Technical Field

The present disclosure relates to a Lightweight Machine to Machine (LwM2M) client device and to a LwM2M management server device. The present disclosure also relates to methods performed by a LwM2M client device and a LwM2M management server device, and to a corresponding computer program, a corresponding carrier, and a corresponding computer program product.

Background

The “Internet of Things” (loT) refers to systems of devices enabled for communication network connectivity, so that these devices may be remotely managed, and data collected or required by the devices may be exchanged between individual devices and between devices and application servers. A popular vision of loT comprises large numbers of such small autonomous devices, transmitting and receiving small amounts of data, typically relatively infrequently. loT devices, examples of which may include sensors and actuators, are often although not necessarily, subject to limitations on processing power, storage capacity, energy supply, device complexity and/or network connectivity, imposed by their operating environment or situation, and may consequently be referred to as constrained devices. Constrained devices may operate according to a range of protocols, including widely used protocols such as Internet Protocol (IP) v4 or IPv6, and dedicated protocols for constrained devices, including for example the Constrained Application Protocol (CoAP).

CoAP is a generic Representational state transfer (REST) application protocol for constrained devices, defined in RFC 7252. CoAP is designed to be used over the User Datagram Protocol (UDP), defined in RFC 768, for communication over the Internet.

Lightweight M2M (LwM2M) is an application layer protocol for managing resource- constrained devices (loT devices) using CoAP. LwM2M is defined by the Open Mobile Alliance (OMA) standardisation body, and Version 1.2 of the Core Technical Specification has been published recently (OMA-TS-LightweightM2M_Core-V1_2- 20201110-A). LwM2M defines a protocol between a LwM2M Server and a LwM2M Client. According to the above referenced LwM2M Core Technical Specification, a LwM2M client is a component running on a device implementing the client-side functionality of the LwM2M protocol for interacting with a LwM2M Server and a LwM2M Bootstrap-Server. LwM2M Clients are often implemented in loT devices and gateways. A LwM2M server is a component implementing the server-side functionality of the LwM2M protocol for interacting with a LwM2M Client. LwM2M Server software is often, although not necessarily, running on a non-loT device, such as an on-premise server or in a cloud-based infrastructure. A LwM2M device is a computing device that operates a LwM2M client or LwM2M server.

LwM2M provides various measures to ensure security, including authentication and encryption as well as secure communication. However, the infrastructure of LwM2M allows for the involvement of multiple third parties who have access to the data that is exchanged between a LwM2M device and its end-user. The large quantities of data produced and collected by loT devices raise privacy concerns, owing to the sensitive information that can be inferred from them.

Privacy Enhancing Technologies (PETs) are collections of tools and techniques that can be employed and embedded in loT applications to enable, enhance and preserve confidentiality and privacy. A taxonomy for such technologies is proposed by Johannes Heurix et al. in “A taxonomy for privacy enhancing technologies”, Computers & Security, Volume 53, 2015, Pages 1-17, https://doi.Org/10.1016/j.cose.2015.05.002. While the presence of PET functionality on an loT device may assist with the above noted privacy concerns, the availability of PET functionality on a given device is difficult to determine, and its management is cumbersome. Even small changes such as activating or deactivating privacy enhancing functionality on devices are mostly carried out through firmware upgrades, making the devices inflexible to changes in application requirements.

Summary

It is an aim of the present disclosure to provide solutions which at least partially address one or more of the challenges discussed above. In particular, it is an aim of the present disclosure to provide a LwM2M client device, a LwM2M management server device, corresponding methods, a corresponding computer program, a corresponding carrier, and a corresponding computer program product, which cooperate to facilitate configuration and management of one or more PET functions executable by a LwM2M client device. According to a first aspect of the present disclosure, there is provided a LwM2M client device. The LwM2M client device comprises processing circuitry configured to cause the LwM2M client device to receive, from a LwM2M management server device, configuration information for a Privacy Enhancing Technology (PET) function data object that is associated with a PET function, which PET function is executable by the LwM2M client device. The processing circuitry is further configured to cause the LwM2M client device to configure the PET function data object on the LwM2M client device in accordance with the received configuration information, and to execute the PET function in accordance with the configured PET function data object.

According to another aspect of the present disclosure, there is provided a LwM2M management server device. The LwM2M management server device comprises processing circuitry configured to cause the LwM2M management server device to generate configuration information for a PET function data object that is associated with a PET function, which PET function is executable by a LwM2M client device. The processing circuitry is further configured to cause the LwM2M management server device to send the generated configuration information to the LwM2M client device.

According to another aspect of the present disclosure, there is provided a method for operating a LwM2M client device. The method, performed by the LwM2M client device, comprises receiving, from a LwM2M management server device, configuration information for a PET function data object that is associated with a PET function, which PET function is executable by the LwM2M client device. The method further comprises configuring the PET function data object on the LwM2M client device in accordance with the received configuration information, and executing the PET function in accordance with the configured PET function data object.

According to another aspect of the present disclosure, there is provided a method for operating a LwM2M management server device. The method, performed by the LwM2M management server device, comprises generating configuration information for a PET function data object that is associated with a PET function, which PET function is executable by a LwM2M client device. The method further comprises sending the generated configuration information to the LwM2M client device. According to another aspect of the present disclosure, there is provided a computer program comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out a method according to the preceding aspects or examples of the present disclosure.

According to another aspect of the present disclosure, there is provided a carrier containing a computer program according to the preceding aspect of the present disclosure, wherein the carrier comprises one of an electronic signal, optical signal, radio signal or computer readable storage medium.

