1. bookVolume 2022 (2022): Issue 1 (January 2022)
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
access type Open Access

If This Context Then That Concern: Exploring users’ concerns with IFTTT applets

Published Online: 20 Nov 2021
Page range: 166 - 186
Received: 31 May 2021
Accepted: 16 Sep 2021
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
Abstract

End users are increasingly using trigger-action platforms like If-This-Then-That (IFTTT) to create applets to connect smart-home devices and services. However, there are inherent implicit risks in using such applets—even non-malicious ones—as sensitive information may leak through their use in certain contexts (e.g., where the device is located, who can observe the resultant action). This work aims to understand to what extent end users can assess this implicit risk. More importantly we explore whether usage context makes a difference in end-users’ perception of such risks. Our work complements prior work that has identified the impact of usage context on expert evaluation of risks in IFTTT by focusing the impact of usage context on end-users’ risk perception. Through a Mechanical Turk survey of 386 participants on 49 smart-home IFTTT applets, we found that participants have a nuanced view of contextual factors and that different values for contextual factors impact end-users’ risk perception differently. Further, our findings show that nudging the participants to think about different usage contexts led them to think deeper about the associated risks and raise their concern scores.

Keywords

[1] If This, Then That (IFTTT). https://www.ifttt.com/. Accessed: 2019-09-9. Search in Google Scholar

[2] Noah Apthorpe, Yan Shvartzshnaider, Arunesh Mathur, Dillon Reisman, and Nick Feamster. Discovering smart home internet of things privacy norms using contextual integrity. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, 2(2):1–23, 2018. Search in Google Scholar

[3] Iulia Bastys, Musard Balliu, and Andrei Sabelfeld. If this then what?: Controlling flows in iot apps. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 1102–1119. ACM, 2018. Search in Google Scholar

[4] Microsoft Flow: Automate processes and tasks. https://flow.microsoft.com/. Accessed: 2019-09-9. Search in Google Scholar

[5] Rainer Böhme and Stefan Köpsell. Trained to accept?: A field experiment on consent dialogs. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’10, pages 2403–2406, New York, NY, USA, 2010. ACM. Search in Google Scholar

[6] Apple’s HomeKit. http://www.apple.com/ios/home/. Accessed: 2019-09-9. Search in Google Scholar

[7] Z Berkay Celik, Leonardo Babun, Amit Kumar Sikder, Hidayet Aksu, Gang Tan, Patrick McDaniel, and A Selcuk Uluagac. Sensitive information tracking in commodity iot. In 27th USENIX Security Symposium (USENIX Security 18), pages 1687–1704, 2018. Search in Google Scholar

[8] Z Berkay Celik, Patrick McDaniel, and Gang Tan. Soteria: Automated iot safety and security analysis. In 2018 USENIX Annual Technical Conference (USENIX ATC 18), pages 147–158, 2018. Search in Google Scholar

[9] Z Berkay Celik, Gang Tan, and Patrick D McDaniel. Iot-guard: Dynamic enforcement of security and safety policy in commodity iot. In NDSS, 2019. Search in Google Scholar

[10] Eun Kyoung Choe, Sunny Consolvo, Jaeyeon Jung, Beverly Harrison, Shwetak N Patel, and Julie A Kientz. Investigating receptiveness to sensing and inference in the home using sensor proxies. In Proceedings of the 2012 ACM Conference on Ubiquitous Computing, pages 61–70. ACM, 2012. Search in Google Scholar

[11] Camille Cobb, Milijana Surbatovich, Anna Kawakami, Mah-mood Sharif, Lujo Bauer, Anupam Das, and Limin Jia. How risky are real users’ ifttt applets? In Sixteenth Symposium on Usable Privacy and Security ({SOUPS} 2020), pages 505–529, 2020. Search in Google Scholar

[12] Zapier: Automate Workflows. https://zapier.com/. Accessed: 2019-09-9. Search in Google Scholar

[13] Samsung Smartthings. https://www.smartthings.com/. Accessed: 2019-09-9. Search in Google Scholar

[14] Earlence Fernandes, Jaeyeon Jung, and Atul Prakash. Security analysis of emerging smart home applications. In 2016 IEEE symposium on security and privacy (SP), pages 636–654. IEEE, 2016. Search in Google Scholar

[15] Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash. Flowfence: Practical data protection for emerging iot application frameworks. In 25th USENIX Security Symposium (USENIX Security 16), pages 531–548, 2016. Search in Google Scholar

[16] Joseph L Fleiss, Bruce Levin, and Myunghee Cho Paik. Statistical methods for rates and proportions. john wiley & sons, 2013. Search in Google Scholar

[17] Hana Habib, Neil Shah, and Rajan Vaish. Impact of contextual factors on snapchat public sharing. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, pages 1–13, 2019. Search in Google Scholar

[18] Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Dürmuth, Earlence Fernandes, and Blase Ur. Re-thinking access control and authentication for the home internet of things (iot). In 27th USENIX Security Symposium (USENIX Security 18), pages 255–272, 2018. Search in Google Scholar

[19] OPENHAB: Open Source Automation Software for Home. https://www.openhab.org/. Accessed: 2019-09-9. Search in Google Scholar

[20] What is IFTTT? How to use If This, Then That services. https://www.computerworld.com/article/3239304/what-isifttt-how-to-use-if-this-then-that-services.html. Accessed: 2020-12-12. Search in Google Scholar

[21] Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Zhuoqing Morley Mao, and Atul Prakash. Contexlot: Towards providing contextual integrity to appified iot platforms. In NDSS, 2017. Search in Google Scholar

