"I don’t know how to protect myself": Understanding Privacy Perceptions Resulting from the Presence of Bystanders in Smart Environments Karola Marky Alexandra Voit Alina Stöver [email protected] [email protected] [email protected] Technical University of Darmstadt University of Stuttgart darmstadt.de Darmstadt, Germany Stuttgart, Germany Technical University of Darmstadt Darmstadt, Germany Kai Kunze Svenja Schröder Max Mühlhäuser [email protected] [email protected] [email protected] Keio University University of Vienna Technical University of Darmstadt Yokohama, Japan Vienna, Austria Darmstadt, Germany ABSTRACT October 25–29, 2020, Tallinn, Estonia. ACM, New York, NY, USA, 11 pages. IoT devices no longer affect single users only because others like https://doi.org/10.1145/3419249.3420164 visitors or family members - denoted as bystanders - might be in the device’s vicinity. Thus, data about bystanders can be collected by 1 INTRODUCTION IoT devices and bystanders can observe what IoT devices output. To The market share of IoT devices is steadily increasing [50]. By pro- better understand how this affects the privacy of IoT device owners cessing data, the devices can enhance the convenience of everyday and bystanders and how their privacy can be protected better, we life, improve security, or provide better control over energy con- interviewed 42 young adults. Our results include that owners of IoT sumption [27, 36]. Therefore, the devices collect data via sensors devices wish to adjust the device output when visitors are present. and output it. Both - collection and output - concern anyone that is Visitors wish to be made aware of the data collected about them, present in the smart environment. Therefore, it is crucial to consider to express their privacy needs, and to take measures. Based on different people in smart environments: primary users and indirect our results, we show demand for scalable solutions that address users. Primary users interact with IoT devices to achieve specific the tension that arises between the increasing discreetness of IoT goals, such as controlling the lighting. The group of indirect users devices, their increase in numbers and the requirement to preserve includes residents and visitors of the smart environment. However, the self-determination of owners and bystanders at the same time. only specific users, i.e. the owners of the IoT devices can configure them. In this paper, we denote them as owners. Visitors of the smart CCS CONCEPTS environments, e.g., repair staff or friends, can observe the output of • Security and privacy ! Privacy protections; • Human-centered IoT devices without interacting with them. In this paper, we denote computing ! Empirical studies in ubiquitous and mobile these indirect users as bystanders. The constellation of users and computing. bystanders is also crucial in the scope of privacy. The privacy of the bystanders might be violated by IoT devices KEYWORDS without the bystander noticing it [46]. A smart speaker might record a conversation of guests, or a camera in a fridge might film guests Privacy; Smart Home; Bystander Privacy who open it [30, 31]. On the other hand, the presence of bystanders ACM Reference Format: in a smart environment might also pose a privacy threat to IoT Karola Marky, Alexandra Voit, Alina Stöver, Kai Kunze, Svenja Schröder, device owners since the bystanders can witness the output of IoT and Max Mühlhäuser. 2020. "I don’t know how to protect myself": Under- devices. For instance, a smart speaker might remind an owner to standing Privacy Perceptions Resulting from the Presence of Bystanders in check their emails for medical test results and the bystanders hear Smart Environments. In Proceedings of the 11th Nordic Conference on Human- that. Based on this constellation of bystanders and owners, it is Computer Interaction: Shaping Experiences, Shaping Society (NordiCHI ’20), important to consider both user groups when designing privacy- respecting IoT devices and environments. Previous studies glimpsed Permission to make digital or hard copies of all or part of this work for personal or into the individual user types and for instance recommended a classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation visitor mode [60, 61], means for bystanders to exert control [59], or on the first page. Copyrights for components of this work owned by others than the provision of different levels of agency [18]. In this paper, we present author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or a comprehensive investigation of the owner-bystander constellation republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. from both perspectives. In particular, we aim to shed light on the NordiCHI ’20, October 25–29, 2020, Tallinn, Estonia following research questions: © 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-7579-5/20/10...