The Quest for Privacy in the Consumer IoT

Privacy remains among the toughest challenges for the consumer-facing Internet of Things (IoT). Privacy-by-Design (PbD) is the most recent attempt to address it. Under PbD, privacy goals become part of the technical specification and are resolved directly in the development process. This view contrasts with existing approaches that retrofit protection measures as an afterthought, often even after the “things” have been introduced to the market. PbD is not solely a technological approach; it is directly addressed by the European General Data Protection Regulation (GDPR), which is presumably going to come into force in 2018. In this paper, we highlight the drawbacks of the retrofit approach when applied to the IoT, using IPv6, one of the IoT’s key networking technologies, as a case. We argue that PbD is a resolution of particular significance (if not by now the only one) that promises to directly solve the privacy challenges. Nevertheless, we identify a significant omission: neither legislation nor technology mandates consumer involvement.