Smart Home Privacy Concerns Reinforce Need for Stronger Privacy Regulations in US

Vitak, ACM CSCW. Published Sep 28, 2023. 4 min read.
[Image: the back of a home at night, an in-ground pool in the foreground and trees on either side, with a visual distortion resembling electricity across the frame. Photo by Ihor Saveliev on Unsplash.]

This blog post summarizes the paper “‘You Shouldn’t Need to Share Your Data’: Perceived Privacy Risks and Mitigation Strategies Among Privacy-Conscious Smart Home Power Users” by Anna Lenhart, Sunyup Park, Michael Zimmer, and Jessica Vitak. This paper will be presented at the 26th ACM Conference on Computer-Supported Cooperative Work and Social Computing, a top venue for social computing scholarship. It will also be published in the journal Proceedings of the ACM (PACM).


In the last decade, smart home devices have become more popular as their functions have expanded and costs have decreased. Devices ranging from smart speakers to doorbells, cameras, TVs, baby monitors, sensors, and more are increasingly found in US households, often interconnected and managed through a digital hub, and frequently including automation options that regulate when and how they are used.

These smart devices provide numerous benefits and are designed to be easy to set up and use. Users highlight the convenience and sense of security they provide, and research has highlighted ways smart devices can benefit older adults and those with disabilities. At the same time, however, these devices collect significant data from traditionally private spaces. Precisely because they fade into the background, it can be easy to forget that your smart TV or speaker could record a private conversation, or that your smart garage opener might reveal when you are away. Or, as MIT Technology Review highlighted last December, your smart vacuum may capture images of you on the toilet. Collected data might be used for targeted advertising, made accessible to law enforcement, or shared with third parties who label data to train algorithms. Given this landscape, privacy risks seem inherent to smart home devices.

We explored the privacy risks of smart homes by talking with “privacy-conscious power users” — people who spend significant time, energy, and money to research and customize their smart home setups. Our participants were actively engaged in optimizing their devices for usability, but they were also keenly interested in controlling data flows from devices. In analyzing data from focus groups with 32 power users, we identified multiple types of risks they were concerned about, and uncovered various strategies they employed to mitigate those risks — some of which were simple, but many of which required considerable technical proficiency to achieve.

One of our core takeaways from this analysis was that if these highly knowledgeable and engaged users struggle to fully understand and manage data flowing through their devices, it will be far harder for everyday users to understand the types and quantity of data being collected and take appropriate measures to manage their privacy risks.

Below, we offer four policy recommendations based on this study. The US has struggled to pass comprehensive privacy regulations, but various policy proposals have emerged to address some of the challenges our participants identified. For each recommendation, we highlight opportunities for extending recent policy initiatives to foster consumer privacy protections related to smart home technologies.

1. Mandate That Platforms Use Data in Ways Users Expect

The most straightforward way to address concerns for everyday users is to pass a comprehensive privacy law that centers data minimization — only collecting data needed for device operation — and data loyalty, a mandate that manufacturers act in the best interest of data subjects when processing data and designing services. While proposals such as the American Data Privacy and Protection Act (ADPPA) have strong data minimization provisions, their data loyalty provisions do not currently address smart home users’ concerns about their data being used to manipulate decisions or actions their family makes.

2. Ensure Secure Interoperability Among Platforms

Several participants described challenges with connecting devices from different brands. One way to address this is through interoperability standards. Since our data collection, many new devices run on Matter, a common language that smart home devices can use to communicate regardless of the brand.

Industry standards risk being co-opted by dominant platforms, which can lead to less privacy for consumers and barriers to entry for new platforms. To address this, Congress proposed the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, in which the FTC sets standards and puts limits on how interoperability interfaces can be changed. Any future data protection legislation should consider interoperability mandates and ways to keep concentrated power in the standards-making process in check.

3. Mandate Disclosures

Repeatedly, our participants described wanting more information about what data their devices collect, where that data flows, and why it was being collected. To obtain this information, they discussed the need for layered labels (see work on this by Pardis Emami-Naeini) to provide both easy-to-digest and more detailed information about data collection and use. They also described using third-party software to create dashboards to monitor network traffic. Participants faced challenges both in the technical knowledge required to set up these dashboards and the missing context around why data may ping a particular IP address.
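The per-device traffic dashboard the participants describe, and the “missing context” problem they ran into, can be illustrated with a short script. This is an added example, not code from the paper or its authors: the flow-log lines and the table of known destinations are constructed for illustration (the addresses are documentation ranges, and the labels are assumptions a user would have to research and fill in by hand).

```python
"""Per-device summary of where smart home devices send traffic.

Added illustration: the flow records and KNOWN_DESTINATIONS table below are
constructed, not real vendor endpoints. A home router or network monitor would
supply the flow records; the context table is the part a user has to build.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: timestamp, device name, destination IP, port, bytes
SAMPLE_FLOWS = """\
2023-09-28T20:01:02 smart-speaker 203.0.113.10 443 18234
2023-09-28T20:01:05 smart-speaker 203.0.113.10 443 2210
2023-09-28T20:02:11 doorbell-cam 198.51.100.7 443 902311
2023-09-28T20:02:40 doorbell-cam 192.0.2.55 8443 1200
2023-09-28T20:03:01 vacuum 192.0.2.80 443 45000
2023-09-28T20:03:09 smart-speaker 192.168.1.1 53 120
"""

# Constructed context table (assumed labels). Anything not listed here is the
# "why does my device ping this IP?" gap the participants described.
KNOWN_DESTINATIONS = {
    ip_network("203.0.113.0/24"): "speaker vendor cloud (assumed)",
    ip_network("198.51.100.0/24"): "camera vendor video upload (assumed)",
    ip_network("192.168.0.0/16"): "local network",
}


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, device, dst, port, nbytes = parts
        try:
            flows.append({"ts": ts, "device": device, "dst": ip_address(dst),
                          "port": int(port), "bytes": int(nbytes)})
        except ValueError:
            continue  # bad IP or non-numeric field: ignore the record
    return flows


def label_destination(addr):
    """Return the user-supplied context for an address, or UNKNOWN."""
    for net, label in KNOWN_DESTINATIONS.items():
        if addr in net:
            return label
    return "UNKNOWN"


def summarize(flows):
    """Per device, per destination: total bytes sent plus a context label."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["device"]][f["dst"]] += f["bytes"]
    summary = {}
    for device, dests in totals.items():
        summary[device] = [
            {"dst": str(dst), "bytes": b, "label": label_destination(dst)}
            for dst, b in sorted(dests.items(), key=lambda kv: -kv[1])
        ]
    return summary


def unknown_destinations(summary):
    """List (device, destination) pairs that still lack any context."""
    return [(device, row["dst"]) for device, rows in summary.items()
            for row in rows if row["label"] == "UNKNOWN"]


if __name__ == "__main__":
    s = summarize(parse_flows(SAMPLE_FLOWS))
    for device, rows in s.items():
        print(device)
        for r in rows:
            print(f"  {r['dst']:>15}  {r['bytes']:>8} B  {r['label']}")
    print("needs context:", unknown_destinations(s))
```

Even with the aggregation done, two of the three devices in the constructed sample talk to destinations the table says nothing about; that is the point of the transparency recommendation that follows, since only the manufacturer can say what those endpoints are for.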

Congress has considered transparency for smart home devices. The Informing Consumers about Smart Devices Act would mandate that smart home manufacturers “disclose whether the covered device manufactured by the manufacturer contains a camera or microphone as a component of the covered device.” The Terms-of-service Labeling, Design, and Readability (TLDR) Act and ADPPA would mandate summary statements for terms of service for all web-based platforms, providing details on what data is being collected and what data is required for basic functioning of the service.

4. Give Users Additional Controls

Nearly all participants expressed that while there are some ways to enhance transparency about company policies, visibility of data flows, and controls to manage their data — something we discuss in another paper — companies need to go further, and doing so will require new standards and regulations. Data protection laws must ensure data minimization and a duty of loyalty, and mandate that any secondary use allowances are accompanied by user interfaces that provide for clear, affirmative consent.

Vitak: Professor at UMD’s iSchool / Director, HCIL