$15.00 RQ1: What are considerations of IoT device owners when in- https://doi.org/10.1145/3419249.3420164 stalling and configuring devices in their homes? NordiCHI ’20, October 25–29, 2020, Tallinn, Estonia Marky et al. RQ2: What kind of information are IoT device owners com- Naeini et al. found that the privacy perceptions are dependent on fortable sharing with bystanders? the context and users differentiate between different environments RQ3: What are the perceptions of bystanders regarding privacy and data types [15]. In particular, they perceive the collection of in a smart environment? their data in public environments as less critical than in private RQ4: What are the coping strategies of bystanders to protect ones. Furthermore, they consider data about their environment (e.g., their privacy in smart environments? room temperatures) as less critical than data about themselves. Fi- To answer our research questions, we conducted semi-structured nally, Naeini et al. report that perceived benefits constitute a major interviews with 42 participants. Among other aspects, we found factor when consenting to data sharing. The role of the perceived that only a few owners consider privacy when installing devices benefits has been confirmed in an interview study by Zheng et al. in their homes. However, they wish for detailed options to control in which they focused on the experiences of eleven smart home the information that is output in the presence of bystanders. Even owners [63]. Owners are also willing to share privacy-sensitive urgent information, such as an emergency in the family, should data with service providers if the data was anonymized [29]. be protected. Concerning the bystanders, we confirm and extend When asked for specific concerns, people mention concerns results from other domains, such as life logging [10, 14], showing about the physical security and general privacy of the home [60, 64, that bystanders wish to exert control over their data collection. We 65]. On the other hand, a study by Zeng et al. has shown that many furthermore demonstrate that bystanders lack actionable measures smart home owners were generally not concerned about potential to exert control over the data collection. Based on our results, we threats [60]. Owners only expressed little privacy concerns about conclude that solutions provided by existing IoT devices are not the nature of the data but strong concerns on how the providers sufficient and do not scale. There is a demand for new solutions of smart home devices handle the data [49]. Lay owners expressed that reduce the burden on owners and bystanders and support difficulties in naming specific consequences that could arise from them effectively in making and realizing their privacy decisions. sharing smart home data [21]. But smart home owners should be However, current developments make IoT devices more discreet and aware of potential consequences to be motivated to configure the their number will increase in the future. This makes it difficult for system so that it matches their privacy needs [21, 28]. owners and bystanders to make adjustments to protect their privacy Different studies revealed that smart home owners wish tobe for each individual IoT device. Our study indicates that there is a aware of data that is collected and transferred to providers [15, tension between the self-determination of owners and bystanders 24, 40]. An interview study with 23 smart home owners examined and the ongoing advancements of IoT devices. Finally, we name their perceptions of devices, data practices, and risks [51]. The challenges for the design of future smart environments that consider results confirm that owners are uncertain about the data practices privacy aspects based on the owner-bystander constellation. of the companies and wish for more transparency and control. Being asked to create a design that respects smart home privacy, 2 BACKGROUND AND RELATED WORK participants in a study created designs that aimed to increase the transparency of data collection and allow the owners to control the In this section, we detail the privacy definition that we based our data collection [58]. Users wished to be informed about the privacy investigation on. Then, we present related works on privacy con- aspects of the devices before purchase [16]. cerns in smart homes and bystander privacy. Adding to this body Besides smart homes in general, also the perceptions and con- of research, our paper focuses on the privacy concerns that might cerns regarding specific devices have been investigated in related arise from the presence of bystanders in smart environments. We work. The awareness of the data collected by smart TVs has been investigate the views of owners and bystanders in-depth. investigated by Ghiglieri et al. [22]. The authors found that users In this paper, we consider privacy as the possibility for users of smart TVs are generally not aware of the data collected by their to control the circumstances and conditions under which their devices.