Noah Apthorpe
Skip Abstract Section
Abstract
The proliferation of Internet of Things (IoT) devices for consumer "smart" homes raises concerns about user privacy. We present a survey method based on the Contextual Integrity (CI) privacy framework that can quickly and efficiently discover privacy norms at scale. We apply the method to discover privacy norms in the smart home context, surveying 1,731 American adults on Amazon Mechanical Turk. For $2,800 and in less than six hours, we measured the acceptability of 3,840 information flows representing a combinatorial space of smart home devices sending consumer information to first and third-party recipients under various conditions. Our results provide actionable recommendations for IoT device manufacturers, including design best practices and instructions for adopting our method for further research.
- Monica Anderson. 2015. Key takeaways on mobile apps and privacy. http://www.pewresearch.org/fact-tank/2015/11/10/key-takeaways-mobile-apps/Google Scholar
- Noah Apthorpe, Dillon Reisman, and Nick Feamster. 2016. A Smart Home is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic. In Workshop on Data and Algorithmic Transparency.Google Scholar
- Paul Ashley, Satoshi Hada, Günter Karjoth, Calvin Powers, and Matthias Schunter. 2003. Enterprise privacy authorization language (EPAL). IBM Research (2003).Google Scholar
- Itai Asseo, Maggie Johnson, Bob Nilsson, Neti Chalapathy, and TJ Costello. 2016. The Internet of things: Riding the wave in higher education. Educause Review (2016), 11--31.Google Scholar
- Louise Barkhuus. 2012. The mismeasurement of privacy: using contextual integrity to reconsider privacy in HCI. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 367--376. Google ScholarDigital Library
- Adam Barth, Anupam Datta, John C Mitchell, and Helen Nissenbaum. 2006. Privacy and contextual integrity: Framework and applications. In 2006 IEEE Symposium on Security and Privacy. IEEE, 15--pp. Google ScholarDigital Library
- Christoph Bartneck, Andreas Duenser, Elena Moltchanova, and Karolina Zawieska. 2015. Comparing the similarity of responses received from studies in Amazon's Mechanical Turk to studies conducted online and with direct recruitment. PloS one 10, 4 (2015), e0121595.Google ScholarCross Ref
- Douglas Bates, Martin Mächler, Ben Bolker, and Steve Walker. 2014. Fitting linear mixed-effects models using lme4. arXiv preprint arXiv:1406.5823 (2014).Google Scholar
- Omar Chowdhury, Andreas Gampe, Jianwei Niu, Jeffery von Ronne, Jared Bennatt, Anupam Datta, Limin Jia, and William H Winsborough. 2013. Privacy promises that can be kept: A policy analysis method with application to the HIPAA privacy rule. In Proceedings of the 18th ACM Symposium on Access Control Models and Technologies. ACM, 3--14. Google ScholarDigital Library
- Federal Communications Commission. 2017. Green Paper: Fostering the Advancement of the Internet of Things. https://www.ntia.doc.gov/other-publication/2017/green-paper-fostering-advancement-internet-thingsGoogle Scholar
- Lorrie Faith Cranor, Joseph Reagle, and Mark S Ackerman. 2000. Beyond concern: Understanding net users' attitudes about online privacy. The Internet upheaval: raising questions, seeking answers in communications policy (2000), 47--70.Google Scholar
- Natalia Criado and Jose M Such. 2015. Implicit Contextual Integrity in Online Social Networks. Information Sciences (2015). Google ScholarDigital Library
- Paul Daugherty, Prith Banerjee, Walid Negm, and Allan E Alter. 2015. Driving unconventional growth through the industrial internet of things. (2015). https://www.accenture.com/us-en/_acnmedia/Accenture/next-gen/reassembling-industry/pdf/Accenture-Driving-Unconventional-Growth-through-IIoT.pdfGoogle Scholar
- Tom Davenport and John Lucker. 2015. Running on data: Activity trackers and the Internet of Things. https://dupress.deloitte.com/dup-us-en/deloitte-review/issue-16/internet-of-things-wearable-technology.htmlGoogle Scholar
- Julia Brande Earp, Annie I Antón, Lynda Aiman-Smith, and William H Stufflebeam. 2005. Examining Internet privacy policies within the context of user privacy values. IEEE Transactions on Engineering Management 52, 2 (2005), 227--237.Google ScholarCross Ref
- Serge Egelman, Janice Tsai, Lorrie Faith Cranor, and Alessandro Acquisti. 2009. Timing is everything?: the effects of timing and placement of online privacy indicators. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 319--328. Google ScholarDigital Library
- Enterprise Privacy Authorization Language (EPAL 1.2) 2003. https://www.w3.org/Submission/2003/SUBM-EPAL-20031110/Google Scholar
- Federal Communications Commission. 2016. FCC Adopts Broadband Consumer Privacy Rules. https://www.fcc.gov/document/fcc-adopts-broadband-consumer-privacy-rulesGoogle Scholar
- Federal Communications Commission. 2016. FCC Releases Rules to Protect Broadband Consumer Privacy. https://www.fcc.gov/document/fcc-adopts-broadband-consumer-privacy-rulesGoogle Scholar
- Federal Trade Commission. 2007. Fair Information Practice Principles. https://web.archive.org/web/20100309105100/http://www.ftc.gov/reports/privacy3/fairinfo.shtm#Notice/AwarenessGoogle Scholar
- David Ferraiolo, D Richard Kuhn, and Ramaswamy Chandramouli. 2003. Role-based access control. Artech House. Google ScholarDigital Library
- David F Ferraiolo, Ravi Sandhu, Serban Gavrila, D Richard Kuhn, and Ramaswamy Chandramouli. 2001. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security (TISSEC) 4, 3 (2001), 224--274. Google ScholarDigital Library
- Lorenzo Franceschi-Bicchierai. 2017. Internet of Things Teddy Bear Leaked 2 Million Parent and Kids Message Recordings. https://motherboard.vice.com/en_us/article/pgwean/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordingsGoogle Scholar
- Frances Grodzinsky and Herman T Tavani. 2010. Applying the "Contextual Integrity" Model of Privacy to Personal Blogs in the Blogoshere. Computer Science and Information Technology Faculty Publications (2010).Google Scholar
- Broadband Internet Technical Advisory Group. 2016. Internet of Things (IoT) Security and Privacy Recommendations. Technical Report. https://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdfGoogle Scholar
- Hayley Tsukayama. 2017. Bose headphones have been spying on customers, lawsuit claims. The Washington Post (2017). https://www.washingtonpost.com/news/the-switch/wp/2017/04/19/bose-headphones-have-been-spying-on-their-customers-lawsuit-claims/Google Scholar
- Paul Hitlin. 2016. Turkers in this canvassing: young, well-educated and frequent users. http://www.pewinternet.org/2016/07/11/turkers-in-this-canvassing-young-well-educated-and-frequent-users/Google Scholar
- Christine Horne, Brice Darras, Elyse Bean, Anurag Srivastava, and Scott Frickel. 2015. Privacy, technology, and norms: The case of Smart Meters. Social science research 51 (2015), 64--76.Google Scholar
- Gordon Hull, Heather Richter Lipford, and Celine Latulipe. 2011. Contextual gaps: privacy issues on Facebook. Ethics and information technology 13, 4 (2011), 289--302. Google ScholarDigital Library
- Carlos Jensen and Colin Potts. 2004. Privacy policies as decision-making tools: an evaluation of online privacy notices. In Proceedings of the SIGCHI conference on Human Factors in Computing Systems. ACM, 471--478. Google ScholarDigital Library
- David Kravets. 2016. Sex toys and the Internet of Things collide---what could go wrong? https://arstechnica.com/tech-policy/2016/09/sex-toys-and-the-internet-of-things-collide-what-could-go-wrong/Google Scholar
- Nile Lars. 2014. Connected Medical Devices, Apps: Are They Leading the IoT Revolution -- or Vice Versa? https://www.wired.com/insights/2014/06/connected-medical-devices-apps-leading-iot-revolution-vice-versa/Google Scholar
- Jialiu Lin, Shahriyar Amini, Jason I. Hong, Norman Sadeh, Janne Lindqvist, and Joy Zhang. 2012. Expectation and Purpose: Understanding Users' Mental Models of Mobile App Privacy Through Crowdsourcing. In Proceedings of the 2012 ACM Conference on Ubiquitous Computing (UbiComp '12). ACM, 501--510. Google ScholarDigital Library
- Jialiu Lin, Bin Liu, Norman Sadeh, and Jason I. Hong. 2014. Modeling Users' Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings. In 10th Symposium On Usable Privacy and Security (SOUPS 2014). USENIX Association, 199--212. https://www.usenix.org/conference/soups2014/proceedings/presentation/lin Google ScholarDigital Library
- Leib Litman, Jonathan Robinson, and Tzvi Abberbock. 2017. TurkPrime.com: A versatile crowdsourcing data acquisition platform for the behavioral sciences. Behavior research methods 49, 2 (2017), 433--442.Google Scholar
- Richard Lowry. 2014. Concepts and applications of inferential statistics. (2014).Google Scholar
- Naresh K Malhotra, Sung S Kim, and James Agarwal. 2004. Internet users' information privacy concerns (IUIPC): The construct, the scale, and a causal model. Information systems research 15, 4 (2004), 336--355. Google ScholarDigital Library
- Kirsten Martin. 2015. Privacy notices as tabula rasa: An empirical investigation into how complying with a privacy notice is related to meeting privacy expectations online. Journal of Public Policy 8 Marketing 34, 2 (2015), 210--227.Google ScholarCross Ref
- Kirsten Martin and Helen Nissenbaum. 2016. Measuring privacy: an empirical test using context to expose confounding variables. Colum. Sci. 8 Tech. L. Rev. 18 (2016), 176.Google Scholar
- Chris Matyszczyk. 2015. Samsung's warning: Our Smart TVs record your living room chatter. https://www.cnet.com/news/samsungs-warning-our-smart-tvs-record-your-living-room-chatter/Google Scholar
- Aleecia M McDonald and Lorrie Faith Cranor. 2008. The cost of reading privacy policies. ISJLP 4 (2008), 543.Google Scholar
- Eliott McLaughlin. 2017. Suspect OKs Amazon to hand over Echo recordings in murder case. https://www.cnn.com/2017/03/07/tech/amazon-echo-alexa-bentonville-arkansas-murder-case/index.htmlGoogle Scholar
- Pardis Emami Naeini, Sruti Bhagavatula, Hana Habib, Martin Degeling, Lujo Bauer, Lorrie Faith Cranor, and Norman Sadeh. 2017. Privacy Expectations and Preferences in an IoT World. In Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017). USENIX Association, Santa Clara, CA, 399--412. Google ScholarDigital Library
- Helen Nissenbaum. 2010. Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford Law Books. Google ScholarDigital Library
- Bill Parducci. 2005. eXtensible Access Control Markup Language (XACML) specification. (2005).Google Scholar
- Joseph Phelps, Glen Nowak, and Elizabeth Ferrell. 2000. Privacy concerns and consumer willingness to provide personal information. Journal of Public Policy 8 Marketing 19, 1 (2000), 27--41.Google ScholarCross Ref
- Qualtrics Online. 2017. http://www.qualtrics.comGoogle Scholar
- Lee Rainie and Maeve Duggan. 2017. Privacy and Information Sharing. http://www.pewinternet.org/2016/01/14/privacy-and-information-sharing/Google Scholar
- Andrew D Selbst. 2013. Contextual expectations of privacy. Cardozo Law Review (2013).Google Scholar
- Juliet Popper Shaffer. 1995. Multiple Hypothesis Testing. Annual Review of Psychology 46, 1 (1995), 561--584.Google ScholarCross Ref
