00 |