Privacy in the Internet of Things
Every now and then there is a new debate about privacy issues in an internet context. I recently had an interesting conversation with Tobias Kowatsch. He is a senior researcher at the Institute of Technology Management at the University of St. Gallen and he published a paper* regarding privacy in the context of the Internet of Things and Services (IoT).
Tobias, are there differences regarding privacy in the Internet of Things compared to other information systems?
In general, the underlying “contract” for many well known internet applications is: give up a little of your privacy, and you get worthwhile information. Privacy and security topics have been addressed extensively by information systems research. But to my knowledge, up to now there are no publications focusing on specific aspects of IoT services. These are significantly different from other IT-related applications in traditional office or home situations. That is due to their ubiquitous and embedded characteristics that pervade everyday life. Thus, privacy concerns due to unobtrusive data collection methods are more critical for this class of applications. Therefore, it is very important to better understand usage patterns and perceptions from an end-user perspective.
So, you conducted a study to approach the topic. What exactly did you do?
We came up with a research model that is basically a combination of two existing models – the Extended Privacy Calculus Model (Dinev and Hart, 2006) and the Technology Acceptance Model (Davis, 1989). Our model comprises eight hypotheses such as “Expected usefulness of an IoT service is positively related to the intention to use that service.” or “Trust in the organization that provides an IoT service is positively related to the intention to use that service.” for example.
Then we carried out an online survey amongst 92 participants in order to test our research model and its hypotheses. The participants had to answer questions in the context of four IoT services – “Public Transport Payment Service”, “Navigation Service”, “Smart Energy Service” and “Healthcare Monitoring Service”. In addition, we tested for differences between services that relate to business situations and services related to private situations. And we evaluated the participants’ attitudes towards information transparency.
What about the results? Were there any counterintuitive findings?
First of all, our research model was in general confirmed. But the context of the respective IoT service plays an important role when it comes to deciding to provide personal information to that service or not. The most important factors in that decision are trust in the organization providing the service and personal interest in using the respective service. Perceived privacy risk and privacy concerns have significant influence, but are less important. There seems to be a tradeoff between concerns on the one hand and convenience on the other hand.
Interestingly, we could not find a significant difference between the services that we considered to relate to private or business situations. That might be due to the fact that these IoT services are perceived as pervasive, which makes it impossible to really distinguish between business and private situations.
Regarding means to protect data and to inform about data usage, the participants expressed that personal data should be protected by international law and by up-to-date encryption technology. A majority of our participants would like to get specific and detailed statements with regard to personal information use.
Would you make any general recommendations to people developing services in the IoT?
IoT services should be evaluated by potential end-users at each stage during development – even at the conceptual stage – with regard to privacy concerns against and trust towards the service-providing organization. A tool to do so could be the questionnaire that we used for our survey. It is available in the deliverables of the EU project “IoT Initiative”.
And there is a second aspect I would like to highlight: Although personal interest and perceived usefulness may override privacy concerns in the first instance, the latter must be considered to a great extent as well. If there is a problem only once – remember the issues regarding stolen credit card data – it will be a really huge problem for the organization. Trust in the service-providing organization is a key asset!
Tobias, thanks a lot for discussing this interesting study with me.
Any IoT service or application developers out there? What are your current challenges when it comes to security and privacy?
Or imagine being a user of IoT services: which measures should be taken by a service provider to give you a good feeling? I am looking forward to your comments.
The study discussed in this blog post was published in the following book:
Kowatsch, T., and Maass, W. 2012. “Privacy Concerns and Acceptance of IoT Services,” in The Internet of Things 2012: New Horizons, I.G. Smith (ed.), Halifax, UK: IERC – European Research Cluster on the Internet of Things, pp. 176-187.
A slightly different pre-study has been published in the following conference proceedings:
Kowatsch, T., and Maass, W. 2012. “Critical Privacy Factors of Internet of Things Services: An Empirical Investigation with Domain Experts,” in The 7th Mediterranean Conference on Information Systems (MCIS 2012), H. Rahman, A. Mesquita, I. Ramos and B. Pernici (eds.), Guimarães, Portugal: Springer, pp. 200-211.