A Privacy-By-Design Architecture for Indoor Localization Systems
Abstract. The availability of mobile devices has led to an arising development of indoor location services collecting a large amount of sensitive information. However, without accurate and verified management, such information could become severe back-doors for security and privacy issues. We propose in this paper a novel Location-Based Service (LBS) architecture in line with the GDPR’s provisions. For feasibility purposes and considering a representative use-case, a reference implementation, based on the popular Telegram app, is also presented.
Keywords: Access control systems · GDPR · Indoor Localization Systems · Location-Based Services · Privacy-by-design
1 Introduction
The wide availability of mobile devices has led to a growing development of (indoor/outdoor) Location-Based Services (LBSs) for improving users’ daily life and work. More specifically, a high number of stakeholders are exploiting such systems for providing commercial solutions, selling products, tracking facilities, social apps, and services. Most of the previously cited systems are supposed to acquire and store personal data such as the IP address, the user’s localization and the history of locations visited, as well as a timestamp of such visits. As a result, the final users disseminate digital crumbs that might potentially disclose sensitive information without their being aware of the actual risk. Beyond Snowden [9] and the recent adoption in May 2018 of the General Data Protection Regulation (GDPR) [7], people’s sensitivity to personal privacy has, fortunately, been increasing. However, in the context of Indoor Localization Systems (ILSs), there is still no standardized reference architecture that takes care of security and privacy enforcement. In this paper, we describe a novel LBS architecture in line with the GDPR provisions, i.e., able to strengthen the rights of individuals over their personal data and to make organizations more accountable regarding the regulation. The provided solution relies on the innovative idea of integrating a GDPR-based Access Control (AC) system inside the localization architecture. We argue that AC represents a promising technique for developing adequate and fine-grained mechanisms taking into account legal requirements, such as the data usage purpose, the management of the user’s consents, and the enforcement of the data retention period [4,17,18]. Thus, the main contribution of this paper is to schematize an Indoor Localization System (ILS) reference architecture. We define the purposes of the data management, the management of the user’s consents, and the rights related to privacy and data protection, correctly enforced so as to guarantee privacy-by-design GDPR compliance. To the best of our knowledge, our solution is the first proposal that integrates three key

© Springer Nature Switzerland AG 2020. M. Shepperd et al. (Eds.): QUATIC 2020, CCIS 1266, pp. 358–366, 2020. https://doi.org/10.1007/978-3-030-58793-2_29
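The paragraph above argues that an access control layer inside the localization architecture can enforce three legal requirements at once: the data usage purpose, the user’s consents, and the retention period. The following is an added illustration of such a policy decision point, written for this page and not code from the paper or its Telegram-based reference implementation; the record layout, the purpose names, the retention limits and the consent registry are all assumptions chosen for the example. The check is deliberately ordered so that a request is refused on the first failing requirement, and the same retention rule drives a purge routine so that stored data is deleted, not merely hidden, once its period expires.

```python
"""Purpose-, consent- and retention-aware access check for indoor location records.

Illustrative example (not the paper's own code). Purposes, retention limits
and the record layout are assumptions made for this demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed retention limit per declared purpose (hypothetical values).
RETENTION = {
    "navigation": timedelta(hours=24),   # live wayfinding only needs recent points
    "analytics": timedelta(days=30),     # aggregated foot-traffic statistics
    "security": timedelta(days=90),      # incident investigation
}


@dataclass(frozen=True)
class LocationRecord:
    subject: str            # pseudonymous user identifier
    zone: str               # indoor zone, e.g. "building-A/floor-2/room-204"
    collected_at: datetime  # timezone-aware collection time
    purpose: str            # purpose declared to the user when collected


@dataclass
class ConsentRegistry:
    """Tracks which purposes each subject currently consents to."""
    _consents: dict = field(default_factory=dict)

    def grant(self, subject: str, purpose: str) -> None:
        self._consents.setdefault(subject, set()).add(purpose)

    def withdraw(self, subject: str, purpose: str) -> None:
        self._consents.get(subject, set()).discard(purpose)

    def allows(self, subject: str, purpose: str) -> bool:
        return purpose in self._consents.get(subject, set())


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(record: LocationRecord, requested_purpose: str,
           consents: ConsentRegistry, now: datetime) -> Decision:
    """Evaluate one access request against purpose, consent and retention."""
    # 1. Only purposes with a defined retention rule are ever serviced.
    limit = RETENTION.get(requested_purpose)
    if limit is None:
        return Decision(False, "unknown purpose")
    # 2. Purpose binding: a point collected for one purpose is not reused for another.
    if requested_purpose != record.purpose:
        return Decision(False, "purpose mismatch")
    # 3. The subject must hold an active consent for that purpose at decision time.
    if not consents.allows(record.subject, requested_purpose):
        return Decision(False, "no active consent")
    # 4. Data past its retention period is not served even if consent exists.
    if now - record.collected_at > limit:
        return Decision(False, "retention period expired")
    return Decision(True, "ok")


def purge_expired(records: list, now: datetime) -> list:
    """Return only the records still inside the retention period for their purpose."""
    return [r for r in records
            if r.purpose in RETENTION and now - r.collected_at <= RETENTION[r.purpose]]


def demo(now: datetime) -> dict:
    """Run a few constructed requests and return the decisions keyed by scenario."""
    consents = ConsentRegistry()
    consents.grant("user-42", "navigation")
    fresh = LocationRecord("user-42", "building-A/floor-2/room-204",
                           now - timedelta(hours=1), "navigation")
    stale = LocationRecord("user-42", "building-A/floor-1/lobby",
                           now - timedelta(days=2), "navigation")
    results = {
        "fresh_same_purpose": decide(fresh, "navigation", consents, now),
        "fresh_other_purpose": decide(fresh, "analytics", consents, now),
        "stale_same_purpose": decide(stale, "navigation", consents, now),
        "unknown_purpose": decide(fresh, "marketing", consents, now),
    }
    consents.withdraw("user-42", "navigation")
    results["after_withdrawal"] = decide(fresh, "navigation", consents, now)
    results["retained_records"] = purge_expired([fresh, stale], now)
    return results


if __name__ == "__main__":
    for name, value in demo(datetime.now(timezone.utc)).items():
        print(f"{name}: {value}")
```

Because every decision carries a reason, the same function can feed an audit log, which is what makes consent withdrawal and retention enforcement demonstrable to a supervisory authority rather than merely claimed.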