According to another aspect of the present disclosure, there is provided a computer program product comprising non transitory computer readable media having stored thereon a computer program according to a preceding aspect of the present disclosure.

Examples of the present disclosure may thus provide a mechanism to configure privacy enhancing functionality on LwM2M client devices. The mechanism involves the use of a PET function data object, associated with a PET function that is executable by the LwM2M client device, and via which a LwM2M management server device may configure, activate, deactivate, etc. the PET function. The PET function data object may also assist with discovery of PET capabilities.

Brief Description of the Drawings

For a better understanding of the present disclosure, and to show more clearly how it may be carried into effect, reference will now be made, by way of example, to the following drawings in which:

Figure 1 is a flow chart illustrating process steps in a method performed by a LwM2M client device;

Figures 2a to 2d show a flow chart illustrating process steps in another example of method performed by a LwM2M client device;

Figure 3 is a flow chart illustrating process steps in a method performed by a LwM2M management server device; Figure 4 is a flow chart illustrating process steps in another example of method performed by a LwM2M management server device;

Figures 5a and 5b illustrate a sequence diagram of messages exchanged according to examples of the present disclosure;

Figure 6 is a block diagram illustrating a LwM2M client device according to examples of the present disclosure; and

Figure 7 is a block diagram illustrating a LwM2M management server device according to examples of the present disclosure.

Detailed Description

Aspects of the present disclosure propose a mechanism by which PET functionality on a LwM2M client device may be configured. This may include updating parameters relating to the PET functionality, such as input parameters, objects or resources to which a PET function should be applied etc., or activating or deactivating application of the PET function. The mechanism introduces a new PET function data object, using which a LwM2M client device may expose available PET functionality at the device, and a LwM2M management server device with management responsibility for the LwM2M client device may update configuration of the PET functionality, including its activation and application to different objects and/or resources hosted by the LwM2M client device. In this manner, configuration of the PET functionality may be updated within the LwM2M layer, and without requiring a full firmware update for the LwM2M client device. The application of PET functionality in the LwM2M client device may therefore be updated much more quickly and easily, allowing it to adapt to evolving requirements of applications that may be accessing or using data of resources exposed by the LwM2M client device.

Figure 1 is a flow chart illustrating process steps in a method 100 performed by a LwM2M client device according to examples of the present disclosure. The LwM2M client device comprises a computing device that is operable to run a LwM2M client. The LwM2M client device may comprise an loT device, and may be a constrained device. Referring to Figure 1 , the method 100 comprises, in a first step 110, receiving, from a LwM2M management server device, configuration information for a Privacy Enhancing Technology (PET) function data object that is associated with a PET function, which PET function is executable by the LwM2M client device. In step 120, the method 100 comprises configuring the PET function data object on the LwM2M client device in accordance with the received configuration information. In step 130, the method 100 comprises executing the PET function in accordance with the configured PET function data object. Examples of the method 100 thus enable the exposure and management in the LwM2M layer of PET functionality that is available at a LwM2M client device.

For the purposes of the present disclosure, a PET function comprises a function that may be applied to any personal data, or data that may be used to derive or obtain personal data, where personal data encompasses any information relating to an identifiable natural or legal person. A more complete discussion of personal data can be found in the General Data Protection Regulation (GDPR), Ell Regulation 2016/679.

The mechanism presented in the method 100 uses a PET function data object to expose and manage PET functionality. The PET function data object may conform to an object model that specifies resources that may be associated with instances of the PET function data object. The object model to which the PET function data object conforms may be specified as part of the LwM2M protocol specification, and the data object may comprise a LwM2M management object. In some examples, multiple instances of the PET function data object may be hosted at the LwM2M client device, each instance of the data object being associated with a different PET function that the LwM2M client device is operable to execute.

According to examples of the present disclosure, if the PET function data object is already hosted at the LwM2M client device, the step of configuring the PET function data object on the LwM2M client device may comprise updating a value of a resource of the PET function data object in accordance with the received configuration information. Alternatively, if the PET function data object does not already exist at the LwM2M client device, the step of configuring the PET function data object on the LwM2M client device may comprise creating the PET function data object on the LwM2M client device in accordance with the received configuration information. Figures 2a to 2d show a flow chart illustrating process steps in further examples of a method 200 performed by a LwM2M client device. The steps of the method 200 illustrate example ways in which the steps of the method 100 may be implemented and supplemented in order to achieve the above discussed and additional functionality.

Referring to Figure 2a, in a first step 205, the LwM2M client device may receive a firmware update installing a PET function on the LwM2M client device. In some examples, the PET function may already be installed on the LwM2M client device, in which case the step 205 may be omitted. As discussed above, a PET function comprises a function that may be applied to any personal data, or data that may be used to derive or obtain personal data, where personal data encompasses any information relating to an identifiable person. Examples of PET functions may include, as illustrated at 205a, a data access function, an anonymization function, a pseudo-anonymization function, a data obfuscation function, a differential privacy function, an encryption function, a secure multiparty computation function, and/or a confidential computing function. It will be appreciated that the preceding list of example PET functions is not exhaustive, and contains several functions, including data access, encryption, secure multiparty computation, and confidential computing, whose original purpose is security, but which can also be used for privacy. Included within the scope of data obfuscation functions may be data prediction and data reduction/compression functions, although privacy is not the main purpose of such functions. Data obfuscation may also encompass techniques including changing a sampling and/or reporting period or reporting delta values as opposed to absolute values. A more detailed discussion of some example functions is provided below, with reference to implementation of the methods disclosed herein.

