research-article

Open access

Discovering Smart Home Internet of Things Privacy Norms Using Contextual Integrity

Authors:

Yan Shvartzshnaider,

Arunesh Mathur,

Dillon Reisman,

Nick FeamsterAuthors Info & Claims

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, Volume 2, Issue 2

Article No.: 59, Pages 1 - 23

https://doi.org/10.1145/3214262

Published: 05 July 2018 Publication History

Abstract

The proliferation of Internet of Things (IoT) devices for consumer "smart" homes raises concerns about user privacy. We present a survey method based on the Contextual Integrity (CI) privacy framework that can quickly and efficiently discover privacy norms at scale. We apply the method to discover privacy norms in the smart home context, surveying 1,731 American adults on Amazon Mechanical Turk. For $2,800 and in less than six hours, we measured the acceptability of 3,840 information flows representing a combinatorial space of smart home devices sending consumer information to first and third-party recipients under various conditions. Our results provide actionable recommendations for IoT device manufacturers, including design best practices and instructions for adopting our method for further research.

References

[1]

Monica Anderson. 2015. Key takeaways on mobile apps and privacy. http://www.pewresearch.org/fact-tank/2015/11/10/key-takeaways-mobile-apps/

[2]

Noah Apthorpe, Dillon Reisman, and Nick Feamster. 2016. A Smart Home is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic. In Workshop on Data and Algorithmic Transparency.

[3]

Paul Ashley, Satoshi Hada, Günter Karjoth, Calvin Powers, and Matthias Schunter. 2003. Enterprise privacy authorization language (EPAL). IBM Research (2003).

[4]

Itai Asseo, Maggie Johnson, Bob Nilsson, Neti Chalapathy, and TJ Costello. 2016. The Internet of things: Riding the wave in higher education. Educause Review (2016), 11--31.

[5]

Louise Barkhuus. 2012. The mismeasurement of privacy: using contextual integrity to reconsider privacy in HCI. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 367--376.

Digital Library

[6]

Adam Barth, Anupam Datta, John C Mitchell, and Helen Nissenbaum. 2006. Privacy and contextual integrity: Framework and applications. In 2006 IEEE Symposium on Security and Privacy. IEEE, 15--pp.

Digital Library

[7]

Christoph Bartneck, Andreas Duenser, Elena Moltchanova, and Karolina Zawieska. 2015. Comparing the similarity of responses received from studies in Amazon's Mechanical Turk to studies conducted online and with direct recruitment. PloS one 10, 4 (2015), e0121595.

[8]

Douglas Bates, Martin Mächler, Ben Bolker, and Steve Walker. 2014. Fitting linear mixed-effects models using lme4. arXiv preprint arXiv:1406.5823 (2014).

[9]

Omar Chowdhury, Andreas Gampe, Jianwei Niu, Jeffery von Ronne, Jared Bennatt, Anupam Datta, Limin Jia, and William H Winsborough. 2013. Privacy promises that can be kept: A policy analysis method with application to the HIPAA privacy rule. In Proceedings of the 18th ACM Symposium on Access Control Models and Technologies. ACM, 3--14.

Digital Library

[10]

Federal Communications Commission. 2017. Green Paper: Fostering the Advancement of the Internet of Things. https://www.ntia.doc.gov/other-publication/2017/green-paper-fostering-advancement-internet-things

[11]

Lorrie Faith Cranor, Joseph Reagle, and Mark S Ackerman. 2000. Beyond concern: Understanding net users' attitudes about online privacy. The Internet upheaval: raising questions, seeking answers in communications policy (2000), 47--70.

[12]

Natalia Criado and Jose M Such. 2015. Implicit Contextual Integrity in Online Social Networks. Information Sciences (2015).

