In recent years smart devices have become a feature of people’s increasingly complex home ecosystems. This brings new opportunities for users and may improve energy efficiency, but it also poses new threats to the privacy and security of end users. While there is emerging evidence of attacks against home devices and data misuse, there is an overall lack of coherent and structured information about the extent and nature of these digital harms and ways to mitigate them. In this blog, David Buil-Gil, James Nicholson, and Steven Kemp look at the use of partnerships for information sharing, why evidence-based prevention is needed to better assess existing and emerging threats, and how to ensure the privacy and security of smart home users.

The emergence of smart home ecosystems

In 1982, a group of students and researchers from Carnegie Mellon University were pioneers in connecting a Coca-Cola vending machine to the internet for the first time. Since then, the Internet of Things (IoT) has grown to include a wide variety of physical devices such as connected cars, electrical grids, military equipment, smartphones, corporate security systems, and a diversity of home electronic appliances and systems. The connection of home devices to the internet is widely known as the “smart home”.

Many different home appliances can be connected to the internet, including lighting, heating and water consumption controls, smart meters, cleaning robots, door locks, voice control devices such as Amazon Alexa and Google Home, and baby and pet monitoring systems. The interconnection of multiple smart home devices forms smart home ecosystems.

New opportunities and new threats

Smart homes offer new opportunities and functionalities for users and can improve energy efficiency (for example, through smart meters and timers), but they are also known to pose risks to the privacy and personal security of users. Large amounts of privacy-sensitive and security-critical information about users and their everyday activities are digitalised and stored in smart home ecosystems. Illegitimate access and use of this data by cybercriminals, corporations and energy providers, or by household members, can generate impactful harms for users.

A variety of digital harms of smart homes have already been identified, including threats to the users’ confidentiality (for example, unwanted release of sensitive or private information), authentication (for example, sensing or control information being falsified), and access (for example, unauthorised access to system controls). Issues that could affect users of smart home devices are numerous, and examples of these harms could include:

Understanding the digital harms of smart homes

Whilst there is emerging evidence that smart homes may pose threats to the privacy and security of users, there is a lack of information about the extent and nature of these digital harms and the ways users and public and private entities can effectively mitigate them. The lack of accurate data about the volume and characteristics of these threats may not only obscure the true extent of the problem, but also hinder multi-party efforts to prevent attacks and data misuses against the privacy and security of users.

There are three main reasons why there are knowledge gaps when it comes to identifying and resolving online harms related to smart devices.

Ways forward

Developing new public-private partnerships for data sharing and evidence-based prevention, and strengthening existing collaborative initiatives, is required. This will allow better assessment of the volume and nature of existing and emerging threats against smart home ecosystems and the risks to the privacy and security of smart home users. Joint public-private partnerships already exist for online fraud and, in the area of anti-money laundering and wider economic threats faced by financial markets, the Joint Money Laundering Intelligence Taskforce (JMLIT) is often recognised as an international example of good practice for crime prevention. These partnerships allow the sharing of data and intelligence across parties, which is key for private and public entities to identify existing threats and develop mechanisms to prevent future incidents.

For smart home ecosystems, the creation of formalised public-private partnerships would be immediately beneficial to gain a better understanding of the nature of the digital harms of smart homes and to respond to these better. A partnership could build upon existing work by the National Cyber Security Centre, which already provides cyber security guidance to organisations and end users, including advice on smart devices and smart meters. It is also key for public administrations to create centralised recording systems that gather existing evidence about the privacy- and security-related incidents of smart homes, or to build on existing databases such as that of Action Fraud to record information for smart devices. Finally, it is urgent to develop policies that allow end users to access their own usage information. This is not only essential because users should have the right to access their own data, but also because this would enable users to increase their own awareness and agency, develop measures to ensure their privacy and security, and identify potential data misuses.

The ‘PrivIoT – Understanding and Mitigating Privacy risks of IoT Homes with Demand-Side Management’ project explores digital harms in the interaction between home IoT devices, smart meters, and Demand-Side Management (DSM) technologies, and develops conceptual tools to improve users’ situational awareness and agency. PrivIoT is a project funded by the PETRAS National Centre of Excellence for IoT Systems Cybersecurity. The research team of the project also includes Stefanie Kuenzel (Royal Holloway University of London), Sameh Zakhary (University of Nottingham), Lynne Coventry (Northumbria University), Daniel Tilley (Daniel Tilley Analytic Solutions) and Rhian Lukins (Northumbria University).

Policy@Manchester aims to impact lives globally, nationally and locally through influencing and challenging policymakers with robust research-informed evidence and ideas.