Impact of GDPR on Data Sharing Behavior of Smart Home Users

IMPACT OF GDPR ON DATA

SHARING BEHAVIOR OF

SMART HOME USERS:

A study on self-disclosure, IoT privacy and consumer trust

by Victor Dahl & Marco Österlin

Information Architects (TGIAA) at Malmö University Submitted: June 04, 2020

Bachelor Thesis in Computer and Information Science, 15 hp Malmö University Spring 2020

Supervisor: Joseph Bugeja - joseph.bugeja@mau.se

Examiner: Victor Kebande – victor.kebande@mau.se

Bachelor Thesis in Computer and Information Science, 15 hp Malmö University Spring 2020

Supervisor: Joseph Bugeja - joseph.bugeja@mau.se

Abstract

The number of connected Internet of Things devices are expected to surpass 30 billion in 2020. The unprecedented levels of personal data sharing are drastically increasing the complexity of privacy challenges. This kindled efforts such as the General Data Protection Regulation (GDPR), that came into effect in May 2018 to establish user data rights. These new user data rights have had a considerable impact both for the users, and the data controllers & third-parties that are liable to effectuate the new requirements, such as privacy-by-design and explicit consent. In this thesis, we explore this impact of the GDPR, specifically on self-disclosure of personal data through smart home devices, in order to gain insights for smart home practitioners. In doing so, we specifically want to answer two research questions. Our first research question helps us understand opinions and attitudes, specifically those of Swedish residents. An online survey helps us understand their willingness and fears of adopting smart home devices. In our second research question, we apply a semi-Systematic Literature Review to study how the GDPR has influenced self-disclosure through smart home devices, and which factors have had the most significant effect on its users. The survey (n=131) showed that while trust towards data controllers is the cumulatively highest priority of users, consistent product & service quality was more likely to be the first priority (28%). Some users are struggling to find usefulness for smart home devices, so the perceived benefit is currently mainly exceeding the cost and perceived risk for lead adopters. Since the GDPR came into effect, we have seen a raise in user awareness and perceived control. Notably, this led to increased skepticism towards smart home devices. The literature review showed promise in systems to help negotiate and suggest privacy preferences between users and data controllers. We also found an exacerbation of the concern for information privacy and that trust is a major factor for users when deciding to adopt smart home devices. We conclude that there are some factors that are more important than others, as well as provide insights for smart home practitioners on future venues for research and prototyping.

Keywords: GDPR, Smart Home, IoT, Data sharing behavior, Consumer trust, IoT Adoption

Definitions

Data Controller

A data controller is any entity that processes personal data, such as manufacturers and service providers. Usually, the same company that manufactures and sells the device. The data controller sends data requests for user consent to use their personal data.

Disclosure

Data- or self-disclosure is the voluntary sharing of information. In the context of this thesis, said data is personally identifiable information or anonymized data alike. In this thesis, we use data disclosure, self-disclosure and data sharing interchangeably.

Data Subject / User

A user (called data subject by the GDPR) is any individual whose data is protected by the GDPR. Both terms are used interchangeably throughout the thesis. While not all consumers are users, all users belong to the consumer population.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation is an effort to modernize and unify the European Data Protection Directive from 1995 by implementing fundamental rights to protect European residents personal data, and to create fundamental practices aimed towards service providers for protection of personal data.

Personal Data

Personal data are defined as any type or combination of information that identify a living person such as names and social security numbers.

Smart home device

A hardware unit which usually is connected to the Internet e.g., for measuring and optimizing energy consumption, security, entertainment, health, or automation purposes.

Smart home practitioner

A smart home practitioner can be either a data controller, a third party or an academic researcher, whose main field of work is that of smart home technology.

Third-Party

A Third-party (called Data Processor by the GDPR) is an external entity, who processes personal data on the behalf of the data controller. Often this is to offer services in the form of mobile apps, to communicate with and control devices in your home.

