1 Introduction

Smart technologies and analytics make possible new innovative services that people value, but they also enable unprecedented visibility into the mundane–and not so mundane–activities of our daily lives in homes and buildings. With the ever increasing multitude of smart devices that permeate our daily lives, companies (and potentially others) can track and store where we go, what we buy, how much we eat and when, our mood over the course of a day, how many steps we take, how often we maintain our cars, when we go to sleep and wake up, who we talk to, and much more. In this new world, exactly how this data is stored, handled, and protected is of concern to users of services, as well as the companies creating smart technologies and governments looking to protect their citizens. As people are becoming more aware of the magnitude and potentially sensitive nature of the data being collected, the ability – and inability – to regulate where information flows and where it stops (“privacy”) is emerging as a potential deterrent to user adoption of new services and experiences.

Addressing user concerns around data collection, storage, handling, use and reuse will be critical to making smart services broadly appealing. However, designing privacy-mindful experiences is not simple. Successful privacy design involves not only understanding and managing technology-based privacy risks, but also understanding the values, needs and desires of individual users and relevant social groups across a range of settings. Complicating the design challenges of these new technologies is that traditional ways of explaining and managing privacy concerns (e.g., the prevalent “notice and choice” model [1]) will be insufficient in a world where smart sensors and technologies are inserted inconspicuously in ordinary objects.

In this paper, we explore the contextual nature of privacy through the application of three leading privacy models and a newly-introduced privacy framework for home activities. Applying these concepts to our research data, we identify combinations of locations and activities that are particularly information-sharing sensitive, prioritize the salience of different types of privacy violations for householders and workers, and examine the influence of privacy attitudes on current ownership of smart devices and desired future smart home and building experiences.

2 Considering Privacy

A central challenge facing designers is the lack of consensus regarding what privacy means. It has variously been conceived as “the right to be let alone” [2], “the right to be forgotten” [3], or the right of the individual to “control” the acquisition, disclosure, and use of one’s personal information [4]. To some, privacy is “a measure of the access that others have to you through information, attention, and physical proximity” [5]; to others it is “the condition under which other people are deprived access to either some information about you or some experience of you” [6]. What issues exactly should designers of smart technologies and services be concerned with?

In this paper, we adopt the perspective of analytic philosopher Nissenbaum that privacy is fundamentally about appropriate information sharing [7]. According to Nissenbaum, what people want is not to be guaranteed absolute secrecy, or to have complete control over what is shared about them, but rather to have confidence that when information is shared, it is done so in accordance with generally-understood context-dependent informational norms. This perspective is well aligned with the tenets of user-centered design, which also suggest that an individual’s attitudes will play a significant role in privacy outcomes. Further, the broad spectrum of reported privacy concerns (e.g. hacking personal data, location tracking, or disclosure of customer data) suggests that we should not treat privacy as a single monolithic entity but instead take a more granular approach to understanding privacy concerns.

2.1 Privacy Attitudes

A widely used method for assessing privacy attitudes is Westin’s “Privacy Segmentation and Core Privacy Orientation” index [8], which assesses an individual’s privacy attitudes based on their level of agreement with the following statements:

  1. Consumers have lost all control over how personal information is collected and used by companies.

  2. Most businesses handle the personal information they collect about consumers in a proper and confidential way.

  3. Existing laws and organizational practices provide a reasonable level of protection for consumer privacy today.

Westin used individuals’ responses to classify people as “privacy fundamentalists,” who place a high value on privacy and believe strongly in privacy laws and enforcement, “privacy pragmatists,” who weigh the value of personal data and potential risks before sharing, or “privacy unconcerned”, who do not know what the “privacy fuss” is about and see little need for further legal protections.

2.2 Spectrum of Privacy Concerns

Legal scholar Daniel Solove proposes a taxonomy that organizes privacy issues in terms of harmful or problematic activities that put privacy at risk (see Table 1). We look to the taxonomy for its secondary and unintended use as a guide for designers, where each element provides a specific type of concern for designers to focus on.

Table 1. Solove’s taxonomy of privacy concerns [9]

2.3 Contextuality of Privacy

Nissenbaum’s contextual model [7] is dependent on social norms. Although not often explicitly articulated, social norms about information flow are tightly bound to our expectations about what type of data is appropriate to share in a given social context (e.g., the workplace, home life), about the subject, sender, and recipient of that data, and about the “transmission principles” that we expect to be followed in particular situations. Social contexts are complex and dynamic, shot-through with unspoken rules that invite discovery and articulation. As Nissenbaum has noted, “when it comes to the nuts and bolts of privacy law, policy, and design, area experts in respective contexts—education, healthcare, and family and home life—are crucial to understanding roles, functions, and information types. They, not privacy experts, are best equipped to inform processes of norm discovery, articulation and formation.” [7]

Recently, Zafiroglu and Patterson applied Nissenbaum’s model to home life [10]. This research suggests that a stable set of sub-contexts, or “facets,” undergird much of daily life within the home. These facets, such as ‘nurturing intimate relationships’ and ‘keep bodies’ (Table 2), are associated with a set of roles, activities, and goals that in turn have strong implications for the conditions under which householders willingly share information. Facets provide guardrails by which designers can gauge the likelihood that data flows introduced by new experiences align with prevailing social norms. When data flows align with existing norms, they are more likely to be accepted by users. When they do not, they may lead to uneasiness or rejection.

Table 2. Overview of home life facets, or sub-contexts, and associated goals

Although householders have relatively stable sets of expectations and preferences for information boundaries rooted in these facets of home life, their level of sensitivity around sharing a particular data point changes as the data point shifts between facets of home life. What might be very sensitive for a neighbor to know might be perfectly acceptable for a home insurance company to know. These differences in information sensitivity (and associated preferences) in the home can be categorized according to the transmission principles as: “secret”, or what individuals withhold from all but a select few, with data expected to never be available outside of the area or context where it was generated; “shared”, or what individuals are willing to allow specific others to know when directly necessary and relevant to a provided service or ongoing social relationship; “traded”, or what others can share if the individuals receive tangible benefits; and “tattled”, or information which, if shared, individuals fear will harm them.
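The following is an added example, not part of the original paper: a sketch of how a smart-home hub could gate outbound data flows using the four sensitivity levels described above. The facet names and sensitivity levels are the paper's; the norm table, data types, recipient names and the `evaluate` function are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    SECRET = "secret"    # stays with a select few inside the originating context
    SHARED = "shared"    # specific others, when necessary for a service or relationship
    TRADED = "traded"    # may flow in exchange for a tangible benefit
    TATTLED = "tattled"  # householder fears harm if it flows at all


@dataclass(frozen=True)
class Flow:
    facet: str                        # sub-context the data was generated in
    info_type: str                    # what the data describes
    recipient: str                    # who would receive it
    needed_for_service: bool = False  # directly necessary for a service in use
    tangible_benefit: bool = False    # householder gets goods or savings in return


@dataclass(frozen=True)
class Norm:
    sensitivity: Sensitivity
    recipients: frozenset = frozenset()  # recipients the norm admits


# Constructed norms for one hypothetical household (assumption, not study data).
NORMS = {
    ("keep bodies", "shower duration"): Norm(Sensitivity.SECRET, frozenset({"partner"})),
    ("keep house", "thermostat schedule"): Norm(Sensitivity.SHARED, frozenset({"hvac service"})),
    ("keep house", "energy usage"): Norm(Sensitivity.TRADED, frozenset({"home insurer", "utility"})),
    ("keep house", "cleaning frequency"): Norm(Sensitivity.TATTLED),
}


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for a proposed flow; unknown flows are denied."""
    norm = NORMS.get((flow.facet, flow.info_type))
    if norm is None:
        return False, "no norm recorded for this facet and data type"
    if norm.sensitivity is Sensitivity.TATTLED:
        return False, "tattled: sharing is expected to harm the householder"
    if flow.recipient not in norm.recipients:
        return False, f"{norm.sensitivity.value}: recipient is outside the norm"
    if norm.sensitivity is Sensitivity.SHARED and not flow.needed_for_service:
        return False, "shared: not necessary for a service or relationship"
    if norm.sensitivity is Sensitivity.TRADED and not flow.tangible_benefit:
        return False, "traded: no tangible benefit offered"
    return True, f"{norm.sensitivity.value}: flow matches the norm"


if __name__ == "__main__":
    # Same data point, different recipients: the neighbor/insurer contrast above.
    proposed = [
        Flow("keep house", "energy usage", "home insurer", tangible_benefit=True),
        Flow("keep house", "energy usage", "neighbor", tangible_benefit=True),
        Flow("keep bodies", "shower duration", "device vendor"),
        Flow("keep media", "viewing history", "advertiser"),
    ]
    for f in proposed:
        allowed, reason = evaluate(f)
        print(f"{'ALLOW' if allowed else 'DENY '} {f.info_type} -> {f.recipient}: {reason}")
```

Denying any flow with no recorded norm keeps newly added sensors from sharing data before a norm has been articulated for them.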

3 Method

The intent of this research was to solicit ideas for adding intelligence to homes and buildings, paying particular attention to information sensitivity about everyday activities that take place in these locales. The goals were to (1) prioritize potential smart homes and buildings usages based on participants’ imagined use of smart technologies in these settings, (2) identify value drivers and barriers to adoption of smart technologies in these contexts, (3) prioritize the salience of different types of privacy violations for householders and workers, and (4) understand the influence of privacy attitudes on people’s imagined use of smart technologies in these contexts.

The research was conducted using a mobile app loaded on the participants’ smart phones, which allowed us to capture their “in-the-moment” thinking about their daily lives and the imagined role of future smart technology in homes and buildings. Participants volunteered for this research with screening done to ensure a representative balance of gender, education levels, and income levels. Further screening was done based on the quality of their initial “in-the-moment” video, whether they owned or rented, housing type, the nature of the buildings that they spent time in, and existing ownership of smart technology.

The research had three stages, with participants completing research tasks for one stage before moving onto the next. We used a mobile app to probe participants on specific topics as they went about their daily routines. This approach let us understand their real-life behaviors and to capture their real-life motivations for smart technology in homes and buildings. The research stages were as follows:

  1. Gather background information. Specifically, we asked participants about their employment status, living situation (e.g., solo, with roommates, with children), household income, existing smart home device ownership, home type (e.g. apartment, single-family home), home square footage, and whether they owned or rented. Participants also completed Westin’s Privacy Segmentation and Core Privacy Orientation Index [8]. Lastly, we asked about the building where they spent the majority of their time outside the home, along with building type (e.g. office building), number of hours spent there weekly, and building size.

  2. Capture imagined uses of smart, where we asked participants to create in-situ videos of two items that they would absolutely love to have a brain and two items that they would absolutely hate to have a brain in their home; we then repeated the process while they were in the non-home building where they spent the most time. Probes were framed in terms of items having a brain, rather than becoming smart, to encourage participants not to limit their thinking to today’s smart devices. For each item identified, we queried qualitatively about motivations for choosing the item and asked participants to rate the expected impact of the item having a brain on a 10-point scale from 1 (little or none) to 10 (transforms life).

  3. Identify information sharing sensitivities, where we asked participants to create in-situ videos of three behaviors that they would be nervous about their home sharing or repeating; we then duplicated the process while they were in the non-home building where they spent the most time. For each identified behavior, we queried qualitatively about their motivations behind the selection, expected impact of sharing, and who already knew about (or could figure out) the behavior.

In all, 264 people met our starting criteria and participated in the research; 54 % of the participants were female with 67 % of the participants having a college degree and 92 % residing in a city or metropolis area. At the start of this research, 40 % of participants owned one or more smart home devices with smart thermostats the most popular at 24 %. 56 % were home owners with over 80 % living in houses with less than 2500 square feet. Over 95 % of the participants reported that they spent time in the building for the purposes of work or schooling, with 52 % of the buildings small or medium sized (<4000 square feet).

4 Results

Participants created 3058 “in-the-moment” snapshots. The snapshots were evenly split between home and buildings, with participants spending the most time outside the home in office buildings (58 %), educational buildings (16 %), retail stores (6 %), restaurants or hotels (6 %). Medical buildings, industrial settings, public buildings, airports, or non-profits comprised the remainder.

The videos and open-ended questions from the studies framed participants’ imagined experience of future smart homes and buildings. As with earlier work, we took these narratives as a direct representation of the imagined experience and a critical part of their underlying mental model [11]. The narratives were coded using a mix of structured coding related to the original home life framework and exploratory coding, with the exploratory coding structure iteratively refined as analysis progressed.

4.1 Extending the Facet Framework

The final coding tree represented the participants’ over-arching mental model of smart home and building experiences [12] and defined the value propositions they expected smart technologies to deliver. We looked for meta-patterns, or schemas shared by participants, as a way of data sense-making. The meta-patterns allowed us to extend the original facet framework to include situations in which building occupants willingly share information about their in-building activities, states and conditions in order to achieve a variety of goals. The extended framework details eight sub-contexts, or ‘facets’, of building life, as shown in Table 3.

Table 3. Overview of building life facets, or sub-contexts, and associated goals

The final coding tree also provided new insights into the more granular aspects of the experiences associated with each facet. Specifically, it allowed us to detail the activities and specific actions that end-users expected smart technologies to support for each facet goal, the areas of information sensitivity, and the motivators that were expected to be value drivers or barriers to adoption of smart technologies.

4.2 The Landscape of Privacy Sensitivity

When participants imagined brainy homes and buildings, they often did not trust what they themselves had imagined (48 % of total concerns raised). Their lack of trust in their future visions was predicated on a mix of different concerns, including worries about the reliability of the brainy object to consistently work as expected, how the participant would control the object, and their ability to set boundaries on information the object would generate and potentially share (“privacy”).

Privacy concerns had the most negative impact on trust, with both location and facets impacting participant perception of potential privacy risks. Participants called out privacy as a potential risk in their imagined use of smart technologies in buildings nearly 46 % more often than they did in the home, adjusted for total number of snapshots in each setting. Figure 1 shows the distribution of privacy concerns in homes, while Fig. 2 shows the distribution of privacy concerns in buildings.

Fig. 1. Heatmap of relative percentage of privacy concerns in the home as a function of home facets and home location. Note, facets with less than 1 % of the total privacy concerns were not shown in the interest of table readability.

Fig. 2. Heatmap of relative percentage of privacy concerns in buildings as a function of building facets and building location. Note, facets with less than 3 % of the total privacy concerns were not shown in the interest of table readability.

Bathrooms were areas of concern regardless of building type, but especially if participants were engaged in activities related to “Keep Bodies” (e.g. grooming). Respondents in homes had a high level of concern about privacy when consuming or engaging with media (e.g. TV shows) regardless of location, while respondents in buildings were most concerned when in their personal offices, especially when engaging with others.

4.3 Categorizing Privacy Concerns

To categorize participants’ imagined privacy concerns (that is, the concerns they name when asked to contemplate the hypothetical introduction of intelligence into objects already within their homes and buildings), we used a taxonomy of privacy violations proposed by privacy scholar Daniel Solove [3]. Again, location and facets played a significant role in the nature of privacy concerns. The most dramatic differences were between homes and buildings, as shown in Fig. 3. Overall, disclosure, or revealing factual information that impacts one’s reputation, was the most frequently mentioned, followed by surveillance.

Fig. 3. Relative distribution of types of privacy concerns for home and building life

Respondents in the home were 11 % more likely to be concerned with insecurity and 10 % more likely to worry about secondary use, while in buildings they were 20 % more likely to worry about surveillance and 11 % more concerned with breach of confidentiality.

4.4 Shifts in Information Sensitivity

As we examined the data around what behaviors participants would be nervous about their home or building repeating, we recognized differences in information sensitivity in homes and buildings. In the home, participant concerns were motivated primarily by potential embarrassment. In buildings, they were motivated by potential embarrassment, but also by potential consequences, with a shift towards secrecy and tattling. Figure 4 shows the shifts in information sensitivity as participants moved from home to building settings.

Fig. 4. Relative frequency of different levels of information sensitivity in homes and buildings

Information sensitivity was driven by information type, its recipient, the facet, and the specific location where the activity or behavior takes place. Within the home, participants were most likely to report sharing “secrets” with immediate family, typically a partner or a spouse. In buildings, participants most often shared with a close co-worker or spouse. The contexts with the highest relative frequency of identified secrets were the home facets of “Keep House” (59 %) and “Keep Bodies” (18 %), and in the bedroom, kitchen, and bathroom. In buildings, the most concern was around “Partner & Act with Others” (41 %), particularly managing personal reputation, and “Keep Bodies” (30 %) and in offices and bathrooms.

4.5 Impact of Privacy Attitudes

Westin’s Privacy Segmentation and Core Privacy Orientation Index [4] was used to classify participants as Privacy Fundamentalists (25 %), Privacy Pragmatists (28 %), or Privacy Unconcerned (47 %). In our data, respondents that Westin would have labeled as privacy fundamentalists were more likely than the other two categories to be concerned about privacy when they contemplated introducing intelligence into homes and buildings. However, for participants, the influence of privacy attitudes extended beyond just privacy for smart products and services. In particular, privacy attitudes were associated with:

  • Ownership of one or more smart devices, with privacy pragmatists 10 % less likely to report owning smart devices in the home. Only 32 % reported having such devices in their home, versus 42 % of fundamentalists and 44 % of unconcerned.

  • Desired smart home and building experiences. Privacy fundamentalists were more likely to imagine security-related uses for smart technologies, which may explain their higher existing ownership of smart devices given today’s market focus. They were also most likely to imagine smart as improving their personal productivity. Pragmatists on the other hand saw the most value in intelligence that supported personal care and cleaning. The Unconcerned were the least concerned about security applications of smart, but were the most interested in the social potential of these technologies and often described themselves as oversharers.

5 Discussion

Homes and buildings are complex contextual environments in which information flow expectations differ as a function of multiple factors. By offering a glimpse of the future through the eyes of end-users—a future not yet invented but already imagined—our aim is to provide designers of smart homes and buildings with a better understanding of privacy expectations so that they may develop smart home and building usages that resonate with the diverse experiences, roles, concerns, and activities of householders and workers.

First, we found that almost half of imagined home-life privacy concerns were not localized to any particular areas of the home. If one’s home truly is one’s castle, smart technologies represent a significant threat to our historical, low-tech privacy barriers. It will no longer be sufficient to close the bedroom curtains or ignore knocks at the front door to ensure privacy. Rather, privacy concerns revolve around activities that take place within the home: In our data, the most sensitive facets of home life were what Zafiroglu and Patterson call “keep house” and “keep bodies”. At first blush this is surprising. Information about cleaning, being organized, making the day run smoothly, managing appearances, economizing and keeping the home supplied may not seem particularly sensitive. However, these activities get to the heart of our ability to present ourselves to others as organized and capable beings who are maintaining parity with our neighbors and friends. They also allow us to feel as though we are living up to the aspirational messages that abound in the modern world.

In the workplace, on the other hand, people reported very few non-localized privacy concerns. In the context of work, we saw that people already assume their daily lives are under scrutiny. Top of mind privacy concerns in this environment included managing our reputations rather than sequestering our physical bodies. Surveillance is a particular worry, with many participants anxious about their ability to hide the details of their daily work lives from co-workers, managers, or others who may judge and perhaps even sanction them for indications of non-work.

Third, we saw that when our research participants imagined others outside the home knowing something about their activities, 72 % of that information was considered shareable; only 30 % was considered out of bounds. It is not that people want everyone to know everything about them, but rather that they see the sharing of some information about themselves as acceptable for particular purposes, such as in exchange for a better understanding of their dwelling or household, or in exchange for tangible benefits such as goods or cost savings.

Surprisingly, the opposite pattern materializes for buildings. In these environments, only 18 % of information about activities was considered shareable. Taken together, these two findings seem paradoxical and invite reflection. Why would information collected in private spaces be considered shareable, but information collected in public spaces be considered off-limits? Our data suggests that our research participants have an understanding that activities at work have monetary value for the worker and for the enterprise, rendering it, in both cases, private by default. Where the worker is concerned, scrutiny invites reprobation. Where the company is concerned, the information is not for the worker to share. Within the home, on the other hand, people assume a kind of comfort with and de facto ownership over information: because it is about them, it is theirs to protect, to share selectively, or to distribute widely.

Finally, our work highlights the utility of Solove’s taxonomy [3] for mapping privacy concerns related to introducing new technologies. The taxonomy may provide designers with a clearer understanding of privacy, with each class of problems shaping different design solutions. In contexts where information collection is of concern, our data suggests that designers should focus on understanding the purpose behind the data being collected, limiting data capture to only the essential, and managing appearances by limiting device capabilities to what is necessary. For information processing, they should focus on safeguarding data and limiting its use to those that align with contextual norms. They can reduce information dissemination concerns by ensuring the data is accurate, openly communicating about how it is being handled, and enabling data management by individuals. Lastly, designers can reduce the perception of invasion issues by being useful but not disruptive in the context and enabling people to easily disconnect.

6 Conclusions

We hope that by articulating and implementing innovative privacy design principles, designers can play a pivotal role in building trust and assuaging the public’s fears about smart technologies. The facet framework and accompanying approach to exploring the introduction of new technologies provide a tool to help product designers identify and develop privacy-mindful usages that resonate with the context in which they are deployed.