Article Enabling RPL on the Internet of Underwater Things

1. Edge Processing Data is processed locally on the IoT device rather than being transmitted to centralized servers.

Privacy Advantage- Minimizes data exposure and reduces the attack surface.

-Aligns with data minimization principles under GDPR and CCPA.

-Enables real-time decision-making with lower latency.

Limitations: -Limited processing power and storage on edge devices.

-Device-level compromise can lead to localized data leakage.

Use Case- Smart home devices processing voice or image data locally to avoid cloud transmission of sensitive information.

2. Encryption (End-to-End and at Rest) Encrypting data in transit (TLS) and at rest on devices or servers (AES, RSA).

Privacy advantage: -Protects confidentiality and integrity of data across the lifecycle.

-Essential for securing PII, sensor data, and user credentials.

-Helps demonstrate compliance with encryption mandates in regulatory frameworks (FIPS 140-3).

Limitations:

-Key management can be complex at IoT scale.

-Does not address inference attacks or metadata leakage.

Use Case: Wearable health devices encrypting health metrics before transmission to ensure HIPAA and GDPR compliance.

3. Federated Learning Machine learning models are locally trained on devices, and only model updates (not raw data) are shared with the server.

Privacy advantage: -Preserves data locality and privacy.

-Enables advanced data insights without centralized data collection.

-Reduces legal exposure under privacy laws, as raw personal data is not transmitted.

Limitations: -Requires secure aggregation protocols to prevent reverse-engineering.

-Higher device resource requirements.

-Higher communication overhead; may suffer from heterogeneous data quality across devices.

Use Case: IoT fitness trackers collaboratively improving activity prediction algorithms without sharing user data.

Thank you, Prof. Kundu, for bringing up this critical and timely issue. With GDPR, CCPA, and several emerging data protection frameworks placing increasing responsibility on businesses, it’s no longer sufficient to treat privacy as an afterthought in IoT architecture. A privacy-by-design approach is essential—and that, in turn, demands a careful balance between regulatory compliance and data utility.

Edge processing offers a strong first line of defense by minimizing the volume of sensitive data sent to the cloud. Processing data locally—at or near the source—not only reduces latency but also significantly limits the risk of exposure during transmission. However, the challenge remains in deploying advanced analytics on resource-constrained devices. This often necessitates lightweight models and efficient firmware design.

Encryption, while fundamental, must go beyond basic TLS. We need robust, end-to-end encryption combined with secure key management protocols and hardware-level attestation. This ensures data remains confidential and tamper-proof even if intercepted. That said, encryption doesn't prevent misuse once data is decrypted at endpoints, and it doesn’t inherently support informed consent or control over data reuse.

Federated learning introduces a promising middle ground—it enables collaborative model training across devices without moving raw data. This aligns well with GDPR’s principles of data minimization and purpose limitation. However, federated learning comes with its own concerns, such as vulnerability to poisoning attacks and the complexity of coordinating decentralized model updates. Incorporating differential privacy and secure aggregation techniques is therefore essential to mitigate these risks.

In practice, no single approach is sufficient. A robust IoT privacy framework must integrate edge analytics, encrypted communication, federated learning, and policy-driven access control. Moreover, aligning architectural decisions with regulatory requirements like data subject rights, consent management, and audit trails ensures that privacy is embedded at every stage—from device onboarding to decommissioning.

Looking forward to hearing how others are tackling this intersection of data privacy, AI, and IoT at scale.

Warm regards