Referring still to Figure 2a, in step 210, the LwM2M client device receives, from a LwM2M management server device, configuration information for a PET function data object that is associated with a PET function that is executable by the LwM2M client device. This may be the PET function that was installed during the firmware update of step 205, or a PET function that was already installed on the LwM2M client device. Different examples of configuration information that may be received at step 210 are illustrated at 210a to 210g.

As illustrated at 210a and 210b, the received configuration information may comprise at least one of a value of a PET Function resource, the value comprising an identification of the PET function, and/or a value of a PET Function Description resource, the value comprising a direction to a human readable description of the PET function. The direction may for example be a link to a location at which a human readable description of the resource is available. The received configuration information may also or alternatively comprise a value of an Input Parameter resource 210c, the value comprising an input parameter for the PET function. In some examples, a plurality of individual values for the Input Parameter resource may be received. In further examples, the received value may comprise a compound value, for example comprising an array containing multiple individual input parameter values for the PET function with which the PET function data object is associated (and which is identified by the value of the PET Function resource).

As illustrated at 21 Od, the received configuration information may comprise one or more values of an Applied Objects resource, the value or values comprising one or more identifications of data objects hosted at the LwM2M client device to which the PET function is to be applied. The received configuration information may also or alternatively comprise a value or values of an Applied Resources resource as illustrated at 210e, the value or values comprising an identification of a target resource hosted at the LwM2M client device to which the PET function is to be applied.

As illustrated at 210f, the received configuration information may comprise an Output Validation resource, wherein a value of the Output Validation resource comprises a result of verification that the LwM2M client device is operable to perform to confirm whether or not the PET function has been correctly applied. If application of the PET function encounters a problem, the Output Validation resource can indicate this fact, informing any interested party that the result of the incorrect or unsuccessfully applies PET function may not protect the privacy of the original value to which it was applied. A LwM2M management server device may choose not to show certain functionality if the result of the validation is false.

In some examples, the received configuration information may comprise an Activation resource as illustrated at 210g, wherein the activation resource is operable to cause the PET function that is associated with the PET function data object to be activated or deactivated. The above described configuration information indicates some example resources which may be included in the PET function data object proposed in the present disclosure, and via which PET functionality on the LwM2M device may be configured. A complete discussion of these resources, and example values, is provided below with reference to implementation of the methods disclosed herein.

Referring still to Figure 2a, in step 220, the LwM2M client device configures the PET function data object on the LwM2M client device in accordance with the received configuration information. As illustrated at 220a, this may comprise creating the PET function data object in accordance with the received configuration information, if the PET function data object does not already exist on the LwM2M client device. Alternatively, if the PET function data object already exists, the configuring step 220 may comprise updating resources and/or resource values of the existing PET function data object on the LwM2M client device.

Referring now to Figure 2b, in step 230, the LwM2M client device executes the PET function in accordance with the configured PET function data object. As illustrated at 230c, execution may be dependent on the Activation resource of the PET function data object, if present, having been used to activate the PET function. Execution of the PET function at step 230 may comprise, as illustrated at 230b, applying the PET function to at least one target resource identified in the received Applied Resources resource value(s), and/or to at least one target resource in a data object identified in the received Applied Objects resource value(s). Each of the Applied Resources and Applied Objects resources in the PET function data object may contain a plurality of values or array, setting out to which resources and objects, hosted at the LwM2M client device, the particular PET function should be applied. Further detail of this step is illustrated in Figure 2c, discussed below. As illustrated at step 230a, execution of the PET function at step 230 may comprise, at step 230a, inputting the received Input Parameter resource value(s) to the PET function. For example, if the input parameter resource value(s) specifies a PET function variable of a minimum time between notifications, then the LwM2M client device will input this minimum time to the PET function, for example to determine if the specified minimum amount of time has elapsed since a previous notification of a resource value, and consequently whether a new notification may be sent or not. In step 240, the LwM2M client device receives a discover request from a LwM2M server device, which may be the LwM2M management server device that configured the PET function data object, or another LwM2M server device. In step 250, the LwM2M client device responds to the request. Different options for the discovery request and response of steps 240 and 250 are discussed in detail with reference to Figure 2d.

As discussed above, Figure 2c illustrates process steps that may be performed as part of application of the PET function to a target resource identified in the Applied Resources resource of the PET function data object, or to a target resource of a data object identified in the Applied Objects resource of the PET function data object. Referring to Figure 2c, in step 230bi, the LwM2M client device receives from a LwM2M server device a request for a value of the target resource. The LwM2M server device from which the request is received may be the LwM2M management server device that configured the PET function data object, or may be another LwM2M server device. For example, the LwM2M server device requesting the resource value may for example be a LwM2M server component associated with an application server for a third-party application that makes use of the resources hosted by the LwM2M client device. In step 230bii, the LwM2M client device obtains a value of the target resource. In step 230biii, the LwM2Mclient device inputs the obtained value, and any other input parameters specified in the Input Parameters resource of the PET function data object, to the PET function to obtain a PET protected value of the target resource. The nature of the PET protected value of the target resource may vary widely depending on the type of PET function applied. For example, in the case of a PET function that imposes delta reporting, the PET protected value may comprise the difference between a previously reported value and the true (unprotected) value. In another example, as mentioned above, the PET function may impose a minimum reporting time, so that the PET protected value is the true value but obtained at a minimum time separation from the last reported value. Other examples of PET protected value may be envisaged in accordance with different PET functions. Finally, in step 230biv, the LwM2M client device provides the PET protected value of the target resource to the requesting LwM2M server device.

