21 Privacy Threats in IoT

21.1 Learning Objectives

By the end of this chapter, you should be able to:

Classify the five categories of IoT privacy threats and distinguish them from security threats
Analyze real-world privacy violation case studies to extract root causes and mitigation lessons
Evaluate how data aggregation enables inference attacks from seemingly innocuous sensor readings
Detect location tracking and behavioral profiling risks in IoT system designs
Assess third-party data sharing implications and recommend privacy-preserving alternatives

Key Concepts

Data minimisation: Collecting only the data strictly necessary for the stated purpose — a core GDPR principle that reduces privacy risk by limiting what can be breached or misused.
Inference attack: An attack that derives sensitive information not directly collected — for example, inferring a person’s health condition from their smartwatch activity patterns or home occupancy schedule from energy usage.
Re-identification: The process of linking anonymised or pseudonymised data back to identifiable individuals using auxiliary information — a persistent risk for supposedly anonymous IoT datasets.
Surveillance creep: The gradual expansion of data collection beyond its original stated purpose, enabled by IoT data infrastructure originally deployed for legitimate operational reasons.
Consent fatigue: The tendency of users to accept all data collection terms without reading them because of the frequency and complexity of consent requests — undermining meaningful consent in IoT deployments.
Privacy impact assessment (PIA): A systematic evaluation of a proposed IoT data collection system’s privacy risks and mitigations, required by GDPR before deploying systems that process personal data at scale.

In 60 Seconds

IoT devices generate intimate data about people’s lives — location, health, behaviour, daily routines — creating privacy threats that go far beyond data breaches to include profiling, inference attacks, and loss of autonomy. The key principle is privacy by design: building privacy protections into IoT systems from the start rather than adding them as an afterthought.

Related Chapters

Privacy Fundamentals - Review Privacy Fundamentals for foundational concepts
Privacy Techniques - Continue to Privacy-Preserving Techniques for mitigation strategies
Security Threats - See Threats, Attacks, and Vulnerabilities for security perspective
Mobile Privacy - See Mobile Privacy for smartphone-specific concerns

Most Valuable Understanding (MVU)

IoT privacy threats are fundamentally different from security threats. A perfectly secure system can still violate privacy by collecting excessive data, enabling surveillance, or sharing information without user knowledge.

The Critical Insight: Privacy violations come from legitimate data collection being misused, not from hackers breaking in. Your smart thermostat recording temperature every 15 seconds is working exactly as designed - but that data reveals when you wake up, when you leave for work, and when your house is empty.

Remember: Security asks “Can attackers access your data?” Privacy asks “Should this data exist at all?”

Sensor Squad: Your Smart Devices Are Watching!

Hey there, privacy protectors! Let’s learn about privacy with the Sensor Squad!

Sammy the Sensor says: “Did you know your smart home devices are like little detectives? They notice EVERYTHING!”

The Detective Game:

Imagine your smart home devices are playing detective:

Device	What It Notices	What It Can Figure Out
Smart thermostat	Temperature changes	When you wake up and go to bed
Smart TV	What you watch	Your favorite shows and interests
Smart speaker	Voice commands	Who’s home and what they’re doing
Smart fridge	When door opens	Your eating schedule

Lila the LED explains: “When you turn me on and off, I’m keeping a little diary! If someone reads my diary for a whole week, they could know exactly when you’re home!”

Max the Microcontroller asks: “Is this bad?” Answer: Not always! But it’s important to know your devices are watching, so you can decide what to share.

The Telephone Game Gone Wrong:

You know the telephone game? Where you whisper a message and it gets passed around?

Your smart home is like that, but instead of your friends, your message goes to:

The device maker (like Amazon or Google)
Their partner companies (you’ve never heard of)
Advertisers (who want to sell you things)
Data collectors (who sell info to others)

Fun Fact: In one experiment, just 18 smart devices sent data to 56 DIFFERENT companies! That’s like playing telephone with 56 strangers!

Privacy Power-Up: Ask a grown-up to check which apps and devices can access your location. You might be surprised how many are tracking you!

For Beginners: Privacy vs. Security - What’s the Difference?

Analogy: Your House

Security = Locks on doors, alarm system, preventing break-ins
Privacy = Window curtains, deciding who can see inside

You can have great security (strong locks) but poor privacy (no curtains - everyone walks by and sees your living room).

In IoT Terms:

Security	Privacy
Encrypting data in transit	Deciding what data to collect at all
Strong passwords on devices	Limiting who can access collected data
Preventing hackers	Controlling legitimate data sharing
Protecting data from attackers	Protecting you from your own devices

Key Terms:

Term	Definition
Data minimization	Only collecting the data you actually need
Inference attack	Figuring out sensitive info from innocent-looking data
Data aggregation	Combining many small data points to learn big secrets
Third-party sharing	When companies share your data with other companies
Behavioral profiling	Building a detailed picture of your habits and preferences

The Privacy Mindset:

Instead of asking “How do I protect this data?” ask: 1. Do I really need to collect this data? 2. How long do I need to keep it? 3. Who else will see it? 4. What could someone learn from it?

21.2 Categories of Privacy Threats

Diagram showing the five categories of IoT privacy threats: unauthorized collection, data aggregation, location tracking, behavioral profiling, and third-party sharing — Figure 21.1: Five Categories of IoT Privacy Threats: From Unauthorized Collection to Third-Party Sharing

How It Works: The Aggregation Attack

Step 1: Collect Seemingly Harmless Individual Data Points

Smart thermostat logs temperature changes every 15 minutes
Smart lock records door unlock times
Motion sensors detect kitchen activity
Coffee maker tracks brew times
Individual readings appear innocuous (temperature = 68°F means nothing sensitive)

Step 2: Combine Data Across Devices Over Time

Thermostat temperature spike at 6:30 AM every weekday → User wakes up
Coffee maker activates at 6:35 AM → Morning routine
Motion sensor in kitchen 6:40-7:00 AM → Breakfast preparation
Smart lock unlocks at 7:45 AM → User leaves for work
No motion until 5:30 PM → House empty during day

Step 3: Infer Sensitive Patterns

Work schedule: Leaves 7:45 AM, returns 5:30 PM (Mon-Fri)
Weekend schedule: Different pattern (wakes 9 AM)
Vacation detection: 7-day absence = house is empty
Health indicators: CPAP machine continuous 80W overnight load
Security vulnerability: Optimal burglary window = 8 AM - 5 PM weekdays

Step 4: Monetize or Weaponize

Burglary: Physical break-in during known absence
Insurance: Deny health claim based on detected medical device
Targeted ads: Infer income level from energy usage patterns
Stalking: Know when victim is home vs away

Why It Works: Each device reveals a small piece. Combined, they reveal intimate life patterns. Users consent to thermometer “collecting temperature” but don’t realize it also reveals occupancy.

Defense: Data minimization (don’t collect), aggregation (15-min intervals → daily totals), differential privacy (add noise), edge processing (analyze locally, don’t upload raw data).

21.2.1 1. Unauthorized Collection

What it is: Collecting data without user knowledge or consent, beyond what’s necessary for the stated purpose.

Example	Privacy Impact
Smart TV with hidden microphone	Records private conversations without disclosure
Fitness tracker collecting contacts	Accesses unrelated personal information
Smart meter with 1-second granularity	Reveals individual appliance usage patterns

21.2.2 2. Data Aggregation

What it is: Combining individually harmless data points to reveal sensitive patterns.

The Aggregation Problem:

Individual data points (harmless):
- Thermostat: 68°F at 6:30 AM
- Smart lock: Unlocked at 7:45 AM
- Smart plug: Coffee maker on at 6:35 AM
- Motion sensor: Activity in kitchen at 6:40 AM

Aggregated inference (sensitive):
→ User wakes at 6:30 AM, makes coffee, leaves for work at 7:45 AM
→ House is empty from 7:45 AM until evening
→ Pattern repeats Mon-Fri
→ Burglary window: 8 AM - 5 PM weekdays

21.2.3 3. Location Tracking

What it is: Continuous monitoring of physical location through GPS, Wi-Fi, cellular, or proximity sensors.

