Concept
Imagine that you are on your way to a rented holiday home you have booked. The weather is changing and you might start wondering about temperature settings in the holiday home. A question might pop up in you mind: "Can I change the holiday home settings to my own preference before reaching there?"
The End to end Web IoT demo is designed to allow an authorized user to access "things" that might be owned by another person, locally and remotely. The design of the demo intends to address "Privacy by design" principle that has been advocated by GDPR. GDPR is a new European Regulation on personal privacy. It has come into force across European Union (EU) and the European Economic Area (EEA) since from the 25th of May 2018. GDPR has far-reaching consequences on how personal data is collected, stored and used in the Internet of Things (IoT) world and across the web. Now it is law for IoT solutions to be GDPR compliant in EU and EEA!
The demo has three parts: the home Gateway that runs Mozilla Gateway framework, Webthings (or "things") that connect to Gateway as "Things" add-ons, and a PWA (Progressive WebApp) to control "things". Gateway is connected to either Mozilla cloud or your own cloud if you have one. All "things" were designed as add-ons for Gateway following Web of Things proposals To control "things", we have created a PWA (ProgressiveWebApplication) that runs on mobile devices.
The "Things Project" has introduced an add-on system, which is loosely modeled after the add-on system in Firefox, to allow for the addition of new features or devices such as an adapter to the Things Gateway.
Mozilla IoT has support for Gateway framework on Raspberry Pi 3 and provides a limited number of hardware supports for "things" add-ons. This demo also has been leveraging Mozilla Web-of-things architecture on Samsung devices. From Gateway aspect, Artik 710 has been experimented. And at "things" add-on aspect, it created add-ons for TizenRT with IoT.js on ARTIK05x, JubiLinux (A community debian port) on Intel Edison board and Raspbian on Raspberry Pis (0, 1, 3).
When making choices on technologies for the demo, we intend to have "privacy awareness" in mind. Some of the security and privacy issues have been or being addressed at Gateway and "Things" controller application.
Mozilla "Project Things" aims at "building a decentralized ‘Internet of Things' that is focused on security, privacy, and interoperability", as stated by the company.
The framework has provided solution for secure remote access. Secure remote access is achieved using HTTPS via encrypted tunneling. Basically, the "Things Project" provides a TLS tunnelling service via its registration server to allow people to easily set up a secure subdomain during first time setup. An SSL certificate is generated via LetsEncrypt and a secure tunnel from a Mozilla cloud server to the gateway is set up using PageKite.
From privacy aspect, The "Things" Gateway provides a system for safely authorizing third-party applications using the de-facto authorization standard OAuth 2.0. When a third-party application needs to access or control another person's Things, it always requires consent from the Things' owner. The owner can decide the scope of the access token granted to the third-party application. Things' owner also has options to delete or revoke the tokens that are assigned to the third-party application.
Details on "things" privacy have been discussed at our recent blog "An End-to-End Web IoT Demo Using Mozilla Gateway" and talk "The Complex IoT Equation". Basically we have created a rental holiday use case to discuss "things" ownership and "things" usership.
The diagram below shows an example of User Interface from our demo on a third party application requesting consent from the Things' owner (Sensor and actuators).
The demo has created a PWA as "Things" Controller. In PWAs, you can only register service workers on pages served over HTTPS. Since service workers process all network requests from the web app in the background, this is essential to prevent a man-in-the-middle attack. PWAs can work offline. From privacy perspective, this potentially offers us possibilities to: *** Minimize Collecting, storing, and using user data as much as possible.** *** Know where the data resides.**
All details about Gateway, Sensors and Social part of demo setups can be accessed at: