
1 Introduction

Smart home settings are often pictured as single-user settings set up by professionals. However, smart home users are manifold and live in shared spaces consisting of several household members [1]. End users set up and configure individual devices themselves, both for their own use and for other household members [2]. This can lead to serious privacy issues for the respective household members. We hypothesize that the data protection of other household members is upheld less rigorously because consumers often cannot honor their own values of privacy, a discrepancy commonly referred to as the Privacy Paradox [3].

We discuss the ethical and legal implications of privacy. Households as such are protected under legal frameworks like the GDPR or the CCPA. However, individual household members are not obliged under these frameworks to protect each other's data. Thus, we claim that individuals are morally obliged to protect the privacy of all household members.

Three examples of smart home settings in which privacy issues can occur are conceptualized and analyzed using the framework of contextual integrity. Within these examples and in other smart home settings, privacy is easily breached. To hinder these breaches, we propose developing transparency measures and open communication between all household members.

2 Background

Smart home devices are categorized as socio-technical infrastructures which include multiple household members [2]. These settings are especially interesting as members of a household hold a closer relationship and share different data with each other than, e.g., colleagues who share an office. Part of this setting are the smart home devices—while voice assistants are appreciated by their users, they give rise to privacy concerns [4]. This complex situation of interconnected relationships in socio-technical settings is a special challenge to the users and configurators of smart homes.

We already see users struggling with the use and configuration of ICT, a struggle often referred to as the privacy paradox [3]. The privacy paradox describes the dichotomy between the desire of users to keep personal information private and their use of new technologies through which personal information is nevertheless disclosed. Current research has established that consumers are more likely to consider privacy and security concerns after purchasing an Internet of Things device [5]. Before purchase, neither privacy nor security concerns are given much consideration. However, consumers do regard this information as important when purchasing a device, and they find the accessibility of information on the privacy and security of IoT devices to be weak [5]. When consumers cannot uphold their own value of privacy, they likely cannot commit to protecting the privacy of additional household members. This is problematic as, inter alia, personal data is collected of which another household member is not aware, which that member is not willing to share, or about whose privacy protection that member has not been informed. Therefore, we conclude that technical support for users and configurators is needed and can be provided by manufacturers to some extent, e.g., through transparency assistants and proper information.

To establish the connection between socio-technical smart home settings and potential breaches of privacy, we use the framework of contextual integrity. Contextual integrity claims that personal information is always provided in a context; thus, it may change its meaning or intent when it is used in another context. Contextual integrity asserts that privacy is violated if contextual norms of appropriateness or norms of flow are breached [6]. This is based on the idea of different societal norms and settings: people act differently in different social settings, and the content of personal information they share differs as well. Medical history is usually shared with your physician, but not with your colleagues. Following these notions, there is no general breach of privacy or general acceptance when sharing information or data; rather, it matters which information is shared, in what context and in which setting.

Following this idea of contexts, Nissenbaum determines that flows of personal information must be appropriate [7]. Information flows are appropriate when they are legitimate according to four criteria – contexts, actors, information type and transmission principles [8]. Within this framework, context-relative informational norms are characterized. This means that contextual integrity serves to judge the privacy, or a breach thereof, of personal information passed from one party to another. This transfer includes transmission, communication, transfer, distribution or dissemination of personal information [7]. Contexts thus relate to informational norms as backgrounds and introduce a multiplicity of social contexts [7]. The importance of contexts, as described above, is that they are recognized when personal information is shared. Actors are defined as three explicit subjects: the sender of the information, the recipient of the information and the information subject [7]. The actors distinguish the different subjects within data distribution: who the data is about, who is sharing the data and who receives it. The actors parameter focuses on single individuals and serves to capture their relationships and roles in certain settings. Attributes, or information types, refer to the content of the data. The attributes also have to be recognized within their context; some specific information is appropriate in some settings but not in others. This becomes apparent when we consider the example of the physician and the colleagues discussed above. Transmission principles refer to the flow of information from one individual to another. Private information is usually shared with one particular party in one particular setting. Further distribution or transmission of the information can breach the intended context in which that information was originally shared. Within the context of smart home systems, the data subject and the sender of the data are important, as they are often not the same person. Transmission principles can capture the distinction between sharing information within a private space, the home, and that information being distributed elsewhere. By analyzing these four dimensions of information distribution, we can capture the intended purpose or aim of individuals in sharing this information. If one of these changes contextually, or is not agreed to, privacy is violated.

3 Legal Background

Taking a legal perspective, there is a broad international consensus that the privacy of an individual needs to be protected. However, the scope of what is protected differs among legal traditions. In comparison, data protection is defined more consistently: it refers to the protection of personally identifiable information (PII). The protection of privacy is a concept which is divided into legally manageable areas; the connecting element is the protection of personality. An essential aspect of the protection of privacy is the possibility for each individual to draw the line between privacy and publicity.

Accordingly, Article 12 of the Universal Declaration of Human Rights (UDHR) protects privacy as a universal human right. As an important international document, the UDHR is of great moral value, but it is not legally binding. Legally binding, on the other hand, are international treaties such as the International Covenant on Civil and Political Rights (ICCPR), whose Article 17 is almost identical. To ease enforcement, different systems of human rights protection have emerged at the regional level, especially in the Americas and Europe: Art. 11 of the American Convention on Human Rights explicitly states the protection of privacy (“Right to Privacy”). The European Convention on Human Rights (ECHR) states it explicitly in Art. 8—the right to respect for private and family life. The European Charter of Fundamental Rights (CFR) also guarantees self-determination, self-expression and confidentiality with two strongly related provisions: the right to respect for private and family life, home and communications in Art. 7 CFR and the right to protection of personal data in Art. 8 CFR. Current legislation, like the General Data Protection Regulation (GDPR), does not mention the term privacy at any point. In Art. 1 para. 2 the GDPR protects “the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. The California Consumer Privacy Act (CCPA) covers all communications relating to natural persons and not only PII. This is a broad approach: for example, it is stated that persons are also protected with regard to information on where they live, driving behavior, sleeping behavior and similar (Section 1798.140 (o) (1) CCPA). Its approach is very open as it regards any information that is likely to be associated with a consumer or household. Taking a broad understanding, it also refers to information about and within multi-person households—without naming the persons specifically.

4 Privacy as a Value

The importance of privacy and of the distribution of information to all parties affected by smart home devices in a household is high, as we claim privacy to have ethical importance and to uphold the human right to privacy as described above. The legal protection against distributing PII is not universally granted, especially in smart home settings, due to differing legal frameworks. Still, we assume this protection to be important and offer an ethical argument for it. Based on this distinction we assume law and morality to be separate. While one is influenced by the other, laws do not reflect all societal or individual norms. The differences or similarities of law and morality are greatly discussed within the philosophy of law, where different authors come to different conclusions. Similarly to our claim that law and morality are separate, H. L. A. Hart conceptualizes a separability thesis within legal positivism [9]. He assumes that morality is not necessarily captured within law. Both concepts are considered to be distinct. However, they can influence one another as they both regulate social life. Especially in the case of smart home settings, members of a household fall short of protection due to a lack of definition. The individual's privacy might be legally protected, but enforcement of this protection is not always established within smart home settings. A separation between law and morality is necessary in order to account for a different claim on why privacy in these contexts ought to be protected.

If we regard privacy not only as a commodity, to be valued at a certain amount of money or as something that can be sold, privacy has to be important by some other means. As privacy is distinct and differs between societies, nations, and even individuals, a value-based account is the most promising way to establish its importance. The notion of human rights has been discussed as a prerequisite for a good life in recent literature [10, 11]. If we follow this notion, privacy becomes one of these prerequisites for a good life. Without examining the idea of a good life in detail, it grants a necessary foundation for human advancement and enjoyment of life. This means privacy is a necessity for human flourishing. The idea of privacy is not only connected to personal autonomy, which means self-determination of information about oneself, i.e. the individual right to share or not share. Privacy also concerns societal, political and social values. Privacy has instrumental value which derives from its importance to individuals, relationships and society at large. Its importance for the individual is not only dependent on the autonomy described above but also matters for moral development and personal freedoms. The concept of privacy leaves the individual to distinguish what she wants to share and what she wants to remain private, especially in connection with different contexts, and fosters the possibility to choose to express unpopular opinions and beliefs. While this allows both positive and negative outcomes, it grants the possibility to be open about personal information such as religion or homosexuality. Another account of the value of privacy for individuals can be found in van den Hoven [12]. Charles Fried establishes privacy to be important for trust, intimacy and friendship, fostering special connections to other individuals which would not be possible without a concept of privacy [13]. Priscilla Regan claims privacy to be valuable not only for individuals but also as a common value for societies because it supports democratic political systems [14]. Privacy within a democratic system allows for anonymous speech, secret voting and freedom of association. It protects from intrusive government interference in the private sphere and permits the general dichotomy between private and public space [14]. This allows different individuals to be distinct in their beliefs, hobbies, interests and relationships within societies. Thus, the main values of privacy derive from other important concepts or abilities of which privacy is a prerequisite.

5 Examples

In the following we present smart home scenarios involving privacy that affect the inhabitants of the smart home and their relationships. We analyze how and which privacy violations can occur and how the relationships between household members are affected. We employ the concept of contextual integrity to analyze breaches of privacy within smart home settings. We use three different scenarios in the socio-technical setting of smart home households which include the purchase and configuration of a new device and changes in the features and privacy practices of an existing device. The following three scenarios exemplify possible breaches of contextual integrity that occur with changes within smart home systems.

5.1 “1 + 1 = 3 Smart Speakers as an Additional Conversation Partner”

During an intimate conversation Craig's smart speaker turns on and interrupts his conversation with Clara. Neither of them knows what triggered the response, as neither of them said the activation phrase. Clara is very uncomfortable; their conversation was private and not meant to be listened to by an outside party. She wants to know what the device listens to, what it does with the information and how it is triggered. Craig does not know. He bought the speaker because of a sale and now finds it convenient to use. Craig also values his privacy and wants his conversations with Clara to be private. He is not informed about what his device records, when it listens, what data it collects and what happens with that data.

Clara and Craig look up the privacy regulations and find out that the device constantly listens for short periods of time in order to detect its trigger. The manufacturer does not store this data. However, once the activation phrase is said, the device actively listens and the data is transferred to the manufacturer's server to be processed so that the device can reply. Additionally, the history of past requests is saved. Clara and Craig decide to move their private conversations into the bedroom, a room without a smart speaker. Following their conversation, they discuss where they would like to have a smart speaker and where it is not acceptable. They place one in the kitchen—in order to look up recipes hands free—but they also decide to ban the speaker from the bedroom and bathroom.

There is a dichotomy between how Clara wants to act in their private home as a girlfriend and how she behaves when smart home devices may be recording. The context of personal space, and how one acts within it, is of high importance for the individual's willingness to share. Parts of their conversation are distributed further, which changes the transmission principle to include another party than Craig. The actors within the transfer of personal information change because there is an additional recipient of the information. The private context within the home is breached; thus, contextual integrity is no longer present.

5.2 Data Collection at the Front Door

Greg bought a smart doorbell with a video stream delivered directly to his smartphone to keep himself and his family safe. He is notified promptly once the camera's motion detection senses movement at the front door. This way he knows, while still at the office, whether his parcels were delivered and whether his daughter came home from school on time. Besides that, he can also interact with the person at the front door through an intercom and tell them to wait for him or come back later. All videos are stored in the cloud for review.

One day Greg notices that his doorbell is offline and he can't access his cloud account—at this point he thinks it is a regular service outage. Later that day he receives a call from his daughter: the doorbell continuously plays a sound of laughter and a dark, distorted voice addresses her. He instructs her to unplug the Wi-Fi and drives home immediately. His cloud account was hacked, and the hackers took over the doorbell's camera and intercom as well as all the recordings stored in the cloud. He reviews who is affected by the leak. He notices that he never before thought about the privacy of visitors and his family—he would see them at the front door after opening anyway. He also never informed them about the cloud recordings.

Greg did not make his visitors or the other residents fully aware of the personal data being processed, the recordings being stored and the cloud server being involved. The context of approaching a door, e.g., for a visiting friend, has changed – it is not private anymore. The transmission principle has also changed with the distribution of the data. There is no possibility of intervention because the camera is motion activated. The location information of everyone recorded by that camera has been distributed to third parties. The recipient of the information has thus changed. Contextual integrity for visitors and the parcel delivery driver is not present and their privacy has been breached.

5.3 Anna Buys a New Vacuum

People in a shared apartment own a vacuum robot. One of the roommates, Anna, decides to upgrade to a new, better model. It has a stronger motor, it is quieter, and it is easier to navigate. It contributes to all roommates feeling more comfortable and to the general cleanliness of the space. Whereas the older model only drove around aimlessly until the battery was dead, the new model tracks its courses and generates maps of the apartment. The vacuum notifies the owner via an app if the battery is dead or it is stuck somewhere, and reports the status of the cleaning process. Via the app, the user can navigate the vacuum manually, start the cleaning process (even from outside the home) and define zones to be cleaned more extensively or not at all. A statistic is generated on the different cleaning sessions with data on the specific rooms which were cleaned, the number of square meters, the time vacuumed and disruptions within the cleaning process. Anna is now able to see specifically whether her roommates are home, based on the interruptions. The interruptions also allow her to know which room was tidied up. The floor plan and the statistics of the cleaning sessions are further distributed to the manufacturer to improve the functioning of the vacuum. The other roommates were not able to decide on the new model and especially on its (new) privacy settings. Their data is distributed to the app and to the manufacturer.

Considering these changes, the roommates did not specifically agree to their personal data being distributed further, which introduces a change of the transmission principle from Anna or the household to the manufacturer. The context in which the data is shared has changed. They are willing to share information on their location and the cleanliness of the apartment with their roommates when those are home, but not with others or with roommates who are not home. Contextual integrity, and thus privacy, has been breached.

5.4 Breaches of Contextual Integrity

These three examples help to identify prominent privacy breaches within smart home settings. The framework of contextual integrity helps to analyze whether personal information is distributed appropriately. In all three examples we can observe a change in the transmission principle, a change of context and a shift of actors. Personal information is distributed out of its intended context for individuals to another party or to a familiar party outside of the home. The home as a private space has a specific context which is inherently considered to be disconnected from the public. Individuals assume their personal information, i.e. habits or conversations, to be private. Smart home systems can, as described above, disrupt this privacy and change the context. Even if a household member receives personal information of another household member outside of the home through smart home devices, the context changes. Additionally, the transmission principle changes. The person or entity receiving this information is not limited to other household members or visitors, but may extend to another party, the manufacturer of the device, or simply to a cloud where the data is processed. Thirdly, there is a shift between different actors when using smart home devices. Without smart home devices, the information subject and the sender of the information are usually the same person within a home. With the use of smart home devices that another household member has configured, the information subject and the sender of the information can differ. The individual now does not privately share this information with other household members; instead, the device of another person distributes this information further. Thus, the recipient of the information changes from a household member to potentially a third party.

These changes within actors, transmission principle and context lead PII to flow inappropriately and thus to potential breaches of privacy. The examples presented focused on changes or realities which were not communicated or discussed within the household; we think this is common in everyday life. These problems can be solved by transparency measures and joint decision making on privacy settings with all household members.
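The four-parameter comparison that Section 5.4 draws across the three scenarios, written out as an added Python example that is not part of the original paper. The home norm, the role labels and the scenario flows below are constructed assumptions that encode the paper's own reading of each scenario; the check flags a flow as a breach of contextual integrity as soon as any parameter departs from the norm.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One transfer of personal information, described by the contextual-integrity parameters."""
    context: str       # social setting in which the information is used
    subject: str       # who the information is about
    sender: str        # who, or which device, transmits it
    recipient: str     # role of the party that receives it
    info_type: str     # attribute / content of the information
    transmission: str  # transmission principle: how the flow takes place


@dataclass(frozen=True)
class Norm:
    """Context-relative informational norm: the flows a subject regards as appropriate."""
    context: str
    recipients: frozenset
    info_types: frozenset
    transmissions: frozenset


def breaches(flow: Flow, norm: Norm) -> list:
    """Return the parameters on which `flow` departs from `norm`.

    An empty list means the flow keeps contextual integrity; each entry names
    one dimension (context, actor, information type, transmission principle)
    whose change the paper treats as a privacy breach.
    """
    found = []
    if flow.context != norm.context:
        found.append("context")
    # In a home without devices the information subject is also the sender;
    # a device configured by someone else splits the two roles.
    if flow.sender != flow.subject:
        found.append("actor:sender")
    if flow.recipient not in norm.recipients:
        found.append("actor:recipient")
    if flow.info_type not in norm.info_types:
        found.append("information type")
    if flow.transmission not in norm.transmissions:
        found.append("transmission principle")
    return found


# Constructed norm for the private home: information is shared in person with
# people physically present and is not retained.
HOME_NORM = Norm(
    context="home",
    recipients=frozenset({"household member", "visitor"}),
    info_types=frozenset({"conversation", "front-door presence", "presence and floor plan"}),
    transmissions=frozenset({"in person, not recorded"}),
)

# Constructed flows: a baseline without devices, then the three scenarios of Section 5.
IN_PERSON = Flow("home", "Clara", "Clara", "household member",
                 "conversation", "in person, not recorded")
SCENARIOS = {
    "smart speaker": Flow("manufacturer cloud", "Clara", "Craig's smart speaker",
                          "manufacturer", "conversation", "recorded and uploaded"),
    "doorbell": Flow("cloud storage", "visitor", "Greg's doorbell camera",
                     "cloud service and intruders", "front-door presence",
                     "motion-triggered recording stored in the cloud"),
    "vacuum": Flow("app used outside the home", "roommate", "Anna's vacuum app",
                   "manufacturer and absent roommate", "presence and floor plan",
                   "cleaning statistics sent to app and manufacturer"),
}


def analyze_scenarios(norm: Norm = HOME_NORM) -> dict:
    """Map each scenario name to the parameters on which it breaches `norm`."""
    return {name: breaches(flow, norm) for name, flow in SCENARIOS.items()}


if __name__ == "__main__":
    for name, found in analyze_scenarios().items():
        print(f"{name}: {', '.join(found) or 'contextual integrity preserved'}")
```

The baseline in-person flow yields no breaches, while each device-mediated scenario departs from the norm on context, both actor roles and the transmission principle, matching the paper's analysis; the information type is unchanged in all three.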

6 Discussion

In the aforementioned examples we pointed out that privacy issues in smart home contexts can occur easily and can be introduced by different parties. Such issues are related to the change of context which is introduced by the cloud processing of smart home devices. However, the actual processing is not at the core of the problem; rather, it is the missing transparency for affected persons in the smart home setting. This lack of transparency can result from the original buyer and configurator not understanding the actual inner workings of such devices, but it can also be introduced by the manufacturer through a software update or by the intrusion of hackers into the system. Apart from the latter, these cases do not involve malicious intent and would not occur if transparency had been present and had enabled a discussion.

Such a discussion is necessary as privacy perceptions differ and depend on the context. A special challenge in smart home environments is not only to regard the current context but also to understand how this context changes through the regular use of devices and through future hardware and software upgrades, and how the risk of malicious incidents needs to be taken into account. Currently it depends on the buyer of a device to do this and to potentially include the affected persons in her considerations.

7 Conclusion and Future Work

The privacy paradox extends to the smart home and thus introduces privacy risks for all persons in the household, as the context can be changed unwillingly by the introduction of smart devices—most of the time through a lack of transparency and thus of negotiation and awareness. To help the end user make informed decisions and to foster transparency, we plan to develop a framework to envision such context changes. This framework should consist not only of thought-provoking scenarios but also of actual smart home devices and manufacturer-specific illustrations and descriptions of the processing of PII. This information will be included in a card game to help envision the context changes together with other affected persons.