Digital Library

[13]

Paul Daugherty, Prith Banerjee, Walid Negm, and Allan E Alter. 2015. Driving unconventional growth through the industrial internet of things. (2015). https://www.accenture.com/us-en/_acnmedia/Accenture/next-gen/reassembling-industry/pdf/Accenture-Driving-Unconventional-Growth-through-IIoT.pdf

[14]

Tom Davenport and John Lucker. 2015. Running on data: Activity trackers and the Internet of Things. https://dupress.deloitte.com/dup-us-en/deloitte-review/issue-16/internet-of-things-wearable-technology.html

[15]

Julia Brande Earp, Annie I Antón, Lynda Aiman-Smith, and William H Stufflebeam. 2005. Examining Internet privacy policies within the context of user privacy values. IEEE Transactions on Engineering Management 52, 2 (2005), 227--237.

[16]

Serge Egelman, Janice Tsai, Lorrie Faith Cranor, and Alessandro Acquisti. 2009. Timing is everything?: the effects of timing and placement of online privacy indicators. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 319--328.

Digital Library

[17]

Enterprise Privacy Authorization Language (EPAL 1.2) 2003. https://www.w3.org/Submission/2003/SUBM-EPAL-20031110/

[18]

Federal Communications Commission. 2016. FCC Adopts Broadband Consumer Privacy Rules. https://www.fcc.gov/document/fcc-adopts-broadband-consumer-privacy-rules

[19]

Federal Communications Commission. 2016. FCC Releases Rules to Protect Broadband Consumer Privacy. https://www.fcc.gov/document/fcc-adopts-broadband-consumer-privacy-rules

[20]

Federal Trade Commission. 2007. Fair Information Practice Principles. https://web.archive.org/web/20100309105100/http://www.ftc.gov/reports/privacy3/fairinfo.shtm#Notice/Awareness

[21]

David Ferraiolo, D Richard Kuhn, and Ramaswamy Chandramouli. 2003. Role-based access control. Artech House.

Digital Library

[22]

David F Ferraiolo, Ravi Sandhu, Serban Gavrila, D Richard Kuhn, and Ramaswamy Chandramouli. 2001. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security (TISSEC) 4, 3 (2001), 224--274.

Digital Library

[23]

Lorenzo Franceschi-Bicchierai. 2017. Internet of Things Teddy Bear Leaked 2 Million Parent and Kids Message Recordings. https://motherboard.vice.com/en_us/article/pgwean/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings

[24]

Frances Grodzinsky and Herman T Tavani. 2010. Applying the "Contextual Integrity" Model of Privacy to Personal Blogs in the Blogoshere. Computer Science and Information Technology Faculty Publications (2010).

[25]

Broadband Internet Technical Advisory Group. 2016. Internet of Things (IoT) Security and Privacy Recommendations. Technical Report. https://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

[26]

Hayley Tsukayama. 2017. Bose headphones have been spying on customers, lawsuit claims. The Washington Post (2017). https://www.washingtonpost.com/news/the-switch/wp/2017/04/19/bose-headphones-have-been-spying-on-their-customers-lawsuit-claims/

[27]

Paul Hitlin. 2016. Turkers in this canvassing: young, well-educated and frequent users. http://www.pewinternet.org/2016/07/11/turkers-in-this-canvassing-young-well-educated-and-frequent-users/

[28]

Christine Horne, Brice Darras, Elyse Bean, Anurag Srivastava, and Scott Frickel. 2015. Privacy, technology, and norms: The case of Smart Meters. Social science research 51 (2015), 64--76.

[29]

Gordon Hull, Heather Richter Lipford, and Celine Latulipe. 2011. Contextual gaps: privacy issues on Facebook. Ethics and information technology 13, 4 (2011), 289--302.

Digital Library

[30]

Carlos Jensen and Colin Potts. 2004. Privacy policies as decision-making tools: an evaluation of online privacy notices. In Proceedings of the SIGCHI conference on Human Factors in Computing Systems. ACM, 471--478.