Tracking Method	Accuracy	IoT Examples
GPS	3-5 meters	Fitness trackers, pet trackers, vehicle trackers
Wi-Fi positioning	15-40 meters	Smart home presence detection
Cell tower	100-300 meters	Cellular IoT devices
Bluetooth beacons	1-3 meters	Indoor positioning, retail tracking
Ultra-wideband (UWB)	10-30 cm	AirTags, precision tracking

Try It: Location Tracking Accuracy Explorer

Adjust the tracking technology to compare accuracy, range, power consumption, and privacy risk. See how more precise tracking creates greater privacy exposure.

Show code

viewof trackingMethod = Inputs.select(
  new Map([
    ["GPS (Satellite)", "gps"],
    ["Wi-Fi Positioning", "wifi"],
    ["Cell Tower Triangulation", "cell"],
    ["Bluetooth Beacons (BLE)", "ble"],
    ["Ultra-Wideband (UWB)", "uwb"]
  ]),
  {label: "Tracking Technology", value: "gps"}
)

Show code

{
  const specs = {
    gps:  {name: "GPS", accuracy: 4, range: 50000, power: "High", freq: 1, color: "#E74C3C", indoor: false, privacyBase: 9},
    wifi: {name: "Wi-Fi Positioning", accuracy: 25, range: 100, power: "Low", freq: 5, color: "#3498DB", indoor: true, privacyBase: 7},
    cell: {name: "Cell Tower", accuracy: 200, range: 35000, power: "Very Low", freq: 30, color: "#E67E22", indoor: false, privacyBase: 5},
    ble:  {name: "Bluetooth Beacon", accuracy: 2, range: 50, power: "Very Low", freq: 1, color: "#9B59B6", indoor: true, privacyBase: 8},
    uwb:  {name: "Ultra-Wideband", accuracy: 0.2, range: 30, power: "Medium", freq: 0.5, color: "#16A085", indoor: true, privacyBase: 10}
  };
  const s = specs[trackingMethod];
  const dataPoints = Math.round((trackDuration * 24 * 60) / s.freq);
  const privacyRisk = Math.min(10, s.privacyBase + Math.floor(trackDuration / 5));
  const riskColor = privacyRisk >= 8 ? "#E74C3C" : privacyRisk >= 5 ? "#E67E22" : "#16A085";
  const canInfer = [];
  if (s.accuracy <= 5) canInfer.push("Exact room or desk location");
  if (s.accuracy <= 40) canInfer.push("Specific building or store visited");
  if (s.accuracy <= 300) canInfer.push("Neighborhood or city block");
  if (trackDuration >= 3) canInfer.push("Daily commute route and workplace");
  if (trackDuration >= 7) canInfer.push("Weekly routine and social patterns");
  if (trackDuration >= 14) canInfer.push("Frequent visits (doctor, gym, religious sites)");
  if (trackDuration >= 21) canInfer.push("Social network from co-location analysis");

  const barWidth = 300;
  const accBar = Math.max(5, Math.round((1 - Math.min(s.accuracy, 500) / 500) * barWidth));
  const riskBar = Math.round((privacyRisk / 10) * barWidth);

  return html`<div style="background: var(--bs-light, #f8f9fa); padding: 1.2rem; border-radius: 8px; border-left: 4px solid ${s.color}; margin-top: 0.5rem;">
    <h4 style="color: ${s.color}; margin-top: 0;">${s.name}</h4>
    <div style="display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; margin-bottom: 1rem;">
      <div><strong>Accuracy:</strong> ${s.accuracy < 1 ? s.accuracy * 100 + ' cm' : s.accuracy + ' m'}</div>
      <div><strong>Range:</strong> ${s.range >= 1000 ? (s.range/1000) + ' km' : s.range + ' m'}</div>
      <div><strong>Power:</strong> ${s.power}</div>
      <div><strong>Indoor capable:</strong> ${s.indoor ? 'Yes' : 'No'}</div>
      <div><strong>Sample interval:</strong> ~${s.freq < 1 ? (s.freq * 60) + ' sec' : s.freq + ' min'}</div>
      <div><strong>Data points in ${trackDuration} days:</strong> ${dataPoints.toLocaleString()}</div>
    </div>
    <p style="margin-bottom: 0.3rem;"><strong>Precision:</strong></p>
    <div style="background: #ddd; border-radius: 4px; height: 18px; width: ${barWidth}px; margin-bottom: 0.8rem;">
      <div style="background: ${s.color}; border-radius: 4px; height: 18px; width: ${accBar}px;"></div>
    </div>
    <p style="margin-bottom: 0.3rem;"><strong>Privacy Risk: ${privacyRisk}/10</strong></p>
    <div style="background: #ddd; border-radius: 4px; height: 18px; width: ${barWidth}px; margin-bottom: 1rem;">
      <div style="background: ${riskColor}; border-radius: 4px; height: 18px; width: ${riskBar}px;"></div>
    </div>
    <p style="margin-bottom: 0.3rem;"><strong>What an attacker can infer from ${trackDuration} day(s):</strong></p>
    <ul style="margin-bottom: 0;">${canInfer.map(i => html`<li>${i}</li>`)}</ul>
  </div>`;
}

21.2.4 4. Behavioral Profiling

What it is: Creating detailed profiles of user habits, preferences, and patterns from IoT data.

Profile Components:

Behavior Category	IoT Data Source	Inference
Sleep patterns	Wearable, smart bed, thermostat	Health status, work schedule
Eating habits	Smart fridge, kitchen appliances	Diet, health conditions
Exercise routine	Fitness tracker, smart scale	Health goals, physical ability
Entertainment	Smart TV, speakers, gaming	Interests, political views
Social activity	Smart doorbell, calendar sync	Relationships, visitors

Try It: Behavioral Profile Builder

Select which IoT devices are present in a smart home to see how the combined data builds an increasingly detailed behavioral profile. Notice how each additional device contributes new inference categories.

Show code

viewof selectedDevices = Inputs.checkbox(
  new Map([
    ["Smart Thermostat", "thermostat"],
    ["Fitness Tracker", "fitness"],
    ["Smart TV", "tv"],
    ["Smart Speaker", "speaker"],
    ["Smart Fridge", "fridge"],
    ["Smart Lock", "lock"],
    ["Smart Light Bulbs", "lights"],
    ["Smart Vacuum (Roomba)", "vacuum"]
  ]),
  {label: "Devices in home", value: ["thermostat"]}
)

Show code

{
  const deviceInfo = {
    thermostat: {
      name: "Smart Thermostat",
      color: "#E67E22",
      inferences: ["Wake/sleep schedule", "Home/away patterns", "Comfort preferences", "Seasonal habits"]
    },
    fitness: {
      name: "Fitness Tracker",
      color: "#E74C3C",
      inferences: ["Exercise routine", "Heart rate / health status", "Sleep quality", "GPS location history"]
    },
    tv: {
      name: "Smart TV",
      color: "#3498DB",
      inferences: ["Entertainment preferences", "Political leanings (news channels)", "Viewing schedule", "Household composition (kids content)"]
    },
    speaker: {
      name: "Smart Speaker",
      color: "#9B59B6",
      inferences: ["Voice profiles (who is home)", "Shopping interests", "Music taste", "Questions asked (concerns, interests)"]
    },
    fridge: {
      name: "Smart Fridge",
      color: "#16A085",
      inferences: ["Eating schedule", "Dietary preferences", "Grocery spending", "Number of meals (household size)"]
    },
    lock: {
      name: "Smart Lock",
      color: "#2C3E50",
      inferences: ["Entry/exit times", "Visitor frequency", "Work schedule", "Vacation periods"]
    },
    lights: {
      name: "Smart Lights",
      color: "#7F8C8D",
      inferences: ["Room occupancy patterns", "Bedtime routine", "Which rooms used most", "Away simulation habits"]
    },
    vacuum: {
      name: "Smart Vacuum",
      color: "#E67E22",
      inferences: ["Home floor plan layout", "Furniture placement", "Room sizes", "Cleaning frequency (lifestyle)"]
    }
  };