[22] Kim J Kaaz, Alex Hoffer, Mahsa Saeidi, Anita Sarma, and Rakesh B Bobba. Understanding user perceptions of privacy, and configuration challenges in home automation. In 2017 IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), pages 297–301. IEEE, 2017. Search in Google Scholar

[23] Ruogu Kang, Stephanie Brown, Laura Dabbish, and Sara Kiesler. Privacy attitudes of mechanical turk workers and the us public. In 10th Symposium On Usable Privacy and Security ({SOUPS} 2014), pages 37–49, 2014. Search in Google Scholar

[24] Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor. Standardizing privacy notices: An online study of the nutrition label approach. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’10, pages 1573–1582, New York, NY, USA, 2010. ACM. Search in Google Scholar

[25] Hosub Lee and Alfred Kobsa. Understanding user privacy in internet of things environments. In 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT), pages 407–412. IEEE, 2016. Search in Google Scholar

[26] Hosub Lee and Alfred Kobsa. Privacy preference modeling and prediction in a simulated campuswide iot environment. In 2017 IEEE International Conference on Pervasive Computing and Communications (PerCom), pages 276–285. IEEE, 2017. Search in Google Scholar

[27] Jialiu Lin, Shahriyar Amini, Jason I Hong, Norman Sadeh, Janne Lindqvist, and Joy Zhang. Expectation and purpose: understanding users’ mental models of mobile app privacy through crowdsourcing. In Proceedings of the 2012 ACM conference on ubiquitous computing, pages 501–510. ACM, 2012. Search in Google Scholar

[28] Hiroaki Masaki, Kengo Shibata, Shui Hoshino, Takahiro Ishihama, Nagayuki Saito, and Koji Yatani. Exploring nudge designs to help adolescent sns users avoid privacy and safety threats. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, pages 1–11, 2020. Search in Google Scholar

[29] Pardis Emami Naeini, Sruti Bhagavatula, Hana Habib, Martin Degeling, Lujo Bauer, Lorrie Faith Cranor, and Norman Sadeh. Privacy expectations and preferences in an iot world. In Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), pages 399–412, 2017. Search in Google Scholar

[30] Patricia A Norberg, Daniel R Horne, and David A Horne. The privacy paradox: Personal information disclosure intentions versus behaviors. Journal of Consumer Affairs, 41(1):100–126, 2007. Search in Google Scholar

[31] Sören Preibusch. Guide to measuring privacy concern: Review of survey and observational instruments. International Journal of Human-Computer Studies, 71(12):1133–1143, 2013. Search in Google Scholar

[32] R Core Team. R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing, Vienna, Austria, 2013. Search in Google Scholar

[33] Elissa M Redmiles, Sean Kross, and Michelle L Mazurek. How well do my results generalize? comparing security and privacy survey results from mturk, web, and telephone samples. In 2019 2019 IEEE Symposium on Security and Privacy (SP), Vol. 00. IEEE, pages 227–244, 2019. Search in Google Scholar

[34] Norman Sadeh, Jason Hong, Lorrie Cranor, Ian Fette, Patrick Kelley, Madhu Prabaker, and Jinghai Rao. Understanding and capturing people’s privacy policies in a mobile social networking application. Personal and Ubiquitous Computing, 13(6):401–412, 2009. Search in Google Scholar

[35] Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor. A design space for effective privacy notices. In Proceedings of the Eleventh USENIX Conference on Usable Privacy and Security, SOUPS ’15, pages 1–17, Berkeley, CA, USA, 2015. USENIX Association. Search in Google Scholar

[36] Milijana Surbatovich, Jassim Aljuraidan, Lujo Bauer, Anupam Das, and Limin Jia. Some recipes can do more than spoil your appetite: Analyzing the security and privacy risks of ifttt recipes. In Proceedings of the 26th International Conference on World Wide Web, pages 1501–1510. International World Wide Web Conferences Steering Committee, 2017. Search in Google Scholar

[37] Yuan Tian, Nan Zhang, Yueh-Hsun Lin, XiaoFeng Wang, Blase Ur, Xianzheng Guo, and Patrick Tague. Smartauth: User-centered authorization for the internet of things. In 26th USENIX Security Symposium (USENIX Security 17), pages 361–378, 2017. Search in Google Scholar

[38] Janice Y Tsai, Patrick Kelley, Paul Drielsma, Lorrie Faith Cranor, Jason Hong, and Norman Sadeh. Who’s viewed you?: the impact of feedback in a mobile location-sharing application. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 2003–2012. ACM, 2009. Search in Google Scholar

[39] Gerhard Tutz and Wolfgang Hennevogl. Random effects in ordinal regression models. Computational Statistics & Data Analysis, 22(5):537–557, 1996. Search in Google Scholar

[40] Blase Ur, Elyse McManus, Melwyn Pak Yong Ho, and Michael L Littman. Practical trigger-action programming in the smart home. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 803–812. ACM, 2014. Search in Google Scholar

[41] Qi Wang, Wajih Ul Hassan, Adam Bates, and Carl Gunter. Fear and logging in the internet of things. In Network and Distributed Systems Symposium, 2018. Search in Google Scholar

[42] Yang Wang, Pedro Giovanni Leon, Alessandro Acquisti, Lorrie Faith Cranor, Alain Forget, and Norman Sadeh. A field trial of privacy nudges for facebook. In Proceedings of the SIGCHI conference on human factors in computing systems, pages 2367–2376, 2014. Search in Google Scholar

[43] Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, and Wenyuan Xu. Dolphinattack: Inaudible voice commands. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 103–117. ACM, 2017. Search in Google Scholar

[44] Serena Zheng, Noah Apthorpe, Marshini Chetty, and Nick Feamster. User perceptions of smart home iot privacy. Proceedings of the ACM on Human-Computer Interaction, 2(CSCW):1–20, 2018. Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo