Please use this identifier to cite or link to this item: http://arks.princeton.edu/ark:/88435/dsp0176537427x
Title: Network Privacy and User Protection in the Internet of Things
Authors: Apthorpe, Noah
Advisors: Feamster, Nick
Contributors: Computer Science Department
Keywords: Computer networks; Human-computer interaction; Internet of things; Privacy; Security; Traffic analysis
Subjects: Computer science
Issue Date: 2020
Publisher: Princeton, NJ : Princeton University
Abstract: The proliferation of specialized Internet-connected consumer products, often called Internet of things (IoT) devices, presents unprecedented challenges for preserving user privacy. Some of these products, such as WiFi thermostats, replace conventional non-networked appliances. Others introduce new technologies, such as voice assistants, into users' daily lives. Many consumer IoT devices contain sensors that record users' activities in their living spaces and transmit information about these behaviors on the Internet. Understanding the social and technical privacy implications of consumer IoT devices is essential to informing the design and regulation of these technologies to protect users from inappropriate data collection and use. This dissertation employs human-computer interaction methods, technical vulnerability auditing, and Internet traffic analysis to study user experiences with consumer IoT devices and the privacy risks posed by these products. Interviews and surveys show that users face complex decisions when adopting consumer IoT devices, weighing convenience against privacy concerns and variable trust in device manufacturers. Consumer IoT devices also affect users' relationships, strengthening interpersonal connections while causing conflicts about device sharing and undesired surveillance. A new survey method based on the theory of contextual integrity enables further discovery of user privacy norms at scale and the comparison of privacy norms to IoT device behavior and privacy regulation. Network privacy audits of IoT children's toys flagged by the New Jersey Attorney General's Office reveal many vulnerabilities, including personally identifiable information in crash reports, data retention after deletion requests, and a lack of encryption and authentication. These vulnerabilities violate manufacturer privacy policies and the U.S. Children's Online Privacy Protection Act. 
Finally, metadata analysis shows that passive network eavesdroppers can infer private in-home activities from IoT Internet traffic even when devices use end-to-end transport layer encryption. This motivates the creation of a low-overhead traffic shaping algorithm, "stochastic traffic padding," that prevents eavesdroppers from distinguishing user activities from generated traffic patterns. These contributions advance our understanding of IoT privacy challenges, support the need for strong privacy defaults in consumer IoT products, and enhance the ability of researchers, manufacturers, and regulators to protect users from IoT privacy risks.
URI: http://arks.princeton.edu/ark:/88435/dsp0176537427x
Alternate format: The Mudd Manuscript Library retains one bound copy of each dissertation. Search for these copies in the library's main catalog: catalog.princeton.edu
Type of Material: Academic dissertations (Ph.D.)
Language: en
Appears in Collections: Computer Science

Files in This Item:
File | Description | Size | Format
Apthorpe_princeton_0181D_13364.pdf | | 63.92 MB | Adobe PDF


Items in Dataspace are protected by copyright, with all rights reserved, unless otherwise indicated.