Privacy expectations and challenges of smart home ecosystems

Abstract: Technology has long facilitated our lives. Nowadays, we increasingly embrace living in digital spaces. Sometimes we cannot avoid enrolling in them, if only because staying outside makes our lives more complicated. One technology that has become almost universally accepted as unavoidable to fully participate as a person is the smartphone, but in using it we trade our privacy for convenience. To mitigate this, the evolution of smartphone privacy controls is an example of how researchers work to shield users from privacy risks. Another technology that enters our lives and homes is the Internet of Things (IoT). Unlike smartphones, the IoT has not converged on a few common platforms (like Android and iOS), but is spread out over numerous, separate ecosystems of individual vendors. In addition, IoT ecosystems are closed by design; both data collection and processing are realized by black-box devices and vendor backends. This makes it challenging to devise a unified privacy protection measure for the IoT of the kind that, for instance, smartphone users enjoy – a permission system. Addressing this challenge, my thesis aims at providing an early foundation for designing an IoT permission system. It sets out to understand the associated design challenges in several dimensions, from the perspectives of both users and the technology. The user side was studied with qualitative and mixed Human-Computer Interaction (HCI) methods, such as interviews and surveys. The exploration of the technology side involved mobile IoT companion apps and the IoT devices themselves. The former was conducted through a combination of static and dynamic analysis. The latter was approached from the perspective of emulating the externally observable network behavior of the devices and the ecosystem.
The contributions of this work begin with providing empirical evidence on the understanding that IoT users have of the data processing practices of this technology, as well as user expectations of such practices, both from a privacy perspective. Second, a thorough study of mobile IoT companion apps has shed light on how the effectively mandatory use of the apps factors into the information exposure of IoT users and how the users react to that. Finally, a system intended to facilitate the prototyping of IoT privacy tools, e.g., a permission system, is proposed. The multi-faceted approach applied in this work to study the design challenges of an IoT permission system is intended to serve as a stepping stone for research aimed at supporting IoT users in making informed choices about their privacy.