IoT adoption is widespread: on several continents, more than half of households already have at least one IoT device [1]. Technological developments that enabled Internet-connected common devices, ranging from speakers to doorbells to toys, radically enhanced the ability to collect, analyze, and disseminate information in and from our homes. The existing sentiment towards privacy in the presence of technological advancements seems to be best described in the 1973 U.S. Department of Health, Education and Welfare report on "Records, Computers, and Rights of Citizens" [2]: "The net effect of computerization is that it is becoming much easier for recordkeeping systems to affect people than for people to affect record-keeping systems... Although there is nothing inherently unfair in trading some measure of privacy for a benefit, both parties to the exchange should participate in setting the terms."
In the THRIDI project, we use the HDI (Human-Data Interaction) Framework [3] to explore data protection in smart homes through three lenses: (1) Legibility – transparency of data collection at home (2) Agency – control over personal data considering the multi-party use of home devices, (3) Negotiability – changing relationships and managing control over personal data at home.
A well-known legibility challenge is the lack of appropriate interfaces for users to see the extent and the nature of the data collected. User agency is also hard to achieve when different users share devices with different relationships (e.g., housemates or family members). Similarly, the negotiability of data sharing may not be apparent to the users, as their privacy preferences and data sharing context change in time (e.g., changing needs for care in a smart home designed for healthcare scenarios).
THRIDI focuses on four use-cases: (1) Home security, (2) Smart appliances, (3) Smart health and (4) Smart toys. These use-cases are in line with areas that are gaining popularity as well as considered needing further scrutiny for consumer IoT products (e.g., fitness devices and children’s IoT connected IoT toys picked amongst issues that require "urgent consideration" [4]. In the Sprite+ event, however, we focused on home security.
Fig 1: Snapshot from the MIRO board in the THRIDI SPRITE+ workshop
The THRIDI discussions overlap with several SPRITE+ investigation areas, including:
Digital Vulnerabilities: As IoT devices are embedded in our daily lives, it becomes harder to conceptualise, identify and assess vulnerabilities, and there is a strong indication that constant negotiation is needed among stakeholders ranging from family discussion to maintaining a dialogue with manufacturers. Also, the range of responses to different triggers (e.g., image sorting, scenario-based discussions as part of the design workshop) varies from tech distrust and mistrust to tech optimism. However, we need a serious discussion and action on what roles technologists, people, organisations, governments, and societies need to play to reduce digital risks and harms.
Accountability and Ethics in a Digital Ecosystem: In the workshops, we had the opportunity to discuss several exciting ideas about how privacy, fairness and accountability can be built into new technology ‘by design’, as well as enabling multi-purpose smart devices.
It is clear from the discussions that further interdisciplinary work involving technological, legal and cognitive approaches is needed to achieve these objectives. Based on the workshops we ran, we are preparing a research paper, which will map the risks and solutions space, going back to the three lenses of “legibility”, “agency” and “negotiability”. We hope this work will contribute to answering questions around Digital Technologies and Change, and how digital technologies develop and become socially embedded over time.
References:
1 D. Kumar, K. Shen, B. Case, D. Garg, G. Alperovich, D. Kuznetsov, R. Gupta, and Z. Durumeric, “All things considered: An analysis of IoT devices on home networks,” in 28th USENIX Security Symposium (USENIX Security 19). Santa Clara, CA: USENIX Association, Aug. 2019, pp. 1169–1185
2 “Records, computers and the rights of citizens,” U.S. Department of Health, Education and Welfare. 1973.
3 R. Mortier, H. Haddadi, T. Henderson, D. McAuley, J. Crowcroft, “Human-Data Interaction: The Human Face of the Data-Driven Society”. Oct 2014. https://doi.org/10.2139/ssrn.2508051
4 S. D. Burton, L. M. Tanczer, S. Vasudevan, S. Hailes, and M. Carr, “The UK code of practice for consumer IoT security - where we are and what next,” The PETRAS National Centre of Excellence for IoT Systems Cybersecurity, 2021