TABLE OF CONTENTS

Introduction... 1 1.1. Background ... 1 1.2. Statement of Problem ... 2 1.3. Research Questions ... 2 1.4. Thesis Structure ... 2 Theoretical Foundation ... 3

2.1. The Concept of Privacy ... 3

2.2. The GDPR ... 5

2.3. The Smart Home ... 7

2.4. Related work ... 8

Method ... 10

3.1. Survey ... 10

3.2. Semi-Systematic Literature Review ... 13

3.3. Ethical considerations ... 17

Results ... 18

4.1. Survey Results ... 18

4.2. Semi-Systematic Literature Review Result ... 26

Analysis & Discussion ... 32

5.1. Survey ... 32

5.2. Semi-Systematic Literature Review ... 35

Conclusion ... 40

References ... 42

Appendix 1 – Survey ... 47

LIST OF TABLES

Table 1. Survey time plan ... 11

Table 2. Keyword definitions ... 15

Table 3. User qualitative optional response ... 25

Table 4. Search results ... 26

Table 5. Final articles after semi-Systematic Literature Review ... 27

Table 6. Concept matrix from semi-Systematic Literature Review ... 28

Table 7. Quantitative representation of the 7-point scale evaluation... 29

Table 8. Measured Smartphone permission allowance... 30

LIST OF FIGURES

Figure 1. The relationship between Smart Home and Connected Home ... 7

Figure 2. Smart home household penetration comparison ... 8

Figure 3. Respondent demography ... 18

Figure 4. Respondent gender ... 19

Figure 5. Respondent income ... 19

Figure 6. Respondent education ... 20

Figure 7. Respondent field of work ... 20

Figure 8. Survey Likert question 1 ... 21

Figure 9. Survey Likert question 2 ... 21

Figure 10. Survey Likert question 3... 22

Figure 11. Survey Likert question 4... 22

Figure 12. Survey Likert question 5... 23

Figure 13. Survey Likert question 6... 23

Figure 14. Survey multiple-choice 1 ... 24

Figure 15. Survey multiple-choice 2 ... 24

Figure 16. Survey multiple-choice 3 ... 25

Figure 17. Flow chart of sSLR inclusion/exclusion process ... 27

Figure 18.Consent to the GDPR permission entity types ... 31

Figure 19. Comparison of age groups between our and Statista’s results ... 32

Figure 20. Comparison of genders between our and Statista’s results ... 33

1

Introduction

The number of connected Internet of Things devices are expected to surpass 30 billion in 2020 (Statista, 2020). Meanwhile, the developers and providers of smart home devices and services are struggling to be compliant with the GDPR. According to a survey by Capgemini (2019), only 28 % of all organizations believed themselves to be compliant to the GDPR, and therefore the remaining 72 % are at risk of fines as well as of not fulfilling the expectations of their users. In this thesis, we study the response to, and impact of the GDPR, as suggested by Zheng et al. (2018), specifically in the context of smart homes.

In our first research question, we ask Swedish residents directly about their opinions and views on smart home technology. Then, in our second research question, we describe key concepts and recurring themes of interest on the impact on self-disclosure through a semi-Systematic Literature Review. Our contributions are directed at smart home practitioners, namely researchers of smart home technologies, paradigms, security- and privacy concepts. However, the results could also be of interest for regulators as well.

1.1. Background

In the early 2000s, IoT was in its infancy. As mentioned in the introduction it is now predicted that in 2020 the number of connected devices will surpass 30 billion and that figure is further projected to more than double in the following 5 years (Statista. 2020). This kindled a response from the EU, and in May 2018 the GDPR came into effect to increase the user rights of residents within the EU. Despite their prevalence, IoT devices continue to be ripe targets for threat agents according to Symantec (2018 & 2019). Between 2016-17 the overall IoT attacks saw a six-fold increased and in 2018 a “living off the land” trend was identified (Symantec. 2018; Symantec. 2019). These “living off the land” attacks use off-the-shelf software to enable threat agents to perform attacks otherwise well beyond their capabilities. The motivation behind these attacks is therefore changing, from thieves motivated by personal gain or hackers motivated by curiosity (Bugeja et al. 2017) to that of script-kiddies; whose prime aim is to cause chaos or simply have fun. The increasing numbers, functionalities and ubiquitousness of IoT devices are clearly exacerbating the concern for, and need of, firstly, integrity and security for the identified top targets (routers and connected cameras according to Symantec. 2019), and secondly, privacy management for round-the-clock tracking services (such as fitness trackers and smartphones.)

Through related work and data collection we confirm that there is a significant research gap focusing on the impacts of key factors and concepts in the intersection of IoT and privacy. These factors and concepts could e.g. include (i) consumer trust, (ii) privacy awareness, (iii) priorities during adoption of new devices, (iv) self-disclosure and (v) consent and permissions. Furthermore, Zheng et al. (2018) states that follow-up studies need to be conducted after a longer period after this type of legislation has taken effect. The GDPR requires that all services be developed in accordance with the privacy-by-default principles. The GDPR adaptation of these principles are recited in the 25th _{article called “Data}

2

protection by design and by default” which states that, by default, technical and organizational measures must ensure that no more personal data which is necessary are processed (Eur-lex.europa.eu, 2016). Features designed to protect the user, e.g. by increasing the user control over data has been shown to both raise user awareness and increase trust, notably, this leads to increased sharing and consequently exacerbating the risks of the users (Brandimarte et al., 2013).