- Pan Shi, Heng Xu, and Yunan Chen. 2013. Using contextual integrity to examine interpersonal information boundary on social network sites. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 35--38. Google ScholarDigital Library
- Yan Shvartzshnaider, Schrasing Tong, Thomas Wies, Paula Kift, Helen Nissenbaum, Lakshminarayanan Subramanian, and Prateek Mittal. 2016. Learning Privacy Expectations by Crowdsourcing Contextual Informational Norms. The Fourth AAAI Conference on Human Computation and Crowdsourcing (2016).Google Scholar
- Daniel J Simons and Christopher F Chabris. 2012. Common (mis) beliefs about memory: A replication and comparison of telephone and Mechanical Turk survey methods. PloS one 7, 12 (2012), e51876.Google ScholarCross Ref
- Snap Spectacles 2017. Snap Spectacles. https://www.spectacles.com/Google Scholar
- FTC Staff. 2010. Protecting Consumer Privacy in an Era of Rapid Change--A Proposed Framework for Businesses and Policymakers. Journal of Privacy and Confidentiality 3, 1 (2010), 5.Google Scholar
- Seymour Sudman, Norman M Bradburn, and Norbert Schwarz. 1996. Thinking about answers: The application of cognitive processes to survey methodology. Jossey-Bass.Google Scholar
- UserBob - Usability Testing. 2017. https://userbob.com/Google Scholar
- Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David Wagner, and Konstantin Beznosov. 2015. Android Permissions Remystified: A Field Study on Contextual Integrity. In 24th USENIX Security Symposium (USENIX Security 15). USENIX Association, 499--514. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/wijesekera Google ScholarDigital Library
- Jenifer S Winter. 2012. Privacy and the emerging internet of things: using the framework of contextual integrity to inform policy. In Pacific Telecommunications Council Conference Proceedings.Google Scholar
- Christopher Wolf and Jules Polonetsky. 2013. An Updated Privacy Paradigm for the "Internet of Things". https://fpf.org/wp-content/uploads/Wolf-and-Polonetsky-An-Updated-Privacy-Paradigm-for-the-%E2%80%9CInternet-of-Things%E2%80%9D-11-19-2013.pdfGoogle Scholar
- Kathryn Zickuhr. 2013. Who's not online and why. Pew Research Center's Internet and American Life Project. http://www.pewinternet.org/files/old-media/Files/Reports/2013/PIP_Offline%20adults_092513_PDF.pdfGoogle Scholar
- Michael Zimmer. 2008. Privacy on planet Google: Using the theory of contextual integrity to clarify the privacy threats of Google's quest for the perfect search engine. J. Bus. 8 Tech. L. 3 (2008), 109.Google Scholar
Index Terms
- Discovering Smart Home Internet of Things Privacy Norms Using Contextual Integrity
Recommendations
Privacy Norms for Smart Home Personal Assistants
CHI '21: Proceedings of the 2021 CHI Conference on Human Factors in Computing SystemsSmart Home Personal Assistants (SPA) have a complex ecosystem that enables them to carry out various tasks on behalf of the user with just voice commands. SPA capabilities are continually growing, with over a hundred thousand third-party skills in ...
Privacy Norms within the Internet of Things Using Contextual Integrity
GROUP '20: Companion Proceedings of the 2020 ACM International Conference on Supporting Group WorkThe collection of devices networked via the internet, also referred to as the Internet of Things, is poised to grow in adoption. With this rise has come equally increasing concerns for security and privacy. Considering Nissenbaum's framework of ...
Privacy preserving Internet of Things
The Internet of Things (IoT) is the latest web evolution that incorporates billions of devices that are owned by different organisations and people who are deploying and using them for their own purposes. IoT-enabled harnessing of the information that ...
Comments