As discussed above, Figure 2d illustrates different options for discovery requests that may be received by the LwM2M client device, and responses that may be sent to such requests. Referring to Figure 2d, in a first example, the LwM2M client device may receive a discovery request specifying a resource type that is specific to PET function data objects in step 240a. The discovery request may be received from the LwM2M management server device, or another LwM2M server device, for example a LwM2M server component associated with an application server, as discussed above. In step 250a, responsive to the received discovery request, the LwM2M client may expose to the LwM2M management server device or the LwM2M server device, from which the discovery request was received, the configured PET function data object. Steps 240a and 250a thus illustrate a process by which a LwM2M server device may discover existing PET function data objects that are present on the LwM2M client device. The resource type that is specific to PET function data objects may be a previously unspecified resource type, for example Iwm2m-pet.

In another example, the LwM2M client device may receive, in step 240b, a discovery request specifying a resource type that is specific to hosted resources to which a PET function is applied. As for step 240a, the discovery request may be received from the LwM2M management server device, or another LwM2M server device, for example a LwM2M server component associated with an application server, as discussed above. In step 250b, responsive to the received discovery request, the LwM2M client may expose to the LwM2M management server device or the LwM2M server device, from which the discovery request was received, at least one of: a data object hosted at the LwM2M client device and identified in the Applied Objects resource of the PET function data object and/or a target resource hosted at the LwM2M client device and identified in the Applied Resources resource of the PET function data object.

Steps 240b and 250b thus illustrate a process by which a LwM2M server device may discover resources hosted by the LwM2M client device to which a PET function will be applied. The resource type that is specific to hosted resources to which a PET function is applied may be a previously unspecified resource type, for example Iwm2m-pet- applied.

In another example, the LwM2M client device may receive, in step 240c, a discovery request for resources hosted on the LwM2M client device. As for steps 240a and 240b, the discovery request may be received from the LwM2M management server device, or another LwM2M server device, for example a LwM2M server component associated with an application server, as discussed above. In step 250c, responsive to the received discovery request, the LwM2M client may expose to the LwM2M management server device or the LwM2M server device, from which the discovery request was received, resources hosted on the LwM2M client device to the LwM2M server device. This may include, for a target resource hosted at the LwM2M client device and identified in the Applied Resources resource of the PET data object, marking the target resource with a resource type specific to hosted resources to which a PET function is applied. Thus, for a discovery request that does not specify a particular resource type, hosted resources to which a PET function is applied may be marked or tagged with a particular resource type that indicates that a PET function will be applied to these resources. The resource type may be for example the same as that discussed above as specific to resources to which a PET function is applied.

It will be appreciated that, as discussed above with reference to Figure 2d and the LwM2M client actions in relation to discovery, a LwM2M server device other than the LwM2M management server device may discover one or more PET function data objects hosted at a LwM2M client device, and/or one or more resources or data objects to which a PET function will be applied. The present disclosure also proposes methods performed by a LwM2M server device according to which such discovery may be carried out. In one example, such a discovery method comprises sending a discovery message to a LwM2M client device. The discovery message may specify a resource type that is specific to PET function data objects or to hosted resources to which a PET function is applied. In further examples, the discovery message may not specify a particular resource type. In further examples, a discovery method further comprises receiving a response to the discovery message. The response may identify, in accordance with the resource type specified in the discovery message, one or more PET function data objects hosted on the LwM2M client device, and/or one or more data objects and/or target resources to which a PET function will be applied. In a further example, in which no resource type was specified in the discovery message, the response may identify a plurality of resources, and may mark or tag any resources to which a PET function will be applied with a resource type that is specific to resources to which a PET function will be applied.

The above discussed discovery methods thus enable a LwM2M server device to discover, using LwM2M, PET functionality available at a LwM2M client device, and to discover to what resources a PET function will be applied. The LwM2M server device may adjust its interaction with the LwM2M client device, including for example the sending of observe requests, requests for resource values etc., on the basis of this information. The LwM2M client may also or additionally pass the information regarding PET functionality and resources to which it is applied to other layers, allowing for this information to be taken into account.

The methods 100 and/or 200 may be complemented by a method 300 performed by a LwM2M management server device as illustrated in Figure 3. The LwM2M management server device comprises a LwM2M server component implementing management functionality for one or more LwM2M client devices. The LwM2M management server device may comprise a computing device or other computing architecture or physical computing entity that operates a LwM2M server. The LwM2M management server component may in some examples be hosted in a cloud deployment.

Referring to Figure 3, the method 300 comprises, in step 310, generating configuration information for a Privacy Enhancing Technology (PET) function data object that is associated with a PET function, which PET function is executable by a LwM2M client device. In step 320, the method 300 comprises sending the generated configuration information to the LwM2M client device.

Figure 4 shows a flow chart illustrating process steps in a further example of a method 400 performed by a LwM2M management server device. The steps of the method 400 illustrate example ways in which the steps of the method 300 may be implemented and supplemented in order to achieve the above discussed and additional functionality.