  const active = selectedDevices || [];
  const allInferences = [];
  const deviceEntries = [];
  for (const d of active) {
    const info = deviceInfo[d];
    deviceEntries.push(info);
    for (const inf of info.inferences) {
      if (!allInferences.includes(inf)) allInferences.push(inf);
    }
  }
  const profileDepth = allInferences.length;
  const maxPossible = 32;
  const pct = Math.round((profileDepth / maxPossible) * 100);
  const threatLevel = profileDepth <= 4 ? "Low" : profileDepth <= 12 ? "Medium" : profileDepth <= 20 ? "High" : "Critical";
  const threatColor = profileDepth <= 4 ? "#16A085" : profileDepth <= 12 ? "#E67E22" : profileDepth <= 20 ? "#E74C3C" : "#8E44AD";

  const crossInferences = [];
  if (active.includes("thermostat") && active.includes("lock")) crossInferences.push("Precise work schedule (leave time + occupancy confirmation)");
  if (active.includes("fitness") && active.includes("fridge")) crossInferences.push("Health profile (exercise + diet correlation)");
  if (active.includes("tv") && active.includes("speaker")) crossInferences.push("Entertainment + purchasing intent profile");
  if (active.includes("lock") && active.includes("lights")) crossInferences.push("Precise home/away status with room-level tracking");
  if (active.includes("vacuum") && active.includes("lock")) crossInferences.push("Complete home layout + entry patterns for physical security risk");
  if (active.length >= 5) crossInferences.push("Near-complete daily life reconstruction possible");
  if (active.length >= 7) crossInferences.push("Intimate behavioral profile exceeds what close friends would know");

  return html`<div style="background: var(--bs-light, #f8f9fa); padding: 1.2rem; border-radius: 8px; border-left: 4px solid ${threatColor}; margin-top: 0.5rem;">
    <p><strong>Active devices:</strong> ${active.length} | <strong>Unique inferences:</strong> ${profileDepth} | <strong>Profile completeness:</strong> ${pct}%</p>
    <div style="background: #ddd; border-radius: 4px; height: 22px; width: 100%; margin-bottom: 1rem;">
      <div style="background: ${threatColor}; border-radius: 4px; height: 22px; width: ${pct}%; transition: width 0.3s; display: flex; align-items: center; justify-content: center; color: white; font-size: 0.85em; font-weight: bold;">
        ${threatLevel} Profiling Risk
      </div>
    </div>
    ${deviceEntries.length > 0 ? html`
      <table style="width: 100%; border-collapse: collapse; margin-bottom: 1rem;">
        <thead><tr style="border-bottom: 2px solid #2C3E50;">
          <th style="text-align: left; padding: 6px;">Device</th>
          <th style="text-align: left; padding: 6px;">What It Reveals</th>
        </tr></thead>
        <tbody>${deviceEntries.map(d => html`<tr style="border-bottom: 1px solid #ddd;">
          <td style="padding: 6px; color: ${d.color}; font-weight: bold;">${d.name}</td>
          <td style="padding: 6px;">${d.inferences.join(", ")}</td>
        </tr>`)}</tbody>
      </table>` : html`<p><em>Select devices above to see inferences.</em></p>`}
    ${crossInferences.length > 0 ? html`
      <p style="margin-bottom: 0.3rem;"><strong style="color: ${threatColor};">Cross-device inferences (data combination effects):</strong></p>
      <ul style="margin-bottom: 0;">${crossInferences.map(c => html`<li>${c}</li>`)}</ul>` : ""}
  </div>`;
}

21.2.5 5. Third-Party Sharing

What it is: Sharing user data with external entities, often without explicit user awareness.

Data Recipient	Data Type	Purpose	User Awareness
Advertising networks	Usage patterns, interests	Targeted advertising	Often hidden in ToS
Data brokers	Aggregated profiles	Resale to other companies	Rarely disclosed
Insurance companies	Health, driving data	Risk assessment	May be disclosed
Law enforcement	Location, communications	Investigations	Often without user knowledge
Academic researchers	Anonymized datasets	Research	Usually disclosed

21.2.6 Privacy Threat Interaction Model

The following diagram illustrates how the five threat categories interact and compound privacy risks:

Diagram showing how the five IoT privacy threat categories interact and compound: unauthorized collection feeds data aggregation, which enables behavioral profiling and location tracking, all amplified by third-party sharing — Privacy Threat Interaction Model

21.3 Case Study: “The House That Spied On Me”

21.3.1 The Experiment

In 2018, journalist Kashmir Hill and technologist Surya Mattu conducted an experiment: they filled a home with 18 popular smart devices and monitored all network traffic to see what data was being collected.

21.3.2 The Devices

Amazon Echo (voice assistant)
Smart TV (Samsung)
Smart thermostat (Nest)
Smart lightbulbs (Philips Hue)
Smart coffee maker
Smart toothbrush
Smart bed (Sleep Number)
Smart vacuum (Roomba)
And more…

21.3.3 What They Discovered

Diagram showing the data flow from 18 smart home devices to 56 different third-party companies, illustrating the extent of hidden data sharing in a connected home — Figure 21.2: The House That Spied: 18 Smart Devices Sending Data to 56 Different Companies

21.3.4 Key Findings

Discovery	Privacy Impact
56 different companies received data from 18 devices	Users have no relationship with most data recipients
Smart TV contacted Google, Facebook, Netflix even when not in use	Continuous surveillance regardless of activity
Sleep Number bed shared intimate health data with external servers	Sensitive health data leaves user control
Roomba created detailed floor plans of the home	Physical layout exposed to third parties
Traffic never stopped even when devices weren’t actively used	Always-on monitoring is default

21.3.5 The Lesson

Even “secure” devices from reputable companies were constantly transmitting data to dozens of third parties. Users had:

No visibility into data flows
No control over third-party sharing
No way to opt out without disabling devices
No understanding of data aggregation risks

Knowledge Check: Data Aggregation Risks

Question: A smart home has 18 devices (thermostat, TV, speaker, fridge, lights, etc.). Each device individually collects seemingly harmless data. Why is the combination of data from all 18 devices more dangerous than any single device’s data alone?

Click to reveal answer

Answer: Data aggregation creates a detailed behavioral profile that no single device could produce. The thermostat reveals sleep/wake times, the TV reveals interests and viewing habits, the smart lock reveals occupancy, and the fridge reveals eating patterns. Combined, these create an intimate portrait of daily life: when you are home, what you do, your health habits, and your routines. The “House That Spied On Me” experiment showed that 18 devices sent data to 56 different companies, each receiving fragments that together compose a complete behavioral dossier.

21.4 Real-World Privacy Violations

21.4.1 Strava Fitness App Reveals Military Bases (2018)

What happened: Strava published a global heat map showing where users exercised. In areas with low civilian activity, military personnel’s fitness tracking clearly outlined:

Secret military base layouts
Patrol routes
Guard schedules
Personnel numbers

Privacy failure: Aggregated “anonymous” location data revealed sensitive military intelligence.

Lesson: Anonymization fails when population is small or distinctive.

21.4.2 Ring Doorbell Surveillance Network (2019-2022)

What happened:

Ring partnered with 2,000+ police departments
Police could request footage from any Ring doorbell owner
Created de facto neighborhood surveillance network
Users not informed their footage was being requested

Privacy failure: Home security product became law enforcement surveillance tool without transparent disclosure.

Lesson: Data collected for one purpose easily repurposed for surveillance.

21.4.3 Fitbit Data Used in Murder Trial (2019)

What happened:

Woman’s Fitbit recorded her step count and activity patterns throughout the day
Data showed she was moving around the house at times when her husband claimed she had already been killed by an intruder
Husband convicted partly based on Fitbit evidence contradicting his timeline

Privacy implications:

Fitness data can be subpoenaed in legal proceedings
Users may not consider legal exposure when using wearables
Data intended for health became criminal evidence

Lesson: Consider all possible uses of collected data, not just intended purposes.

21.4.4 iRobot Roomba Floor Plans Sold (2017)

What happened:

Roomba vacuums create detailed maps of homes
iRobot CEO discussed selling floor plan data to smart home companies
Maps reveal room sizes, furniture placement, home layout

Privacy failure: Physical home layout became saleable data product.

Lesson: IoT devices collect data users don’t expect to be monetized.

21.5 The Aggregation Attack in Detail

21.5.1 Smart Meter Analysis: A Concrete Example

Beyond the multi-device aggregation scenario described above, even a single device can enable powerful inferences when data is collected at high granularity. Consider a smart meter recording power consumption:

Diagram showing how raw IoT data from multiple sensors is aggregated to reveal sensitive behavioral patterns, transforming innocuous temperature, motion, and power readings into detailed personal profiles — How Innocuous Data Becomes Sensitive Through Aggregation

Time	Power Usage	Inference
6:00 AM	50W → 2000W	Electric water heater on (morning shower)
6:30 AM	+1500W spike	Electric kettle (coffee/tea)
7:00 AM	+800W, 3 min	Toaster
7:15 AM	2000W → 200W	User left home (baseline power only)
5:30 PM	200W → 1500W	User returned home
11:00 PM	1500W → 50W	User went to bed

From one week of smart meter data alone:

Wake time: 6:00 AM (Mon-Fri), 9:00 AM (weekends)
Work schedule: 7:15 AM - 5:30 PM
Evening activities: TV (identifiable 150W power signature)
Vacation: House empty (baseline only) for 7 consecutive days
Health: Continuous 80W overnight load indicates medical equipment (e.g., CPAP)

This single-device example reinforces the key insight: the aggregation threat does not require multiple devices. Temporal aggregation of high-frequency data from any single sensor can reveal intimate behavioral patterns.

Try It: Smart Meter Granularity vs. Privacy

Adjust the sampling interval of a smart meter to see how data granularity affects what an attacker can infer. Higher frequency data reveals more intimate details about your daily life.

Show code

{
  const intervSec = samplingInterval;
  const readingsPerDay = Math.round(86400 / intervSec);
  const readingsPerWeek = readingsPerDay * 7;
  const dataSizeMBDay = (readingsPerDay * 32 / 1024 / 1024).toFixed(3);

  let intervalLabel;
  if (intervSec < 60) intervalLabel = intervSec + " seconds";
  else if (intervSec < 3600) intervalLabel = (intervSec / 60).toFixed(0) + " minutes";
  else intervalLabel = (intervSec / 3600).toFixed(1) + " hours";

  const inferences = [];
  let privacyScore = 0;
  if (intervSec <= 5) {
    inferences.push({text: "Individual appliance signatures (kettle, TV, CPAP)", risk: "Critical"});
    inferences.push({text: "Exact switch-on/off times for every device", risk: "Critical"});
    privacyScore = 10;
  }
  if (intervSec <= 15) {
    inferences.push({text: "Appliance usage patterns (cooking, entertainment)", risk: "High"});
    inferences.push({text: "Medical equipment detection (continuous loads)", risk: "High"});
    privacyScore = Math.max(privacyScore, 8);
  }
  if (intervSec <= 60) {
    inferences.push({text: "Activity transitions (wake, leave, return, sleep)", risk: "High"});
    privacyScore = Math.max(privacyScore, 7);
  }
  if (intervSec <= 300) {
    inferences.push({text: "General occupancy (home vs. away)", risk: "Medium"});
    privacyScore = Math.max(privacyScore, 5);
  }
  if (intervSec <= 900) {
    inferences.push({text: "Coarse daily pattern (morning/afternoon/evening)", risk: "Medium"});
    privacyScore = Math.max(privacyScore, 4);
  }
  if (intervSec <= 3600) {
    inferences.push({text: "Hourly usage trends", risk: "Low"});
    privacyScore = Math.max(privacyScore, 2);
  }
  if (intervSec > 3600) {
    inferences.push({text: "Daily consumption total only", risk: "Minimal"});
    privacyScore = 1;
  }

  const riskColor = privacyScore >= 8 ? "#E74C3C" : privacyScore >= 5 ? "#E67E22" : privacyScore >= 3 ? "#3498DB" : "#16A085";
  const barWidth = 300;
  const riskBar = Math.round((privacyScore / 10) * barWidth);

  return html`<div style="background: var(--bs-light, #f8f9fa); padding: 1.2rem; border-radius: 8px; border-left: 4px solid ${riskColor}; margin-top: 0.5rem;">
    <div style="display: grid; grid-template-columns: 1fr 1fr; gap: 0.8rem; margin-bottom: 1rem;">
      <div><strong>Sampling interval:</strong> ${intervalLabel}</div>
      <div><strong>Readings per day:</strong> ${readingsPerDay.toLocaleString()}</div>
      <div><strong>Readings per week:</strong> ${readingsPerWeek.toLocaleString()}</div>
      <div><strong>Data size per day:</strong> ${dataSizeMBDay} MB</div>
    </div>
    <p style="margin-bottom: 0.3rem;"><strong>Privacy Exposure: ${privacyScore}/10</strong></p>
    <div style="background: #ddd; border-radius: 4px; height: 20px; width: ${barWidth}px; margin-bottom: 1rem;">
      <div style="background: ${riskColor}; border-radius: 4px; height: 20px; width: ${riskBar}px; transition: width 0.3s;"></div>
    </div>
    <p style="margin-bottom: 0.3rem;"><strong>What an attacker can infer:</strong></p>
    <table style="width: 100%; border-collapse: collapse;">
      <thead><tr style="border-bottom: 2px solid #2C3E50;">
        <th style="text-align: left; padding: 4px 8px;">Inference</th>
        <th style="text-align: left; padding: 4px 8px;">Risk Level</th>
      </tr></thead>
      <tbody>${inferences.map(i => {
        const c = i.risk === "Critical" ? "#8E44AD" : i.risk === "High" ? "#E74C3C" : i.risk === "Medium" ? "#E67E22" : "#16A085";
        return html`<tr style="border-bottom: 1px solid #ddd;">
          <td style="padding: 4px 8px;">${i.text}</td>
          <td style="padding: 4px 8px; color: ${c}; font-weight: bold;">${i.risk}</td>
        </tr>`;
      })}</tbody>
    </table>
    <p style="margin-top: 1rem; margin-bottom: 0; color: #7F8C8D; font-style: italic;">
      <strong>Key insight:</strong> Moving from 15-second to 1-hour intervals reduces data points from ${Math.round(86400/15).toLocaleString()} to 24 per day -- a ${Math.round(86400/15/24)}x reduction -- while still supporting billing accuracy.
    </p>
  </div>`;
}

21.6 Data Flow Visualization: Where Does Your IoT Data Go?

Understanding the typical data flow from IoT devices to third parties helps identify privacy risks at each stage:

Data flow diagram showing how IoT data travels from smart home devices through cloud services and APIs to third-party recipients including advertisers, data brokers, insurance companies, and law enforcement — IoT Data Flow: From Smart Home Devices to Third-Party Recipients

Try It: Third-Party Data Sharing Chain

Explore how your data propagates through the sharing ecosystem. Select a device type and see how many entities receive your data at each hop, and what they learn.

Show code

viewof deviceType = Inputs.select(
  new Map([
    ["Smart Speaker (e.g., Echo)", "speaker"],
    ["Fitness Tracker (e.g., Fitbit)", "fitness"],
    ["Smart TV (e.g., Samsung)", "smarttv"],
    ["Smart Thermostat (e.g., Nest)", "thermostat"],
    ["Robot Vacuum (e.g., Roomba)", "vacuum"]
  ]),
  {label: "Device type", value: "speaker"}
)

Show code

{
  const chains = {
    speaker: {
      name: "Smart Speaker",
      color: "#9B59B6",
      hops: [
        {entity: "Device Manufacturer", count: 1, data: "Voice recordings, commands, device usage", color: "#2C3E50"},
        {entity: "Cloud Services (AWS, Google)", count: 2, data: "Processed voice data, user intent, NLP models", color: "#3498DB"},
        {entity: "Analytics Partners", count: 5, data: "Usage patterns, feature engagement, demographics", color: "#E67E22"},
        {entity: "Advertising Networks", count: 12, data: "Interest profiles, purchase intent signals", color: "#E74C3C"},
        {entity: "Data Brokers", count: 20, data: "Aggregated profiles sold to unknown buyers", color: "#8E44AD"}
      ]
    },
    fitness: {
      name: "Fitness Tracker",
      color: "#E74C3C",
      hops: [
        {entity: "Device Manufacturer", count: 1, data: "Heart rate, steps, GPS, sleep data", color: "#2C3E50"},
        {entity: "Health Analytics Platform", count: 3, data: "Health scores, activity classification, anomalies", color: "#3498DB"},
        {entity: "Research Partners", count: 4, data: "De-identified health trends, population studies", color: "#16A085"},
        {entity: "Insurance Companies", count: 6, data: "Risk scores, activity levels, health indicators", color: "#E67E22"},
        {entity: "Employer Wellness Programs", count: 8, data: "Aggregate fitness data, participation metrics", color: "#E74C3C"}
      ]
    },
    smarttv: {
      name: "Smart TV",
      color: "#3498DB",
      hops: [
        {entity: "TV Manufacturer", count: 1, data: "Viewing history, app usage, ACR fingerprints", color: "#2C3E50"},
        {entity: "Content Providers", count: 4, data: "Watch time, genre preferences, engagement", color: "#3498DB"},
        {entity: "Ad Tech Companies", count: 15, data: "Cross-device profiles, household demographics", color: "#E67E22"},
        {entity: "Political Campaigns", count: 8, data: "News preferences, political leaning signals", color: "#E74C3C"},
        {entity: "Data Brokers", count: 25, data: "Full media consumption profile, resold globally", color: "#8E44AD"}
      ]
    },
    thermostat: {
      name: "Smart Thermostat",
      color: "#E67E22",
      hops: [
        {entity: "Device Manufacturer", count: 1, data: "Temperature, humidity, occupancy, schedule", color: "#2C3E50"},
        {entity: "Energy Analytics", count: 3, data: "Usage patterns, efficiency scores, HVAC health", color: "#3498DB"},
        {entity: "Utility Companies", count: 2, data: "Demand response data, peak usage, grid load", color: "#16A085"},
        {entity: "Insurance Companies", count: 4, data: "Home occupancy patterns, maintenance indicators", color: "#E67E22"},
        {entity: "Real Estate Data Firms", count: 7, data: "Property efficiency ratings, home value indicators", color: "#E74C3C"}
      ]
    },
    vacuum: {
      name: "Robot Vacuum",
      color: "#16A085",
      hops: [
        {entity: "Device Manufacturer", count: 1, data: "Floor plans, room dimensions, furniture layout", color: "#2C3E50"},
        {entity: "Smart Home Platform", count: 3, data: "Room mapping, device placement, home topology", color: "#3498DB"},
        {entity: "Retail Partners", count: 6, data: "Room sizes (furniture recommendations), home type", color: "#E67E22"},
        {entity: "Real Estate Data Firms", count: 5, data: "Square footage, room count, layout quality", color: "#E74C3C"},
        {entity: "Security Companies", count: 4, data: "Entry points, room access patterns, floor plan", color: "#8E44AD"}
      ]
    }
  };

  const chain = chains[deviceType];
  const totalEntities = chain.hops.reduce((sum, h) => sum + h.count, 0);

  return html`<div style="background: var(--bs-light, #f8f9fa); padding: 1.2rem; border-radius: 8px; border-left: 4px solid ${chain.color}; margin-top: 0.5rem;">
    <h4 style="color: ${chain.color}; margin-top: 0;">${chain.name} Data Sharing Chain</h4>
    <p style="margin-bottom: 1rem;">Your data reaches <strong style="color: #E74C3C;">${totalEntities} entities</strong> across ${chain.hops.length} sharing hops:</p>
    ${chain.hops.map((hop, i) => {
      const barW = Math.round((hop.count / 30) * 250);
      return html`<div style="margin-bottom: 0.8rem; padding-left: ${i * 16}px;">
        <div style="display: flex; align-items: center; gap: 8px;">
          <span style="color: ${hop.color}; font-weight: bold; min-width: 24px;">${i === 0 ? "You" : "Hop " + i}:</span>
          <span style="font-weight: bold;">${hop.entity}</span>
          <span style="color: #7F8C8D;">(${hop.count} ${hop.count === 1 ? "entity" : "entities"})</span>
        </div>
        <div style="padding-left: 32px; margin-top: 4px;">
          <div style="background: #ddd; border-radius: 3px; height: 14px; width: 250px; display: inline-block; vertical-align: middle;">
            <div style="background: ${hop.color}; border-radius: 3px; height: 14px; width: ${Math.max(8, barW)}px;"></div>
          </div>
          <div style="color: #7F8C8D; font-size: 0.9em; margin-top: 2px;"><em>Data shared:</em> ${hop.data}</div>
        </div>
      </div>`;
    })}
    <div style="margin-top: 1rem; padding: 0.8rem; background: rgba(231,76,60,0.08); border-radius: 6px;">
      <strong>Key takeaway:</strong> From a single ${chain.name.toLowerCase()}, your data flows to ${totalEntities} separate entities. By hop ${chain.hops.length}, recipients have no direct relationship with you and may use your data in ways you never consented to.
    </div>
  </div>`;
}

21.7 Knowledge Check

Quiz: Privacy Threats

21.8 Concept Relationships

How Privacy Threat Categories Interconnect

Threat Category	Depends On	Amplifies	Mitigation Strategy
Unauthorized Collection	Insufficient user consent	All other threats	Data minimization - don’t collect unnecessary data
Data Aggregation	Collecting multiple small data points	Behavioral profiling, location tracking	Temporal/spatial aggregation - report daily totals not real-time
Location Tracking	GPS, Wi-Fi, cellular data collection	Behavioral profiling, stalking	Location obfuscation - reduce precision to city level
Behavioral Profiling	Aggregated data over time	Discrimination, targeted exploitation	Differential privacy - add statistical noise
Third-Party Sharing	Any data collection	All threats (data out of your control)	Contractual limits on sharing, user consent per recipient

Critical Insight: These threats compound. Unauthorized collection enables aggregation. Aggregation enables profiling. Profiling becomes more valuable when shared with third parties. Each threat multiplies the impact of others.

Example Chain: Smart meter collects 15-sec power readings (unauthorized granularity) → Aggregated to infer appliance usage (aggregation attack) → Reveals daily routine (behavioral profiling) → Sold to insurance company (third-party sharing) → Used to deny claim based on detected medical device (discrimination).

21.9 See Also

Foundation Concepts:

Privacy Fundamentals - Basic privacy principles and legal frameworks
Security vs Privacy - Understanding the distinction

Mitigation Techniques:

Privacy-Preserving Techniques - Differential privacy, k-anonymity, data minimization
Access Control - Limiting who can access collected data

Related Threats:

Threats and Vulnerabilities - Security threats vs privacy threats
Mobile Privacy - Smartphone-specific privacy concerns

Regulatory Context:

Privacy Regulations - Legal requirements for data collection
GDPR Compliance - GDPR safeguards and compliance

Match: Privacy Threats to Their Descriptions

Order: Privacy Risk Escalation from Low to High

Common Pitfalls

1. Treating privacy as a legal compliance problem rather than a design problem

Complying with GDPR requirements on paper without actually designing for privacy produces systems that technically satisfy legal requirements while collecting, retaining, and sharing more personal IoT data than users expect. Design for privacy as a user-value proposition.

