In recent years smart devices have become a feature of people’s increasingly complex home ecosystems. This brings new opportunities for users and may improve energy efficiency, but it also poses new threats to the privacy and security of end users. While there is emerging evidence of attacks against home devices and data misuse, there is an overall lack of coherent and structured information about the extent and nature of these digital harms and ways to mitigate them. In this blog, David Buil-Gil, James Nicholson, and Steven Kemp look at the use of partnerships for information sharing, why evidence-based prevention is needed to better assess existing and emerging threats, and how to ensure the privacy and security of smart home users.
- Smart home devices may pose risks to the privacy and personal security of users.
- There is an overall lack of information about the nature and extent of the digital harms of smart homes and effective ways to mitigate them.
- Developing public-private partnerships for data sharing is needed to assess emerging threats and ensure the privacy and security of smart home users.
- It is necessary to create centralised recording systems that gather existing evidence about the privacy- and security-related incidents of smart homes.
- Policies should be developed that allow end users to access their own usage information.
The emergence of smart home ecosystems
In 1982, a group of students and researchers from Carnegie Mellon University were pioneers in connecting a Coca-Cola vending machine to the internet for the first time. Since then, the Internet of Things (IoT) has grown to include a wide variety of physical devices such as connected cars, electrical grids, military equipment, smartphones, corporate security systems, and a diversity of home electronic appliances and systems. The connection of home devices to the internet is widely known as the “smart home”.
Many different home appliances can be connected to the internet, including lighting, heating and water consumption controls, smart meters, cleaning robots, door locks, voice control devices such as Amazon Alexa and Google Home, and baby and pet monitoring systems. The interconnection of multiple smart home devices forms smart home ecosystems.
New opportunities and new threats
Smart homes offer new opportunities and functionalities for users and can improve energy efficiency (for example, through smart meters and timers), but they are also known to pose risks to the privacy and personal security of users. Large amounts of privacy-sensitive and security-critical information about users and their everyday activities are digitalised and stored in smart home ecosystems. Illegitimate access and use of this data by cybercriminals, corporations and energy providers, or by household members, can generate impactful harms for users.
A variety of digital harms of smart homes have already been identified, including threats to the users’ confidentiality (for example, unwanted release of sensitive or private information), authentication (for example, sensing or control information being falsified), and access (for example, unauthorised access to system controls). Issues that could affect users of smart home devices are numerous, and examples of these harms could include:
- denial of service attacks that block users’ access to smart devices
- devices infected by malware
- unauthorised interception of communications and information about users’ everyday lives (for example, eavesdropping)
- attacks that compromise sensitive data
- control and stalking over household members
- impersonation attacks based on password cracking or social engineering.
Understanding the digital harms of smart homes
Whilst there is emerging evidence that smart homes may pose threats to the privacy and security of users, there is a lack of information about the extent and nature of these digital harms and the ways users and public and private entities can effectively mitigate them. The lack of accurate data about the volume and characteristics of these threats may not only obscure the true extent of the problem, but also hinder multi-party efforts to prevent attacks and data misuses against the privacy and security of users.
There are three main reasons why there are knowledge gaps when it comes to identifying and resolving online harms related to smart devices.
- Firstly, there is little to no collaboration between private and public entities for data sharing and threat assessment. Private companies rarely share details about cyber security incidents with public entities and police forces. This could be associated with a lack of confidence in the public sector’s ability to respond to cyber security issues and also fears of reputational damage and a preference for a private mode of control over users’ privacy and security on the internet. Similarly, although the UK government is increasing its efforts to improve the security of smart homes, public entities may not be allowed to, or have a low interest in, sharing intelligence about ongoing and emerging threats with private organisations (which sometimes are not even based in the UK).
- Secondly, there is no centralised system within UK government to record information about attacks and privacy breaches against smart devices. Even if private organisations, public authorities and individual users were willing to share information about known incidents with each other and record it in existing government databases, this information would be recorded alongside generic datasets of cyber-enabled incidents, with details about devices compromised only included in the free text sections (which prevents comparative analyses of digital harms of smart homes). Moreover, all incidents against the privacy of users that do not meet the UK government’s crime counting rules would be directly excluded from these registers.
- Thirdly, end users of smart homes usually cannot access or visualise data about their own usage. This prevents individuals implementing actions to protect their privacy and identifying unusual usage patterns that may indicate a compromised device.
Developing new public-private partnerships for data sharing and evidence-based prevention, and strengthening existing collaborative initiatives, is required. This will allow better assessment of the volume and nature of existing and emerging threats against smart home ecosystems and the risks to the privacy and security of smart home users. Joint public-private partnerships already exist for online fraud and, for anti-money laundering and wider economic threats faced by financial markets, the Joint Money Laundering Intelligence Taskforce (JMLIT) is often recognised as an international example of good practice for crime prevention. These partnerships allow the sharing of data and intelligence across parties, which is key for private and public entities to identify existing threats and develop mechanisms to prevent future incidents.
For smart home ecosystems, the creation of formalised public-private partnerships would be immediately beneficial to gain a better understanding of the nature of the digital harms of smart homes and to respond to these better. A partnership could build upon existing work by the National Cyber Security Centre, which already provides cyber security guidance to organisations and end users, including advice on smart devices and smart meters. It is also key for public administrations to create centralised recording systems that gather existing evidence about the privacy- and security-related incidents of smart homes, or to build on existing databases such as that of Action Fraud to record information for smart devices. Finally, it is urgent to develop policies that allow end users to access their own usage information. This is not only essential because users should have the right to access their own data, but also because this would enable users to increase their own awareness and agency, develop measures to ensure their privacy and security, and identify potential data misuses.
The ‘PrivIoT – Understanding and Mitigating Privacy risks of IoT Homes with Demand-Side Management’ project explores digital harms in the interaction between home IoT devices, smart meters, and Demand-Side Management (DSM) technologies, and develops conceptual tools to improve users’ situational awareness and agency. PrivIoT is a project funded by the PETRAS National Centre of Excellence for IoT Systems Cybersecurity. The research team of the project also includes Stefanie Kuenzel (Royal Holloway University of London), Sameh Zakhary (University of Nottingham), Lynne Coventry (Northumbria University), Daniel Tilley (Daniel Tilley Analytic Solutions) and Rhian Lukins (Northumbria University).
Policy@Manchester aims to impact lives globally, nationally and locally through influencing and challenging policymakers with robust research-informed evidence and ideas.