ABSTRACT
Despite growing concerns about security and privacy of Internet of Things (IoT) devices, consumers generally do not have access to security and privacy information when purchasing these devices. We interviewed 24 participants about IoT devices they purchased. While most had not considered privacy and security prior to purchase, they reported becoming concerned later due to media reports, opinions shared by friends, or observing unexpected device behavior. Those who sought privacy and security information before purchase reported that it was difficult or impossible to find. We asked interviewees to rank factors they would consider when purchasing IoT devices; after features and price, privacy and security were ranked among the most important. Finally, we showed interviewees our prototype privacy and security label. Almost all found it to be accessible and useful, encouraging them to incorporate privacy and security in their IoT purchase decisions.
Index Terms
- Exploring How Privacy and Security Factor into IoT Device Purchase Behavior