2. Assuming aggregation anonymises data

Aggregating location data to city-level, or rounding GPS coordinates, does not anonymise data when combined with timestamps, device IDs, and contextual information. Demonstrate re-identification resistance mathematically, not just intuitively.

3. Collecting IoT data for operational purposes without considering secondary uses

Data collected for HVAC optimisation may later be used to infer employee work patterns, then sold to third parties. Define and enforce use limitations at collection time, not after the data has been accumulated.

4. Not notifying users about IoT data collection in shared spaces

Smart home devices that collect data about guests or visitors, and building IoT systems that collect data about employees, require clear disclosure beyond what a terms-of-service document buried in an app provides.

Label the Diagram

💻 Code Challenge

21.10 Summary

IoT privacy threats extend beyond traditional security concerns:

Threat Category	Description	Key Risk
Unauthorized Collection	Hidden sensors, excessive data gathering	Data exists that shouldn’t
Data Aggregation	Pattern inference from harmless data	Innocent data becomes sensitive
Location Tracking	Continuous monitoring via GPS/Wi-Fi/cellular	Movement history exposed
Behavioral Profiling	Detailed habit and preference mapping	Intimate profile creation
Third-Party Sharing	Data flows to unknown recipients	Loss of control over personal data

Key Insights:

The “House That Spied” showed 18 devices contacting 56 companies
Military bases revealed through aggregated fitness data
Floor plans, sleep patterns, and health data monetized without user awareness
Innocuous data (temperature, motion) enables powerful inferences
Privacy violations often stem from legitimate (not malicious) data collection

Worked Example: Privacy-Preserving Smart Meter Design

Scenario: A utility company deploys 50,000 smart meters collecting energy usage every 15 seconds (4 readings/minute × 1,440 min/day = 5,760 readings/day/household). Privacy researchers demonstrate they can infer when residents wake up, leave home, cook meals, watch TV, and use medical equipment from this granular data.

Initial Design (Privacy-Violating):

# Smart meter sends raw readings every 15 seconds
timestamp: 2024-10-26 06:30:00
household_id: 12345
power_watts: 2100  # Electric kettle (morning tea)

timestamp: 2024-10-26 06:31:00
household_id: 12345
power_watts: 50    # Kettle off, baseline power

# Privacy leak: Anyone with access sees:
# - Exact wake-up time (kettle usage spike)
# - Meal times (stove/microwave patterns)
# - TV watching (characteristic 150W signature)
# - Medical equipment usage (continuous 80W CPAP machine)
# - Vacation periods (baseline only for 7 days)

Problem Analysis:

Data Granularity	What Attacker Learns	Privacy Impact
15-second intervals	Individual appliances (kettle, TV, microwave)	High - lifestyle details
1-minute intervals	Activity patterns (cooking, cleaning)	High - behavioral profiling
15-minute intervals	General occupancy (home/away)	Medium - presence detection
1-hour intervals	Aggregate usage only	Low - no appliance details
Daily totals	Billing information only	Very low - legitimate purpose

Privacy-Preserving Redesign:

Step 1: Data Minimization (Reduce Collection)

# Collect only what's needed for billing
# Billing requires: Daily total kWh (not 15-second readings)

# Before: 5,760 readings/day × 50,000 households = 288M data points
# After: 1 reading/day × 50,000 households = 50K data points
# Reduction: 5,760× less data collected

# Smart meter stores 15-sec readings locally (for user)
# Sends only daily aggregate to utility
daily_reading = {
    'date': '2024-10-26',
    'household_id': 12345,
    'total_kwh': 32.5,  # Single daily value
    'peak_demand_kw': 4.2  # Max simultaneous load (for grid planning)
}

# Result: No appliance-level inference possible from daily totals

Step 2: Differential Privacy (Add Calibrated Noise)

import numpy as np

def add_laplace_noise(value, sensitivity, epsilon):
    """
    Add Laplace noise for differential privacy
    epsilon: Privacy budget (lower = more privacy)
    sensitivity: Maximum change in output
    """
    scale = sensitivity / epsilon
    noise = np.random.laplace(0, scale)
    return value + noise

# For 15-minute aggregates (if required by grid operator)
reading_15min = {
    'timestamp': '2024-10-26 06:30:00',
    'household_id': 12345,
    'avg_power_kw': add_laplace_noise(2.1, sensitivity=0.5, epsilon=1.0)
    # True value: 2.1 kW
    # Noisy value: 2.3 kW (noise: +0.2)
}

# Privacy guarantee: Individual reading reveals little
# Aggregate across 1000 homes: Noise cancels out, accurate total

Step 3: K-Anonymity (Remove Unique Identifiers)

# Before: household_id = 12345 (unique, traceable)
# After: Report by neighborhood, not individual home

neighborhood_reading = {
    'zip_code': '94102',  # 500 households
    'timestamp': '2024-10-26 06:00:00',
    'avg_power_kw': 1.8,  # Average of 500 homes
    'total_kwh': 900      # Sum of 500 homes
}

# Result: Cannot identify individual household
# Any individual record indistinguishable from 499 others (K=500)

Step 4: Edge Processing (Keep Data Local)

# Appliance disaggregation runs ON the smart meter (not cloud)
# User sees: "Your kettle used 0.2 kWh today"
# Utility sees: "Household used 32.5 kWh today" (aggregate only)

class SmartMeterEdgeProcessing:
    def __init__(self):
        self.appliance_db = load_appliance_signatures()
        self.daily_usage = {}

    def process_15sec_reading(self, power_watts):
        # Run locally on smart meter
        appliance = self.identify_appliance(power_watts)
        self.daily_usage[appliance] += power_watts * (15/3600)  # kWh

    def send_to_utility(self):
        # Only send aggregate (appliance breakdown stays local)
        total_kwh = sum(self.daily_usage.values())
        return {'total_kwh': total_kwh}  # No appliance details

Step 5: Anonymization with Temporal Aggregation

# Prevent timing correlation attacks
# Instead of: "Household X used kettle at 06:30 every weekday"
# Report: "Neighborhood morning usage peak 06:00-09:00"

temporal_aggregate = {
    'zip_code': '94102',
    'date': '2024-10-26',
    'morning_peak_kwh': 2400,      # 06:00-09:00 total
    'afternoon_usage_kwh': 1800,   # 09:00-18:00 total
    'evening_peak_kwh': 3200,      # 18:00-23:00 total
    'night_usage_kwh': 600         # 23:00-06:00 total
}

# Result: No per-household timing patterns visible

Privacy Impact Assessment:

Metric	Before (15-sec readings)	After (Privacy-Preserving)
Data points/day/home	5,760	1
Appliance inference	95% accurate	<5% (guessing)
Activity timing	Exact (±15 sec)	Coarse (±3 hours)
Vacation detection	100%	0% (noise obscures)
Medical equipment ID	Yes (CPAP, dialysis)	No (aggregated)
Utility billing accuracy	100%	99.8% (noise small)

Cost-Benefit Analysis:

Benefits:

Privacy compliance (GDPR, CCPA)
User trust (transparent data practices)
Reduced data breach impact (less sensitive data)
Lower storage costs (5,760× less data)

Costs:

Grid operators lose real-time appliance data (accept 15-min aggregates)
R&D investment ($500k for privacy-preserving algorithms)
Slightly noisier data for demand forecasting (99.8% vs 100% accuracy)

Key Lesson: Privacy by design doesn’t mean “collect no data”. It means “collect only what’s necessary, aggregate when possible, anonymize when required, and process locally when feasible.”

