NSF-Funded Project to Focus on Improving Security, Privacy of Smart Homes

Q&A with Denise Anthony

Professor of Health Management and Policy

With just a touch or a voice command, we can switch off the air conditioning in our homes from far away, ask a smart speaker to find out the side effects of a prescription drug, and check out our backyard video camera on our cell phone when we get an intruder alarm.

But for all the potential benefits of these smart internet of things (IoT) devices, security and privacy remain a challenge.

A team of researchers from seven universities including the University of Michigan will work together on a national research project to address the entire life cycle of security, privacy and usability challenges from the perspective of the everyday consumer in a residential setting.

Funded through a five-year, $10 million Frontier Award from the National Science Foundation, the project, "Security and Privacy in the Lifecycle of IoT for Consumer Environments" (SPLICE), is led by David Kotz from Dartmouth College. It includes researchers from Dartmouth, the University of Illinois, Johns Hopkins University, the University of Maryland, the University of Michigan, Morgan State University, and Tufts University.

Denise Anthony, professor of Health Management & Policy at the University of Michigan School of Public Health and incoming director of the Master of Health Informatics program, will be working on this project. She discussed its origins and potential impact. 

How did you become involved in this project?

I have been studying privacy and trust issues related to new technologies for many years, starting while I was on the faculty at Dartmouth. That is where I started working directly with computer scientists like David Kotz. He invited me to join the SPLICE team of mostly computer scientists in order to look at the sociological and relational issues related to information security and privacy in smart homes.

The Internet of Things includes everything from smart TVs and smart speakers to intelligent personal assistants like Amazon’s Alexa and Google Home. Technologies like this are increasing in our homes and they are always on, and always connected to the internet.

SPLICE is looking at security and privacy issues across the life cycle of these smart things in smart homes, to address three main questions: What are the new information security and privacy risks in these environments? How can we leverage technology to actually improve security and privacy among all stakeholders throughout the smart thing life cycle? And what practices and policies should be implemented to ensure people can enjoy living in a smart home that is also a trustworthy digital environment?

How is this different from the work other organizations have done around this issue?

When we think about the smart home, much of the focus of discussions and even of the research that's been done has focused on a standalone, owner-occupied house with a nuclear family living inside.

We are bringing a focus to issues of power and other social dynamics in thinking about smart devices in different kinds of households and residences. For example, if you think about public housing, you have residents, you have building managers, you have property owners and you have public agencies. Another example is senior living facilities where you have people in a residential setting, interacting with other residents and also others, like employees who are providing services, and possibly also health care personnel. 

The SPLICE project will help to understand the implications of smart devices for different types of actors in these different types of residences, such as renters, owners, building managers, and domestic workers. Another goal is also to ensure that smart homes, and all the smart devices in them, are secure and trustworthy for all the different needs of these different actors.

You're also addressing the product through its life cycle. What do you mean by that?

By life cycle we mean that we are thinking about smart devices for the home for everything from the design and development stage of the product or system, through the deployment and operation within the home, all the way to the time of disposal of the device or the transfer of the residence.

So in regular language that means the project is working to ensure that smart devices are designed and produced with security and privacy in mind; that they can be introduced into your home and operated in a way that is not only appropriate for their purpose, but also consistent with information security and privacy practices and expectations; and finally, to the time you move or replace a device that you can do so securely. 

Think about moving into a new apartment that includes a smart thermostat or smart lighting, or acquiring a new refrigerator that connects to the internet. How do you make sure it is set up and operates in a way that does not enable a hacker to gain access to your home network or to your private information? What happens when you move out of your home and somebody else moves in? How do you change over all of these devices? So thinking about the life cycle means considering security and privacy at each of these stages. 

What's SPLICE's goal?

Approximately 15 billion IoT devices are in use today, with projections that 300 million homes will have IoT devices and systems in the coming few years. Yet we have little clear understanding of the novel security and privacy risks that this emerging environment will produce because we haven't fully identified the social and human scope of the challenges nor developed the necessary tools or practices to address them. We seek to ensure that smart homes are trustworthy, by developing technologies and principles that enable their various owners and occupants to be confident and capable of securing their smart homes while protecting their privacy.

What does success look like? How do you know you will have reached your goal?

As the number of smart devices in and around a home grows, understanding which devices are present and what information is flowing to and from them will become increasingly important and challenging, so SPLICE will work on that technical problem, while also studying the perceptions and behavior of multiple actors across different types of smart homes. That research will enable us to create tools that are understandable and usable by consumers and other stakeholders to ensure smart homes are secure and preserve privacy. We will also work with industry and other stakeholders like standards bodies and regulators to inform principles for best practices for the design and development of smart things.

How does this relate to your role in public health?

People use their phones, wearable devices like Fitbits, and even virtual assistant tools like Alexa to care for their health and well-being. Others have internet-enabled medical devices like glucose monitors. And even before the COVID-19 pandemic, services like telehealth - use of technology to synchronously or asynchronously connect with clinicians or clinical health information - were expanding. But the pandemic has led to the rapid expansion of telehealth and virtual health services, not only from patients’ homes but also from health care providers’ homes.

Suddenly we need to consider not only important issues of accessibility for these services such as availability of broadband, but also the implications of telehealth and other health-related activities occurring in an environment of multiple always-connected, always-listening devices in a smart home. Of course these interconnected devices, apps and tools create benefits, but they also have real risks such as hacking or unintended interactions that can interfere with the secure functioning of these devices and apps. We also have to consider privacy -- who has access to the data flowing in a smart home environment where a telehealth visit might occur? Is it Google or Amazon? What can they or others do with the data? Can we design tools to better preserve privacy? These are questions not only about the transmission principles governed by laws and policies, but they also are questions of technology design and deployment that SPLICE will address.