“I don’t own the data”: End User Perceptions of Smart Home Device Data Practices and Risks
Madiha Tabassum, University of North Carolina at Charlotte;
Tomasz Kosinski, Chalmers University of Technology;
Heather Lipford, University of North Carolina at Charlotte
Paper included in the Proceedings of the Fifteenth Symposium on Usable Privacy and Security (August 2019, Santa Clara, CA, USA)
Open access to the Proceedings of the Fifteenth Symposium on Usable Privacy and Security is sponsored by USENIX
Smart homes are more connected than ever before, with a variety of commercial devices available. The use of these devices introduces new security and privacy risks in the home, and needs for helping users to understand and mitigate those risks. However, we still know little about how everyday users understand the data practices of smart home devices, and their concerns and behaviors regarding those practices. To bridge this gap, we conducted a semi-structured interview study with 23 smart home users to explore what people think about smart home device data collection, sharing, and usage practices; how that knowledge affects their perceived risks of security and privacy; and the actions they take to resolve those risks. Our results reveal that while people are uncertain about manufacturers’ data practices, users’ knowledge of their smart home does not strongly influence their threat models and protection behaviors. Instead, users’ perceptions and concerns are largely shaped by their experiences in other computing contexts and with organizations. Based on our findings, we provide several recommendations for policymakers, researchers and designers to contribute to users’ risk awareness and security and privacy practices in the smart home.