Verification:

# Test: Can attacker reconstruct daily routine from privacy-preserved data?
privacy_data = daily_aggregates  # 1 value per day
attack_result = infer_appliances(privacy_data)
# Result: <5% accuracy (random guessing baseline)

# Compare to raw data:
raw_data = readings_15sec  # 5,760 values per day
attack_result = infer_appliances(raw_data)
# Result: 95% accuracy (complete privacy loss)

Decision Framework: Assessing Privacy Risks in Your IoT System

Use this framework to systematically evaluate privacy risks and select appropriate mitigation strategies:

Stage	Question	Privacy Risk	Mitigation Strategy
1. Data Collection	What data do you collect?	High: PII, location, behavior	Data minimization (collect only necessary)
2. Granularity	How often do you sample?	High: <1 minute (enables inference)	Temporal aggregation (5-15 min intervals)
3. Identifiers	Do records include unique IDs?	High: User ID, device serial	K-anonymity or pseudonymization
4. Aggregation	Can individual records be isolated?	High: Per-device data streams	Aggregate across population
5. Inference	Can sensitive info be inferred?	High: Activity patterns, health	Differential privacy (add noise)
6. Sharing	Do you share data with third parties?	High: Advertisers, data brokers	Minimize sharing, anonymize before sharing
7. Storage	How long do you retain data?	Medium: >90 days enables profiling	Auto-delete after retention period
8. Access	Who can access raw data?	High: Broad access (developers, ops)	Role-based access control (RBAC)

Interactive Privacy Risk Scoring:

Use this calculator to assess the privacy risk of your IoT system across four dimensions (0-25 points each):

Show code

viewof dataSensitivity = Inputs.select(
  new Map([
    ["PII (names, email, biometrics) — 25 pts", 25],
    ["Location data (GPS, Wi-Fi) — 20 pts", 20],
    ["Behavioral data (usage patterns) — 15 pts", 15],
    ["Environmental only (temp, humidity) — 5 pts", 5],
    ["No sensitive data — 0 pts", 0]
  ]),
  {label: "Data Sensitivity (0-25)", value: 15}
)

Show code

viewof granularity = Inputs.select(
  new Map([
    ["< 1 minute (real-time) — 25 pts", 25],
    ["1-5 minutes — 15 pts", 15],
    ["5-60 minutes — 5 pts", 5],
    ["Hourly or less frequent — 0 pts", 0]
  ]),
  {label: "Sampling Granularity (0-25)", value: 15}
)

Show code

viewof identifiability = Inputs.select(
  new Map([
    ["Unique user/device ID — 25 pts", 25],
    ["Pseudonymized ID — 10 pts", 10],
    ["Aggregate data only — 0 pts", 0]
  ]),
  {label: "Identifiability (0-25)", value: 25}
)

Show code

viewof sharing = Inputs.select(
  new Map([
    ["Third-party sharing (advertisers, brokers) — 25 pts", 25],
    ["Internal use only — 5 pts", 5],
    ["No data sharing — 0 pts", 0]
  ]),
  {label: "Data Sharing (0-25)", value: 5}
)

Show code

{
  const riskScore = dataSensitivity + granularity + identifiability + sharing;
  const riskLevel = riskScore <= 25 ? "Low" : riskScore <= 50 ? "Medium" : riskScore <= 75 ? "High" : "Critical";
  const riskColor = riskScore <= 25 ? "#16A085" : riskScore <= 50 ? "#E67E22" : riskScore <= 75 ? "#E74C3C" : "#8E44AD";
  const mitigations = riskScore <= 25
    ? "Standard security (encryption, authentication)"
    : riskScore <= 50
    ? "Add data minimization and pseudonymization"
    : riskScore <= 75
    ? "Add differential privacy and K-anonymity"
    : "Full privacy-by-design with edge processing required";

  return html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid ${riskColor}; margin-top: 0.5rem;">
    <p><strong>Privacy Risk Score:</strong> <span style="font-size: 1.4em; color: ${riskColor}; font-weight: bold;">${riskScore}/100</span></p>
    <p><strong>Risk Level:</strong> <span style="color: ${riskColor}; font-weight: bold;">${riskLevel}</span></p>
    <p style="margin-bottom: 0;"><strong>Required Mitigations:</strong> ${mitigations}</p>
  </div>`;
}

Example Risk Assessments:

Example 1: Smart Thermostat

Data: Temperature (non-PII), setpoint changes → +15
Granularity: Every 5 minutes → +15
Identifiers: Household ID → +25
Sharing: Cloud analytics → +15
Total: 70 (High Risk)
Mitigation: Pseudonymize IDs, aggregate to 15-min intervals, differential privacy on cloud analytics

Example 2: Fitness Tracker

Data: Heart rate, GPS location (sensitive) → +25
Granularity: Every 5 seconds → +25
Identifiers: User account (email) → +25
Sharing: Advertisers, insurance → +25
Total: 100 (Critical Risk)
Mitigation: Data minimization (ask user permission), location obfuscation, opt-out of sharing, local processing

Mitigation Selection Guide:

Your Risk Score	Required Mitigations	Effort	Result
0-25 (Low)	Standard security (encryption, auth)	Low	Compliant
26-50 (Medium)	+ Data minimization, Pseudonymization	Medium	Reduced risk to <25
51-75 (High)	+ Differential privacy, K-anonymity	High	Reduced risk to <35
76-100 (Critical)	+ Full privacy-by-design, edge processing	Very High	Reduced risk to <40

Checklist:

Privacy risk score calculated
Data collection minimized (only necessary fields)
Granularity reduced (coarser time intervals)
Identifiers removed or pseudonymized
Third-party sharing documented and minimized
Retention policy enforced (auto-delete after period)
User controls implemented (view data, delete data, opt-out)

Common Mistake: Believing Anonymization Alone Protects Privacy

The Mistake: An IoT company removes names and email addresses from smart home data, believing it’s now “anonymous” and safe to share with researchers. Privacy researchers re-identify 87% of households by cross-referencing publicly available data (address, ZIP code, household size).

Why It Happens:

Misunderstanding “anonymous” vs “de-identified”
Assuming removing PII (Personally Identifiable Information) is sufficient
Ignoring quasi-identifiers (ZIP code, age, gender) that combine to re-identify
Not testing re-identification risk before releasing data

Real-World Re-Identification Attack:

Step 1: “Anonymized” Smart Home Dataset

# Company releases this dataset (believes it's anonymous)
{
    'household_id': 'ANON_12345',  # Pseudonym (not real ID)
    'zip_code': '94102',
    'num_residents': 2,
    'has_children': False,
    'square_feet': 850,
    'hvac_usage_kwh': 420,
    'lighting_pattern': [0,0,0,0,0,1,1,1,1,1,0,0] # Hourly usage (lights on 6am-4pm)
}

# No names, no addresses → Company thinks this is anonymous

Step 2: Cross-Reference with Public Data

# Attacker queries public real estate database (Zillow, Redfin)
zillow_data = {
    'address': '123 Market St, San Francisco, CA 94102',
    'square_feet': 850,
    'bedrooms': 1,
    'sold_date': '2023-08-15'
}

# Match criteria:
# - ZIP code: 94102 (100 homes match)
# - Square feet: 850 (12 homes match)
# - Lighting pattern: Lights on 6am-4pm suggests 9-5 office workers (3 homes match)

# Result: Only 3 possible homes in entire dataset
# Check social media: LinkedIn shows 2 of 3 households have children
# → Eliminates 2 households
# → Re-identified: 123 Market St with 100% confidence

Step 3: Learn Sensitive Information

# Now attacker knows about 123 Market St residents:
# - Medical equipment usage (continuous 80W CPAP machine)
# - Vacation dates (7-day absence pattern)
# - Home security (motion detector offline 10pm-6am)
# - Financial status (high energy bills suggest poor insulation)

# Privacy fully compromised despite "anonymization"

Why Simple Anonymization Fails:

Quasi-Identifier	Uniqueness	Example
ZIP + Date of Birth + Gender	87% unique	94102 + 1990-03-15 + M → 1 of 12 people
ZIP + Birth month and day	63% unique	94102 + Dec 25 → 1 of 28 people
Location (home+work)	95% unique	Home: 94102, Work: 94105 → 1 of 8 people

The Fix: Multi-Layer Privacy Protection:

Layer 1: K-Anonymity (Generalization)

# Generalize quasi-identifiers until each record has K-1 twins

# Before: ZIP=94102, Age=34, Gender=M (unique)
# After:  ZIP=941**, Age=30-40, Gender=* (K=50 people match)

def generalize_for_k_anonymity(record, k=5):
    record['zip_code'] = record['zip_code'][:3] + '**'  # 94102 → 941**
    record['age'] = (record['age'] // 10) * 10 + '-' + str((record['age'] // 10) * 10 + 10)
    record['square_feet'] = round(record['square_feet'] / 100) * 100  # 850 → 800-900
    return record

# Result: Each record now matches 5+ other records (K=5)
# Cannot uniquely identify individual households

Layer 2: L-Diversity (Sensitive Attribute Protection)

# Ensure each K-anonymous group has diverse sensitive values
# Problem: If all K=5 homes in group use medical equipment, reveals info

def ensure_l_diversity(group, l=3):
    """Each group must have ≥L distinct sensitive values"""
    medical_equipment = [r['has_medical'] for r in group]
    if len(set(medical_equipment)) < l:
        # Suppress or generalize further
        return None
    return group

# Example: Group of 5 homes with K-anonymity
# Home 1: Medical equipment = Yes
# Home 2: Medical equipment = Yes
# Home 3: Medical equipment = Yes
# Home 4: Medical equipment = No
# Home 5: Medical equipment = No
# → Only 2 distinct values (Yes, No)
# → L-diversity violated (need L=3)
# → Suppress this group or generalize further

Layer 3: Differential Privacy (Statistical Noise)

def add_differential_privacy_noise(value, epsilon=1.0):
    """Add Laplace noise to protect individual contributions"""
    sensitivity = 1.0  # Max change in output
    scale = sensitivity / epsilon
    noise = np.random.laplace(0, scale)
    return value + noise

# Apply to aggregates
neighborhood_avg_usage = mean(household_usages)
noisy_avg = add_differential_privacy_noise(neighborhood_avg_usage)

# Privacy guarantee: Cannot determine if any individual
# household is in the dataset (within probability bound)

Layer 4: Data Minimization (Don’t Collect)

# Best privacy protection: Don't collect data in the first place

# Before: Collect lighting usage every minute (detailed patterns)
# After: Collect daily total lighting kWh only (no patterns)

data_to_collect = {
    'daily_total_kwh': 32.5,  # Useful for billing
    # REMOVED: hourly_usage_pattern (enabled re-identification)
    # REMOVED: individual_appliance_usage (lifestyle details)
}

Validation Test:

# Test re-identification risk before releasing data
def test_reidentification_risk(anonymized_data, public_data):
    matches = 0
    for anon_record in anonymized_data:
        for public_record in public_data:
            if records_match(anon_record, public_record):
                matches += 1
                break

    risk = matches / len(anonymized_data)
    print(f"Re-identification risk: {risk:.1%}")

    # Acceptable: <5% re-identification risk
    # Unacceptable: >20% risk
    assert risk < 0.05, "Re-identification risk too high!"

Checklist to Avoid This Mistake:

K-anonymity enforced (K≥5, each record matches 4+ others)
L-diversity verified (sensitive attributes diverse within groups)
Differential privacy applied (statistical noise added)
Re-identification attack tested (with public data sources)
Data minimization applied (collect only necessary fields)
Quasi-identifiers identified and generalized (ZIP, age, gender, etc.)
Legal review completed (GDPR, CCPA compliance)

Rule of Thumb: If your “anonymized” data includes 3+ quasi-identifiers (ZIP, age, gender, address, etc.), it’s probably re-identifiable. Test before releasing.

Putting Numbers to It: Re-identification Probability with Quasi-Identifiers

The probability that a supposedly anonymous record can be re-identified to a specific individual increases exponentially with the number of quasi-identifiers (QI) present.

\[P(\text{re-id}) = 1 - \prod_{i=1}^{k} (1 - U_i)\]

Where $U_i$ = uniqueness of quasi-identifier $i$ in the population, $k$ = number of quasi-identifiers

Working through an example:

Given: “Anonymized” smart home dataset with 3 quasi-identifiers in ZIP code 94102 (population 55,000)

Step 1: Calculate Individual QI Uniqueness

QI	Values in ZIP	Uniqueness $U_i$
Age (34 years)	1,200 people age 34	$U_1 = \frac{1{,}200}{55{,}000} = 0.0218$
Gender (M)	27,000 males	$U_2 = \frac{27{,}000}{55{,}000} = 0.4909$
Square footage (850 sqft)	420 homes 800-900 sqft	$U_3 = \frac{420}{55{,}000} = 0.0076$

Step 2: Calculate Combined Re-identification Probability

Without independence (actual intersection): \[\text{Matching households} = \frac{1{,}200 \times 420}{55{,}000} \approx 9 \text{ households}\]

With lighting pattern (on 6am-4pm = office workers): \[\text{Final candidates} = \frac{9}{3} = 3 \text{ households}\]

\[P(\text{re-id}) = \frac{1}{3} = 0.333 = 33.3\% \text{ chance per guess}\]

With social media check (2 of 3 have children): \[P(\text{re-id | no children}) = 100\% \text{ (only 1 household matches)}\]

Step 3: Calculate K-Anonymity Violation

K-anonymity requires each record be indistinguishable from $k-1$ others: \[K = \text{matching households} = 3\]

Required for compliance (GDPR): $K \geq 5$. This dataset violates k-anonymity.

Result: With just 3 quasi-identifiers (age, gender, square footage), an attacker narrows 55,000 people to 3 households (99.995% reduction). One additional data point (social media: no children) achieves 100% re-identification.

In practice: Smart home data contains dozens of quasi-identifiers: - Energy usage pattern (uniqueness ≈ 90%) - Device ownership (Nest + Ring + Philips Hue = rare combo) - Occupancy schedule (wake/leave/return times)

\[P(\text{re-id})_{\text{3 QI}} = 87\%, \quad P(\text{re-id})_{\text{5 QI}} = 99.6\%\]

Simple de-identification (removing name, address) provides zero privacy protection when 5+ quasi-identifiers remain.

Try it yourself – adjust the number of quasi-identifiers and population size to see how quickly re-identification becomes possible:

Show code

{
  // Model: each QI reduces candidate pool by a factor
  // With 1 QI: ~1/50 of population matches
  // Each additional QI reduces by factor of ~3-10
  const reductionPerQI = 0.15; // Each QI retains ~15% of candidates
  const candidates = Math.max(1, Math.round(popSize * Math.pow(reductionPerQI, numQI)));
  const reidentProb = Math.min(100, (1 / candidates) * 100);
  const kValue = candidates;
  const kCompliant = kValue >= 5;
  const reduction = ((1 - candidates / popSize) * 100).toFixed(3);
  const probColor = reidentProb > 50 ? "#E74C3C" : reidentProb > 10 ? "#E67E22" : "#16A085";

  return html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid ${probColor}; margin-top: 0.5rem;">
    <p><strong>Matching candidates:</strong> ~${candidates.toLocaleString()} out of ${popSize.toLocaleString()} (${reduction}% reduction)</p>
    <p><strong>K-anonymity value:</strong> K = ${kValue} ${kCompliant ? "(compliant: K >= 5)" : "<span style='color: #E74C3C; font-weight: bold;'>(VIOLATION: K < 5)</span>"}</p>
    <p style="margin-bottom: 0;"><strong>Re-identification probability per guess:</strong> <span style="color: ${probColor}; font-weight: bold;">${reidentProb.toFixed(1)}%</span></p>
  </div>`;
}

21.11 What’s Next

Continue to Privacy-Preserving Techniques to learn how to mitigate these threats:

Data minimization at collection
Anonymization and pseudonymization
Differential privacy for analytics
Edge processing to keep data local

Understanding threats enables you to design appropriate countermeasures.

← Security Overview Foundations

Privacy-Preserving Techniques →