Digital Library

[31]

David Kravets. 2016. Sex toys and the Internet of Things collide---what could go wrong? https://arstechnica.com/tech-policy/2016/09/sex-toys-and-the-internet-of-things-collide-what-could-go-wrong/

[32]

Nile Lars. 2014. Connected Medical Devices, Apps: Are They Leading the IoT Revolution -- or Vice Versa? https://www.wired.com/insights/2014/06/connected-medical-devices-apps-leading-iot-revolution-vice-versa/

[33]

Jialiu Lin, Shahriyar Amini, Jason I. Hong, Norman Sadeh, Janne Lindqvist, and Joy Zhang. 2012. Expectation and Purpose: Understanding Users' Mental Models of Mobile App Privacy Through Crowdsourcing. In Proceedings of the 2012 ACM Conference on Ubiquitous Computing (UbiComp '12). ACM, 501--510.

Digital Library

[34]

Jialiu Lin, Bin Liu, Norman Sadeh, and Jason I. Hong. 2014. Modeling Users' Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings. In 10th Symposium On Usable Privacy and Security (SOUPS 2014). USENIX Association, 199--212. https://www.usenix.org/conference/soups2014/proceedings/presentation/lin

Digital Library

[35]

Leib Litman, Jonathan Robinson, and Tzvi Abberbock. 2017. TurkPrime.com: A versatile crowdsourcing data acquisition platform for the behavioral sciences. Behavior research methods 49, 2 (2017), 433--442.

[36]

Richard Lowry. 2014. Concepts and applications of inferential statistics. (2014).

[37]

Naresh K Malhotra, Sung S Kim, and James Agarwal. 2004. Internet users' information privacy concerns (IUIPC): The construct, the scale, and a causal model. Information systems research 15, 4 (2004), 336--355.

Digital Library

[38]

Kirsten Martin. 2015. Privacy notices as tabula rasa: An empirical investigation into how complying with a privacy notice is related to meeting privacy expectations online. Journal of Public Policy 8 Marketing 34, 2 (2015), 210--227.

[39]

Kirsten Martin and Helen Nissenbaum. 2016. Measuring privacy: an empirical test using context to expose confounding variables. Colum. Sci. 8 Tech. L. Rev. 18 (2016), 176.

[40]

Chris Matyszczyk. 2015. Samsung's warning: Our Smart TVs record your living room chatter. https://www.cnet.com/news/samsungs-warning-our-smart-tvs-record-your-living-room-chatter/

[41]

Aleecia M McDonald and Lorrie Faith Cranor. 2008. The cost of reading privacy policies. ISJLP 4 (2008), 543.

[42]

Eliott McLaughlin. 2017. Suspect OKs Amazon to hand over Echo recordings in murder case. https://www.cnn.com/2017/03/07/tech/amazon-echo-alexa-bentonville-arkansas-murder-case/index.html

[43]

Pardis Emami Naeini, Sruti Bhagavatula, Hana Habib, Martin Degeling, Lujo Bauer, Lorrie Faith Cranor, and Norman Sadeh. 2017. Privacy Expectations and Preferences in an IoT World. In Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017). USENIX Association, Santa Clara, CA, 399--412.

Digital Library

[44]

Helen Nissenbaum. 2010. Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford Law Books.

Digital Library

[45]

Bill Parducci. 2005. eXtensible Access Control Markup Language (XACML) specification. (2005).

[46]

Joseph Phelps, Glen Nowak, and Elizabeth Ferrell. 2000. Privacy concerns and consumer willingness to provide personal information. Journal of Public Policy 8 Marketing 19, 1 (2000), 27--41.

[47]

Qualtrics Online. 2017. http://www.qualtrics.com

[48]

Lee Rainie and Maeve Duggan. 2017. Privacy and Information Sharing. http://www.pewinternet.org/2016/01/14/privacy-and-information-sharing/

[49]

Andrew D Selbst. 2013. Contextual expectations of privacy. Cardozo Law Review (2013).

[50]

Juliet Popper Shaffer. 1995. Multiple Hypothesis Testing. Annual Review of Psychology 46, 1 (1995), 561--584.

[51]

Pan Shi, Heng Xu, and Yunan Chen. 2013. Using contextual integrity to examine interpersonal information boundary on social network sites. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 35--38.

Digital Library

[52]

Yan Shvartzshnaider, Schrasing Tong, Thomas Wies, Paula Kift, Helen Nissenbaum, Lakshminarayanan Subramanian, and Prateek Mittal. 2016. Learning Privacy Expectations by Crowdsourcing Contextual Informational Norms. The Fourth AAAI Conference on Human Computation and Crowdsourcing (2016).

[53]

Daniel J Simons and Christopher F Chabris. 2012. Common (mis) beliefs about memory: A replication and comparison of telephone and Mechanical Turk survey methods. PloS one 7, 12 (2012), e51876.

[54]

Snap Spectacles 2017. Snap Spectacles. https://www.spectacles.com/

[55]

FTC Staff. 2010. Protecting Consumer Privacy in an Era of Rapid Change--A Proposed Framework for Businesses and Policymakers. Journal of Privacy and Confidentiality 3, 1 (2010), 5.

[56]

Seymour Sudman, Norman M Bradburn, and Norbert Schwarz. 1996. Thinking about answers: The application of cognitive processes to survey methodology. Jossey-Bass.

[57]

UserBob - Usability Testing. 2017. https://userbob.com/

[58]

Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David Wagner, and Konstantin Beznosov. 2015. Android Permissions Remystified: A Field Study on Contextual Integrity. In 24th USENIX Security Symposium (USENIX Security 15). USENIX Association, 499--514. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/wijesekera

Digital Library

[59]

Jenifer S Winter. 2012. Privacy and the emerging internet of things: using the framework of contextual integrity to inform policy. In Pacific Telecommunications Council Conference Proceedings.

[60]

Christopher Wolf and Jules Polonetsky. 2013. An Updated Privacy Paradigm for the "Internet of Things". https://fpf.org/wp-content/uploads/Wolf-and-Polonetsky-An-Updated-Privacy-Paradigm-for-the-%E2%80%9CInternet-of-Things%E2%80%9D-11-19-2013.pdf

[61]

Kathryn Zickuhr. 2013. Who's not online and why. Pew Research Center's Internet and American Life Project. http://www.pewinternet.org/files/old-media/Files/Reports/2013/PIP_Offline%20adults_092513_PDF.pdf

[62]

Michael Zimmer. 2008. Privacy on planet Google: Using the theory of contextual integrity to clarify the privacy threats of Google's quest for the perfect search engine. J. Bus. 8 Tech. L. 3 (2008), 109.

Cited By

Levinson LMcKinney JNippert-Eng CGomez RŠabanović S(2024)Our business, not the robot’s: family conversations about privacy with social robots in the homeFrontiers in Robotics and AI10.3389/frobt.2024.133134711Online publication date: 21-Mar-2024
https://doi.org/10.3389/frobt.2024.1331347
Feng YStenger BZhang S(2024)Post-Pandemic Data Privacy: Contextual Acceptance of COVID-19 Mitigation Mobile Applications in the US (Preprint)Journal of Medical Internet Research10.2196/57309Online publication date: 16-Feb-2024
https://doi.org/10.2196/57309
Dahabiyeh LTaha N(2024)Open research data and privacy violationsJournal of Information Science10.1177/01655515241297399Online publication date: 25-Nov-2024
https://doi.org/10.1177/01655515241297399
Show More Cited By

Index Terms

Discovering Smart Home Internet of Things Privacy Norms Using Contextual Integrity
1. Human-centered computing
  1. Ubiquitous and mobile computing
    1. Empirical studies in ubiquitous and mobile computing
2. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Privacy protections

Recommendations

Privacy Norms for Smart Home Personal Assistants
CHI '21: Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

Smart Home Personal Assistants (SPA) have a complex ecosystem that enables them to carry out various tasks on behalf of the user with just voice commands. SPA capabilities are continually growing, with over a hundred thousand third-party skills in ...
Privacy Norms within the Internet of Things Using Contextual Integrity
GROUP '20: Companion Proceedings of the 2020 ACM International Conference on Supporting Group Work

The collection of devices networked via the internet, also referred to as the Internet of Things, is poised to grow in adoption. With this rise has come equally increasing concerns for security and privacy. Considering Nissenbaum's framework of ...
Privacy preserving Internet of Things

The Internet of Things (IoT) is the latest web evolution that incorporates billions of devices that are owned by different organisations and people who are deploying and using them for their own purposes. IoT-enabled harnessing of the information that ...

Comments

Information & Contributors

Information

Published In

cover image Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies Volume 2, Issue 2

June 2018

741 pages

EISSN:2474-9567

DOI:10.1145/3236498

Issue’s Table of Contents

Copyright © 2018 Owner/Author.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 July 2018

Accepted: 01 April 2018

Revised: 01 April 2018

Received: 01 February 2018

Published in IMWUT Volume 2, Issue 2

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

National Science Foundation

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

112
Total Citations
View Citations
4,995
Total Downloads

Downloads (Last 12 months)912
Downloads (Last 6 weeks)124

Reflects downloads up to 25 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Levinson LMcKinney JNippert-Eng CGomez RŠabanović S(2024)Our business, not the robot’s: family conversations about privacy with social robots in the homeFrontiers in Robotics and AI10.3389/frobt.2024.133134711Online publication date: 21-Mar-2024
https://doi.org/10.3389/frobt.2024.1331347
Feng YStenger BZhang S(2024)Post-Pandemic Data Privacy: Contextual Acceptance of COVID-19 Mitigation Mobile Applications in the US (Preprint)Journal of Medical Internet Research10.2196/57309Online publication date: 16-Feb-2024
https://doi.org/10.2196/57309
Dahabiyeh LTaha N(2024)Open research data and privacy violationsJournal of Information Science10.1177/01655515241297399Online publication date: 25-Nov-2024
https://doi.org/10.1177/01655515241297399
Genç HCoşkun A(2024)From Silence to Dialogue: Boosting Collocated Social Interactions with TechnologyProceedings of the 13th Nordic Conference on Human-Computer Interaction10.1145/3679318.3685391(1-13)Online publication date: 13-Oct-2024
https://dl.acm.org/doi/10.1145/3679318.3685391
Fan LZhang SKong YYi XWang YXu XYu CLi HShi Y(2024)Evaluating the Privacy Valuation of Personal Data on SmartphonesProceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies10.1145/36785098:3(1-33)Online publication date: 9-Sep-2024
https://doi.org/10.1145/3678509
Windl MSchlegel MMayer S(2024)Exploring Users' Mental Models and Privacy Concerns During Interconnected InteractionsProceedings of the ACM on Human-Computer Interaction10.1145/36765048:MHCI(1-23)Online publication date: 24-Sep-2024
https://dl.acm.org/doi/10.1145/3676504
Kumar PZimmer MVitak J(2024)A Roadmap for Applying the Contextual Integrity Framework in Qualitative Privacy ResearchProceedings of the ACM on Human-Computer Interaction10.1145/36537108:CSCW1(1-29)Online publication date: 26-Apr-2024
https://dl.acm.org/doi/10.1145/3653710
Shalawadi SGetschmann Cvan Berkel NEchtler F(2024)Manual, Hybrid, and Automatic Privacy Covers for Smart Home CamerasProceedings of the 2024 ACM Designing Interactive Systems Conference10.1145/3643834.3661569(3453-3470)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3643834.3661569
Jain PXu ADownes TKim IKhan TBiehl JLee A(2024)Understanding Perceived Utility and Comfort of In-Home General-Purpose Sensing through Progressive ExposureProceedings of the ACM on Human-Computer Interaction10.1145/36374328:CSCW1(1-32)Online publication date: 26-Apr-2024
https://dl.acm.org/doi/10.1145/3637432
Zhou HGoel MAgarwal Y(2024)Bring Privacy To The Table: Interactive Negotiation for Privacy Settings of Shared Sensing DevicesProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642897(1-22)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642897
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Media

Figures

Other

Tables

View Issue’s Table of Contents