9  Privacy Patterns & Data Tiers

9.1 Learning Objectives

By the end of this chapter, you should be able to:

• Apply privacy design patterns: data minimization, aggregation, local processing, anonymization
• Classify IoT data using the Three-Tier Privacy Model
• Apply proportional protection mechanisms based on data sensitivity
• Implement tier-aware storage, sharing, and retention policies
• Design privacy-preserving data flows that minimize tier elevation
• Configure automated retention and access controls by privacy tier

In 60 Seconds

Privacy design patterns are reusable solutions to recurring privacy engineering problems — patterns like Minimal Footprint (collect only essential data), Informed Explicit Consent (meaningful user control), Anonymization (de-identification before sharing), and Privacy Dashboard (user data visibility). Applying established patterns reduces design time and avoids reinventing privacy controls.

Key Concepts

• Privacy Design Pattern: Reusable solution template for a recurring privacy engineering problem, similar to GoF design patterns but focused on privacy-preserving system design.
• Minimal Footprint Pattern: Design approach collecting, processing, and retaining the minimum personal data necessary; implemented through data schema design, retention automation, and feature scoping.
• Pseudonymization Pattern: Replacing direct identifiers with pseudonyms throughout processing; separating pseudonym mapping into a separate system with strict access controls.
• Privacy Dashboard Pattern: User-facing interface providing visibility into collected data, active consents, and controls for data deletion and export; enables meaningful user agency.
• Federated Identity Pattern: Authentication design where personal data stays with the identity provider rather than being shared with each relying party; reduces data exposure.
• Consent Management Pattern: Architecture for collecting granular purpose-specific consent, recording consent state, enforcing consent in processing, and supporting withdrawal.
• Data Lifecycle Pattern: Automated enforcement of data retention policies including collection timestamps, retention period tracking, scheduled deletion, and audit logging.

For Beginners: Privacy Patterns & Data Tiers

Privacy and compliance for IoT are about protecting people’s personal information and following the laws that govern data collection. Think of it like the rules a doctor follows to keep medical records confidential. IoT devices in homes, workplaces, and public spaces collect sensitive data about people’s lives, and there are strict requirements about how this data must be handled.

Sensor Squad: The Three-Tier Data System!

“Not all data is equally sensitive,” Max the Microcontroller explained. “The Three-Tier model sorts data into three levels: Tier 1 is anonymous aggregate data that anyone can see, Tier 2 is pseudonymous data for authorized users, and Tier 3 is personally identifiable data that needs the strongest protection.”

Sammy the Sensor gave an example. “If I measure the average temperature of a building – that is Tier 1, anonymous and safe to share. If I record temperature by room number but not by person – that is Tier 2, useful but could potentially identify someone. If I track which specific person set which temperature – that is Tier 3, definitely personal data!”

“Privacy patterns are proven design recipes,” Lila the LED said. “Data minimization: collect less. Purpose limitation: only use data for the stated purpose. Storage limitation: delete data when you no longer need it. These patterns are like building blocks that you combine to create a privacy-respecting system.”

“The key insight is that different tiers need different protections,” Bella the Battery summarized. “Tier 1 data can be stored openly. Tier 2 needs access controls and encryption. Tier 3 needs the strongest encryption, strict access, audit logging, and user consent. Design your system to keep data at the lowest tier possible – aggregate when you can, pseudonymize what you must keep, and only store identifiable data when absolutely necessary.”

Related Chapters, Products, and Tools

• Privacy Foundations - Review Privacy by Design: Foundations for the seven foundational principles
• Anti-Patterns - Continue to Privacy Anti-Patterns and Assessment for what to avoid and how to conduct Privacy Impact Assessments
• Encryption - Pair with Encryption Principles and Crypto Basics for implementing the encryption techniques referenced here

Key Takeaway

In one sentence: Privacy design patterns provide proven solutions to common privacy challenges, while the Three-Tier Privacy Model ensures proportional protection based on data sensitivity.

Remember this rule: Apply the privacy hierarchy - Eliminate data collection first, then Minimize, then Anonymize, then Encrypt. Not all data requires the same protection level.

9.2 Prerequisites

Before diving into this chapter, you should be familiar with:

• Privacy by Design: Foundations: Understanding of the seven foundational principles provides essential context for design patterns
• Introduction to Privacy: Knowledge of privacy concepts and GDPR requirements helps understand why these patterns matter

9.3 Privacy Design Patterns

Privacy design patterns are proven solutions to common privacy challenges in IoT systems.

