Privacy Impacts of IoT Devices: A SmartTV Case Study

Abstract

The Internet of Things (IoT) enables the passive collection of personal data at an unprecedented scale by ubiquitous devices built into our daily lives. However, IoT devices neither provide notice or collect consent as recommended by the U. S. Federal Trade Commission (FTC) fair information practice principles. IoT devices may, based on their physical limitation, not even be capable of compliance. Requirements engineers need concrete methodologies to identify, understand, and limit risks to customer privacy posed by IoT devices. We conducted an exploratory case study of the privacy policy for an archetypical IoT device, a SmartTV. We employed the Goal-Based Requirements Analysis Method to extract goals from applicable Samsung U. S. privacy policy documents and classified the resulting goals with the Anton-Earp privacy goal taxonomy. The goal of this research is to characterize the privacy protections and vulnerabilities posed by this example IoT device and its associated policies. In particular, we seek to assess whether data collection is apparent to the average user and evaluate the extent to which a SmartTV exposes users to cloud computing's privacy vulnerabilities. Our results suggest that: (1) users face increased risk of privacy harms from SmartTVs, (2) most data collection by SmartTVs is not apparent to the average user, and (3) many SmartTV goals further compromise user privacy by requiring connection to manufacturer backend servers.