Ensuring GDPR Compliance in IoT Network With a Glass Box Security Guard System

This paper addresses the challenges of General Data Protection Regulation (GDPR) compliance posed by the growing prevalence of Internet of Things (IoT) devices, which exacerbate privacy concerns. GDPR mandates data controllers to protect personal data and requires explicit consent for data processin...

Full description

Saved in:
Bibliographic Details
Published inIEEE Transactions on Privacy Vol. 2; pp. 27 - 40
Main Authors Yang, Yi-Chun, Lu, Kuan-Fu, Chen, Yong-Xuan, Tsay, Ren-Song
Format Journal Article
LanguageEnglish
Published IEEE 2025
Subjects
Access control
accountability
blockchain
Blockchains
Data collection
data ownership
data privacy
Electronic equipment
Flight recording
General Data Protection Regulation
general data protection regulation (GDPR)
Glass box
Internet of Things
Internet of Things (IoT)
Law
Privacy
Reliability
Online AccessGet full text
ISSN2836-208X
2836-208X
DOI10.1109/TP.2025.3546854

Cover

Abstract This paper addresses the challenges of General Data Protection Regulation (GDPR) compliance posed by the growing prevalence of Internet of Things (IoT) devices, which exacerbate privacy concerns. GDPR mandates data controllers to protect personal data and requires explicit consent for data processing, but centralized approaches create opaque closed box systems prone to misuse. Although recent solutions utilize blockchain for access control by recording data subject consents, they focus solely on transaction-level activities, but overlook user devices controlled by enterprises, leaving closedbox issues unresolved. To address these challenges, we propose data protection guard (GDPR-Guard), a novel transparent glass box solution that shifts control from enterprises to users, enhancing transparency and accountability by auditing the entire device lifecycle, including manufacturing, which existing solutions often neglect. The supervisory authority oversees manufacturing, ensuring each device integrates a secure GDPR-Guard to log certified device manufacture, controlled application deployment, reliable ownership transfer, and consent-based data collection or application update using tamper-proof digital signatures. This enables reliable investigations throughout the device's lifecycle. The paper also offers a comprehensive access control and auditing protocol, presents a proof-of-concept implementation, evaluates security with concrete threat models, and demonstrating the reliability and acceptable performance of the solution for GDPR compliance.
AbstractList This paper addresses the challenges of General Data Protection Regulation (GDPR) compliance posed by the growing prevalence of Internet of Things (IoT) devices, which exacerbate privacy concerns. GDPR mandates data controllers to protect personal data and requires explicit consent for data processing, but centralized approaches create opaque closed box systems prone to misuse. Although recent solutions utilize blockchain for access control by recording data subject consents, they focus solely on transaction-level activities, but overlook user devices controlled by enterprises, leaving closedbox issues unresolved. To address these challenges, we propose data protection guard (GDPR-Guard), a novel transparent glass box solution that shifts control from enterprises to users, enhancing transparency and accountability by auditing the entire device lifecycle, including manufacturing, which existing solutions often neglect. The supervisory authority oversees manufacturing, ensuring each device integrates a secure GDPR-Guard to log certified device manufacture, controlled application deployment, reliable ownership transfer, and consent-based data collection or application update using tamper-proof digital signatures. This enables reliable investigations throughout the device's lifecycle. The paper also offers a comprehensive access control and auditing protocol, presents a proof-of-concept implementation, evaluates security with concrete threat models, and demonstrating the reliability and acceptable performance of the solution for GDPR compliance.
Author Tsay, Ren-Song
Lu, Kuan-Fu
Chen, Yong-Xuan
Yang, Yi-Chun
Author_xml – sequence: 1
  givenname: Yi-Chun
  orcidid: 0000-0002-9676-7788
  surname: Yang
  fullname: Yang, Yi-Chun
  email: k16272002@gmail.com
  organization: Department of Computer Science, National Tsing Hua University, Hsinchu, Taiwan
– sequence: 2
  givenname: Kuan-Fu
  orcidid: 0009-0002-5101-3584
  surname: Lu
  fullname: Lu, Kuan-Fu
  organization: Department of Computer Science, National Tsing Hua University, Hsinchu, Taiwan
– sequence: 3
  givenname: Yong-Xuan
  surname: Chen
  fullname: Chen, Yong-Xuan
  organization: Department of Computer Science, National Tsing Hua University, Hsinchu, Taiwan
– sequence: 4
  givenname: Ren-Song
  orcidid: 0000-0002-8997-0219
  surname: Tsay
  fullname: Tsay, Ren-Song
  organization: Department of Computer Science, National Tsing Hua University, Hsinchu, Taiwan
BookMark eNpNkE1PwkAURScGExFZu3Exf6Awn53OUhErCUEiTXTXPNpXnVhaMlOi_HshsGB17-Keuzi3pNe0DRJyz9mIc2bH2XIkmNAjqVWcaHVF-iKRcSRY8tm76DdkGIJbMy0N08wkfbKYNmHnXfNF0-flO520m23toCmQuobO2owusPtt_Q_9cN03BZrWEAJ9av_oCosD2O1pugNf0tU-dLi5I9cV1AGH5xyQ1cs0m7xG87d0NnmcR0XMVSSs4LGScg2aYaJQlFYB6NhaMHGlihitqGRRmTUkSjN9LGA1ByhLY1AOyPj0Wvg2BI9VvvVuA36fc5YffeTZMj_6yM8-DsTDiXCIeLG2zFij5D-6RV0e
CODEN ITPEB5
Cites_doi 10.1109/TSC.2020.2999559
10.1109/TSMC.2019.2895123
10.1145/3098954.3098958
10.2139/ssrn.3160404
10.17487/rfc7158
10.1016/j.jestch.2018.05.010
10.1145/3576842.3582379
10.1109/JPROC.2017.2714641
10.1007/978-3-319-57959-7
10.1109/OBD.2016.11
10.1145/3558766
10.3233/SW-210438
10.1007/978-3-031-55561-9
10.1109/ICBC48266.2020.9169432
10.17487/rfc6749
10.1016/j.jisa.2017.11.002
10.1109/ACCESS.2022.3154106
10.2307/j.ctt1trkk7x
10.1016/j.sysarc.2021.102240
10.1109/ACCESS.2018.2851611
10.1016/j.comnet.2016.11.007
10.17487/rfc7049
10.24251/hicss.2019.821
10.1016/j.cose.2019.101653
10.1109/TII.2021.3100152
10.1109/BigData47090.2019.9006455
10.3390/s21237994
10.1109/ACCESS.2023.3242605
10.1093/cybsec/tyy001
10.1109/access.2018.2806881
10.1109/jiot.2020.3015432
10.1007/0-387-23483-7
10.1109/JIOT.2019.2958788
10.1016/j.jnca.2023.103695
10.1109/SPW.2015.27
10.1109/ACCESS.2021.3069877
10.1109/TrustCom/BigDataSE.2018.00183
10.17487/rfc9200
10.1007/s00766-013-0195-2
10.1016/j.ipm.2021.102511
10.1109/TIFS.2019.2948287
10.1109/TC.2017.2647955
10.2139/ssrn.3212210
10.1007/978-3-030-12942-2_23
10.1016/j.comcom.2023.11.017
10.1007/s12243-019-00709-7
ContentType Journal Article
DBID 97E
ESBDL
RIA
RIE
AAYXX
CITATION
DOI 10.1109/TP.2025.3546854
DatabaseName IEEE All-Society Periodicals Package (ASPP) 2005-present
IEEE Open Access Journals
IEEE All-Society Periodicals Package (ASPP) 1998-Present
IEEE Electronic Library (IEL)
CrossRef
DatabaseTitle CrossRef
DatabaseTitleList
Database_xml – sequence: 1
  dbid: RIE
