UC Irvine

New technology domains, such as the Internet of Things (IoT), are adding a large number of new devices with Internet connectivity to the spaces where we work and live. These devices are accelerating the collection of user data at an unprecedented rate. On the other hand, new data privacy regulations are emerging all around the globe to protect people's privacy (such as the California Consumer Privacy Act CCPA, European General Data Protection Regulation GDPR, and Brazilian LGPD, among many others). These regulations have put forward stringent requirements on organizations with respect to what should be done when user data is handled. Organizations have been scrambling to adapt their infrastructure in response to these regulations and many have been punished with hefty fines for improper handling of data.

Data Management Systems are at the core of organizations collecting such data. They handle its capture, retention, processing, and sharing. To protect people's privacy, Data Management Systems require, among others, to be able to enforce individuals' privacy preferences. These issues become even more challenging given the scale at which data is captured in new domains such as the IoT. This thesis presents various solutions to support fine-grained privacy policies for data protection when dealing with upcoming IoT applications.

In particular, this thesis outlines framework to enable people to communicate their privacy preferences/policies to smart spaces to address the challenge of Policy-based Privacy-by-design Smart Spaces. This includes a language which allows users to define who, and under which circumstances, can access their data collected by IoT systems. Supporting the definition of such user-defined fine-grained IoT policies in Data Management Systems can lead to scenarios where a large number of them have to be enforced in real-time. The thesis presents a system to answer queries efficiently while enforcing a very large number (hundreds of thousands) of user policies to address the challenge of Scalability of Policy Enforcement. In modern DBMS and particularly in IoT settings, data exists at different semantic levels where dependencies capture the constraints that exist within the data. This thesis describes an approach to prevent leakages through various different dependencies on access controlled data.

The prototypes built as part of the solutions for the above challenges have been integrated into two IoT Systems deployed at UC Irvine. The first is an IoT test bed entitled TIPPERS and the second is privacy preserving middleware called PE-IoT. These integrations show the feasibility of the approaches presented to specify and efficiently enforce privacy policies for supporting IoT applications.