9.3.1 The Privacy Hierarchy: Eliminate, Minimize, Protect

Best to Worst privacy practices:

Figure 9.1: The Privacy Hierarchy: Eliminate, Minimize, Protect

Alternative View: Privacy Technique Comparison Matrix

This view compares privacy protection techniques across multiple dimensions to help select the right approach:

Figure 9.2: Privacy Technique Comparison

Technique Selection Guide:

Technique	Privacy Level	Complexity	Best For	Limitations
Elimination	Highest	Lowest	Non-essential data	Reduces functionality
Minimization	High	Low	Required data fields	Still collects some data
Aggregation	High	Medium	Statistical analysis	Loses individual precision
Anonymization	Medium	Medium	Research datasets	Re-identification risk
Encryption	Medium	High	Compliance needs	Key management burden
Policy Only	Lowest	Highest	Legacy systems	Trust-dependent, breach risk

Privacy by Design asks: “Do we NEED this data, or just WANT it?”

9.3.2 Pattern 1: Data Minimization

Principle: Collect only what’s absolutely necessary for the specified purpose.

Thermostat Example	Collect (Necessary)	Don’t Collect (Unnecessary)	Rationale
Core function	Temperature, timestamp	User ID, location, Wi-Fi networks	Anonymous device ID sufficient
Purpose	HVAC control	Behavioral profiling	Only collect for stated purpose
Granularity	Per-room temperature	Individual occupant tracking	Aggregate is sufficient

Implementation Checklist:

• Document purpose for EVERY data point collected
• Remove ALL optional fields from data collection
• Use anonymous/pseudonymous identifiers (not user IDs)
• Periodic review: “Do we still need this data?”

9.3.3 Pattern 2: Aggregation

Principle: Combine individual data points to prevent identification while preserving utility.

Raw Data (Privacy Risk)	Aggregated Data (Privacy-Preserving)	Utility Preserved?
[22.1, 22.3, 22.2, 22.4] per minute	Hourly average: 22.25	Yes (sufficient for optimization)
Entry/exit timestamps per person	% occupancy per hour	Yes (HVAC scheduling works)
Individual device MAC addresses	Number of devices in network	Yes (bandwidth management)

Aggregation Techniques:

• Temporal aggregation: Minute -> Hour -> Day averages
• Spatial aggregation: Room -> Floor -> Building averages
• Statistical aggregation: Individual values -> Mean/Median/Count

9.3.4 Pattern 3: Local Processing (Edge Computing)

Principle: Process sensitive data on-device; send only results to cloud.

Figure 9.3: Local vs Cloud Processing: Privacy-First Edge Computing Decision Flow

When to Use Local Processing:

Scenario	Local Processing	Cloud Processing	Recommendation
Voice wake word detection	Always	Privacy risk	Local only
HVAC control decisions	Sufficient	Unnecessary	Local preferred
ML model training	Federated learning	If anonymized	Depends on data sensitivity
Firmware updates	Needs cloud	Required	Cloud (minimal data shared)

9.3.5 Pattern 4: Anonymization and Pseudonymization

K-Anonymity: Make each record indistinguishable from at least k-1 other records.

Original Data (Identifiable)	K-Anonymized (k=5)	Privacy Gain
Age: 25, ZIP: 94102	Age: 20-30, ZIP: 941**	Each record matches >= 5 people
Name: John, Email: john@email.com	[Removed], [Removed]	Direct identifiers eliminated
Precise location: 37.7749, -122.4194	City: San Francisco	Coarse location sufficient

Anonymization Techniques:

Technique	Example	Use Case	Strength
Generalization	Age 25 -> “20-30”	Demographics	Moderate (can be reversed with auxiliary data)
Suppression	Remove name, email	Direct identifiers	Strong (irreversible if done correctly)
Pseudonymization	User_12345 -> Random_ABC789	Temporary unlinkability	Weak (reversible with key)
Differential Privacy	Add statistical noise	ML training data	Strong (mathematically proven)

9.4 Data Privacy Tiers for IoT Systems

IoT systems generate diverse data types with vastly different privacy implications. A Three-Tier Privacy Model provides a structured framework for classifying data and applying appropriate protection mechanisms.

