Volume 2021 (2021): Issue 4 (October 2021)
Journal Details
Format: Journal
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

“I would have to evaluate their objections”: Privacy tensions between smart home device owners and incidental users

Published Online: 23 Jul 2021
Page range: 54 - 75
Received: 28 Feb 2021
Accepted: 16 Jun 2021
Abstract

Recent research and articles in popular press have raised concerns about the privacy risks that smart home devices can create for incidental users—people who encounter smart home devices that are owned, controlled, and configured by someone else. In this work, we present the results of a user-centered investigation that explores incidental users’ experiences and the tensions that arise between device owners and incidental users. We conducted five focus group sessions through which we identified specific contexts in which someone might encounter other people’s smart home devices and the main concerns device owners and incidental users have in such situations. We used these findings to inform the design of a survey instrument, which we deployed to a demographically representative sample of 386 adults in the United States. Through this survey, we can better understand which contexts and concerns are most bothersome and how often device owners are willing to accommodate incidental users’ privacy preferences. We found some surprising trends in terms of what people are most worried about and what actions they are willing to take. For example, while participants who did not own devices themselves were often uncomfortable imagining them in their own homes, they were not as concerned about being affected by such devices in homes that they entered as part of their jobs. Participants showed interest in privacy solutions that might have a technical implementation component, but also frequently envisioned an open dialogue between incidental users and device owners to negotiate privacy accommodations.