1.2. Statement of Problem

The problem to be addressed in this thesis is determining which effects GDPR has had on smart home solutions, especially in regard to the opinions and experiences of Swedish residents and privacy & security of smart home user’s data. Our main contributions lie within identifying and better understanding key factors and concepts to provide insights for smart home practitioners.

1.3. Research Questions

- RQ1. How has the GDPR influenced the opinions and adoption of smart home solutions of Swedish residents?

- RQ2. How has the GDPR impacted self-disclosure of personal data of smart home users?

There are several reasons why we focus on Swedish residents in our first research question and primary study. As discussed later in the section The Smart Home, Sweden is in the forefront of smart home household penetration. It was also necessary to limit the scope of our survey (primary data collection) to fit within the timeframe for this thesis. Finding the answer to this question for Swedish residents and comparing it to the findings of one of our related work can help us to discuss if our findings are also generalizable. The second research question pertains more to the general behavioral psychology of disclosing personal data thought smart home devices, such as trust and awareness. Due to the scope and timeframe of this thesis we found it appropriate to look for answers in existing studies, with this semi-Systematic Literature Review (secondary data collection). It is important to understand what these factors mean both for the individual and the data controller. Our contributions to the body of knowledge regarding the effects of the GDPR in the context of smart home and privacy provides insights for smart home practitioners on future venues for research and prototyping.

1.4. Thesis Structure

This thesis is structured as follows, section 2. Theoretical Foundation describes concepts and definitions upon which our research is built, to get a shared taxonomy with the reader. Section ‘3.Method’ defines our survey as well as our semi-Systematic Literature Review. Section ‘4. Result’ presents our research results. In Section ‘5. Analysis & Discussion’ we discuss why the findings are interesting, why they are significant, and we also present our own interpretations and ideas about our analysis and our findings. Finally, Section ‘6. Conclusion’ summarizes and contextualizes our main contributions.

3

Theoretical Foundation

In the following sections we explain and define the concepts that constitutes the principal subjects of this thesis. It gives further insight into privacy, the GDPR and smart home technology with the purpose of providing a theoretical background. This facilitates and assists with the further reading and to prevents ambiguity of interpretations.

2.1. The Concept of Privacy

The general definition of privacy has according to Smith et al. (2011) been difficult to define and it has been researched for many decades within many disciplines in social sciences. Legal and social scholars have made efforts to construct the definition of privacy, but the result has been vague as the concepts have not been fully developed nor validated empirically (Smith et al., 2011). Solove (2006) states that the concept of privacy is in disarray and is too vague to be used to e.g. guide lawmaking. Dowding (2011) confirms in “Privacy: Defending an Illusion” the difficulty to define privacy that Smith et al. (2011) and Solove (2006) express. Dowding’s (2011) reasoning behind the difficulty to define privacy is that the latest information and communication technologies have disrupted what is considered to be public or private.

Smith et al. (2011) summarized scholars’ publications regarding the general definition of privacy into two Value-Based and two Cognate-Based definitions (Smith et al., 2011). Smith et al.’s (2011) work regarding privacy was found to be the foundation in numerous research articles, such as the work of Pavlou (2011) and Pardo & Siemens (2014). We decided it to be relevant to our research approach and something we could build upon. In comparison to the four definitions presented by Smith et al. (2011), Dowding (2011) classified privacy into four different definitions: (i) bodily-, (ii) territorial-, (iii) information-, and (iv) communications privacy. Falling under the headers of the Cognate-Based and Bodily and Territorial Privacy, as described by Smith et al. (2011) and Dowding (2011) respectively, are definitions outside the scope of this thesis. We therefore exclude them, as the Value-Based, information-, and communications privacy definitions are more suitable within the context of data disclosure. In the following sections, these definitions are described more in detail.

2.1.1.

Value-Based definitions

The first of the value-based definitions is the General Privacy as a Right. According to Smith et al. (2011), it was not until the 20th century that general privacy was protected as a right by the courts in the United States and has been seen as a developing right in the United States law. In the article “The Right to Privacy” published by Harvard Law Review in 1890, Samuel Warren & Louis Brandeis defines privacy as “the right to be let alone” (Warren & Brandeis, 1890). Furthermore, Warren & Brandeis definition emphasizes on the purpose to protect an individual’s private life e.g. protecting individuals from having private information such as habits and relations shared if it is not in public interest (Warren & Brandeis, 1890).