9.4.1 The Three Privacy Tiers

Principle: Not all data requires the same level of protection. Classify data into privacy tiers and apply proportional safeguards.

Tier	Data Type	Examples	Protection Level
Tier 1: Public	Aggregate, anonymized	City traffic counts, weather averages, pollution levels	Minimal (transparency focus)
Tier 2: Sensitive	Identifiable patterns	Energy usage, location history, device MAC addresses	Encryption, access control
Tier 3: Critical	Biometric, health, financial	Heart rate, blood glucose, payment data, video/audio	End-to-end encryption, explicit consent

9.4.2 Processing Rules by Tier

Different privacy tiers require different handling throughout the data lifecycle:

Tier	Storage	Sharing	Retention	Consent Required
Tier 1	Cloud OK	Open data (public APIs)	Indefinite (archival value)	Implicit (opt-out)
Tier 2	Cloud encrypted	Partners only (contractual agreements)	1-3 years (compliance)	Opt-out (notification required)
Tier 3	Edge preferred (minimize cloud transmission)	Never shared (user controls only)	Minimal (7-30 days)	Explicit opt-in (granular consent)

9.4.3 Privacy Tier Decision Flowchart

Figure 9.4: Decision flowchart for classifying IoT data into three privacy tiers

9.4.4 Real-World Examples: Multi-Tier Data in IoT Systems

Most IoT devices generate data across all three tiers. Understanding which tier each data type belongs to is critical for privacy-by-design implementation.

9.4.4.1 Example 1: Smart Energy Meter

Data Element	Raw Value	Privacy Tier	Rationale	Protection Applied
Total kWh (hourly)	3.2 kWh at 14:00	Tier 1	Aggregate consumption, no behavior inference	Cloud storage OK, public reporting
Appliance signatures	Dishwasher: 1.8 kW, 90 min cycle	Tier 2	Reveals behavioral patterns (when you cook, clean)	Encrypted storage, access logs
Occupancy patterns	Nobody home 9am-5pm weekdays	Tier 3	Security risk (reveals vacancy for burglars)	Edge processing only, explicit consent

Privacy-by-Design Implementation:

• Tier 1 data: Transmitted hourly to utility for billing (aggregate OK)
• Tier 2 data: Processed locally, only share with explicit user consent for “efficiency tips”
• Tier 3 data: NEVER transmitted; occupancy detection runs on-device only for automation

9.4.4.2 Example 2: Fitness Tracker

Data Element	Raw Value	Privacy Tier	Rationale	Protection Applied
Daily step count	8,347 steps	Tier 1	General activity level, hard to de-anonymize	Cloud sync OK, leaderboard sharing
GPS location history	Route from home to office	Tier 2	Identifies home/work addresses, patterns	Encrypted, user controls sharing
Heart rate variability (HRV)	65ms RMSSD	Tier 3	Medical diagnostic data, health status	Edge processing, medical-grade encryption

Privacy-by-Design Implementation:

• Tier 1 data: Synced to cloud for goal tracking, social features
• Tier 2 data: Encrypted before transmission, user controls public/friends/private
• Tier 3 data: Processed on-device using edge ML, never uploaded without explicit medical consent

9.4.4.3 Example 3: Smart Home Camera

Data Element	Raw Value	Privacy Tier	Rationale	Protection Applied
Motion event count	12 events today	Tier 1	Anonymous activity level	Dashboard display, cloud analytics
Motion event timestamps	Motion at 07:23, 08:15, 12:34	Tier 2	Reveals daily routines	Encrypted storage, 30-day retention
Video footage with faces	Recording of family members	Tier 3	Biometric identifiers, surveillance data	Local storage only, end-to-end encryption if cloud backup

Privacy-by-Design Implementation:

• Tier 1 data: Aggregate motion statistics for “home activity” dashboard
• Tier 2 data: Encrypted timestamps for forensic review if needed
• Tier 3 data: Local storage by default, optional encrypted cloud backup with explicit consent

9.4.5 Privacy Tier Comparison Table

Building on the processing rules above, this table provides a comprehensive comparison across all privacy dimensions, including encryption standards, access control models, and regulatory mappings:

Dimension	Tier 1: Public	Tier 2: Sensitive	Tier 3: Critical
Examples	Traffic counts, weather, pollution	Energy patterns, MAC addresses	Biometrics, health, video
Encryption	Optional (integrity)	Required (AES-256 at rest/transit)	End-to-end + hardware security module
Storage Location	Cloud preferred	Cloud encrypted acceptable	Edge preferred, cloud only with consent
Sharing	Open APIs, public datasets	Contractual partners only	Never (user controls exceptions)
Retention	Indefinite (archival)	1-3 years (compliance)	7-30 days (minimize exposure)
Consent	Implicit (opt-out)	Notification (opt-out)	Explicit opt-in (granular)
Access Control	Public	Role-based (RBAC)	Attribute-based (ABAC) + MFA
Deletion	On request	Automatic after retention	Automatic + secure erasure
Audit Logging	Optional	Required	Mandatory real-time
Anonymization	Already anonymous	K-anonymity (k>=5)	Not sufficient (avoid collection)
Regulatory	Minimal compliance	GDPR Article 32 (security)	GDPR Article 9 (special categories)

9.4.6 Implementation Guidance: Building Tier-Aware Systems

Step 1: Data Classification at Collection

Tag every data point with its privacy tier when first collected:

# Example: Privacy-aware data collection (pseudocode)
class SensorData:
    def __init__(self, value, data_type):
        self.value = value
        self.data_type = data_type
        self.privacy_tier = self.classify_privacy_tier()
        self.timestamp = now()

    def classify_privacy_tier(self):
        if self.data_type in ['aggregate_count', 'anonymous_stats']:
            return PrivacyTier.PUBLIC  # Tier 1
        elif self.data_type in ['location', 'usage_pattern', 'device_id']:
            return PrivacyTier.SENSITIVE  # Tier 2
        elif self.data_type in ['biometric', 'health', 'video', 'audio']:
            return PrivacyTier.CRITICAL  # Tier 3
        else:
            return PrivacyTier.CRITICAL  # Default to most restrictive

Step 2: Automate Retention Policies by Tier

Configure automatic deletion based on privacy tier:

Privacy Tier	Default Retention	Automated Action	User Override
Tier 1	Indefinite	Archive after 1 year (compressed)	User can request deletion
Tier 2	1 year	Auto-delete after 1 year	User can extend to 3 years max
Tier 3	30 days	Auto-delete after 30 days	User can reduce to 7 days

Step 3: Audit Access by Tier (Logging and Accountability)

Tier 3 data requires comprehensive access logging:

Privacy Tier	Access Logging	Audit Frequency	Alert Threshold
Tier 1	Optional (performance optimization)	Annual	N/A (public data)
Tier 2	Required (who accessed, when, why)	Quarterly	Unusual access patterns
Tier 3	Mandatory (full audit trail)	Real-time	EVERY access logged + user notification

Step 4: Design Data Flows to Minimize Tier Elevation

Anti-Pattern (Tier Elevation):

Tier 1 (step count) + Tier 2 (location) -> Tier 3 (exact home address)

When combining data creates higher-sensitivity information, the result inherits the highest tier of any input.

Privacy-by-Design Solution:

• Separate storage: Store Tier 1 and Tier 2 data in separate databases
• Delayed aggregation: Aggregate location to city-level (Tier 1) before combining
• User consent gates: Require explicit consent before combining tiers

9.4.7 Case Study: Smart City Parking System

A smart city deploys parking sensors to optimize urban parking. How should data be classified?

Data Classification:

Data Type	Privacy Tier	Collection Method	Protection Applied
Total spaces available	Tier 1	Aggregate count across all sensors	Public API, mobile app display
Per-block occupancy	Tier 1	Block-level aggregation (10+ spaces)	Public dataset for urban planning
Individual space status	Tier 2	Per-sensor binary (occupied/empty)	Encrypted, city parking enforcement only
License plate recognition	Tier 3	Camera + OCR (if deployed)	Edge processing only, no storage

Privacy-by-Design Architecture:

Figure 9.5: Smart city parking system architecture with three-tier data classification

Privacy Benefits:

• Public transparency: Tier 1 data drives citizen apps, reduces circling for parking
• Operational efficiency: Tier 2 data helps city optimize enforcement routes
• Privacy protection: Tier 3 license plates NEVER stored, processed only for real-time violation detection

9.4.8 Best Practices: Tier-Aware Privacy Architecture

Privacy Tier Implementation Checklist

Design Phase:

• Document privacy tier for EVERY data element in system design
• Create data flow diagrams showing tier segregation
• Design separate storage systems for different tiers (defense in depth)
• Default to Tier 3 if classification is uncertain

Implementation Phase:

• Tag data with privacy tier at collection (metadata tagging)
• Automate retention policies by tier (no manual cleanup)
• Implement tier-appropriate encryption (Tier 3 requires end-to-end)
• Configure access controls by tier (Tier 3 requires MFA + audit)

Operations Phase:

• Monitor for tier violations (Tier 3 data in Tier 1 systems)
• Audit access patterns (especially Tier 3 access)
• User transparency (show users what tier each data type belongs to)
• Periodic review (ensure tier classifications remain accurate)

Compliance Phase:

• Map tiers to regulatory requirements (GDPR Article 9 = Tier 3)
• Document tier justifications for auditors
• Provide tier-specific privacy notices (explain why Tier 3 needs consent)
• Enable user-initiated deletion by tier (separate controls)

Common Mistakes to Avoid:

Mistake	Why It’s Wrong	Correct Approach
Treating all data equally	Over-protects Tier 1 (wasted resources), under-protects Tier 3 (compliance risk)	Proportional protection by tier
Tier elevation without consent	Combining Tier 1+2 -> Tier 3 without user awareness	Require consent before combining tiers
Single database for all tiers	Tier 1 breach exposes Tier 3 data	Separate databases, separate encryption keys
No tier metadata	Cannot automate retention, access control	Tag every data point with tier at collection
Default to Tier 1	Assumes data is safe until proven sensitive	Default to Tier 3, downgrade only with justification

Tradeoff: Data Minimization vs Analytics Capability

Option A: Collect only essential data required for core functionality, maximizing privacy protection

Option B: Collect broader data to enable analytics, personalization, and product improvement

Decision Factors: Choose aggressive minimization when processing sensitive categories (Tier 3), when regulatory scrutiny is high, or when breach costs outweigh analytics value. Choose broader collection when analytics directly improve user experience, when users explicitly consent for personalization, or when aggregate insights benefit all users. Key questions: Can the same insight be derived from aggregated or anonymized data? Can processing happen on-device instead of cloud?

Tradeoff: Edge Processing for Privacy vs Cloud Processing for Capability

Option A: Process sensitive data on-device/edge - eliminates cloud transmission of raw PII, GDPR data minimization compliance, latency ~5-20ms, limited ML model size (50-500MB), higher device cost (+$5-15 per unit)

Option B: Cloud processing with encrypted transmission - enables large ML models (GB-scale), cross-device learning, centralized compliance monitoring, latency ~100-500ms, requires robust consent framework

Decision Factors: Choose edge processing when handling Tier 3 critical data, when regulatory requirements mandate local processing, when network reliability is uncertain, or when real-time response is safety-critical. Choose cloud processing when ML model complexity exceeds edge capability, when cross-user pattern analysis provides significant benefit, or when device cost constraints prevent edge compute hardware.

Putting Numbers to It: K-Anonymity and L-Diversity

K-anonymity ensures each record is indistinguishable from at least k-1 other records. L-diversity requires at least l distinct values for sensitive attributes within each k-anonymous group.

K-Anonymity: For a dataset D, every record must be identical to at least k-1 other records on quasi-identifiers (age, zip code, gender).

L-Diversity Entropy: Within each k-anonymous group, the entropy of sensitive attribute S must satisfy: \[H(S) = -\sum_{i=1}^{l} p_i \log_2(p_i) \geq \log_2(l)\]

where \(p_i\) is the proportion of records with sensitive value \(i\).

Working through an example: Given: Hospital IoT patient monitoring system with 10,000 patients. Data includes: Age, ZIP code, Heart rate monitoring frequency. Apply k=5 anonymity and l=3 diversity.

