Insights into Unsolicited Consumer Thoughts on IoT Device Privacy and Security

Abstract

With the growing popularity of internet-capable devices commonly known as the Internet of Things (IoT), and the risks these devices pose for consumer data privacy and security (P&S), it is worthwhile to examine how consumers perceive P&S risks. By understanding how IoT consumers conceptualize and communicate P&S concerns, researchers and developers can better decide how to secure risks and limit harms. We consider P&S together because privacy and security risks both result in similar harms to a consumer using IoT in the home–our study’s subject.

In this study, we seek to understand how IoT consumers conceptualize and communicate their P&S concerns with home-IoT devices such as connected thermostats, security systems, smart watches, and personal assistant hubs. Our approach seeks to specifically understand if and how consumers advertise P&S concerns as they interact with devices in a modern marketplace. In this way, we can better understand the potential efficacy of consumer control mechanisms for P&S.

We collected a corpus of 160,000 consumer posts about 87 popular IoT products on Ama- zon.com. We analyze the corpus with a combination of natural language processing techniques [1] and qualitative human-based methods [2]. Our analysis seeks to (i) determine if P&S is a common discussion issue; and (ii) identify what types of P&S issues are salient to consumers and whether that classification is impacted by device category or other market factors.

Preliminary analysis reveals that few consumers discuss IoT P&S issues online, suggesting that consumers are either not concerned or informed about IoT device P&S. Why this is the case–and what it tells us about consumers’ role in securing the IoT ecosystem–is relevant for P&S policy. Consumer control mechanisms for improving IoT P&S–like the notice and choice framework–may not secure risks or limit harm. If the market cannot rely on consumers to act in a P&S enhancing way, the development of more private and secure IoT devices should not be left solely to consumer influence. Prior work in the domain shows that consumers tend to be unaware, uninterested, or uninformed [3] of P&S harms, whether due to risk perception [4] or expertise [5]. These results mixed with our initial findings have implications for policy makers, standards organizations, and P&S advocates since it demonstrates a consumer control limitation in the IoT domain.

Efforts to understand consumer sentiment are also key for developers and policymakers who intend to create more usable and secure IoT devices. This project informs a broad policy discussion on effective measures to combat IoT privacy and security challenges. We draw additional conclusions about commonly expressed P&S concerns, the time series nature of these discussions, the relationship between P&S discussions and devices or device types, and the correlations between P&S discussions and publicized P&S events such as the Mirai Botnet. This paper represents the first steps in an endeavor that includes consumer interviews and surveys to draw more definitive conclusions on IoT product demand and consumer P&S concerns.

[1] Steven Bird, Edward Loper, and Ewan Klein. Natural Language Processing with Python. O’Reilly Media Inc., 2009. [2] Michael Quinn Patton. Qualitative evaluation and research methods . SAGE Publications, inc, 1990. [3] Alessandro Acquisti and Jens Grossklags. Privacy and rationality in individual decision making. IEEE Security & Privacy, 2(2005):24–30, 2005. [4] Rick Wash. Folk models of home computer security. In Proceedings of the Sixth Symposium on Usable Privacy and Security, SOUPS ’10, pages 11:1–11:16, New York, NY, USA, 2010. ACM. [5] Lee Rainie and Maeve Duggan. Americans’ opinions on privacy and information sharing. Technical report, 2016.