Referring to Figure 4, in a first step 402, the LwM2M management server device, or an associated functional component, may perform a firmware update installing a PET function on a LwM2M client device for which the LwM2M management server device has management authority. As discussed above, a PET function comprises a function that may be applied to any personal data, or data that may be used to derive or obtain personal data, where personal data encompasses any information relating to an identifiable person. Examples of PET functions may include a data access function, an anonymization function, a pseudo-anonymization function, a data obfuscation function, a differential privacy function, an encryption function, a secure multiparty computation function, and/or a confidential computing function. It will be appreciated that the preceding list of example PET functions is not exhaustive, and contains several functions whose original purpose is security, but which can also be used for privacy. A more detailed discussion of some example functions is provided below, with reference to implementation of the methods disclosed herein.

As an alternative to the installation of a PET function in a firmware update in step 402, the LwM2M management server device may, in step 404, discover the LwM2M client device as having exposed a PET function data object (for which configuration information may be generated in subsequent steps). As illustrated in Figure 4, the discover step 404 may comprise sending a discovery request to the LwM2M client device in step 404a, the discovery request specifying a resource type that is specific to PET function data objects, and receiving a response to the discovery request in step 404b, the response identifying the PET function data object. In still further examples, the LwM2M management server device may discover PET functionality on a managed LwM2M client device in some other manner, for example via configuration information provided to the LwM2M management server device, or in some other way.

In step 410, the LwM2M management server device generates configuration information for a PET function data object that is associated with a PET function executable by the LwM2M client device. The configuration information may be for updating of an existing PET function data object on the LwM2M client device, or may be for creating a PET function data object on the LwM2M client device. For example, the LwM2M management server device may generate the configuration information based on the aforementioned firmware update installing the PET function on the LwM2M client device. In other examples, the LwM2M management server device may obtain the information about the PET function on the LwM2M client device and the resources to which it should be applied, on the basis of which the configuration information for the PET function data object can be generated, using other processes. For example, the resources to which the PET function should be applied could be obtained from an SLA or other governing agreement for service provision, from an open Application Programming Interface (API) provided by a client, from which PET information can be derived, from a human operator, a Machine Learning module or process, or from any other source.

Examples of information that may be comprised in the configuration information generated at step 410 include: a value of a PET Function resource 410a, the value comprising an identification of the PET function a value of a PET Function Description resource 410b, the value comprising a direction to a human readable description of the PET function a value of an Input Parameter resource 410c, the value comprising an input parameter for the PET function one or more values of an Applied Objects resource 41 Od, the value or values comprising one or more identifications of data objects hosted at the LwM2M client device to which the PET function is to be applied one or more values of an Applied Resources resource 41 Oe, the value or values comprising an identification of a target resource hosted at the LwM2M client device to which the PET function is to be applied an Output Validation resource 41 Of, wherein a value of the Output Validation resource comprises a result of verification that the LwM2M client device is operable to perform to confirm whether or not the PET function has been correctly applied an Activation resource 410g, wherein the activation resource is operable to cause the PET function that is associated with the PET function data object to be activated or deactivated.

As discussed above with reference to the Output Validation resource and Figure 2a, if application of the PET function encounters a problem, the Output Validation resource can indicate this fact, and the LwM2M management server device may choose not to show certain functionality if the result of the validation is false.

Each of the above examples of configuration information is discussed in further detail above with reference to Figure 2a, and below with reference to example implementations of the methods disclosed herein.

Referring still to Figure 4, in step 420, the LwM2M management server device sends the generated configuration information to the LwM2M client device. In step 430, the LwM2M management server device may activate or deactivate the PET function using the Activation resource of the PET function data object.

Figures 1 to 4 discussed above provide an overview of methods which may be performed according to different examples of the present disclosure. The methods involve the configuration of a PET function data object, which may be used to manage and activate an associated PET function on a LwM2M client device. There now follows a detailed discussion of how different process steps illustrated in Figures 1 to 4 and discussed above may be implemented according to an example use case and messaging.

Example Use Case

The following use case is based on the Smart Grid - Advanced Metering Infrastructure environment, as set out in Cardenas, Alvaro & Safavi-Naini, Reihaneh. (2012) Security and Privacy in the Smart Grid. 10.1016/B978-0-12-415815-3.00025-X. The Smart Grid is an loT domain in which data privacy plays a very important role. A brief discussion of the use case is provided below.

The Advanced Metering Infrastructure is one section of the Smart Electrical Grid, and comprises all the devices that are responsible for monitoring and gathering data from the distribution part of the electrical grid. One specific device is the smart meter, which provides two-way communication with the central system, allowing efficient monitoring and control of the electricity delivery process. Smart meters facilitate the data collection process, which provides the system operator with an important source of information. Among other measurements, a smart meter needs to provide information on the active energy consumed in a specific time period (kWh), information which is used for billing purposes. Currently this information is reported by the smart meter with a granularity that varies from 1 minute to 1 month, and different applications require different granularities (the granularity can increase to seconds-level if applications require it). It has been shown in F. G. Marmol et al., "Do not snoop my habits: preserving privacy in the smart grid," IEEE Communications Magazine, vol. 50, no. 5, pp. 166-172, May 2012, that fine grain energy consumption data can be used by adversaries to infer sensitive lifestyle information (types of electrical appliances used, habits, the presence or absence of household's inhabitants etc.). Consequently, modifying and tuning the different reporting parameters of energy data, such as through the application of PET functions, may be required in order to preserve and even enhance the privacy of inhabitants. Two examples of such modification, discussed in further detail below, concern the reporting period and the format of reporting the energy consumption. A more detailed discussion of tuning of reporting parameters for the smart grid is provided in Tudor et al., “Analysis of the impact of data granularity on privacy for the smart grid”, WPES '13: Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society, November 2013, Pages 61-70. The above discussed use case, concerning the smart grid and in particular the Active Energy Data Object, standardized as IPSO object number “10243”, is referred to as an example in the following discussion of an example implementation of the creation, discovery and configuration of PET function data objects, and the application of associated PETs, in accordance with the methods disclosed herein.