Original dataset sample: | Patient | Age | ZIP | HR Frequency | Diagnosis | |———|—–|—–|————–|———–| | P001 | 42 | 94102 | High | Arrhythmia | | P002 | 43 | 94102 | High | Arrhythmia | | P003 | 42 | 94103 | Low | Healthy |

Step 1: Apply k=5 generalization - Age: 42 → “40-45”, 43 → “40-45” - ZIP: 94102 → “941”, 94103 → ”941”

K-anonymous groups (each has ≥5 members): | Group | Age Range | ZIP | HR Frequency | Count | |——-|———–|—–|————–|——-| | G1 | 40-45 | 941** | High | 8 patients | | G2 | 40-45 | 941** | Low | 5 patients |

Step 2: Check l-diversity for Group G1 (8 patients with High HR monitoring) - Diagnoses in G1: Arrhythmia (5), Heart Failure (2), Healthy (1) - Distribution: p₁=5/8, p₂=2/8, p₃=1/8 - Entropy: \(H = -(5/8)\log_2(5/8) - (2/8)\log_2(2/8) - (1/8)\log_2(1/8)\) - \(H = -(0.625)(-0.678) - (0.25)(-2) - (0.125)(-3)\) - \(H = 0.424 + 0.5 + 0.375 = 1.299\) bits

Step 3: Verify l-diversity requirement - Required: \(H \geq \log_2(3) = 1.585\) bits - Actual: \(H = 1.299\) bits - FAILS l=3 diversity (dominated by Arrhythmia)

Step 4: Fix by suppressing Group G1 or merging with another group - Merge G1 with similar group to increase diagnosis diversity - New merged group has 6 distinct diagnoses - New entropy: \(H = 2.1\) bits > 1.585 bits ✓

Result: K=5 anonymity achieved with generalization. L=3 diversity required merging groups to prevent diagnosis inference from quasi-identifiers.

In practice: K-anonymity alone fails when sensitive attributes are homogeneous (all patients with high HR monitoring have heart conditions). L-diversity ensures that even knowing someone is in a k-anonymous group doesn’t reveal their sensitive attribute. For IoT health data (Tier 3), l≥3 diversity is the minimum to prevent inference attacks via background knowledge.

9.4.9 Interactive: L-Diversity Entropy Calculator

Adjust the number of records with each diagnosis to explore how the distribution affects entropy and whether l-diversity requirements are met.

viewof diagnosisA = Inputs.range([0, 20], {value: 5, step: 1, label: "Diagnosis A count"})
viewof diagnosisB = Inputs.range([0, 20], {value: 2, step: 1, label: "Diagnosis B count"})
viewof diagnosisC = Inputs.range([0, 20], {value: 1, step: 1, label: "Diagnosis C count"})
viewof lRequired = Inputs.range([2, 5], {value: 3, step: 1, label: "Required l-diversity (l)"})

{
  const total = diagnosisA + diagnosisB + diagnosisC;
  if (total === 0) {
    return html`<div style="padding: 16px; background: #f8f9fa; border-radius: 8px; border-left: 4px solid #7F8C8D; font-family: Arial, sans-serif;">
      <p style="color: #2C3E50; font-weight: bold;">Add at least one record to calculate entropy.</p>
    </div>`;
  }

  const counts = [diagnosisA, diagnosisB, diagnosisC].filter(c => c > 0);
  const distinctValues = counts.length;
  const probs = counts.map(c => c / total);
  const entropy = -probs.reduce((sum, p) => sum + p * Math.log2(p), 0);
  const threshold = Math.log2(lRequired);
  const passes = entropy >= threshold;
  const statusColor = passes ? "#16A085" : "#E74C3C";
  const statusText = passes ? "PASSES" : "FAILS";

