WO2022132146A1 - User information protection in iot devices - Google Patents


Publication number
WO2022132146A1
Authority
WO
WIPO (PCT)
Prior art keywords
IoT
data
devices
compliance
network
Application number
PCT/US2020/065470
Other languages
French (fr)
Inventor
Mordehai Margalit
Debmalya BISWAS
Nery Strasman
Seth Adrian Miller
Original Assignee
Funai Electric Co., Ltd.
Application filed by Funai Electric Co., Ltd.
Priority to PCT/US2020/065470
Publication of WO2022132146A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/37 Managing security policies for mobile devices or for controlling mobile applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]

Definitions

  • Data protection, specifically personal information protection
  • While Internet services such as websites and computer software are increasingly designed with data protection requirements in mind, smaller networked devices are often overlooked.
  • Internet of Things (IoT) enabled wireless devices are used to monitor and control a wide variety of aspects of daily life ranging from security to environmental controls. Such devices perform specific operations and transmit data over various networks to other systems and devices.
  • The present disclosure generally describes techniques for data protection in IoT devices.
  • A system for data protection compliance in Internet of Things (IoT) devices may include a plurality of IoT devices, each IoT device configured to perform an operation and transmit data associated with the operation, and a compliance manager communicatively coupled to the plurality of IoT devices.
  • The compliance manager may be configured to assign each IoT device to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and enforce the one or more data protection policies on the transmitted data by the IoT devices through the abstract data layer constructed at the compliance manager.
  • A compliance manager to manage data protection compliance for Internet of Things (IoT) devices may include a communication module configured to facilitate communications with a plurality of IoT devices and one or more network devices over a network; a memory configured to store instructions; and a processor coupled to the communication module and the memory.
  • The processor, in conjunction with the instructions stored in the memory, may be configured to assign each IoT device to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and enforce the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager.
  • A method to manage data protection compliance for Internet of Things (IoT) devices may include assigning, at a compliance manager, each IoT device of a plurality of IoT devices at a particular location to a category based on a functionality associated with each IoT device; providing an abstract data layer; storing one or more data protection policies based on categories of the IoT devices; and enforcing the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager.
  • FIG. 1 includes an architectural illustration of a home, where Internet of Things (IoT) wireless devices may transmit data over a network protected by a compliance manager;
  • FIG. 2 includes a conceptual illustration of a system according to embodiments with different implementations of a compliance manager
  • FIG. 3 includes an illustration of an example compliance manager categorizing different IoT devices
  • FIG. 4 illustrates major components and actions of an example system for IoT device data protection
  • FIG. 5 illustrates a computing device, which may be used to manage data protection in IoT devices
  • FIG. 6 is a flow diagram illustrating an example method for data protection in IoT devices that may be performed by a computing device such as the computing device in FIG. 5;
  • FIG. 7 illustrates a block diagram of an example computer program product, all of which are arranged in accordance with at least some embodiments described herein.
  • This disclosure is generally drawn, inter alia, to methods, apparatus, systems, devices, and/or computer program products related to data protection in IoT devices through a compliance manager.
  • A system for controlling and ensuring compliance of IoT devices data protection requirements may include IoT devices to perform various functions and a compliance manager in communication with the IoT devices and a network.
  • The compliance manager, which may be implemented at a local hub or at the network, may categorize the IoT devices according to their functionality and enforce data protection policies for user privacy protection based on categories.
  • An abstract data layer may store anonymized data from the IoT device before it is transmitted to the network. Users may be enabled to set/adjust policies based on categories. Information about compliance status of IoT devices may also be presented to the users.
  • FIG. 1 includes an architectural illustration of a home, where IoT wireless devices may transmit data over a network protected by a compliance manager, arranged in accordance with at least some embodiments described herein.
  • Diagram 100 shows a home 102 with a smart television 104, security camera 108, smart refrigerator 112, lighting control 114, motion sensor 110, and temperature controller 116.
  • The home 102 also includes a local hub (or customer premises equipment “CPE”) 106, which may communicate wirelessly with base station 120.
  • Base station 120 may communicate with other devices such as servers 130 over one or more networks (e.g., a 5G cellular network).
  • Smart television 104, security camera 108, smart refrigerator 112, lighting control 114, motion sensor 110, and temperature controller 116 may communicate through wired or wireless means with the base station 120 directly or through the hub 106 and may be configured as IoT devices having their respective IP addresses.
  • The IoT devices may communicate status and other information associated with their respective operations to other devices through wireless communications. They may also receive instructions associated with their respective operations from other devices over the network.
  • The smart television 104, security camera 108, smart refrigerator 112, lighting control 114, motion sensor 110, and temperature controller 116 are illustrative examples of IoT devices and do not constitute a limit on types of wireless devices according to embodiments.
  • Other examples may include, but are not limited to, control devices for managing a temperature, a humidity, an air flow speed, a lighting level, a lighting composition, a sound level, and/or a sound composition, sensors such as a temperature sensor, a humidity sensor, a sound sensor, a light detection sensor, an air flow sensor, a body sensor, or comparable input devices, for example.
  • The home 102 in diagram 100 is also an illustrative example for a location, where embodiments may be implemented, but is not intended to limit embodiments.
  • Other locations may include, but are not limited to, an office, a school, a health care facility, a hotel, a factory, or comparable buildings, as well as, a vehicle such as an automobile, a bus, a recreational vehicle, an airplane, a ship, and similar ones.
  • IoT devices may communicate over wired networks such as local area networks (LANs), digital subscriber line (DSL) networks, optical networks, cable networks; others may communicate over wireless networks such as wireless LANs, cellular networks, terrestrial or satellite communication links, and comparable ones, which can provide sufficient bandwidth.
  • Wireless technologies such as 4G, LTE, 5G and any current or future cellular wireless technologies or satellite communication technologies may be used to communicate with IoT devices along with microwave, whole-city Wifi®, and combinations of similar technologies.
  • 5G networks are digital cellular networks, in which the service area is divided into small geographical areas called cells. All 5G wireless devices in a cell exchange digital data with the Internet and the telephone network by radio waves through a local antenna in the cell. 5G networks provide greater bandwidth compared to previous standards allowing higher download speeds more than 10 gigabits per second (Gbit/s). This, in turn, allows cellular service providers to become Internet service providers interconnecting most user devices.
  • 5G protocol replaces a number of the hardware components of the cellular network with software that “virtualizes” the network by using the common language of Internet Protocol (IP).
  • Low band 5G uses a similar frequency range to current 4G network in the 600-700 MHz range supporting download speeds a little higher than 4G (30-250 megabits per second).
  • Mid band 5G uses microwaves in the range of 2.5-3.7 GHz allowing speeds of 100-900 Mbit/s with each cell tower providing service up to several miles in radius.
  • High band 5G uses frequencies in the range of 25-39 GHz, near the millimeter wave band, although higher frequencies may be used in the future.
  • The high band may achieve download speeds of a gigabit per second comparable to cable Internet.
  • There are various versions of 5G.
  • Embodiments may be implemented in 5G or 5G-compliant networks, which may have variations in different aspects of the protocol.
  • Data protection for user privacy protection regulations exist in varying forms across the world. However, data protection, especially configuration, control, and audit by users are typically not provided for IoT devices such as those shown in diagram 100.
  • Temperature data from temperature controller 116 may be transmitted to a service company, as well as, a manufacturer of the temperature controller.
  • A user may not wish their temperature data to be shared with the manufacturer. In a typical system, the user may not even be aware that the temperature controller 116 is sharing the data with the manufacturer.
  • A compliance manager may include an abstract data layer that includes anonymized data to be transmitted to the network such that only data permitted by the user to be shared with certain recipients is forwarded to those recipients.
  • The abstract data layer may contain processed data from the IoT devices, or data to be provided to the IoT devices, where processing may include, but is not limited to, anonymization of data or other means of obscuring the data source or IoT device, implementing specific data privacy procedures compliance definitions, or data handling, preventing specific aspects of data to be presented to certain providers or IoT devices, and providing device level categorization or grouping.
  • The abstract data layer may be implemented as volatile or non-volatile data storage, where the received (complete) data may be processed and stored (even if temporarily). In other implementations, the abstract data layer may also include rules for processing the data.
  • The compliance manager may control encryption of transmitted data and presentation of compliance status for each IoT device to the user.
  • Anonymization may include hiding or obscuring a portion of data (such as data that may identify a user, a user’s image, a source identifier, a user’s voice, header information, and comparable ones).
  • Anonymization may include selective hiding or obscuring of portions of data based on a recipient. For example, user identity may not be hidden from a service provider for a particular IoT device (e.g., health monitoring device), but may be hidden from a manufacturer of the device.
  • An IoT device is a device that is connected to the Internet and passes data from itself to a secondary processor that is physically distinct.
  • IoT devices may be categorized based on their functionality, their communication type (wired, wireless, cellular, WiFi, etc.), data storage capability, location, or any other user-defined category.
  • IoT devices may perform a wide range of operations including, but not limited to, sensing (e.g., environment), detecting, managing a smart appliance, and others.
  • FIG. 2 includes a conceptual illustration of a system according to embodiments with different implementations of a compliance manager, arranged in accordance with at least some embodiments described herein.
  • Diagram 200 shows multiple IoT devices 204 interacting with and receiving data from user 202 and communicating with other systems and devices 214 over a network 210 through local hub 208.
  • The diagram also shows three alternative implementations of a compliance manager: (1) as a separate on-premise device (206A), (2) as part of the local hub (206B), or (3) as part of a server 212 at the network 210 (206C).
  • The abstract data layers may be constructed to comply with the data protection requirements and may be accessible to service providers and/or customers.
  • Device-level categorization may define routing paths for transmitted data. Users may control compliance manager configurations from any device. Compliance status of at least some IoT devices may be presented through a physical or virtual mechanism at the IoT device or through another device (e.g., a display device) to provide feedback to a user.
  • IoT devices may present a challenge for data protection due to their size, type, and networking configurations. For example, in implementations employing 5G cellular network, some IoT devices may communicate directly with the network bypassing any firewall or similar on-premise data protection measures. Some IoT devices may be too small to provide a user interface for a user to control data protection schemes. Furthermore, there may be a large number of IoT devices at a location making individual management of such devices impractical by a user.
  • A compliance manager may be implemented as an egress physical or virtual device for IoT devices at a particular location. The compliance manager may provide, among other things, two main functions: (1) policy definition - defining groups and data permissions; and (2) policy enforcement - enforcing data from IoT devices to conform to a defined policy.
  • The compliance manager may be implemented as one or more devices (206A) within a premise network communicatively positioned between the IoT devices 204 and local hub 208.
  • The compliance manager may be implemented (206B) as part of the local hub 208.
  • The compliance manager may be implemented (206C) as an in-network, cloud-based device, for example, as part of a server within the network 210. While the compliance manager may ensure data protection compliance through the data abstract layer(s), it may also configure/instruct some IoT devices to anonymize their data prior to transmission to the network. This may be applicable to IoT devices communicating directly with the network.
  • A system may enable some of the IoT devices to include a physical or virtual mechanism for providing feedback to show that a device is under compliance (e.g., using a green light indicator when the device is in compliance, an icon, or a visual indicator on a screen or on an application user interface).
  • The system may also enable the user to define a data policy to ensure the IoT devices comply with the data protection policy.
  • The compliance manager may include a control plane presented to the user on a dedicated screen, mobile device app, computer program, or voice control, where the control plane provides an option to determine type and format of data sharing (sharing all data, sharing anonymized data, etc.) for each IoT device group, for example.
  • The compliance manager may monitor all egress points that allow access to a network (e.g., Wi-Fi, Lora®, Zigbee®, Bluetooth®, 5G modem, etc.).
  • FIG. 3 includes an illustration of an example compliance manager categorizing different IoT devices, arranged in accordance with at least some embodiments described herein.
  • Diagram 300 in FIG. 3 shows an example compliance manager 304 with one or more data protection policies 306.
  • The compliance manager may manage data protection for IoT devices D1-D4, which may be grouped according to functionality categories 322 and 324, for example.
  • A user 302 may interact (312) with the compliance manager defining or modifying policies, defining or modifying categories, and receiving compliance status information for specific IoT devices.
  • Anonymized data 316 may be transmitted through the compliance manager to a network.
  • The compliance manager may have a record of all IoT devices D1-D4 at a location and group the devices according to one or more categories 322, 324 based on functional aspects of each device.
  • A temperature sensor may be grouped as temperature sensor, air conditioning, and fire alarm.
  • The groups may change over time by input from a user, a device software provider, a device hardware provider, or by an IoT service provider.
  • A new capability may be added to an IoT device by its manufacturer as part of an update, and the device may be added to a new category.
  • The compliance manager may include a control plane, which may be presented to the user through a display on the compliance manager device, an application user interface on any computing device (communicatively coupled to the compliance manager), and/or voice control.
  • The control plane may provide an option to determine a type and format of data sharing for each IoT device group. Examples may include sharing all the data, sharing only anonymized data, and sharing no data. The data sharing may be further controlled based on a recipient of the data sharing. For example, a user may define to share all data with maintenance service providers but share only anonymized data with the manufacturer of the IoT device.
  • A compliance manager may associate a network address of source and destination of the data with a functional grouping.
  • A temperature sensor may not be a random IP address but grouped according to functionality.
  • The destination of the data may be defined by functionality.
  • The functionality tables may be maintained by trusted third parties similar to certificate providers in networks.
  • FIG. 4 illustrates major components and actions of an example system for IoT device data protection, arranged in accordance with at least some embodiments described herein.
  • Diagram 400 shows IoT devices D1-D6 grouped in categories 414, 416, 418, compliance manager 406, which includes policies 412, abstract data layer 410, and user interface 408.
  • The compliance manager 406 may provide IoT data to a base station 402 of a network 404. In other examples, some IoT devices may communicate directly with the network 404 complying with the data protection policies enforced by the compliance manager 406.
  • The compliance manager 406 may perform actions such as adding or removing IoT devices to the list, defining compliance policies, alerting a user about non-compliant IoT devices, and/or providing a transmission channel for data from at least some IoT devices.
  • Alerting the user may include informing the user about a non-compliant IoT device through a user interface on the compliance manager 406, a user device, transmission of a message (e.g., email, text, or voice message), or similar methods.
  • The IoT devices and the compliance manager 406 may be communicatively coupled, that is, capable of communicating (e.g., exchanging data) via wired or wireless media.
  • The compliance manager 406 may provide egress data monitoring on the IoT devices at the location.
  • The compliance manager 406 may be a hardware element or software residing in the egress hardware.
  • All IoT devices may be registered with egress hardware to access the network 404 and the compliance manager 406 may monitor the data at the egress point. Examples of this approach relate to Wi-Fi, Lora®, Zigbee®, Bluetooth®, or other local wireless networks, which connect to an external network through an egress hardware.
  • Examples of egress hardware may include cable modems, DSL modems, 5G modems, and similar ones.
  • The IoT devices may connect directly to the network 404 as envisioned in a 5G cellular network operation.
  • The compliance manager 406 may be implemented as a hardware, software, or virtual device located in a network communication device or as a cloud application in communication with the communication network.
  • The policy may be enforced by having all data routed to the compliance manager 406, and then routing the data from the compliance manager 406 to the end location.
  • The data from the IoT devices may be encoded, and differential keys may be provided to either network devices along the data path or the end destination of the data.
  • Any system which wants to use the data may reach out to the compliance manager for the data key. In this manner the compliance manager may manage the data usage in real time.
  • The compliance manager 406 may be managed through a user interface 408.
  • The user may be a homeowner or office manager.
  • The user may be a company managing the hardware and software of a location.
  • The user interface 408 may provide at least three functions to the user: (1) adding or removing a device; (2) defining the compliance policy; and (3) alerting user of non-compliant devices at the location.
  • Addition or removal of a device may be performed by inputting device related information, using a camera to capture an image of the device, capturing a signal to identify a device signature, or similar means. Each IoT device may be classified into a group based on user input, device parameters, or through machine learning.
  • Artificial Intelligence (AI) algorithms control any device that perceives its environment and takes actions that maximize its chance of successfully achieving predefined goals such as optimizing reception of backscatter signals from various IoT devices, etc.
  • A subset of AI, machine learning (ML) algorithms build a mathematical model based on sample data (training data) in order to make predictions or decisions without being explicitly programmed to do so.
  • An AI planning algorithm or a specific ML algorithm may be employed to determine communication settings.
  • Changes in device categories may be extended across the user database.
  • The compliance manager may also recommend a replacement device(s) based on its database, which may be data protection compliant and functionally equivalent to the deleted device.
  • The compliance policies may be defined according to groups.
  • The groups may be defined by any of, but not limited to, the users, network vendors, service providers, or IoT manufacturers. Changes in groups may be reflected to all users. A user may start from a base policy defining a required level of protection and then amend the policy as needed.
  • IoT devices may include a visual compliance indicator.
  • Examples of compliance indicator may include a constant or flashing light emitting diode (LED).
  • An icon or visual element on a display e.g., LCD screen, OLED screen, microLED screen or electrophoretic screen.
  • Alternative examples may include an icon or other visual mark on an application user interface presented to a user on the compliance manager hardware or through any computing device.
  • The compliance indicator may be an augmented reality indicator, which may be overlaid with the device in an augmented reality screen.
  • Examples of screens may include augmented reality glasses or a mobile device screen.
  • The user may scan the home or other location, or be guided by the augmented reality screen to find non-compliant IoT devices.
  • FIG. 5 illustrates a computing device, which may be used to manage data protection in IoT devices, arranged in accordance with at least some embodiments described herein.
  • The computing device 500 may include one or more processors 504 and a system memory 506.
  • A memory bus 508 may be used to communicate between the processor 504 and the system memory 506.
  • The basic configuration 502 is illustrated in FIG. 5 by those components within the inner dashed line.
  • The processor 504 may be of any type, including but not limited to a microprocessor (µP), a microcontroller (µC), a digital signal processor (DSP), or any combination thereof.
  • The processor 504 may include one or more levels of caching, such as a cache memory 512, a processor core 514, and registers 516.
  • The example processor core 514 may include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP core), or any combination thereof.
  • An example memory controller 518 may also be used with the processor 504, or in some implementations, the memory controller 518 may be an internal part of the processor 504.
  • The system memory 506 may be of any type including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.) or any combination thereof.
  • The system memory 506 may include an operating system 520, a communication application 522, and program data 524.
  • The communication application 522 may include a device management module 526 and a compliance module 527.
  • The communication application 522 may receive data from associated IoT devices, anonymize the data in an abstract data layer, and forward to destination devices.
  • The compliance module 527 may also store (and allow modification of) data protection policies. In some examples, the compliance module 527 may enforce data protection policies on IoT devices that communicate with a network directly.
  • The program data 524 may include device management data 528 such as data types and formats for sharing, etc., among other data, as described herein.
  • The computing device 500 may have additional features or functionality, and additional interfaces to facilitate communications between the basic configuration 502 and any desired devices and interfaces.
  • A bus/interface controller 530 may be used to facilitate communications between the basic configuration 502 and one or more data storage devices 532 via a storage interface bus 534.
  • The data storage devices 532 may be one or more removable storage devices 536, one or more non-removable storage devices 538, or a combination thereof.
  • Examples of the removable storage and the non-removable storage devices include magnetic disk devices such as flexible disk drives and hard-disk drives (HDDs), optical disk drives such as compact disc (CD) drives or digital versatile disk (DVD) drives, solid state drives (SSDs), and tape drives to name a few.
  • Example computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
  • The system memory 506, the removable storage devices 536 and the non-removable storage devices 538 are examples of computer storage media.
  • Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVDs), solid state drives (SSDs), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by the computing device 500. Any such computer storage media may be part of the computing device 500.
  • The computing device 500 may also include an interface bus 540 for facilitating communication from various interface devices (e.g., one or more output devices 542, one or more peripheral interfaces 550, and one or more communication devices 560) to the basic configuration 502 via the bus/interface controller 530.
  • Some of the example output devices 542 include a graphics processing unit 544 and an audio processing unit 546, which may be configured to communicate to various external devices such as a display or speakers via one or more A/V ports 548.
  • One or more example peripheral interfaces 550 may include a serial interface controller 554 or a parallel interface controller 556, which may be configured to communicate with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device, etc.) or other peripheral devices (e.g., printer, scanner, etc.) via one or more I/O ports 558.
  • An example communication device 560 includes a network controller 562, which may be arranged to facilitate communications with one or more other computing devices 566 over a network communication link via one or more communication ports 564.
  • the one or more other computing devices 566 may include servers at a datacenter, customer equipment, and comparable devices.
  • the network controller 562 may also control operations of a wireless communication module 568, which may facilitate communication with other devices via a variety of protocols using a number of frequency bands such as WiFi®, cellular (e.g., 4G, 5G), satellite link, terrestrial link, etc.
  • the network communication link may be one example of a communication media.
  • Communication media may be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media.
  • a “modulated data signal” may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
  • communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) and other wireless media.
  • computer readable media may include non-transitory storage media.
  • the computing device 500 may be implemented as a part of a specialized server, mainframe, or similar computer that includes any of the above functions.
  • the computing device 500 may also be implemented as a personal computer including both laptop computer and nonlaptop computer configurations.
  • FIG. 6 is a flow diagram illustrating an example method for data protection in IoT devices that may be performed by a computing device such as the computing device in FIG. 5, arranged in accordance with at least some embodiments described herein.
  • Example methods may include one or more operations, functions, or actions as illustrated by one or more of blocks 622, 624, 626, and 628, and may in some embodiments be performed by a computing device such as the computing device 600 in FIG. 6. Such operations, functions, or actions in FIG. 6 and in the other figures, in some embodiments, may be combined, eliminated, modified, and/or supplemented with other operations, functions or actions, and need not necessarily be performed in the exact sequence as shown.
  • the operations described in the blocks 622-628 may be implemented through execution of computer-executable instructions stored in a computer-readable medium such as a computer-readable medium 620 of a computing device 610.
  • An example process for data protection in IoT devices may begin with block 622, “ASSIGN EACH IOT DEVICE OF A PLURALITY OF IOT DEVICES AT A PARTICULAR LOCATION TO A CATEGORY BASED ON A FUNCTIONALITY ASSOCIATED WITH EACH IOT DEVICE”, where IoT devices at a home, office, school, hospital, or similar locations may be categorized based on their functionality. In some scenarios, a single IoT device may be assigned to multiple categories.
  • Block 622 may be followed by block 624, “PROVIDE AN ABSTRACT DATA LAYER”, where a compliance manager may provide an abstract data layer for anonymization of data from IoT devices.
  • the anonymization may be based on data protection policies, which may define who can receive what type and/or what format of data based on categories of devices.
  • Block 624 may be followed by block 626, “STORE ONE OR MORE DATA PROTECTION POLICIES BASED ON CATEGORIES OF THE IOT DEVICES”, where data protection policies may be defined, stored, and modified as needed by the compliance manager.
  • the compliance manager, using a machine learning algorithm, may modify existing policies or create new ones.
  • a user may be enabled, through a user interface, to define new policies or to delete or modify existing ones.
  • Block 626 may be followed by block 628, “ENFORCE THE ONE OR MORE DATA PROTECTION POLICIES ON DATA TRANSMITTED BY THE IOT DEVICES THROUGH THE ABSTRACT DATA LAYER CONSTRUCTED AT THE COMPLIANCE MANAGER”, where the compliance manager may enforce the policies on transmitted data by anonymizing the data prior to transmittal or by ensuring that IoT devices that communicate with the network directly comply with the policies.
  • The operations included in process 600 are for illustration purposes. Data protection in IoT devices may be implemented by similar processes with fewer or additional operations, as well as in different order of operations using the principles described herein.
  • the operations described herein may be executed by one or more processors operated on one or more computing devices, one or more processor cores, and/or specialized processing devices, among other examples.
  • parallel processing may be employed, in which computations or the execution of processes may be carried out simultaneously by one or more processors dividing large tasks into smaller ones and solving them at the same time. Tasks split for parallel processing may be controlled by necessary elements. Different types of parallel processing such as bit-level, instruction-level, data, and task parallelism may be used.
  • FIG. 7 illustrates a block diagram of an example computer program product, arranged in accordance with at least some embodiments described herein.
  • a computer program product 700 may include a signal bearing medium 702 that may also include one or more machine readable instructions 704 that, in response to execution by, for example, a processor may provide the functionality described herein.
  • the communication application 522 may perform or control performance of one or more of the tasks shown in FIG. 7 in response to the instructions 704 conveyed to the processor 504 by the signal bearing medium 702 to perform actions associated with data protection in IoT devices as described herein.
  • Some of those instructions may include, for example, assign each IoT device of a plurality of IoT devices at a particular location to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and/or enforce the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager, according to some embodiments described herein.
  • the signal bearing medium 702 depicted in FIG. 7 may encompass computer-readable medium 706, such as, but not limited to, a hard disk drive (HDD), a solid state drive (SSD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, memory, and comparable non-transitory computer-readable storage media.
  • the signal bearing medium 702 may encompass recordable medium 708, such as, but not limited to, memory, read/write (R/W) CDs, R/W DVDs, etc.
  • the signal bearing medium 702 may encompass communications medium 710, such as, but not limited to, a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.).
  • the computer program product 700 may be conveyed to one or more modules of the processor 504 by an RF signal bearing medium, where the signal bearing medium 702 is conveyed by the communications medium 710 (e.g., a wireless communications medium conforming with the IEEE 802.11 standard or 5G protocol).
  • a system for data protection compliance in Internet of Things (IoT) devices may include a plurality of IoT devices, each IoT device configured to perform an operation and transmit data associated with the operation, and a compliance manager communicatively coupled to the plurality of IoT devices.
  • the compliance manager may be configured to assign each IoT device to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and enforce the one or more data protection policies on the transmitted data by the IoT devices through the abstract data layer constructed at the compliance manager.
  • the compliance manager may be further configured to provide a user interface to allow a user to one or more of: add an IoT device, remove an IoT device, add a data protection policy, remove a data protection policy, modify a data protection policy, add a category, remove a category, or modify a category.
  • the compliance manager may be further configured to provide a user interface to alert a user about one or more non-compliant IoT devices or provide a user interface to alert a user about compliance status of one or more IoT devices.
  • the compliance manager may be further configured to anonymize at least a portion of the data transmitted by each IoT device in the abstract data layer; and forward the at least partially anonymized data to a network.
  • the compliance manager may also be configured to encrypt the at least partially anonymized data prior to transmission to the network.
  • the compliance manager may be further configured to instruct each IoT device to anonymize at least a portion of the data prior to transmittal to a network directly by each IoT device.
  • the compliance manager may also be configured to instruct each IoT device to encrypt the at least partially anonymized data prior to transmission to the network.
  • the category assigned to an IoT device may define a routing for data transmitted by the IoT device.
  • the compliance manager may be implemented as part of a local hub device communicatively coupled to IoT devices in a vicinity of the local hub device.
  • the compliance manager may be implemented as part of a device in a network through which the plurality of IoT devices communicate.
  • the network may be a 5G-compliant cellular network.
  • a compliance manager to manage data protection compliance for Internet of Things (IoT) devices may include a communication module configured to facilitate communications with a plurality of IoT devices and one or more network devices over a network; a memory configured to store instructions; and a processor coupled to the communication module and the memory.
  • the processor in conjunction with the instructions stored in the memory, may be configured to assign each IoT device to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and enforce the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager.
  • the processor may be further configured to provide a user interface to allow a user to one or more of: add an IoT device, remove an IoT device, add a data protection policy, remove a data protection policy, modify a data protection policy, add a category, remove a category, or modify a category.
  • the processor may be further configured to provide one or more of: a user interface to alert a user about one or more non-compliant IoT devices or a user interface to alert the user about compliance status of one or more IoT devices.
  • the processor may be further configured to anonymize at least a portion of the data transmitted by each IoT device in the abstract data layer; and forward the at least partially anonymized data to the network.
  • the processor may be further configured to encrypt the at least partially anonymized data prior to transmission to the network.
  • the processor may be further configured to instruct each IoT device to anonymize at least a portion of the data prior to transmittal to the network directly by each IoT device.
  • the processor may be further configured to instruct each IoT device to encrypt the at least partially anonymized data prior to transmission to the network.
  • the category assigned to an IoT device may define a routing for data transmitted by the IoT device.
  • the compliance manager may be implemented as part of a local hub device communicatively coupled to IoT devices in a vicinity of the local hub device.
  • the compliance manager may be implemented as part of a device in the network.
  • a method to manage data protection compliance for Internet of Things (IoT) devices may include assigning, at a compliance manager, each IoT device of a plurality of IoT devices at a particular location to a category based on a functionality associated with each IoT device; providing an abstract data layer; storing one or more data protection policies based on categories of the IoT devices; and enforcing the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager.
  • the method may also include providing a user interface to allow a user to one or more of: add an IoT device, remove an IoT device, add a data protection policy, remove a data protection policy, modify a data protection policy, add a category, remove a category, or modify a category.
  • the method may further include providing one or more of: a user interface to alert a user about one or more non-compliant IoT devices or a user interface to alert the user about compliance status of one or more IoT devices.
  • the method may also include anonymizing at least a portion of the data transmitted by each IoT device in the abstract data layer; and forwarding the at least partially anonymized data to the network.
  • the method may also include encrypting the at least partially anonymized data prior to transmission to the network.
  • the method may further include instructing each IoT device to anonymize at least a portion of the data prior to transmittal to the network directly by each IoT device; instructing each IoT device to encrypt the at least partially anonymized data prior to transmission to the network; or determining a routing for data transmitted by each IoT device based on a category assigned to each IoT device.
  • Examples of a signal bearing medium include, but are not limited to, the following: a recordable type medium such as a floppy disk, a hard disk drive (HDD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, a computer memory, a solid state drive (SSD), etc.; and a transmission type medium such as a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.).
  • a data processing system may include one or more of a system unit housing, a video display device, a memory such as volatile and non-volatile memory, processors such as microprocessors and digital signal processors, computational entities such as operating systems, drivers, graphical user interfaces, and applications programs, one or more interaction devices, such as a touch pad or screen, and/or control systems including feedback loops and control motors.
  • a data processing system may be implemented utilizing any suitable commercially available components, such as those found in data computing/communication and/or network computing/communication systems.
  • the herein described subject matter sometimes illustrates different components contained within, or connected with, different other components.
  • Such depicted architectures are merely exemplary, and in fact, many other architectures may be implemented which achieve the same functionality.
  • any arrangement of components to achieve the same functionality is effectively “associated” such that the desired functionality is achieved.
  • any two components herein combined to achieve a particular functionality may be seen as “associated with” each other such that the desired functionality is achieved, irrespective of architectures or intermediate components.
  • any two components so associated may also be viewed as being “operably connected”, or “operably coupled”, to each other to achieve the desired functionality, and any two components capable of being so associated may also be viewed as being “operably couplable”, to each other to achieve the desired functionality.
  • operably couplable include but are not limited to physically connectable and/or physically interacting components and/or wirelessly interactable and/or wirelessly interacting components and/or logically interacting and/or logically interactable components.
  • ranges disclosed herein also encompass any and all possible subranges and combinations of subranges thereof. Any listed range can be easily recognized as sufficiently describing and enabling the same range being broken down into at least equal halves, thirds, quarters, fifths, tenths, etc. As a non-limiting example, each range discussed herein can be readily broken down into a lower third, middle third and upper third, etc. As will also be understood by one skilled in the art all language such as “up to,” “at least,” “greater than,” “less than,” and the like include the number recited and refer to ranges which can be subsequently broken down into subranges as discussed above. Finally, a range includes each individual member. Thus, for example, a group having 1-3 cells refers to groups having 1, 2, or 3 cells. Similarly, a group having 1-5 cells refers to groups having 1, 2, 3, 4, or 5 cells, and so forth.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Technologies are generally described for data protection in IoT devices through a compliance manager. A system for controlling and ensuring compliance of IoT devices data protection requirements may include IoT devices to perform various functions and a compliance manager in communication with the IoT devices and a network. The compliance manager, which may be implemented at a local hub or at the network, may categorize the IoT devices according to their functionality and enforce data protection policies for user privacy protection based on categories. An abstract data layer may store anonymized data from the IoT device before it is transmitted to the network. Users may be enabled to set/adjust policies based on categories. Information about compliance status of IoT devices may also be presented to the users.

Description

USER INFORMATION PROTECTION IN IOT DEVICES
BACKGROUND
[0001] Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
[0002] Data protection, specifically personal information protection, is not just a desire of consumers but, in many countries, required by law. While Internet services such as websites and computer software are increasingly designed with data protection requirements in mind, smaller networked devices are often overlooked. With the proliferation of computing and networking technologies, an ever increasing number of special purpose devices of decreasing size are commonly found around homes, offices, and other locations. For example, Internet of Things (IoT) enabled wireless devices are used to monitor and control a wide variety of aspects of daily life ranging from security to environmental controls. Such devices perform specific operations and transmit data over various networks to other systems and devices.
SUMMARY
[0003] The present disclosure generally describes techniques for data protection in IoT devices.
[0004] According to some examples, a system for data protection compliance in Internet of Things (IoT) devices may include a plurality of IoT devices, each IoT device configured to perform an operation and transmit data associated with the operation, and a compliance manager communicatively coupled to the plurality of IoT devices. The compliance manager may be configured to assign each IoT device to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and enforce the one or more data protection policies on the transmitted data by the IoT devices through the abstract data layer constructed at the compliance manager.
[0005] According to other examples, a compliance manager to manage data protection compliance for Internet of Things (IoT) devices may include a communication module configured to facilitate communications with a plurality of IoT devices and one or more network devices over a network; a memory configured to store instructions; and a processor coupled to the communication module and the memory. The processor, in conjunction with the instructions stored in the memory, may be configured to assign each IoT device to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and enforce the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager.
[0006] According to further examples, a method to manage data protection compliance for Internet of Things (IoT) devices may include assigning, at a compliance manager, each IoT device of a plurality of IoT devices at a particular location to a category based on a functionality associated with each IoT device; providing an abstract data layer; storing one or more data protection policies based on categories of the IoT devices; and enforcing the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager.
[0007] The foregoing summary is illustrative only and is not intended to be in any way limiting. In addition to the illustrative aspects, embodiments, and features described above, further aspects, embodiments, and features will become apparent by reference to the drawings and the following detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] The foregoing and other features of this disclosure will become more fully apparent from the following description and appended claims, taken in conjunction with the accompanying drawings. Understanding that these drawings depict only several embodiments in accordance with the disclosure and are, therefore, not to be considered limiting of its scope, the disclosure will be described with additional specificity and detail through use of the accompanying drawings, in which:
FIG. 1 includes an architectural illustration of a home, where Internet of Things (IoT) wireless devices may transmit data over a network protected by a compliance manager;
FIG. 2 includes a conceptual illustration of a system according to embodiments with different implementations of a compliance manager;
FIG. 3 includes an illustration of an example compliance manager categorizing different IoT devices;
FIG. 4 illustrates major components and actions of an example system for IoT device data protection;
FIG. 5 illustrates a computing device, which may be used to manage data protection in IoT devices;
FIG. 6 is a flow diagram illustrating an example method for data protection in IoT devices that may be performed by a computing device such as the computing device in FIG. 5; and
FIG. 7 illustrates a block diagram of an example computer program product, all of which are arranged in accordance with at least some embodiments described herein.
DETAILED DESCRIPTION
[0009] In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented herein. The aspects of the present disclosure, as generally described herein, and illustrated in the Figures, can be arranged, substituted, combined, separated, and designed in a wide variety of different configurations, all of which are explicitly contemplated herein.
[0010] This disclosure is generally drawn, inter alia, to methods, apparatus, systems, devices, and/or computer program products related to data protection in IoT devices through a compliance manager.
[0011] Briefly stated, technologies are generally described for data protection in IoT devices through a compliance manager. A system for controlling and ensuring compliance of IoT devices data protection requirements may include IoT devices to perform various functions and a compliance manager in communication with the IoT devices and a network. The compliance manager, which may be implemented at a local hub or at the network, may categorize the IoT devices according to their functionality and enforce data protection policies for user privacy protection based on categories. An abstract data layer may store anonymized data from the IoT device before it is transmitted to the network. Users may be enabled to set/adjust policies based on categories. Information about compliance status of IoT devices may also be presented to the users.
[0012] FIG. 1 includes an architectural illustration of a home, where IoT wireless devices may transmit data over a network protected by a compliance manager, arranged in accordance with at least some embodiments described herein.
[0013] Diagram 100 shows a home 102 with a smart television 104, security camera 108, smart refrigerator 112, lighting control 114, motion sensor 110, and temperature controller 116. The home 102 also includes a local hub (or customer premises equipment “CPE”) 106, which may communicate wirelessly with base station 120. Base station 120 may communicate with other devices such as servers 130 over one or more networks (e.g., a 5G cellular network). Smart television 104, security camera 108, smart refrigerator 112, lighting control 114, motion sensor 110, and temperature controller 116 may communicate through wired or wireless means with the base station 120 directly or through the hub 106 and may be configured as IoT devices having their respective IP addresses. The IoT devices may communicate status and other information associated with their respective operations to other devices through wireless communications. They may also receive instructions associated with their respective operations from other devices over the network.
[0014] The smart television 104, security camera 108, smart refrigerator 112, lighting control 114, motion sensor 110, and temperature controller 116 are illustrative examples of IoT devices and do not constitute a limit on types of wireless devices according to embodiments. Other examples may include, but are not limited to, control devices for managing a temperature, a humidity, an air flow speed, a lighting level, a lighting composition, a sound level, and/or a sound composition, sensors such as a temperature sensor, a humidity sensor, a sound sensor, a light detection sensor, an air flow sensor, a body sensor, or comparable input devices, for example.
[0015] The home 102 in diagram 100 is also an illustrative example for a location, where embodiments may be implemented, but is not intended to limit embodiments. Other locations may include, but are not limited to, an office, a school, a health care facility, a hotel, a factory, or comparable buildings, as well as, a vehicle such as an automobile, a bus, a recreational vehicle, an airplane, a ship, and similar ones.
[0016] While some IoT devices may communicate over wired networks such as local area networks (LANs), digital subscriber line (DSL) networks, optical networks, cable networks, others may communicate over wireless networks such as wireless LANs, cellular networks, terrestrial or satellite communication links, and comparable ones, which can provide sufficient bandwidth. Wireless technologies such as 4G, LTE, 5G and any current or future cellular wireless technologies or satellite communication technologies may be used to communicate with IoT devices along with microwave, whole-city Wifi®, and combinations of similar technologies.
[0017] The fifth generation technology (5G) standard for cellular networks is the most recent network. 5G networks are digital cellular networks, in which the service area is divided into small geographical areas called cells. All 5G wireless devices in a cell exchange digital data with the Internet and the telephone network by radio waves through a local antenna in the cell. 5G networks provide greater bandwidth compared to previous standards, allowing higher download speeds of more than 10 gigabits per second (Gbit/s). This, in turn, allows cellular service providers to become Internet service providers interconnecting most user devices.
[0018] The 5G protocol replaces a number of the hardware components of the cellular network with software that “virtualizes” the network by using the common language of Internet Protocol (IP). The increased speed/bandwidth is achieved in 5G networks partly by using higher-frequency radio waves than current cellular networks. Low band 5G uses a similar frequency range to the current 4G network, in the 600-700 MHz range, supporting download speeds a little higher than 4G (30-250 megabits per second). Mid band 5G uses microwaves in the range of 2.5-3.7 GHz, allowing speeds of 100-900 Mbit/s with each cell tower providing service up to several miles in radius. High band 5G uses frequencies in the range of 25-39 GHz, near the millimeter wave band, although higher frequencies may be used in the future. The high band may achieve download speeds of a gigabit per second, comparable to cable Internet. There are various versions of 5G. Thus, embodiments may be implemented in 5G or 5G-compliant networks, which may have variations in different aspects of the protocol.
[0019] Data protection regulations for user privacy protection exist in varying forms across the world. However, data protection, especially configuration, control, and audit by users, is typically not provided for IoT devices such as those shown in diagram 100. For example, temperature data from temperature controller 116 may be transmitted to a service company, as well as to a manufacturer of the temperature controller. However, a user may not wish their temperature data to be shared with the manufacturer. In a typical system, the user may not even be aware that the temperature controller 116 is sharing the data with the manufacturer.
[0020] In a system according to embodiments, a compliance manager may include an abstract data layer that includes anonymized data to be transmitted to the network such that only data permitted by the user to be shared with certain recipients is forwarded to those recipients. The abstract data layer may contain processed data from the loT devices, or data to be provided to the loT devices, where processing may include, but is not limited to, anonymization of data or other means of obscuring the data source or loT device, implementing specific data privacy procedures compliance definitions, or data handling, preventing specific aspects of data to be presented to certain providers or loT devices, and providing device level categorization or grouping. The abstract data layer may be implemented as volatile or non-volatile data storage, where the received (complete) data may be processed and stored (even if temporarily). In other implementations, the abstract data layer may also include rules for processing the data. Furthermore, the compliance manager may control encryption of transmitted data and presentation of compliance status for each loT device to the user.
[0021] Anonymization may include hiding or obscuring a portion of data (such as data that may identify a user, a user’s image, a source identifier, a user’s voice, header information, and comparable ones). In other examples, anonymization may include selective hiding or obscuring of portions of data based on a recipient. For example, user identity may not be hidden from a service provider for a particular IoT device (e.g., health monitoring device), but may be hidden from a manufacturer of the device.
[0022] An IoT device is a device that is connected to the Internet and passes data from itself to a secondary processor that is physically distinct. IoT devices may be categorized based on their functionality, their communication type (wired, wireless, cellular, WiFi, etc.), data storage capability, location, or any other user-defined category. IoT devices may perform a wide range of operations including, but not limited to, sensing (e.g., environment), detecting, managing a smart appliance, and others.
[0023] FIG. 2 includes a conceptual illustration of a system according to embodiments with different implementations of a compliance manager, arranged in accordance with at least some embodiments described herein.
[0024] Diagram 200 shows multiple IoT devices 204 interacting with and receiving data from user 202 and communicating with other systems and devices 214 over a network 210 through local hub 208. The diagram also shows three alternative implementations of a compliance manager: (1) as a separate on-premise device 206A, (2) as part of the local hub (206B), or (3) as part of a server 212 at the network 210 (206C).
[0025] A system for controlling and ensuring compliance of IoT devices with data protection requirements may include IoT devices to perform various functions and a compliance manager in communication with the IoT devices and a network. The compliance manager, which may be implemented at a local hub or at the network, may categorize the IoT devices according to their functionality and enforce data protection policies for user privacy protection based on categories. An abstract data layer may store anonymized data from the IoT device before it is transmitted to the network. Users may be enabled to set/adjust policies based on categories. Information about compliance status of IoT devices may also be presented to the users. The abstract data layers may be constructed to comply with the data protection requirements and may be accessible to service providers and/or customers. Moreover, device-level categorization may define routing paths for transmitted data. Users may control compliance manager configurations from any device. Compliance status of at least some IoT devices may be presented through a physical or virtual mechanism at the IoT device or through another device (e.g., a display device) to provide feedback to a user.
[0026] IoT devices may present a challenge for data protection due to their size, type, and networking configurations. For example, in implementations employing a 5G cellular network, some IoT devices may communicate directly with the network, bypassing any firewall or similar on-premise data protection measures. Some IoT devices may be too small to provide a user interface for a user to control data protection schemes. Furthermore, there may be a large number of IoT devices at a location, making individual management of such devices impractical for a user. A compliance manager according to embodiments may be implemented as an egress physical or virtual device for IoT devices at a particular location. The compliance manager may provide, among other things, two main functions: (1) policy definition - defining groups and data permissions; and (2) policy enforcement - enforcing data from IoT devices to conform to a defined policy.
[0027] In some examples, the compliance manager may be implemented as one or more devices (206A) within a premise network communicatively positioned between the IoT devices 204 and local hub 208. In other examples, the compliance manager may be implemented (206B) as part of the local hub 208. In yet other examples, the compliance manager may be implemented (206C) as an in-network, cloud-based device, for example, as part of a server within the network 210. While the compliance manager may ensure data protection compliance through the data abstract layer(s), it may also configure/instruct some IoT devices to anonymize their data prior to transmission to the network. This may be applicable to IoT devices communicating directly with the network.
[0028] A system according to embodiments may enable some of the IoT devices to include a physical or virtual mechanism for providing feedback to show that a device is under compliance (e.g., using a green light indicator when the device is in compliance, an icon, or a visual indicator on a screen or on an application user interface). The system may also enable the user to define a data policy to ensure the IoT devices comply with the data protection policy. In some examples, the compliance manager may include a control plane presented to the user on a dedicated screen, mobile device app, computer program, or voice control, where the control plane provides an option to determine type and format of data sharing (sharing all data, sharing anonymized data, etc.) for each of the IoT device groups, for example. The compliance manager may monitor all egress points that allow access to a network (e.g., Wi-Fi, Lora®, Zigbee®, Bluetooth®, 5G modem, etc.).
[0029] FIG. 3 includes an illustration of an example compliance manager categorizing different IoT devices, arranged in accordance with at least some embodiments described herein.
[0030] Diagram 300 in FIG. 3 shows an example compliance manager 304 with one or more data protection policies 306. The compliance manager may manage data protection for IoT devices D1-D4, which may be grouped according to functionality categories 322 and 324, for example. A user 302 may interact (312) with the compliance manager defining or modifying policies, defining or modifying categories, and receiving compliance status information for specific IoT devices. Anonymized data 316 may be transmitted through the compliance manager to a network.
[0031] The compliance manager may have a record of all IoT devices D1-D4 at a location and group the devices according to one or more categories 322, 324 based on functional aspects of each device. For example, a temperature sensor may be grouped as temperature sensor, air conditioning, and fire alarm. The groups may change over time by input from a user, a device software provider, a device hardware provider, or by an IoT service provider. For example, a new capability may be added to an IoT device by its manufacturer as part of an update, and the device may be added to a new category. To define a policy, the compliance manager may include a control plane, which may be presented to the user through a display on the compliance manager device, an application user interface on any computing device (communicatively coupled to the compliance manager), and/or voice control. In some examples, the control plane may provide an option to determine a type and format of data sharing for each IoT device group. Examples may include sharing all the data, sharing only anonymized data, and sharing no data. The data sharing may be further controlled based on a recipient of the data sharing. For example, a user may define to share all data with maintenance service providers but share only anonymized data with the manufacturer of the IoT device.
[0032] In contrast to network data protection devices such as firewalls, a compliance manager according to embodiments may associate a network address of source and destination of the data with a functional grouping. Hence a temperature sensor may not be a random IP address but grouped according to functionality. In the same manner, the destination of the data may be defined by functionality. The functionality tables may be maintained by trusted third parties similar to certificate providers in networks.
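The policy model of paragraphs [0031] and [0032], as an added Python sketch that is not part of the patent text: addresses are resolved to functional groups, a per-(category, recipient function) rule selects "all", "anonymized" or "none", and the abstract data layer produces the view that is forwarded. The addresses, group names, field names, the most-restrictive rule for multi-category devices, the keyed per-recipient pseudonym and the flagging of blocked flows are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from enum import IntEnum


class Share(IntEnum):
    """Sharing modes from [0031]; ordered so min() picks the most restrictive."""
    NONE = 0
    ANONYMIZED = 1
    ALL = 2


# Constructed functionality tables ([0032]): network address -> functional group.
DEVICE_CATEGORIES = {
    "192.0.2.16": {"temperature_sensor", "air_conditioning"},
    "192.0.2.40": {"health_monitor"},
}
RECIPIENT_FUNCTIONS = {
    "198.51.100.10": "maintenance_service",
    "203.0.113.5": "manufacturer",
}

# Constructed policy: (device category, recipient function) -> sharing mode.
POLICIES = {
    ("temperature_sensor", "maintenance_service"): Share.ALL,
    ("air_conditioning", "maintenance_service"): Share.ALL,
    ("temperature_sensor", "manufacturer"): Share.ANONYMIZED,
    ("air_conditioning", "manufacturer"): Share.ANONYMIZED,
    ("health_monitor", "maintenance_service"): Share.ALL,
    # No ("health_monitor", "manufacturer") entry: BASE_POLICY applies.
}
BASE_POLICY = Share.NONE                    # assumption: deny unless a rule allows
IDENTIFYING_FIELDS = ("user_id", "device_id")


class ComplianceManager:
    def __init__(self):
        self.policies = dict(POLICIES)      # per-instance copy the user may amend
        self.non_compliant = set()          # source addresses to alert the user about
        self._key = secrets.token_bytes(32)  # pseudonym key, never leaves the manager

    def decide(self, src, dst):
        """Return (sharing mode, recipient function) for one src -> dst flow."""
        categories = DEVICE_CATEGORIES.get(src)
        function = RECIPIENT_FUNCTIONS.get(dst)
        if not categories or function is None:
            return Share.NONE, function     # unregistered device or recipient
        # Assumption: a device in several categories gets the strictest result.
        mode = min(self.policies.get((c, function), BASE_POLICY) for c in categories)
        return mode, function

    def pseudonym(self, device_id, function):
        """Keyed, per-recipient alias: stable for one recipient, unlinkable across them."""
        msg = f"{function}:{device_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def egress(self, src, dst, record):
        """Return the view of `record` to forward to dst, or None to drop it."""
        mode, function = self.decide(src, dst)
        if mode == Share.NONE:
            self.non_compliant.add(src)     # assumption: a blocked flow flags the device
            return None
        if mode == Share.ALL:
            return dict(record)
        view = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        view["source"] = self.pseudonym(record.get("device_id", src), function)
        return view


if __name__ == "__main__":
    manager = ComplianceManager()
    reading = {"device_id": "thermo-116", "user_id": "alice", "temperature_c": 21.5}
    for src, dst in [("192.0.2.16", "198.51.100.10"), ("192.0.2.16", "203.0.113.5"),
                     ("192.0.2.40", "203.0.113.5")]:
        print(src, "->", dst, manager.egress(src, dst, reading))
    print("non-compliant:", sorted(manager.non_compliant))
```

Because the rule lookup is keyed on functional groups rather than raw addresses, moving a device to a new category or amending one rule changes enforcement for every address in that group.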
[0033] FIG. 4 illustrates major components and actions of an example system for IoT device data protection, arranged in accordance with at least some embodiments described herein.
[0034] Diagram 400 shows IoT devices D1-D6 grouped in categories 414, 416, 418, compliance manager 406, which includes policies 412, abstract data layer 410, and user interface 408. The compliance manager 406 may provide IoT data to a base station 402 of a network 404. In other examples, some IoT devices may communicate directly with the network 404 complying with the data protection policies enforced by the compliance manager 406. The compliance manager 406 may perform actions such as adding or removing IoT devices to the list, defining compliance policies, alerting a user about non-compliant IoT devices, and/or providing a transmission channel for data from at least some IoT devices. Alerting the user may include informing the user about a non-compliant IoT device through a user interface on the compliance manager 406, a user device, transmission of a message (e.g., email, text, or voice message), or similar methods. The IoT devices and the compliance manager 406 may be communicatively coupled, that is, capable of communicating (e.g., exchanging data) via wired or wireless media.
[0035] To enforce a defined policy, the compliance manager 406 may provide egress data monitoring on the IoT devices at the location. In one example, the compliance manager 406 may be a hardware element or software residing in the egress hardware. In this example, all IoT devices may be registered with egress hardware to access the network 404 and the compliance manager 406 may monitor the data at the egress point. Examples of this approach relate to Wi-Fi, Lora®, Zigbee®, Bluetooth®, or other local wireless networks, which connect to an external network through an egress hardware. Examples of egress hardware may include cable modems, DSL modems, 5G modems, and similar ones. In another example, the IoT devices may connect directly to the network 404 as envisioned in a 5G cellular network operation. In this example, the compliance manager 406 may be implemented as a hardware, software, or virtual device located in a network communication device or as a cloud application in communication with the communication network.
[0036] In one example, the policy may be enforced by having all data routed to the compliance manager 406, and then routing the data from the compliance manager 406 to the end location. In another example, the data from the IoT devices may be encoded, and differential keys may be provided to either network devices along the data path or the end destination of the data. In the latter example, any system that wants to use the data may reach out to the compliance manager for the data key. In this manner, the compliance manager may manage the data usage in real time.
[0037] The compliance manager 406 may be managed through a user interface 408. In one example, the user may be a homeowner or office manager. In another example, the user may be a company managing the hardware and software of a location. The user interface 408 may provide at least three functions to the user: (1) adding or removing a device; (2) defining the compliance policy; and (3) alerting the user of non-compliant devices at the location.
[0038] Addition or removal of a device may be performed by inputting device related information, using a camera to capture an image of the device, capturing a signal to identify a device signature, or similar means. Each IoT device may be classified into a group based on user input, device parameters, or through machine learning.
[0039] Artificial Intelligence (AI) algorithms control any device that perceives its environment and takes actions that maximize its chance of successfully achieving predefined goals such as optimizing reception of backscatter signals from various IoT devices, etc. A subset of AI, machine learning (ML) algorithms build a mathematical model based on sample data (training data) in order to make predictions or decisions without being explicitly programmed to do so. In some examples, an AI planning algorithm or a specific ML algorithm may be employed to determine communication settings.
[0040] Changes in device categories may be extended across the user database. In the event of a device deletion, the compliance manager may also recommend a replacement device(s) based on its database, which may be data protection compliant and functionally equivalent to the deleted device. The compliance policies may be defined according to groups. The groups may be defined by any of, but not limited to, the users, network vendors, service providers, or IoT manufacturers. Changes in groups may be reflected to all users. A user may start from a base policy defining a required level of protection and then amend the policy as needed.
[0041] In a further example, IoT devices may include a visual compliance indicator. Examples of compliance indicators may include a constant or flashing light emitting diode (LED), or an icon or visual element on a display (e.g., LCD screen, OLED screen, microLED screen or electrophoretic screen). Alternative examples may include an icon or other visual mark on an application user interface presented to a user on the compliance manager hardware or through any computing device. In a further example, the compliance indicator may be an augmented reality indicator, which may be overlaid with the device in an augmented reality screen. Examples of screens may include augmented reality glasses or a mobile device screen. The user may scan the home or other location, or be guided by the augmented reality screen to find non-compliant IoT devices.
[0042] FIG. 5 illustrates a computing device, which may be used to manage data protection in IoT devices, arranged in accordance with at least some embodiments described herein.
[0043] In an example basic configuration 502, the computing device 500 may include one or more processors 504 and a system memory 506. A memory bus 508 may be used to communicate between the processor 504 and the system memory 506. The basic configuration 502 is illustrated in FIG. 5 by those components within the inner dashed line.
[0044] Depending on the desired configuration, the processor 504 may be of any type, including but not limited to a microprocessor (µP), a microcontroller (µC), a digital signal processor (DSP), or any combination thereof. The processor 504 may include one or more levels of caching, such as a cache memory 512, a processor core 514, and registers 516. The example processor core 514 may include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP core), or any combination thereof. An example memory controller 518 may also be used with the processor 504, or in some implementations, the memory controller 518 may be an internal part of the processor 504.
[0045] Depending on the desired configuration, the system memory 506 may be of any type including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.) or any combination thereof. The system memory 506 may include an operating system 520, a communication application 522, and program data 524. The communication application 522 may include a device management module 526 and a compliance module 527. The communication application 522 may receive data from associated IoT devices, anonymize the data in an abstract data layer, and forward it to destination devices. The compliance module 527 may also store (and allow modification of) data protection policies. In some examples, the compliance module 527 may enforce data protection policies on IoT devices that communicate with a network directly. The program data 524 may include device management data 528 such as data types and formats for sharing, etc., among other data, as described herein.
[0046] The computing device 500 may have additional features or functionality, and additional interfaces to facilitate communications between the basic configuration 502 and any desired devices and interfaces. For example, a bus/interface controller 530 may be used to facilitate communications between the basic configuration 502 and one or more data storage devices 532 via a storage interface bus 534. The data storage devices 532 may be one or more removable storage devices 536, one or more non-removable storage devices 538, or a combination thereof. Examples of the removable storage and the non-removable storage devices include magnetic disk devices such as flexible disk drives and hard-disk drives (HDDs), optical disk drives such as compact disc (CD) drives or digital versatile disk (DVD) drives, solid state drives (SSDs), and tape drives to name a few. Example computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
[0047] The system memory 506, the removable storage devices 536 and the non-removable storage devices 538 are examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVDs), solid state drives (SSDs), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by the computing device 500. Any such computer storage media may be part of the computing device 500.
[0048] The computing device 500 may also include an interface bus 540 for facilitating communication from various interface devices (e.g., one or more output devices 542, one or more peripheral interfaces 550, and one or more communication devices 560) to the basic configuration 502 via the bus/interface controller 530. Some of the example output devices 542 include a graphics processing unit 544 and an audio processing unit 546, which may be configured to communicate to various external devices such as a display or speakers via one or more A/V ports 548. One or more example peripheral interfaces 550 may include a serial interface controller 554 or a parallel interface controller 556, which may be configured to communicate with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device, etc.) or other peripheral devices (e.g., printer, scanner, etc.) via one or more I/O ports 558. An example communication device 560 includes a network controller 562, which may be arranged to facilitate communications with one or more other computing devices 566 over a network communication link via one or more communication ports 564. The one or more other computing devices 566 may include servers at a datacenter, customer equipment, and comparable devices. The network controller 562 may also control operations of a wireless communication module 568, which may facilitate communication with other devices via a variety of protocols using a number of frequency bands such as WiFi®, cellular (e.g., 4G, 5G), satellite link, terrestrial link, etc.
[0049] The network communication link may be one example of a communication media. Communication media may be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media. A “modulated data signal” may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) and other wireless media. The term computer readable media as used herein may include non-transitory storage media.
[0050] The computing device 500 may be implemented as a part of a specialized server, mainframe, or similar computer that includes any of the above functions. The computing device 500 may also be implemented as a personal computer including both laptop computer and non-laptop computer configurations.
[0051] FIG. 6 is a flow diagram illustrating an example method for data protection in IoT devices that may be performed by a computing device such as the computing device in FIG. 5, arranged in accordance with at least some embodiments described herein.
[0052] Example methods may include one or more operations, functions, or actions as illustrated by one or more of blocks 622, 624, 626, and 628, and may in some embodiments be performed by a computing device such as the computing device 600 in FIG. 6. Such operations, functions, or actions in FIG. 6 and in the other figures, in some embodiments, may be combined, eliminated, modified, and/or supplemented with other operations, functions or actions, and need not necessarily be performed in the exact sequence as shown. The operations described in the blocks 622-628 may be implemented through execution of computer-executable instructions stored in a computer-readable medium such as a computer-readable medium 620 of a computing device 610.
[0053] An example process for data protection in IoT devices may begin with block 622, “ASSIGN EACH IOT DEVICE OF A PLURALITY OF IOT DEVICES AT A PARTICULAR LOCATION TO A CATEGORY BASED ON A FUNCTIONALITY ASSOCIATED WITH EACH IOT DEVICE”, where IoT devices at a home, office, school, hospital, or similar locations may be categorized based on their functionality. In some scenarios, a single IoT device may be assigned to multiple categories.
[0054] Block 622 may be followed by block 624, “PROVIDE AN ABSTRACT DATA LAYER”, where a compliance manager may provide an abstract data layer for anonymization of data from IoT devices. The anonymization may be based on data protection policies, which may define who can receive what type and/or what format of data based on categories of devices.
[0055] Block 624 may be followed by block 626, “STORE ONE OR MORE DATA PROTECTION POLICIES BASED ON CATEGORIES OF THE IOT DEVICES”, where data protection policies may be defined, stored, and modified as needed by the compliance manager. In some examples, the compliance manager, using a machine learning algorithm, may modify existing policies or create new ones. In other examples, a user may be enabled, through a user interface, to define new policies, delete or modify existing ones.
[0056] Block 626 may be followed by block 628, “ENFORCE THE ONE OR MORE DATA PROTECTION POLICIES ON DATA TRANSMITTED BY THE IOT DEVICES THROUGH THE ABSTRACT DATA LAYER CONSTRUCTED AT THE COMPLIANCE MANAGER”, where the compliance manager may enforce the policies on transmitted data by anonymizing the data prior to transmittal or ensuring IoT devices that communicate with the network directly comply with the policies.
[0057] The operations included in process 600 are for illustration purposes. Data protection in IoT devices may be implemented by similar processes with fewer or additional operations, as well as in different order of operations using the principles described herein. The operations described herein may be executed by one or more processors operated on one or more computing devices, one or more processor cores, and/or specialized processing devices, among other examples. In further examples, parallel processing may be employed, computations or the execution of processes may be carried out simultaneously by one or more processors dividing large tasks into smaller ones and solving at the same time. Tasks split for parallel processing may be controlled by necessary elements. Different types of parallel processing such as bit-level, instruction-level, data, and task parallelism may be used.
[0058] FIG. 7 illustrates a block diagram of an example computer program product, arranged in accordance with at least some embodiments described herein.
[0059] In some examples, as shown in FIG. 7, a computer program product 700 may include a signal bearing medium 702 that may also include one or more machine readable instructions 704 that, in response to execution by, for example, a processor may provide the functionality described herein. Thus, for example, referring to the processor 504 in FIG. 5, the communication application 522 may perform or control performance of one or more of the tasks shown in FIG. 7 in response to the instructions 704 conveyed to the processor 504 by the signal bearing medium 702 to perform actions associated with data protection in IoT devices as described herein. Some of those instructions may include, for example, assign each IoT device of a plurality of IoT devices at a particular location to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and/or enforce the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager, according to some embodiments described herein.
[0060] In some implementations, the signal bearing medium 702 depicted in FIG. 7 may encompass computer-readable medium 706, such as, but not limited to, a hard disk drive (HDD), a solid state drive (SSD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, memory, and comparable non-transitory computer-readable storage media. In some implementations, the signal bearing medium 702 may encompass recordable medium 708, such as, but not limited to, memory, read/write (R/W) CDs, R/W DVDs, etc. In some implementations, the signal bearing medium 702 may encompass communications medium 710, such as, but not limited to, a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.). Thus, for example, the computer program product 700 may be conveyed to one or more modules of the processor 504 by an RF signal bearing medium, where the signal bearing medium 702 is conveyed by the communications medium 710 (e.g., a wireless communications medium conforming with the IEEE 802.11 standard or 5G protocol).
[0061] According to some examples, a system for data protection compliance in Internet of Things (IoT) devices may include a plurality of IoT devices, each IoT device configured to perform an operation and transmit data associated with the operation, and a compliance manager communicatively coupled to the plurality of IoT devices. The compliance manager may be configured to assign each IoT device to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and enforce the one or more data protection policies on the transmitted data by the IoT devices through the abstract data layer constructed at the compliance manager.
[0062] According to other examples, the compliance manager may be further configured to provide a user interface to allow a user to one or more of: add an IoT device, remove an IoT device, add a data protection policy, remove a data protection policy, modify a data protection policy, add a category, remove a category, or modify a category. The compliance manager may be further configured to provide a user interface to alert a user about one or more non-compliant IoT devices or provide a user interface to alert a user about compliance status of one or more IoT devices. The compliance manager may be further configured to anonymize at least a portion of the data transmitted by each IoT device in the abstract data layer; and forward the at least partially anonymized data to a network. The compliance manager may also be configured to encrypt the at least partially anonymized data prior to transmission to the network.
[0063] According to further examples, the compliance manager may be further configured to instruct each IoT device to anonymize at least a portion of the data prior to transmittal to a network directly by each IoT device. The compliance manager may also be configured to instruct each IoT device to encrypt the at least partially anonymized data prior to transmission to the network. The category assigned to an IoT device may define a routing for data transmitted by the IoT device. The compliance manager may be implemented as part of a local hub device communicatively coupled to IoT devices in a vicinity of the local hub device. The compliance manager may be implemented as part of a device in a network through which the plurality of IoT devices communicate. The network may be a 5G-compliant cellular network.
[0064] According to other examples, a compliance manager to manage data protection compliance for Internet of Things (IoT) devices may include a communication module configured to facilitate communications with a plurality of IoT devices and one or more network devices over a network; a memory configured to store instructions; and a processor coupled to the communication module and the memory. The processor, in conjunction with the instructions stored in the memory, may be configured to assign each IoT device to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and enforce the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager.
[0065] According to further examples, the processor may be further configured to provide a user interface to allow a user to one or more of: add an IoT device, remove an IoT device, add a data protection policy, remove a data protection policy, modify a data protection policy, add a category, remove a category, or modify a category. The processor may be further configured to provide one or more of: a user interface to alert a user about one or more non-compliant IoT devices or a user interface to alert the user about compliance status of one or more IoT devices. The processor may be further configured to anonymize at least a portion of the data transmitted by each IoT device in the abstract data layer; and forward the at least partially anonymized data to the network. The processor may be further configured to encrypt the at least partially anonymized data prior to transmission to the network.
[0066] According to some examples, the processor may be further configured to instruct each IoT device to anonymize at least a portion of the data prior to transmittal to the network directly by each IoT device. The processor may be further configured to instruct each IoT device to encrypt the at least partially anonymized data prior to transmission to the network. The category assigned to an IoT device may define a routing for data transmitted by the IoT device. The compliance manager may be implemented as part of a local hub device communicatively coupled to IoT devices in a vicinity of the local hub device. The compliance manager may be implemented as part of a device in the network.
[0067] According to further examples, a method to manage data protection compliance for Internet of Things (IoT) devices may include assigning, at a compliance manager, each IoT device of a plurality of IoT devices at a particular location to a category based on a functionality associated with each IoT device; providing an abstract data layer; storing one or more data protection policies based on categories of the IoT devices; and enforcing the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager.
[0068] According to other examples, the method may also include providing a user interface to allow a user to one or more of: add an loT device, remove an loT device, add a data protection policy, remove a data protection policy, modify a data protection policy, add a category, remove a category, or modify a category. The method may further include providing one or more of: a user interface to alert a user about one or more non-compliant loT devices or a user interface to alert the user about compliance status of one or more loT devices. The method may also include anonymizing at least a portion of the data transmitted by each loT device in the abstract data layer; and forwarding the at least partially anonymized data to the network. The method may also include encrypting the at least partially anonymized data prior to transmission to the network. The method may further include instructing each loT device to anonymize at least a portion of the data prior to transmittal to the network directly by each loT device; instructing each loT device to encrypt the at least partially anonymized data prior to transmission to the network; or determining a routing for data transmitted by each loT device based on a category assigned to each loT device.
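The method summarized in [0067] and [0068], as an added Python sketch that is not part of the patent text: devices are assigned to categories by functionality, one policy is stored per category, and every record passes through a single enforcement point that drops or pseudonymizes fields and selects a route. The functionality table, category names, field names, the use of a keyed HMAC as the anonymization step and the default-deny behavior for devices without a policy are all assumptions made for illustration; the encryption step is left to the transport.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical functionality-to-category table (not taken from the patent).
FUNCTION_TO_CATEGORY = {
    "camera": "audio_video",
    "voice_assistant": "audio_video",
    "thermostat": "environment",
    "heart_rate_monitor": "health",
}


@dataclass(frozen=True)
class Policy:
    drop: frozenset = frozenset()          # fields that never leave the hub
    pseudonymize: frozenset = frozenset()  # fields replaced by a keyed hash
    route: str = "cloud"                   # destination allowed for the category


class ComplianceManager:
    def __init__(self, hmac_key: bytes):
        self._key = hmac_key  # secret kept at the compliance manager
        self.devices = {}     # device_id -> category
        self.policies = {}    # category -> Policy
        self.alerts = []      # non-compliance events for the user interface

    def add_device(self, device_id, functionality):
        """Assign a device to a category based on its functionality."""
        category = FUNCTION_TO_CATEGORY.get(functionality, "uncategorized")
        self.devices[device_id] = category
        return category

    def set_policy(self, category, policy):
        self.policies[category] = policy

    def _pseudonym(self, value):
        # Keyed hash: stable per value, not reversible without the key.
        mac = hmac.new(self._key, str(value).encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def enforce(self, device_id, record):
        """Return (route, sanitized_record), or None if nothing may be sent."""
        category = self.devices.get(device_id)
        policy = self.policies.get(category)
        if policy is None:
            # Assumed default-deny: unknown device or category without a policy.
            self.alerts.append((device_id, "no policy for category %r" % category))
            return None
        out = {"category": category}
        for key, value in record.items():
            if key in policy.drop:
                continue
            if key in policy.pseudonymize:
                value = self._pseudonym(value)
            out[key] = value
        return policy.route, out


def demo():
    """Run constructed sample records through the manager."""
    cm = ComplianceManager(b"constructed-demo-key")
    cm.add_device("cam-1", "camera")
    cm.add_device("toaster-9", "toaster")  # no matching category or policy
    cm.set_policy("audio_video", Policy(drop=frozenset({"raw_frame"}),
                                        pseudonymize=frozenset({"user_id"}),
                                        route="local_hub"))
    sent = cm.enforce("cam-1", {"user_id": "alice", "raw_frame": b"\x00",
                                "motion": True})
    blocked = cm.enforce("toaster-9", {"temp_c": 180})
    return sent, blocked, cm.alerts


if __name__ == "__main__":
    print(demo())
```

A keyed hash gives pseudonymization rather than full anonymization: records from the same user remain linkable to each other, which a stricter policy would address by dropping the field instead.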
[0069] There are various vehicles by which processes and/or systems and/or other technologies described herein may be effected (e.g., hardware, software, and/or firmware), and the preferred vehicle will vary with the context in which the processes and/or systems and/or other technologies are deployed. For example, if an implementer determines that speed and accuracy are paramount, the implementer may opt for a mainly hardware and/or firmware vehicle; if flexibility is paramount, the implementer may opt for a mainly software implementation; or, yet again alternatively, the implementer may opt for some combination of hardware, software, and/or firmware.
[0070] The foregoing detailed description has set forth various embodiments of the devices and/or processes via the use of block diagrams, flowcharts, and/or examples. Insofar as such block diagrams, flowcharts, and/or examples contain one or more functions and/or operations, each function and/or operation within such block diagrams, flowcharts, or examples may be implemented, individually and/or collectively, by a wide range of hardware, software, firmware, or virtually any combination thereof. In one embodiment, several portions of the subject matter described herein may be implemented via application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs), or other integrated formats. However, some aspects of the embodiments disclosed herein, in whole or in part, may be equivalently implemented in integrated circuits, as one or more computer programs executing on one or more computers (e.g., as one or more programs executing on one or more computer systems), as one or more programs executing on one or more processors (e.g., as one or more programs executing on one or more microprocessors), as firmware, or as virtually any combination thereof, and designing the circuitry and/or writing the code for the software and/or firmware is possible in light of this disclosure.
[0071] The present disclosure is not to be limited in terms of the particular embodiments described in this application, which are intended as illustrations of various aspects. Many modifications and variations can be made without departing from its spirit and scope. Functionally equivalent methods and apparatuses within the scope of the disclosure, in addition to those enumerated herein, are possible from the foregoing descriptions. Such modifications and variations are intended to fall within the scope of the appended claims. The present disclosure is to be limited only by the terms of the appended claims, along with the full scope of equivalents to which such claims are entitled. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting.
[0072] In addition, the mechanisms of the subject matter described herein are capable of being distributed as a program product in a variety of forms, and an illustrative embodiment of the subject matter described herein applies regardless of the particular type of signal bearing medium used to actually carry out the distribution. Examples of a signal bearing medium include, but are not limited to, the following: a recordable type medium such as a floppy disk, a hard disk drive (HDD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, a computer memory, a solid state drive (SSD), etc.; and a transmission type medium such as a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.).
[0073] It is common within the art to describe devices and/or processes in the fashion set forth herein, and thereafter use engineering practices to integrate such described devices and/or processes into data processing systems. That is, at least a portion of the devices and/or processes described herein may be integrated into a data processing system via a reasonable amount of experimentation. A data processing system may include one or more of a system unit housing, a video display device, a memory such as volatile and non-volatile memory, processors such as microprocessors and digital signal processors, computational entities such as operating systems, drivers, graphical user interfaces, and applications programs, one or more interaction devices, such as a touch pad or screen, and/or control systems including feedback loops and control motors.
[0074] A data processing system may be implemented utilizing any suitable commercially available components, such as those found in data computing/communication and/or network computing/communication systems. The herein described subject matter sometimes illustrates different components contained within, or connected with, different other components. Such depicted architectures are merely exemplary, and in fact, many other architectures may be implemented which achieve the same functionality. In a conceptual sense, any arrangement of components to achieve the same functionality is effectively "associated" such that the desired functionality is achieved. Hence, any two components herein combined to achieve a particular functionality may be seen as "associated with" each other such that the desired functionality is achieved, irrespective of architectures or intermediate components. Likewise, any two components so associated may also be viewed as being "operably connected", or "operably coupled", to each other to achieve the desired functionality, and any two components capable of being so associated may also be viewed as being "operably couplable", to each other to achieve the desired functionality. Specific examples of operably couplable include but are not limited to physically connectable and/or physically interacting components and/or wirelessly interactable and/or wirelessly interacting components and/or logically interacting and/or logically interactable components.
[0075] With respect to the use of substantially any plural and/or singular terms herein, those having skill in the art can translate from the plural to the singular and/or from the singular to the plural as is appropriate to the context and/or application. The various singular/plural permutations may be expressly set forth herein for sake of clarity.
[0076] In general, terms used herein, and especially in the appended claims (e.g., bodies of the appended claims) are generally intended as “open” terms (e.g., the term “including” should be interpreted as “including but not limited to,” the term “having” should be interpreted as “having at least,” the term “includes” should be interpreted as “includes but is not limited to,” etc.). It will be further understood by those within the art that if a specific number of an introduced claim recitation is intended, such an intent will be explicitly recited in the claim, and in the absence of such recitation, no such intent is present. For example, as an aid to understanding, the following appended claims may contain usage of the introductory phrases "at least one" and "one or more" to introduce claim recitations. However, the use of such phrases should not be construed to imply that the introduction of a claim recitation by the indefinite articles "a" or "an" limits any particular claim containing such introduced claim recitation to embodiments containing only one such recitation, even when the same claim includes the introductory phrases "one or more" or "at least one" and indefinite articles such as "a" or "an" (e.g., “a” and/or “an” should be interpreted to mean “at least one” or “one or more”); the same holds true for the use of definite articles used to introduce claim recitations. In addition, even if a specific number of an introduced claim recitation is explicitly recited, those skilled in the art will recognize that such recitation should be interpreted to mean at least the recited number (e.g., the bare recitation of "two recitations," without other modifiers, means at least two recitations, or two or more recitations).
[0077] For any and all purposes, such as in terms of providing a written description, all ranges disclosed herein also encompass any and all possible subranges and combinations of subranges thereof. Any listed range can be easily recognized as sufficiently describing and enabling the same range being broken down into at least equal halves, thirds, quarters, fifths, tenths, etc. As a non-limiting example, each range discussed herein can be readily broken down into a lower third, middle third and upper third, etc. As will also be understood by one skilled in the art all language such as “up to,” “at least,” “greater than,” “less than,” and the like include the number recited and refer to ranges which can be subsequently broken down into subranges as discussed above. Finally, a range includes each individual member. Thus, for example, a group having 1-3 cells refers to groups having 1, 2, or 3 cells. Similarly, a group having 1-5 cells refers to groups having 1, 2, 3, 4, or 5 cells, and so forth.
[0078] While various aspects and embodiments have been disclosed herein, other aspects and embodiments are possible. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.

Claims

WHAT IS CLAIMED IS:
1. A system for data protection compliance in Internet of Things (IoT) devices, the system comprising: a plurality of IoT devices, each IoT device configured to perform an operation and transmit data associated with the operation; a compliance manager communicatively coupled to the plurality of IoT devices, the compliance manager configured to: assign each IoT device to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and enforce the one or more data protection policies on the transmitted data by the IoT devices through the abstract data layer constructed at the compliance manager.
2. The system of claim 1, wherein the compliance manager is further configured to: provide a user interface to allow a user to one or more of: add an IoT device, remove an IoT device, add a data protection policy, remove a data protection policy, modify a data protection policy, add a category, remove a category, or modify a category.
3. The system of claim 1, wherein the compliance manager is further configured to: provide a user interface to alert a user about one or more non-compliant IoT devices.
4. The system of claim 1, wherein the compliance manager is further configured to: provide a user interface to alert a user about compliance status of one or more IoT devices.
5. The system of claim 1, wherein the compliance manager is further configured to: anonymize at least a portion of the data transmitted by each IoT device in the abstract data layer; and forward the at least partially anonymized data to a network.
6. The system of claim 5, wherein the compliance manager is further configured to: encrypt the at least partially anonymized data prior to transmission to the network.
7. The system of claim 1, wherein the compliance manager is further configured to: instruct each IoT device to anonymize at least a portion of the data prior to transmittal to a network directly by each IoT device.
8. The system of claim 7, wherein the compliance manager is further configured to: instruct each IoT device to encrypt the at least partially anonymized data prior to transmission to the network.
9. The system of claim 1, wherein the category assigned to an IoT device defines a routing for data transmitted by the IoT device.
10. The system of claim 1, wherein the compliance manager is implemented as part of a local hub device communicatively coupled to IoT devices in a vicinity of the local hub device.
11. The system of claim 1, wherein the compliance manager is implemented as part of a device in a network through which the plurality of IoT devices communicate.
12. The system of claim 11, wherein the network is a 5G-compliant cellular network.
13. A compliance manager to manage data protection compliance for Internet of Things (IoT) devices, the compliance manager comprising: a communication module configured to facilitate communications with a plurality of IoT devices and one or more network devices over a network; a memory configured to store instructions; and a processor coupled to the communication module and the memory, the processor, in conjunction with the instructions stored in the memory, configured to: assign each IoT device to a category based on a functionality associated with each IoT device; provide an abstract data layer; store one or more data protection policies based on categories of the IoT devices; and enforce the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager.
14. The compliance manager of claim 13, wherein the processor is further configured to: provide a user interface to allow a user to one or more of: add an IoT device, remove an IoT device, add a data protection policy, remove a data protection policy, modify a data protection policy, add a category, remove a category, or modify a category.
15. The compliance manager of claim 13, wherein the processor is further configured to provide one or more of: a user interface to alert a user about one or more non-compliant IoT devices or a user interface to alert the user about compliance status of one or more IoT devices.
16. The compliance manager of claim 13, wherein the processor is further configured to: anonymize at least a portion of the data transmitted by each IoT device in the abstract data layer; and forward the at least partially anonymized data to the network.
17. The compliance manager of claim 16, wherein the processor is further configured to: encrypt the at least partially anonymized data prior to transmission to the network.
18. The compliance manager of claim 13, wherein the processor is further configured to: instruct each IoT device to anonymize at least a portion of the data prior to transmittal to the network directly by each IoT device.
19. The compliance manager of claim 18, wherein the processor is further configured to: instruct each IoT device to encrypt the at least partially anonymized data prior to transmission to the network.
20. The compliance manager of claim 13, wherein the category assigned to an IoT device defines a routing for data transmitted by the IoT device.
21. The compliance manager of claim 13, wherein the compliance manager is implemented as part of a local hub device communicatively coupled to IoT devices in a vicinity of the local hub device.
22. The compliance manager of claim 13, wherein the compliance manager is implemented as part of a device in the network.
23. A method to manage data protection compliance for Internet of Things (IoT) devices, the method comprising: assigning, at a compliance manager, each IoT device of a plurality of IoT devices at a particular location to a category based on a functionality associated with each IoT device; providing an abstract data layer; storing one or more data protection policies based on categories of the IoT devices; and enforcing the one or more data protection policies on data transmitted by the IoT devices through the abstract data layer constructed at the compliance manager.
24. The method of claim 23, further comprising: providing a user interface to allow a user to one or more of: add an IoT device, remove an IoT device, add a data protection policy, remove a data protection policy, modify a data protection policy, add a category, remove a category, or modify a category.
25. The method of claim 23, further comprising: providing one or more of: a user interface to alert a user about one or more non-compliant IoT devices or a user interface to alert the user about compliance status of one or more IoT devices.
26. The method of claim 23, further comprising: anonymizing at least a portion of the data transmitted by each IoT device in the abstract data layer; and forwarding the at least partially anonymized data to the network.
27. The method of claim 26, further comprising: encrypting the at least partially anonymized data prior to transmission to the network.
28. The method of claim 23, further comprising: instructing each IoT device to anonymize at least a portion of the data prior to transmittal to the network directly by each IoT device.
29. The method of claim 28, further comprising: instructing each IoT device to encrypt the at least partially anonymized data prior to transmission to the network.
30. The method of claim 23, further comprising: determining a routing for data transmitted by each IoT device based on a category assigned to each IoT device.
PCT/US2020/065470 2020-12-17 2020-12-17 User information protection in iot devices WO2022132146A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2020/065470 WO2022132146A1 (en) 2020-12-17 2020-12-17 User information protection in iot devices

Publications (1)

Publication Number Publication Date
WO2022132146A1 (en) 2022-06-23

Family

ID=82059767

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2020/065470 WO2022132146A1 (en) 2020-12-17 2020-12-17 User information protection in iot devices

Country Status (1)

Country Link
WO (1) WO2022132146A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160248812A1 (en) * 2012-04-13 2016-08-25 Zscaler, Inc. Secure and lightweight traffic forwarding systems and methods to cloud based network security systems
US20170230832A1 (en) * 2016-02-04 2017-08-10 StarHome Mach GmbH Data security for internet of things (iot) devices

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20966140

Country of ref document: EP

Kind code of ref document: A1