PET data object creation (method steps 110, 120, 205, 210, 220a, 310, 402, 410)

As discussed above, with reference to step 402 of the method 400, PET functionality that is not already present on a LwM2M client device may be installed via a firmware update. The following implementation example presents two examples of PET functions, each of which is presented in more detail in Tudor et al., “The influence of dataset characteristics on privacy preserving methods in the advanced metering infrastructure”, Computers & Security, Volume 76, 2018, Pages 178-196:

• Modify reporting period (PET1): Instead of reporting values every second this function allows for longer report times. On LwM2M this function can be applied by setting a default "pmin" value to observations in order to force periodic reporting, "pmin” is defined in the LwM2M Specification referenced above.

• Report “delta consumption” (PET2): This function modifies a reporting data representation to a representation computed by an internal function. The function sends the delta between two notifications instead of the actual resource value, “delta consumption” allows to anonymize devices and their aggregated consumption.

In accordance with the methods disclosed herein, each of the above PET functions may be associated with a PET function data object hosted at the LwM2M client device that is operable to execute the functions. An example LwM2M Object template for any PET function data object is provided below. The object may be serialized in SenML (RFC 8428, used in the following examples) or CBOR (RFC 7049). It will be appreciated that the resources in the example template correspond to the example configuration data discussed above with reference to Figures 2a and 4.

PET function data object template:

OBJECT : LwM2M PETS_CONFIG

H - ro PETS-CONFIG* [ instance number ]

H - rw instance number uint ! 6 H - rw PETs function string

H - rw PETs function description url

H - rw Input Parameters [ array] opaque

H - rw Applied Ob j ects [ array] ob j link

H - rw Applied Resources [ array] uintl 6

H - r Output Validation boolean

H - r PET status boolean

H - x Activate/deactivate rw configuration data ( read and write ) ro state data ( read only) x action

As discussed above, the “PETs function" resource (configuration information 210a, 410a) is a string identifying the PET function with which the PET function data object is associated (in the present example PET1 or PET2). The "PETs function description" resource (configuration information 210b, 410b) is a URL that points to a human- readable description of the function. The "Input Parameters" resource (configuration information 210c, 410c) contains an array of PET variables which are input to the PET function, the number and nature of these variables will depend on the particular PET function and how it operates. The "Applied Objects" resource (configuration information 21 Od, 41 Od) contains an array of Object Links (e.g., "/3303/0", '73303/1 ") where the PET Function will be applied. The "Applied Resources" resource (configuration information 210e, 410e) contains an array of Resource Identifiers, so as to compose a path to the final resources to which the PET function is to be applied (e.g., “5700”, “5701”). In the present example, the combination of values in the “Applied Objects” and “Applied Resources” resources of the PET function data object results in application of the PET function to the resources:

/3303 / 0 /5700 /3303 / 0 /5701 /3303 / 1 /5700 /3303 / 1 /5701

The "Output validation" resource (configuration information 210f, 41 Of) is a mechanism on the client device that verifies whether the PET function has been correctly applied (TRUE) or not (FALSE). Management servers can choose not to show certain functionality if the result of validation is "FALSE". The appropriate manager, or management server, may activate the PET function using the "Activate/deactivate" resource (configuration information 210g, 410g) of the corresponding PET object. After each execution the "PET status" will change to active (TRUE) or not (FALSE). Object information from the PET function data object will be translated into input on previously updated libraries. If the PET function is installed via a firmware update, then this process will take place after the firmware update is completed. PET function data object discovery (steps 240, 240a, 240c, 250, 250a, 250c, 404)

It is desirable for a LwM2M server device, which may for example have management authority for a LwM2M client device, to be able to find existing PET functions that may have been applied by other LwM2M server devices or by the manufacturer of the device. A LwM2M Server may query a LwM2M endpoint for existing PET functions using the Discovery interface of LwM2M and a new resource type that is specific to PET function data objects. In the following example, the new resource type "rt" is named "Iwm2m-pet". It is assumed that the identifier “5555” is used the identifier for a PET function data object, referred to in the following example, and in the example template above, as a "LwM2M PETS_CONFIG" Object. It will be appreciated the identifier “5555” is used merely for the purposes of illustration, and other identifiers may be envisaged.

A LwM2M server device first sends a discovery request to a LwM2M client device specifying the new resource type “Iwm2m-pet”. The client device replies with the two instances of a data object of this type that are hosted on the device:

- > GET . /well-known/core?rt=lwm2m-pet

< - 2.05 Success </5555 /OX/5555 /1>

The LwM2M server device then reads one of the PET function data objects to see its field values and validation.

- > GET /5555/0

< - 2.05 Success

{

[ {"n": "pf", "vs": "Mod-rep-per " } ,

{"n": "pfd", "vs": "https://pet.company.com/petl"},

{"n": "input param",

[{"n":"l", "vd":<data>} ,

{"n":"2", "vd" :<data>} ] } ,

{"n": "applied obj",

[ { "n" : "l",-"vs" :"/10243/0"},

{ "n" : "2", "vs" : "/10243/1" } ] },

{"n": "out validation", "vb": "false"},

{"n": "pet status", "vb": "false"}

In the above response, string values, data values and Boolean values are provided, as appropriate, for the different resources set out above. The resource names are abbreviated for brevity: “pf” for PET function, “input_param” for input parameters, etc. It will be appreciated that the applied objects in the above response are two instances of the Active Energy data object “10243” discussed above.