  return html`<div style="padding: 20px; background: #f8f9fa; border-radius: 8px; border-left: 4px solid ${statusColor}; font-family: Arial, sans-serif;">
    <h4 style="margin-top: 0; color: #2C3E50;">L-Diversity Analysis</h4>
    <table style="width: 100%; border-collapse: collapse; margin-bottom: 12px;">
      <tr style="border-bottom: 1px solid #ddd;">
        <td style="padding: 6px; color: #7F8C8D;">Total records in group</td>
        <td style="padding: 6px; font-weight: bold; color: #2C3E50;">${total}</td>
      </tr>
      <tr style="border-bottom: 1px solid #ddd;">
        <td style="padding: 6px; color: #7F8C8D;">Distinct sensitive values</td>
        <td style="padding: 6px; font-weight: bold; color: #2C3E50;">${distinctValues}</td>
      </tr>
      <tr style="border-bottom: 1px solid #ddd;">
        <td style="padding: 6px; color: #7F8C8D;">Distribution</td>
        <td style="padding: 6px; font-weight: bold; color: #2C3E50;">${counts.map((c, i) => `p${i+1}=${(c/total).toFixed(3)}`).join(", ")}</td>
      </tr>
      <tr style="border-bottom: 1px solid #ddd;">
        <td style="padding: 6px; color: #7F8C8D;">Entropy H(S)</td>
        <td style="padding: 6px; font-weight: bold; color: #3498DB;">${entropy.toFixed(3)} bits</td>
      </tr>
      <tr style="border-bottom: 1px solid #ddd;">
        <td style="padding: 6px; color: #7F8C8D;">Required: log2(${lRequired})</td>
        <td style="padding: 6px; font-weight: bold; color: #E67E22;">${threshold.toFixed(3)} bits</td>
      </tr>
      <tr>
        <td style="padding: 6px; color: #7F8C8D;">Result</td>
        <td style="padding: 6px; font-weight: bold; color: ${statusColor};">${statusText} l=${lRequired} diversity (${entropy.toFixed(3)} ${passes ? ">=" : "<"} ${threshold.toFixed(3)})</td>
      </tr>
    </table>
    <p style="color: #7F8C8D; font-size: 0.9em; margin-bottom: 0;"><strong>Try it:</strong> Set counts to 5, 2, 1 with l=3 to reproduce the textbook example (entropy = 1.299, fails). Then adjust to a more uniform distribution to see it pass.</p>
  </div>`;
}

9.4.10 Interactive: Privacy Tier Classifier

Use this tool to classify a data element into the appropriate privacy tier based on its characteristics.

viewof identifiable = Inputs.select(["No", "Possibly", "Yes (device ID)", "Yes (biometric/medical)"], {label: "Is the data identifiable?", value: "No"})
viewof behavioral = Inputs.select(["No", "Limited inference", "Yes (routines/patterns)", "Yes (health/financial)"], {label: "Enables behavioral inference?", value: "No"})
viewof regulatory = Inputs.select(["None", "GDPR personal data", "GDPR Art. 9 / HIPAA"], {label: "Regulatory category", value: "None"})

{
  let score = 0;
  if (identifiable === "Possibly") score += 1;
  else if (identifiable === "Yes (device ID)") score += 2;
  else if (identifiable === "Yes (biometric/medical)") score += 3;

  if (behavioral === "Limited inference") score += 1;
  else if (behavioral === "Yes (routines/patterns)") score += 2;
  else if (behavioral === "Yes (health/financial)") score += 3;

  if (regulatory === "GDPR personal data") score += 2;
  else if (regulatory === "GDPR Art. 9 / HIPAA") score += 3;

  let tier, tierColor, tierLabel, protection;
  if (score <= 1) {
    tier = 1; tierColor = "#16A085"; tierLabel = "Tier 1: Public";
    protection = "Cloud storage OK, open sharing via public APIs, indefinite retention, implicit consent (opt-out).";
  } else if (score <= 4) {
    tier = 2; tierColor = "#3498DB"; tierLabel = "Tier 2: Sensitive";
    protection = "Encrypted cloud storage (AES-256), partner-only sharing with contracts, 1-3 year retention, RBAC access control.";
  } else {
    tier = 3; tierColor = "#9B59B6"; tierLabel = "Tier 3: Critical";
    protection = "Edge processing preferred, end-to-end encryption + HSM, never share externally, 7-30 day retention, explicit opt-in consent, ABAC + MFA.";
  }

  return html`<div style="padding: 20px; background: #f8f9fa; border-radius: 8px; border-left: 4px solid ${tierColor}; font-family: Arial, sans-serif;">
    <h4 style="margin-top: 0; color: ${tierColor};">${tierLabel}</h4>
    <p style="color: #2C3E50; margin-bottom: 8px;"><strong>Recommended protection:</strong> ${protection}</p>
    <p style="color: #7F8C8D; font-size: 0.9em; margin-bottom: 0;">Risk score: ${score}/9. When uncertain, default to the higher tier.</p>
  </div>`;
}

Chapter Summary

Privacy design patterns provide proven solutions to common IoT privacy challenges:

Four Core Patterns:

1. Data Minimization: Collect only necessary information, remove optional fields, use pseudonymous identifiers
2. Aggregation: Combine data temporally, spatially, or statistically to prevent individual identification
3. Local Processing: Process on-device first, send only results to cloud when necessary
4. Anonymization: Apply K-anonymity, differential privacy, or pseudonymization based on use case

Three-Tier Privacy Model:

• Tier 1 (Public): Aggregate/anonymous data - cloud storage OK, open sharing, indefinite retention
• Tier 2 (Sensitive): Identifiable patterns - encrypted cloud, partner sharing only, 1-3 year retention
• Tier 3 (Critical): Biometric/health/financial - edge processing, never share externally, 7-30 day retention

Key Implementation Guidance:

• Tag data with privacy tier at collection
• Automate retention by tier
• Design separate storage for different tiers
• Monitor for tier violations (combining data that elevates sensitivity)
• Default to Tier 3 when classification is uncertain

Worked Example: Applying Three-Tier Model to Smart Building HVAC

Scenario: Design data classification for 100-building smart HVAC system serving 10,000 employees.

Tier 1 (Public): Building-wide temperature averages (hourly) - Safe for public dashboards, energy audits Tier 2 (Sensitive): Floor-level occupancy patterns - Encrypted, access-controlled, 1-year retention Tier 3 (Critical): Individual office occupancy (reveals who works late, early arrivals, absences) - Edge-only processing, never stored

Result: 90% of data stays Tier 1 (aggregated), 9% Tier 2 (coarse), 1% Tier 3 (processed locally only). Privacy budget managed per tier.

Decision Framework: Tier Classification for New IoT Data Types

Data Element	Identifiable?	Behavioral Inference?	Regulatory Category	Recommended Tier	Rationale
Aggregate device count (building-level)	No	No	None	Tier 1	Cannot identify individuals
MAC address	Yes (device ID)	Yes (presence patterns)	GDPR personal data	Tier 2	Pseudonymous identifier
GPS coordinates (precise)	Yes (home/work inference)	Yes (routines, relationships)	GDPR personal data / ePrivacy	Tier 3	4 points = 95% re-identification
Health vitals (heart rate, blood glucose)	Yes (medical data)	Yes (health conditions)	HIPAA/GDPR Art. 9	Tier 3	Medical data, highest protection
Energy usage (hourly aggregates)	Possibly (behavioral patterns)	Yes (occupancy, appliances)	GDPR personal data	Tier 2	Non-intrusive disaggregation prevents Tier 3
Video footage (faces visible)	Yes (biometric)	Yes (activities, associations)	GDPR Art. 9 biometric	Tier 3	Facial recognition = biometric data

Common Mistake: Static Tier Classification (Tier Elevation Risk)

The Mistake: Classifying data tiers at collection but failing to recognize when combining Tier 1+2 creates Tier 3.

Example: Tier 1 (step count: 8,000 steps) + Tier 2 (GPS city: San Francisco) = Tier 3 (exact home address inferred from daily start location).

Correct Approach: Audit data combinations, require consent before tier elevation, store tiers in separate databases with separate encryption keys.

9.5 Knowledge Check

Quiz: Privacy Patterns & Data Tiers

Match the Key Concepts

Order the Steps

Common Pitfalls

1. Applying Patterns Mechanically Without Understanding Purpose

Privacy design patterns are tools, not requirements. Applying pseudonymization everywhere regardless of necessity adds complexity without proportional benefit. Understand what privacy threat each pattern addresses and apply it only where that threat exists.

2. Not Combining Patterns for Layered Protection

Single privacy patterns provide partial protection. Combining Minimal Footprint (reducing data collected) with Pseudonymization (protecting retained data) with Privacy Dashboard (user control) provides substantially stronger protection than any single pattern alone.

3. Implementing Patterns Inconsistently Across System Components

Applying the Pseudonymization Pattern in the main application but not in analytics dashboards, admin tools, or log pipelines creates inconsistent privacy protection. Privacy patterns must be applied consistently across all system components that touch personal data.

4. Ignoring Pattern Performance Implications

Privacy patterns have performance costs: encryption adds latency, pseudonymization adds lookup overhead, consent checking adds per-request overhead. Profile performance impact of privacy patterns during design and include performance testing in privacy implementation testing.

Label the Diagram

9.6 What’s Next

Continue to Privacy Anti-Patterns and Assessment where you’ll learn:

• Dark patterns and manipulative UX to avoid
• Privacy theater vs genuine protection
• Privacy Impact Assessment (PIA) framework
• LINDDUN threat modeling for privacy
• Development lifecycle integration

← Privacy by Design Foundations

Privacy Assessment →

💻 Code Challenge