Author(s):
- Noah Apthorpe
- Yan Shvartzshnaider
- Arunesh Mathur
- Dillon Reisman
- Nick Feamster
Abstract:
The proliferation of Internet of Things (IoT) devices for consumer “smart” homes raises concerns about user privacy. We present a survey method based on the Contextual Integrity (CI) privacy framework that can quickly and efficiently discover privacy norms at scale. We apply the method to discover privacy norms in the smart home context, surveying 1,731 American adults on Amazon Mechanical Turk. For $2,800 and in less than six hours, we measured the acceptability of 3,840 information flows representing a combinatorial space of smart home devices sending consumer information to first and third-party recipients under various conditions. Our results provide actionable recommendations for IoT device manufacturers, including design best practices and instructions for adopting our method for further research.
Documentation:
https://doi.org/10.1145/3214262