Supporting users to take informed decisions on privacy settings of personal devices

Today, personal information has never been this prone to risk given the current advancement in technologies especially on personal devices. These devices are able to provide services to individuals; however, they also collect huge amount of personal information which may be used to infer sensitive private information. Among these personal devices, fitness trackers have the potential to capture the most personal user information. We conducted an analysis on fitness trackers and built a case study based on Fitbit wearables, its Android application, and the third party applications that provide further services by accessing Fitbit data and exchanging data with its application, given the user's permission. Specifically, we analyzed the case of Lose It! third party application. Then, we applied a framework for user privacy protection in the IoT, which we have defined in our previous work, to this specific case and validated our design choices using controlled experiments. The contribution of the paper is twofold: showing the risks for privacy due to the possible correlation of shared data to infer undisclosed personal information and presenting an approach to support users in managing privacy configuration settings. The ultimate aim of this study is to outline new challenges for IoT development by (i) emphasizing the need to protect users against inference attacks coming from the supposedly trusted third parties and (ii) making the process of information sharing more informative and the users more aware of the related risks.