  name: IEEE Electronic Library (IEL)
  url: https://proxy.k.utb.cz/login?url=https://ieeexplore.ieee.org/
  sourceTypes: Publisher
DeliveryMethod fulltext_linktorsrc
Discipline Law
EISSN 2836-208X
EndPage 40
ExternalDocumentID 10_1109_TP_2025_3546854
10907974
Genre orig-research
GrantInformation_xml – fundername: General Research Project of the National Science and Technology
  grantid: NSTC 112-2634-F-007-001-MBK
GroupedDBID 97E
ALMA_UNASSIGNED_HOLDINGS
ESBDL
M43
RIA
RIE
AAYXX
CITATION
ID FETCH-LOGICAL-c614-29216433ba50e84e2d94aa5699a76f4c6e92f3cf7ba84505f7baa951aadd77e3
IEDL.DBID RIE
ISSN 2836-208X
IngestDate Tue Jul 01 05:17:21 EDT 2025
Wed Apr 02 05:44:37 EDT 2025
IsDoiOpenAccess true
IsOpenAccess true
IsPeerReviewed true
IsScholarly true
Language English
License https://creativecommons.org/licenses/by-nc-nd/4.0
LinkModel DirectLink
MergedId FETCHMERGED-LOGICAL-c614-29216433ba50e84e2d94aa5699a76f4c6e92f3cf7ba84505f7baa951aadd77e3
ORCID 0000-0002-9676-7788
0000-0002-8997-0219
0009-0002-5101-3584
OpenAccessLink https://proxy.k.utb.cz/login?url=https://ieeexplore.ieee.org/document/10907974
PageCount 14
ParticipantIDs crossref_primary_10_1109_TP_2025_3546854
ieee_primary_10907974
ProviderPackageCode CITATION
AAYXX
PublicationCentury 2000
PublicationDate 20250000
2025-00-00
PublicationDateYYYYMMDD 2025-01-01
PublicationDate_xml – year: 2025
  text: 20250000
PublicationDecade 2020
PublicationTitle IEEE Transactions on Privacy
PublicationTitleAbbrev TP
PublicationYear 2025
Publisher IEEE
Publisher_xml – name: IEEE
References ref13
ref57
ref56
ref15
ref14
ref11
ref10
ref17
ref16
ref19
ref18
(ref46) 2012
ref50
(ref53) 2019
ref42
ref41
(ref48) 2014
ref44
(ref45) 2019
ref43
(ref51) 2014
ref49
ref8
ref7
ref9
ref4
Robinson (ref28) 2009; 9
ref3
ref6
ref5
ref40
ref35
ref34
ref37
ref36
Wirth (ref12)
ref31
ref30
ref33
ref32
ref2
ref1
ref39
ref38
(ref54) 2019
(ref55) 2022
ref24
ref23
ref26
ref25
ref20
ref22
ref21
ref27
ref29
(ref47) 2019
(ref52) 2019
References_xml – ident: ref17
  doi: 10.1109/TSC.2020.2999559
– ident: ref34
  doi: 10.1109/TSMC.2019.2895123
– ident: ref11
  doi: 10.1145/3098954.3098958
– ident: ref56
  doi: 10.2139/ssrn.3160404
– ident: ref49
  doi: 10.17487/rfc7158
– ident: ref6
  doi: 10.1016/j.jestch.2018.05.010
– ident: ref23
  doi: 10.1145/3576842.3582379
– ident: ref38
  doi: 10.1109/JPROC.2017.2714641
– year: 2019
  ident: ref47
  article-title: Pybluezpybluez: Bluetooth python extension module
– ident: ref1
  doi: 10.1007/978-3-319-57959-7
– ident: ref8
  doi: 10.1109/OBD.2016.11
– ident: ref29
  doi: 10.1145/3558766
– ident: ref36
  doi: 10.3233/SW-210438
– ident: ref39
  doi: 10.1007/978-3-031-55561-9
– ident: ref16
  doi: 10.1109/ICBC48266.2020.9169432
– ident: ref30
  doi: 10.17487/rfc6749
– ident: ref5
  doi: 10.1016/j.jisa.2017.11.002
– ident: ref26
  doi: 10.1109/ACCESS.2022.3154106
– ident: ref27
  doi: 10.2307/j.ctt1trkk7x
– ident: ref41
  doi: 10.1016/j.sysarc.2021.102240
– ident: ref10
  doi: 10.1109/ACCESS.2018.2851611
– ident: ref32
  doi: 10.1016/j.comnet.2016.11.007
– ident: ref50
  doi: 10.17487/rfc7049
– ident: ref13
  doi: 10.24251/hicss.2019.821
– ident: ref24
  doi: 10.1016/j.cose.2019.101653
– ident: ref18
  doi: 10.1109/TII.2021.3100152
– ident: ref20
  doi: 10.1109/BigData47090.2019.9006455
– ident: ref19
  doi: 10.3390/s21237994
– ident: ref21
  doi: 10.1109/ACCESS.2023.3242605
– year: 2019
  ident: ref53
  article-title: FIPS 140-3: Security requirements for cryptographic modules
– ident: ref3
  doi: 10.1093/cybsec/tyy001
– volume: 9
  start-page: 1
  year: 2009
  ident: ref28
  article-title: Review of the European data protection directive
  publication-title: Rand Europe
– ident: ref57
  doi: 10.1109/access.2018.2806881
– start-page: 1
  volume-title: Proc. 1st ERCIM Blockchain Workshop, 2018: Eur. Soc. Socially Embedded Technol.
  ident: ref12
  article-title: Privacy by blockchain design: A blockchain-enabled GDPR-compliant approach for handling personal data
– ident: ref2
  doi: 10.1109/jiot.2020.3015432
– ident: ref42
  doi: 10.1007/0-387-23483-7
– ident: ref43
  doi: 10.1109/JIOT.2019.2958788
– year: 2014
  ident: ref48
  article-title: Pycacryptography: A package designed to expose cryptographic primitives and recipes to Python developers
– year: 2014
  ident: ref51
  article-title: ARM trusted firmware
– year: 2012
  ident: ref46
  article-title: Raspberry pi operating system
– ident: ref37
  doi: 10.1016/j.jnca.2023.103695
– ident: ref7
  doi: 10.1109/SPW.2015.27
– ident: ref35
  doi: 10.1109/ACCESS.2021.3069877
– ident: ref9
  doi: 10.1109/TrustCom/BigDataSE.2018.00183
– ident: ref31
  doi: 10.17487/rfc9200
– ident: ref44
  doi: 10.1007/s00766-013-0195-2
– ident: ref25
  doi: 10.1016/j.ipm.2021.102511
– year: 2019
  ident: ref45
  article-title: Raspberry Pi 4 model B
– year: 2022
  ident: ref55
  article-title: FIDO device onboard specification 1.1
– ident: ref14
  doi: 10.1109/TIFS.2019.2948287
– year: 2019
  ident: ref52
  article-title: PSA certified: IoT security framework and certification
– year: 2019
  ident: ref54
  article-title: SESIP: The security evaluation standard for IoT platforms
– ident: ref40
  doi: 10.1109/TC.2017.2647955
– ident: ref4
  doi: 10.2139/ssrn.3212210
– ident: ref15
  doi: 10.1007/978-3-030-12942-2_23
– ident: ref22
  doi: 10.1016/j.comcom.2023.11.017
– ident: ref33
  doi: 10.1007/s12243-019-00709-7
SSID ssib053705078
ssib053545991
Score 2.2789886
Snippet This paper addresses the challenges of General Data Protection Regulation (GDPR) compliance posed by the growing prevalence of Internet of Things (IoT)...
SourceID crossref
ieee
SourceType Index Database
Publisher
StartPage 27
SubjectTerms Access control
accountability
blockchain
Blockchains
Data collection
data ownership
data privacy
Electronic equipment
Flight recording
General Data Protection Regulation
general data protection regulation (GDPR)
Glass box
Internet of Things
Internet of Things (IoT)
Law
Privacy
Reliability
Title Ensuring GDPR Compliance in IoT Network With a Glass Box Security Guard System
URI https://ieeexplore.ieee.org/document/10907974
Volume 2
hasFullText 1
inHoldings 1
isFullTextHit
isPrint
link http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjV1LS8QwEA52T158rrg-lhw8eGm3TdOmOeq6D8Uti1txbyVNE1yEVrSL4sHfbpJ2cRUEb6EkJcwMnW-mM98AcOajnCDEuJ0hj9kYZ6FNqcS24CSnCsJmkut8xyQOx_f4Zh7Mm2Z10wsjhDDFZ8LRS_MvPy_5UqfKerqIkCgAbAFLRW51s9bKeAJfYQH6TfwS-MRVWCdq6HzU0V4yVfEgChy1M4wC_MMTrY1WMZ5luA3i1Z3qgpInZ1llDv_4Rdf470vvgK0GY8KL2ih2wYYo9oB1y972QTwoXk1jIhxdTe9g3xSUa8XDRQGvywTGdVk4fFhUj5DBkQbX8LJ8h7Nm0B00RgVrpvM2mA0HSX9sNyMVbK78sI0oUuGR72cscEWEBcopZiwIKWUklJiHgiLpc0kyFmGFjfSCKQzG1FeQEOEfgFZRFuIQQKLegGnIOEJCE_RkHpfcDZEnPSGRFB1wvhJu-lzzZqQm3nBpmkxTrYe00UMHtLXU1rbVAjv64_kx2NTH6zzICWhVL0txqpBBlXWBNfkcdI1dfAH0m7Ul
linkProvider IEEE
linkToHtml http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjV3NS8MwFA9uHvTi58T5mYMHL-26NG2ao8596VaGq7hbSdMEh9CKdij-9SZph1MQvIWQhJD36Pu91_d-D4ALF6UEIcatBLWZhXHiW5RKbAlOUqogbCK5jneMQ3_wgG9n3qwqVje1MEIIk3wmbD00__LTnC90qKylkwiJAsA1sO7patyyXGupPp6rJuk39YvnEkehnaAi9FGbW9FEeYTIs9VKP_DwD1u00lzF2JbeNgiXtypTSp7tRZHY_PMXYeO_r70DtiqUCa9KtdgFayLbA7URe98HYTd7M6WJsH8zuYcdk1KuRQ_nGRzmEQzLxHD4OC-eIIN9Da_hdf4Bp1WrO2jUCpZc5w0w7XWjzsCqmipYXFliC1GkHCTXTZjniAALlFLMmOdTyogvMfcFRdLlkiQswAod6QFTKIyp7yAhwj0A9SzPxCGARJ2Aqc84QkJT9CRtLrnjo7ZsC4mkaILL5ePGLyVzRmw8DofG0STWcogrOTRBQ7_ayrLywY7-mD8HG4NoPIpHw_DuGGzqo8qoyAmoF68LcapwQpGcGe34Ak1-tzw
openUrl ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Ensuring+GDPR+Compliance+in+IoT+Network+With+a+Glass+Box+Security+Guard+System&rft.jtitle=IEEE+Transactions+on+Privacy&rft.au=Yang%2C+Yi-Chun&rft.au=Lu%2C+Kuan-Fu&rft.au=Chen%2C+Yong-Xuan&rft.au=Tsay%2C+Ren-Song&rft.date=2025&rft.issn=2836-208X&rft.eissn=2836-208X&rft.volume=2&rft.spage=27&rft.epage=40&rft_id=info:doi/10.1109%2FTP.2025.3546854&rft.externalDBID=n%2Fa&rft.externalDocID=10_1109_TP_2025_3546854
thumbnail_l http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=2836-208X&client=summon
thumbnail_m http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=2836-208X&client=summon
thumbnail_s http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=2836-208X&client=summon