PET function data object configuration (steps 220, 220a, 220b, 320, 420, 430)

This phase may take place before or after the PET data object discovery discussed above. For example, if the PET function data object is created following a firmware update, discovery before PET data object configuration may be redundant.

Configuration of the PET function data object, and by extension the PET function with which it is associated, may be performed using the LwM2M Device Management and Service Enablement interface, defined in the LwM2M specification referenced above. Configuration may comprise sending configuration parameters and modifying resources in the PET function data object. For example, a LwM2M management server device may decide to update some part of the PET configuration, for example by adding a new Resource to which a PET function is to be applied. In the following example, configuration information is sent to the LwM2M client device such that PET 1 (associated with PET function data object “5555/0”) should be applied to resources “5700” and “14”:

- > POST /5555 / 0

{ "n" : "applied resources" ,

[ { "n" : "i" , "v" : "5700" } , { "n" : "2 " , "v" : " 14 " } ] }

< - 2 . 05 Success

Another example of a configuration operation could be to change the way in which the PET function operates, for example by changing input parameters for the PET function via the Input Parameters resource of the associated PET function data object. The precise input parameters and the nature of any change in operation will depend on the particular PET function being configured.

PET function application (steps 230a, 230bi - 230biv, 230c)

Once a PET function has been configured via configuration of its associated PET function data object, the PET function will be applied to all Application interactions with resources on the endpoint that are identified in the relevant resources of the PET function data object (Applied Objects and Applied Resources). Third Party companies will receive data for the relevant resources that undergoes the PET, as opposed to the original, unprotected data values. It may be anticipated that applications seeking to access resource values may perform normal resource discovery, with the LwM2M client device marking or flagging those resources to which a PET function will be applied by listing the relevant resource type as a resource attribute, the resource type being specific to resources to which a PET function is applied. For example, a discovery request to find the objects on a LwM2M client device that are relevant to an application may return:

</ 3303 / 0 /5700> ; rt=lwm2m-pet- applied, < / 3303 / 0 / 5701> , < / 3303 / 1 / 5700> ; rt=lwm2m-pet -applied, </3303 / 1 /5701>

The above response indicates that the “5700” resources have a PET function applied, while the “5701” resource does not. Continuing the use case example discussed above, it may be envisaged that an application on the customer side wishes to receive notifications whenever the "Active Energy" on the meter changes. As discussed, in IPSO the Active Energy is expressed on Object “10243” and its Resource Identifier “14”, the units are “kWh”.

Before the application server queries the value of the relevant resource, it is assumed that a LwM2M management server device for the LwM2M client device has configured PET objects “5555/0” and “5555/1” as discussed above, such that PET1 and PET2 are applied to every resource of data objects “10243” and “10242”. An observe request from the application server for object “10243”, resource “14”, will result in application of the two PET functions: [ PET1 ] [ /10243/0 ] [ 14 ] and [ PET2 ] [ /10243/0 ] [ 14 ] , so that responses from the queried Object will be represented as “delta consumption” every 60 seconds. The 60 second pmin in the PET function data object for PET 1 overrides a pmin specified in the observe request, and the application server therefore received notifications every 60 seconds, each notification indicating the difference between a current value of the active energy object resource “14”, and a value at the previous notification:

B -> A : GET obs=0 / 10243/ 0 / 14 ?pmin=l

A -> B : 2 . 05 Content " 0 . 7 " token : g32u

60 seconds A -> B : 2 . 05 Content " 0 . 3" token : g32u . . . 60 seconds . . .

A -> B : 2 . 05 Content " 0 . 4 " token : g32u

An observation request is sent from B to A for object “10243”, resource “14”, requesting notifications every second. The notifications are in fact provided every 60 seconds, and with delta reporting.

Example messaging

Figures 5a and 5b illustrate a sequence diagram of messages exchanged according to examples of the present disclosure. Figures 5a and 5b divide the messaging into four distinct phases, corresponding to the PET function data object creation, PET function data object discovery, PET function data object configuration, and PET function application discussed above. It will be appreciated that although these phases are numbered 1 to 4, they need not be carried out in the illustrated order, for example phase 3: configuration may take place before or after phase 2: discovery.

Referring initially to Figure 5a, in phase 1 , a LwM2M management server device 504 provides a LwM2M client device (illustrated as LwM2M endpoint 502) with privacy enhancing functionality in message 1 , via a firmware update that installs PET functions on the LwM2M endpoint 502. In message 2, the LwM2M management server device creates PET function data objects corresponding to the installed PET functions on the LwM2M endpoint. The created PET function data objects are now discoverable by third parties. In phase 2, a LwM2M third-party server, or application server, 506 discovers the created PET function data objects. The third-party server or application server 506 is an example of the “another LwM2M server device” that may discover the PET functionality on the endpoint 502 as discussed above. In message 3, the LwM2M server 506 sends a discovery request for data objects having the resource type “rt=lwm2m-pet”, which is specific to PET function data objects. In message 4, the LwM2M endpoint 502 returns the identifiers of the two instances of such data objects that it is hosting. In message 5, the LwM2M server 506 requests the first object instance “5555/0”, and in message 6, the LwM2M endpoint 502 sends the field values of the requested data object. The LwM2M application server may additionally perform discovery for other data objects and resources hosted on the LwM2M endpoint 502 (not shown in Figure 5a). The response to such discovery may indicate which resources will have PET functions applied by including a suitable resource type as an attribute of the resources, as discussed above.

Referring now to Figure 5b, in phase 3, the LwM2M management server device configures the PET function data objects, including updating resource values of the objects, activating and deactivating the PET functions. For example, in message 7, the LwM2M management server device 505 updates a value of the “Applied Resources” resource on PET function data object “5555/0”, to specify that the corresponding PET should be applied to resources “5700” and “14”. The LwM2M acknowledges the update in message 8. In messages 9 and 10, the LwM2M management server device 504 activates PET object 1 and PET object n.

In phase 4 the LwM2M server 506 obtains data which is protected by the PETs. In message 11 , the LwM2M application server sends an observation request (a GET message with the Observe option enabled) targeting resource “14” of object “10243/0” and specifying a pmin of 1 second. PET 1 and PET2 are applied to this resource, so the pmin of 1 second is overridden by the pmin of 60 seconds specified in the PET function data object associated with PET1. In messages 12, 13 and 14, the LwM2M endpoint 502 sends notification at 60 second intervals, using delta encoding to represent the reported values of the target resource.

It will be appreciated that the above described messaging is merely one example of an implementation of the methods disclosed herein, using the Active Energy IPSO object “10243” and associated resources to illustrate one way in which the methods may be implemented. PET functions of different types to PET1 and PET2 described above may be configured and applied to a wide range of hosted target resources, including for example sensor values, using examples of the present disclosure.

As discussed above, the methods 100 and 200 are performed by a LwM2M client device and the methods 300 and 400 are performed by a LwM2M management server device. The present disclosure provides a LwM2M client device and LwM2M management server device which are adapted to perform any or all of the steps of the above discussed methods. The LwM2M client device and LwM2M management server device may comprise constrained devices and/or logical or other functions. Figure 6 is a block diagram illustrating a LwM2M client device 600 which may implement the methods 100 or 200 according to examples of the present disclosure, for example on receipt of suitable instructions from a computer program 650. Referring to Figure 6, the LwM2M client device 600 comprises a processor or processing circuitry 602, and may comprise a memory 604 and interfaces 606. The processing circuitry 602 is operable to perform some or all of the steps of the methods 100 or 200 as discussed above with reference to Figures 1 and 2a to 2d. The memory 604 may contain instructions executable by the processing circuitry 602 such that the LwM2M client device 600 is operable to perform some or all of the steps of the methods 100 or 200. The instructions may also include instructions for executing one or more telecommunications and/or data communications protocols. The instructions may be stored in the form of the computer program 650. The interfaces 606 may comprise one or more interface circuits supporting wired or wireless communications according to one or more communication protocols. The interfaces 606 may support exchange of messages in accordance with examples of the methods disclosed herein, and may for example comprise one or more LwM2M interfaces.

Figure 7 is a block diagram illustrating a LwM2M management server device 700 which may implement the methods 300 or 400 according to examples of the present disclosure, for example on receipt of suitable instructions from a computer program 750. Referring to Figure 7, the LwM2M management server device 700 comprises a processor or processing circuitry 702, and may comprise a memory 704 and interfaces 706. The processing circuitry 702 is operable to perform some or all of the steps of the methods 300 or 400 as discussed above with reference to Figures 3 and 4. The memory 704 may contain instructions executable by the processing circuitry 702 such that the LwM2M management server device 700 is operable to perform some or all of the steps of the method 300 or 400. The instructions may also include instructions for executing one or more telecommunications and/or data communications protocols. The instructions may be stored in the form of the computer program 750. The interfaces 706 may comprise one or more interface circuits supporting wired or wireless communications according to one or more communication protocols. The interfaces 706 may support exchange of messages in accordance with examples of the methods disclosed herein, and may for example comprise one or more LwM2M interfaces.

Examples of the present disclosure thus provide a mechanism for provisioning, discovering, configuring, activating and deactivating privacy enhancing functionality on LwM2M endpoints. The mechanism uses a PET function data object that is associated with a PET function executable by the endpoint. The PET function data object may be a LwM2M management object, and provides access to the PET function in the LwM2M layer, allowing for discovery and management of PET functionality in this layer, and so offering greatly increased flexibility in the use of the PET functionality. In addition, examples of the present disclosure allow for granularity in the application of PET functions, enhancing the functionality and diversity of solutions that currently employ only encryption.

It will be appreciated that examples of the present disclosure may be virtualised, such that the methods and processes described herein may be run in a cloud environment.

The methods of the present disclosure may be implemented in hardware, or as software modules running on one or more processors. The methods may also be carried out according to the instructions of a computer program, and the present disclosure also provides a computer readable medium having stored thereon a program for carrying out any of the methods described herein. A computer program embodying the disclosure may be stored on a computer readable medium, or it could, for example, be in the form of a signal such as a downloadable data signal provided from an Internet website, or it could be in any other form.

It should be noted that the above-mentioned examples illustrate rather than limit the disclosure, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. The word “comprising” does not exclude the presence of elements or steps other than those listed in a claim, “a” or “an” does not exclude a plurality, and a single processor or other unit may fulfil the functions of several units recited in the claims. Any reference signs in the claims shall not be construed so as to limit their scope.