My First Survey on Consent in IoT

Rohit
18 min read · Feb 19, 2021

It is my first time conducting a Technical Survey, which was done as a class project. However, it soon became an exciting research area that I might want to work in the future. I was initially very excited about conducting a Survey, but the excitement did fade off as the semester went by. It is always challenging to master a new skill, and surveying for the first time can be daunting. A good Survey has many requirements:

  1. It needs to be concise such that it doesn’t put too much cognitive load on the participants.
  2. It needs to be structured.
  3. Un-biased.
  4. And perfect enough that it answers your research questions.

It takes months of trial-and-error and lots of money to fulfill these requirements. Trust me, surveys consume a lot of money. You need to reward people for filling in your study (and not getting survey fatigued).

To collect our data, we ran an Amazon Mechanical Turk (Mturk) Human Intelligence Task (HIT) and used Google Forms for our pilot survey. For the sake of brevity and reducing the cognitive load on our participants, we kept our survey limited to 12 total questions, 2 of which were only asked if the previous questions were answered in a specific way. We user-tested the survey on 25 participants, and they took on average approximately 5–7 minutes to complete the survey. Details regarding the methods and limitations are listed in the paper.

Moreover, in the process, I also explored “Consent in IoT devices,” which is already a problem faced by many users, and will become acute in the near future, with 5G and 6G.

All in all, I learned a lot in this process, and it also encouraged me to start thinking in a new area of research, i.e., Security and Privacy in Wireless Communication. I want to thank Prof. Lujo Bauer, Prof. Timothy Libert, Prof. Douglas Sicker, and the CyLab Security & Privacy Institute at CMU for their recommendations and funds for this project.

Link To the Paper

Consenting to IoT Across Different Social Setting

Devices connected to the Internet of Things (IoT) are rapidly becoming ubiquitous across modern homes, workplaces, and other social environments. While these devices provide users with extensive functionality, they pose significant privacy concerns due to difficulties in consenting to these devices. In this work, we present the results of a pilot study that shows how users consent to devices in common locations in a friend’s house in which the user is a guest attending a party. We use this pilot study to indicate a direction for a larger study, which will capture a more granular understanding of how users will consent to a variety of devices placed in different social settings (i.e. a party house owned by a friend, an office space for the user and some 40 other employees, the bathroom of a department store, etc.). Our final contribution of this work will be to build a probability distribution which will indicate how probable a given user is to consent to a device given what sensors it has, where it is, and the awareness and preferences of each user.

1. Background

Today’s homeowners are surrounding themselves with smart devices that can make their life easier. For example, Google Home, Amazon Alexa, smart lights, smart plugs, smart TVs, cameras, and many other IoT home appliances, as shown in Figure 1, permeate the landscape of the modern house. These smart devices, which are used on a daily basis and have the capability to send or receive data through the internet, are called the Internet of Things (IoT) [1]. These IoT devices can be equipped with multiple sensors such as microphones, cameras, gyroscopes, infrared scanners, and biometric scanners. These sensors can accomplish a range of tasks, such as e-commerce, surveillance, motion detection, house chores, and even entertainment. With the advent of cheaper IoT devices and improved access to high-speed internet, these devices will become an integral part of our everyday life.

It is envisioned that, in the future, these IoT devices will be cheap enough to be densely deployed and interconnected. In a hypothetical scenario, a user will be able to check for grocery items at home and order them online just through their smart watch. Moreover, the user can also automate the process, where the refrigerator or other smart devices can predict and pre-order items based on the user’s preferences. These systems will be able to connect people, processes, data, and devices in an intelligent manner leading to a better user experience, which is called the Internet of Everything (IoE) [2].

Fig 1. Schematic diagram of the traditional home IoT devices used daily [21].

Although IoT (or IoE, in the future) can seem fascinating and crucial for improving user experience, these devices often cause multiple privacy harms [3] to the owner of the device(s) and the individuals surrounding the owner. Theoretically, an owner can, to a certain extent, mitigate these harms by adjusting the privacy settings to suit his/her needs. However, this adjustment does not guarantee harmlessness, whether inadvertent or deliberate, to the other people in the room, regardless of who they are. The work we present here, as well as the work we aim to do, will answer these questions.

a. Privacy Concerns with IoT

Earlier research shows that people are relatively comfortable with data mining when they are in public spaces. However, even though the home is a private place where users should display increased concerns about their privacy, it would seem that the opposite is true. In this section, we discuss current models of decision making about consent and how these models apply here.

Users often interact with data-hungry IoT devices without fully understanding the impact of their interactions. Multiple factors make this process challenging for an individual. Our “bounded rationality” [4] prevents us from making rational privacy-sensitive decisions. Humans are not like machines and cannot make binary decisions based on a fixed logic. The logic for a decision changes with time, location, mood, and surrounding individuals. In particular, an individual’s decision making is altered based on how much the individual knows. If an individual is fully informed about what data is being shared, who will have access to the data, and how they are using it, then the individual can make a rational decision.

Nevertheless, an individual’s access to complete information cannot guarantee rational decision making. An enormous amount of data and its inherent complexity can often overwhelm an individual’s decision making. Even if an individual had complete information and a perfect understanding of the data, the individual may still make an irrational decision based on the short-term incentive/motivation they are offered in exchange for their decision [5].

It has been shown that there exist multiple privacy concerns in IoT-based applications [6], which depend on the type of the device, the type of data being shared, and the retention period of the data. It is expected that each of these IoT devices can potentially be interconnected with each other, creating a complicated mesh of data-sharing relationships. In this process, a lot of the users’ data can be collected and analyzed without the direct knowledge of the user. With ultra-dense networks and the Internet of Nano-Things [7] coming in the future, these problems will only be exacerbated. This data can range over device-identifiable information (DII), personally identifiable information (PII), sensitive personal information, and behavioral information, resulting in multiple individual privacy concerns [8].

Data collection and processing by sensors/IoT devices indoors is perceived differently by different users in different scenarios. For example, users are willing to give up their most sensitive information for a service of their choice, which they would not have done in a normal scenario [5]. On the other hand, it is challenging to collect audio and video data in classrooms to improve teaching/education systems without causing privacy harms [9]. One solution is to train users in privacy behavior [10] or improve device design and best practices (i.e., privacy by design) [11]. The other solution is to allow the owners of these devices to adjust their privacy settings [12].

Privacy harms can still exist for devices installed outside an owner’s home. Some devices are hidden from plain sight, so it can be hard to understand their data collection. Although an individual can alter the privacy settings of their own devices, it is hard or nearly impossible for an individual to adjust the privacy settings of the IoT devices installed at schools, stores, offices, and at a friend’s home. An individual who does not own the IoT device can prevent further privacy harms by either (a) requesting the owner to change the privacy settings to that individual’s liking, or (b) leaving that room or area (we term this a barrier to entry), or (c) changing his/her decision and adjusting to the surrounding context. The first option is generally avoided by an individual since it can either lead to embarrassment for the individual in a social setting, or the decision is at the disposal of the owner, who is unlikely to change the privacy settings. The latter options are the most likely solutions practiced by individuals aware of these IoT devices and these harms.

b. Contribution

In this blog, we examine the consent of users to allow IoT devices to collect and process their personal data. Our discussion does not consider how the participants consent to devices they own in their own home, since if they decide not to consent, then they can remove the device or disable it. We envision their preferences to consent will change based on who, when, and how the data is collected. Specifically, we will answer the following questions:

1. What factors motivate users to not consent to IoT devices in one-on-one scenarios and do these factors change in group scenarios?

2. Do IoT devices ever pose a barrier to entry for a given user?

3. How do users negotiate to disable IoT devices which they feel to be intrusive or unwanted?

If we had more time and resources to complete a more robust survey, we would have more comprehensive answers to these questions. However, since we did not, we focused primarily on gaining general insights into specific situations which represent a partial answer to the first question. We discuss this further in sections 3, 4, and 7.

Questions 1 and 2 can be further broken down in three ways to gain more granular insights about the attitudes to consenting to IoT devices: sensor type, location, and number of other people. Specifically, we define a classification system based on the type of sensors each device uses. From this classification, we build an understanding of users’ preferences to these types of sensors. This classification also allows us to generalize these privacy preferences to future devices which use these types of sensors.

We build upon existing work done by Emami-Naeini et al. [12]. We further try to understand how the location of these sensors impacts the decision of a user to consent to an IoT device. For example, the same work provides a table of the percentages of users who consent to an IoT device in their house. Our work expands this idea of location by asking users where in the house they would feel that a given device is most uncomfortable (i.e., in the bathroom, in the hallway, in the bedroom, etc.). As such, our contribution makes this understanding more granular.

Finally, the last way in which we further existing work is by factoring in the number of other people in the setting. For example, does the probability of a user consenting to a particular device in a particular location change with the number of others in the room?

Taking these three considerations in tandem, we aim to produce a probability distribution which returns the probability that a given user will consent to the device given its classification, its location, and how many other people are in the setting. Using this distribution, an end user can better understand where they can place a given device, an interior designer can better plan which devices can fit a specified location, and a device developer can better understand user concerns and barriers to use.

2. Approach

There is a growing research interest to predict users’ privacy preferences based on a broad range of attitudes and scenarios [12]. In this work, we analyze granular scenarios to justify the varying user preferences. Our contextual questions flow naturally from the work done in [12] by adding granularity to their questions. We achieve this granularity in four ways as shown in Figure 2 and listed below:

1. Type of Data: Despite the fact that the market for IoT devices is diverse, we can classify these devices based on their sensors. Using this classification, we can ensure that our work is more generalizable and not device-specific. For example, we ask questions about Amazon Alexa in each of the contextual questions, but we map Alexa to its type of sensor in our analysis, namely ‘microphone’. While Alexa might be a popular device now, there is no guarantee that it will be as popular in the future, which is why we want to map it this way.

2. Type of Owner: In some cases, even if the data is not too sensitive, the privacy preference of a user might change based on the owner or who collects this data. For example, imagine a party scenario where a given user runs into a former romantic partner with whom the relationship ended badly. This scenario can be awkward, and so the user may not consent to this device.

3. Type of Scenario: The privacy preferences also change massively in the case of varying social settings in which these device interactions occur. Adding more specific sublocations (e.g., the bedroom, the restroom, and the hallway) to these social settings might further complicate these preferences.

4. Type of Retention Period: Users are often fine with devices using their personal data for a short duration of time, such as financial data for buying goods and services. However, if the data is retained for a longer period, users’ preferences might become more conservative even for the least sensitive data.

Fig 2. Types of factors affecting users’ consent to IoT devices to avoid the risk of privacy harm.

These 4 classes and their sub-classes can result in more than 400 different combinations where a user might feel the risk of privacy harm. Due to our lack of funding and time, we only explore one such combination (i.e., type of data: audio, type of owner: friend, type of scenario: party, and retention period: unspecified). In particular, we focused on the setting of a friend’s house. We term this as our location, and the sublocations we surveyed are the hallway, restroom, and bedroom of the friend’s house. The need for this additional granularity comes from the fact that certain users may feel comfortable in one setting but not in others. This is best captured by the nanny cam scenario [13].
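To make the factor space and the proposed consent distribution (Section 1.b and the four factor classes above) concrete, here is a small Python estimator. It is an added example, not code from the post or from the authors' paper: the sub-class lists, the survey rows, and the Laplace-smoothed estimate are all constructed assumptions, chosen only to show how "P(consent | sensor, owner, scenario, sublocation, others)" could be estimated from tabulated responses and how sparse cells (combinations nobody was asked about) are handled.

```python
from itertools import product

# Hypothetical sub-classes for the four factor classes in the post, plus the
# "number of other people" dimension from Section 1.b. The post does not list
# every sub-class, so these values are constructed for illustration only.
FACTORS = {
    "sensor": ["microphone", "camera", "gyroscope", "infrared", "biometric"],
    "owner": ["friend", "employer", "store"],
    "scenario": ["party", "office", "department_store"],
    "sublocation": ["hallway", "restroom", "bedroom"],
    "retention": ["session", "30_days", "indefinite"],
}


def combination_count(factors=FACTORS):
    """Number of distinct consent scenarios: the product of sub-class counts."""
    count = 1
    for values in factors.values():
        count *= len(values)
    return count


def all_combinations(factors=FACTORS):
    """Enumerate every scenario as a dict, e.g. for building a survey plan."""
    keys = list(factors)
    return [dict(zip(keys, combo)) for combo in product(*factors.values())]


def _row(sublocation, n_others, consent):
    # Every constructed row fixes the one combination the pilot explored:
    # audio sensor, friend as owner, party scenario, retention unspecified.
    return {"sensor": "microphone", "owner": "friend", "scenario": "party",
            "retention": "unspecified", "sublocation": sublocation,
            "n_others": n_others, "consent": consent}


# Constructed survey rows (not the paper's data): consent is 1 if the
# participant would let the device record them in that sublocation, else 0.
RESPONSES = [
    _row("hallway", 2, 1), _row("hallway", 2, 1), _row("hallway", 2, 1), _row("hallway", 2, 0),
    _row("restroom", 2, 0), _row("restroom", 2, 0), _row("restroom", 2, 0), _row("restroom", 2, 1),
    _row("bedroom", 2, 1), _row("bedroom", 2, 0), _row("bedroom", 2, 0), _row("bedroom", 2, 1),
]


def consent_probability(responses, alpha=1.0, **context):
    """Estimate P(consent | context) from rows matching every given attribute.

    Uses additive (Laplace) smoothing with pseudo-count `alpha` so a cell with
    no observations yields 0.5 with n=0 rather than a division by zero; callers
    should treat the returned sample size n as the confidence signal.
    """
    matched = [r for r in responses if all(r.get(k) == v for k, v in context.items())]
    yes = sum(r["consent"] for r in matched)
    return (yes + alpha) / (len(matched) + 2 * alpha), len(matched)


def rank_sublocations(responses, sublocations=FACTORS["sublocation"], **context):
    """Sublocations ordered from most to least likely to receive consent."""
    scored = [(consent_probability(responses, sublocation=s, **context)[0], s)
              for s in sublocations]
    scored.sort(key=lambda pair: -pair[0])
    return [s for _, s in scored]


if __name__ == "__main__":
    print("scenario space size:", combination_count())
    for sub in FACTORS["sublocation"]:
        p, n = consent_probability(RESPONSES, sublocation=sub)
        print(f"{sub:9s} P(consent)={p:.2f} (n={n})")
    print("ranking:", rank_sublocations(RESPONSES, sensor="microphone"))
    print("unseen cell:", consent_probability(RESPONSES, sublocation="hallway", n_others=10))
```

The ranking mirrors the analysis in Section 3.b: the same device in the same house draws different consent by sublocation, and the smoothed estimate makes the cost of the 400-plus-cell space visible, since any cell the survey never asked about falls back to an uninformative 0.5 with n=0.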

3. Analysis

Below, we analyze the data we collected over our Mturk HIT. The preliminary results indicate interesting user preferences and concerns about users and their interaction with IoT devices. The results shown in this section will work as a motivation for our future studies.

a) Privacy Preference Question Analysis

Before we move on to consent analysis, we need to understand the ownership and privacy preferences of users, which were collected using Questions 1 through 6, shown in Appendix A of the paper. Figure 3 shows the number of participants: (a) who own IoT devices, i.e., “Owner”, (b) who are friends with people who own IoT devices, i.e., “Friends”, and (c) who know friends who “maybe” own IoT devices.

Fig 3. Understanding the ownership of IoT devices among participants and their friends.

As noted before, these responses illustrate the awareness of the user of IoT devices. Nearly 60 users said that they themselves owned IoT device(s), which speaks to the prevalence of these devices as well as the willingness of users to keep these devices in their homes or with them in general. Further, we also ask participants if they are friends with people who own IoT devices. This question serves two purposes: (a) to get a sense of whether participants are aware of the presence of IoT devices outside their home, and (b) to work as a foundation for the later questions in the survey. It seems that most of the participants are unaware if their friends own any IoT devices. Table 1 further classifies the type of devices owned by the participants and their friends.

Interestingly, the response from Figure 3 about friends owning IoT devices does not match the results shown in Table 3. This can be due to a lack of understanding of the exact definition of IoT or the presence of lazy and uninterested users. The latter is unlikely because a lazy user would have had to select more options in Question 4.

Now that we have established the prevalence of these IoT devices in the lives of ourselves and our friends, we turn to the concerns that the users may have about their privacy. From Figure 4, we highlight the two most interesting and common fears. Almost 63% of respondents indicated that they are concerned that the data these devices collect may “end up in the wrong hands” (i.e., Type 3), and 57.5% of respondents indicate that they worry about excessive data collection (i.e., Type 1). Together, these responses indicate a general fear in the minds of those surveyed about a ubiquitous set of applications which do not have a clear remit of what types of data they are allowed to collect.

Fig 4. Different types of privacy concerns among participants. Type 1: “I feel that they collect too much information/data than needed”, Type 2: “I don’t have control over the data they collect”, Type 3: “I fear the data might end up in the wrong hands”, Type 4: “I don’t have control over who has access to the data”, Type 5: “The vendor or manufacturer is using the data in ways I did not expect”, and Type 6: “None”.

Interestingly, the results of Figures 3 and 4 seem to be contradictory. If the users fear some nebulous class of applications and their supposedly sinister data collection and aggregation, why buy these applications in the first place? Why buy precisely the thing which we fear and place it in our own homes, and in some cases, even on our bodies? It seems that the users’ fears and actions are at odds here.

One possible explanation (which will be a question in a future, more complete survey) would be that the users feel that the benefits gained in the functionality of these devices outweigh the privacy harms caused by these devices. Another approach could be to ask respondents to rank which device’s benefits most outweigh their privacy harms and why. These questions not only help us to understand this contradiction but also can help us understand how users may or may not consent to IoT devices which they do not own. For example, if a given user perceives a device to be “useful”, then they might be more willing to consent to the device despite knowing the potential harms that they may incur.

Another potential reason for this contradiction is that the users may not feel that they have any real control over their consent in the first place. If everyone around a given user has some such device connected to some network of other devices, then the user may believe that their consent means little in the grander context of the network. If I am surrounded by these IoT devices, and each of them collects some unknowable amount of data and transmits it throughout its own network discreetly, how much power do I really have to stop them? The next survey we conduct will also ask if users feel empowered to make decisions about their own consent with regard to these IoT devices.

Interestingly, the first explanation may stem from a misevaluation of how costly privacy harms may actually be. As Solove notes [3], people may have difficulty quantifying a privacy harm, which may be skewing their cost-benefit analysis of these devices. If a user perceives significant physical harm stemming from some sort of device, they are probably unlikely to consent to it. Privacy harms are distinct from physical harms because oftentimes they are much more subtle and harder to fully understand. If you notify a user that their data is being collected, it seems to only breed more questions. What type of data is being collected? Where is the device that is collecting it? How long will this data be stored? With whom will it be shared? How am I harmed by this? Even if we have all of these answers, how do we reason about the tradeoff between functionality and privacy?

One way to partially solve some of these problems is to notify the users meaningfully. If the device owner can answer a subset of questions (e.g., what type of data is being collected, what the data retention time is, etc.), other users could potentially make more informed consent decisions. We polled the respondents about how they preferred to be notified of the device in Figure 5.

Fig 5. Ways through which a participant can be notified about an IoT device

The respondents seem to place a lot of trust in the device owner. The most frequent selection was by far a direct conversation with the device owner, but this could be inconsistent if the owner does not inform each user in the same way. Also, the owner might be unclear about the specific configuration of their device and how that configuration can impact privacy, and so there could be some misinformation which could negatively impact the consent decision.

One interesting suggestion is notification through cell phones. This way, we can actually standardize the types of notices that we can give all users. Our next study should capture what types of questions they have about these devices and how a notification could be most useful.

We turn now to our analysis of our contextual concerns.

b) Contextual Scenario Analysis

The primary goal of each of these questions was to collect context-dependent data about how we expect the users to behave in these scenarios.

Fig 6. Distribution of users who “Want the transcript deleted.”

Fig 7. Distribution of users who “Do Not Care if the transcript is deleted.”

Fig 8. Distribution of users who “Do Not Want the transcript to be deleted.”

From this preliminary analysis, we can see immediately that the perceived risk is dramatically different across different sub-locations. This supports our initial assumption that consent to IoT devices is dependent on the sub-location. Despite being in a familiar location (their friend’s house), 80.8% of respondents said that they wanted the transcript compiled by Alexa deleted. Figures 6–8 show the responses of such respondents to the contextual questions. Clearly, these users have significant privacy concerns (as evidenced by the fact that they want the transcript deleted), which they seem to have felt most acutely in the bathroom. This finding concurs with previous work done in the same field [12].

4. Conclusion

We conclude by reiterating the three questions which we aim to answer:

1. What factors motivate users to not consent to IoT devices in one-on-one scenarios and do these factors change in group scenarios?

2. Do IoT devices ever pose a barrier to entry for a given user?

3. How do users negotiate to disable IoT devices which they feel to be intrusive or unwanted?

Despite the cost-prohibitive aspects of this study, we believe that this survey points at a larger, more interesting avenue of work which will answer these questions. The probability distribution which we will build creates more robust predictions of how laypeople will and will not consent to IoT devices across common locations in different group settings. This distribution gives quantitative answers to the first two questions. Further, the data collected from the focus groups will add nuance by providing qualitative data. This data will better capture how people negotiate how these devices impact their privacy. The result of the focus groups will provide a different approach to answering the second question as well as completely answering the third question.

Taken in tandem, we believe that these answers provide a novel, interesting, and significant contribution to the fields of privacy, data collection, and IoT. Future work would build on this contribution by considering more scenarios, different types of devices, and different social settings. We envision that at a later stage we will be able to answer more detailed questions regarding consent in IoT appliances, such as:

a) What should an opt-out interface look like?

b) Should there be a consent transfer among devices? In other words, does consenting to one IoT device imply consent to any other device that consumes data from the first device?

c) Which privacy features should the owners be able to control?

d) What privacy features should the non-owners be able to control?

e) Which privacy features should be default?

f) Who should design this choice mechanism: industry or regulators?