4

The second value-based definition is Privacy as a Commodity. Smith et al. (2011) states that there are libertarian political scientists who think that Privacy is subject to cost-benefit analysis and trade-off. Julie Cohen (2001) argues in the article “Privacy, Ideology, and Technology: A Response to Jeffrey Rosen” that technology is displacing the term privacy and can no longer be taken for granted. Furthermore, the profit-driven pursuit of personal data caused by the redesign of information technologies has affected the understanding and experience of privacy (Cohen, 2001). Privacy as a commodity revolves around the concept that individuals let themselves be economic subjects by e.g. exchanging their personal data for perceived benefits which can be used for personalized marketing (Bennett, 1995).

2.1.2.

Cognate-Based definitions

The first cognate-based definition is General Privacy as a state, which was introduced by Alan Westin in 1967 where the author defined privacy via the four substates Intimacy, reserve, solitude, and anonymity (cited in Smith et al., 2011). Scholars within disciplines such as marketing, information systems, and economics have narrowed down this type of definitions to address information based issues which resulted in that “State of limited access” was translated to “State of limited access to information” (Smith et al., 2011).

The second cognate-based definition is General Privacy as Control. This definition was derived from theories of general privacy developed by Alan Westin and Irwin Altman (Smith et al., 2011). Altman defined general privacy as “The selective control of access to the self” (Altman 1975, cited in Smith et al., 2011). The definition has since been evolved e.g. Laufer and Wolfe formed the concept of control to be a variable that mediates in the entity of general privacy by stating that an individual’s experience, perception, or exercise of control does not necessarily means it is being applied to a general privacy situation (Laufer & Wolfe 1977, as cited in Smith et al., 2011).

2.1.3.

Bodily & Territorial Privacy definitions

Dowding (2011) defines bodily privacy as the concern to protect people from physical invasive procedures such as body cavity searches, drug, and genetic testing. Whereas Territorial Privacy is concerns related to the setting of limits on intrusion into environments people are exposed to in either workplace, public space, or their home e.g. Video surveillance.

2.1.4.

Information & Communications Privacy

definitions

Just like Smith et al. (2011), Dowding (2011) also defines information privacy on the article “The right to privacy” and the quote “The right to be let alone” made by Warren & Brandeis (1890), which was mentioned in the Value-Based privacy definition. Communications Privacy relates to the privacy and security concerns which can be found in analog and digital means of communication, such as e-mail, e-mail, and telephone calls (Dowding, 2011). The definitions of privacy presented by Smith et al. (2011) is based more on philosophical work than Dowding (2011). However, Dowding’s (2011) definitions of privacy is defined by

5

combining real-world application and the work of scholars such as Warren & Brandeis (1890). Furthermore, Dowding (2011) mentions that since the second world war there has been a data explosion caused by technological advancements, which substantially increased the amount of data collected, distributed, used, and abused in unpredicted ways. Dowding (2011) states that we now live in a different era and that the ways to interpret privacy has changed due to the advancements made in Information technology. Dowding (2011) further elaborates on this topic to conclude that we now live in an information economy.

In this thesis, we approach data privacy by the value-based- and information & communications privacy definitions as presented by Smith et al. (2011) and Dowding (2011) respectively. The increased privacy concerns and awareness caused by the fast-paced progression of technology, such as the Cambridge Analytica-Facebook scandal, further motivates our decision to adopt these definitions.

In the limelight of the scandal and the commoditization of data, privacy has gained interest from residents in the European Union due to the introduction of the GDPR which is presented in the next section.

2.2. The GDPR

The General Data Protection Regulation (GDPR) took effect on the 25th _{of May} 2018 and replaced the old European Data Protection Directive (DPD) from 1995 (Eur-lex.europa.eu, 1995). In Sweden, the GDPR replaced Personuppgiftslagen (PUL) from 1998 (Datainspektionen, n.d.E). The objective of the GDPR is to (i) replace DPD with adaptions to technological developments, (ii) protect European resident’s personal data, (iii) to enforce data protection practices of data controllers, and (iv) unify legislation across the EU (Datainspektionen, n.d.A). The GDPR is enforced by the EU even on companies based outside EU if they process data of European residents. For example, the Ring company1 _doorbell that is owned by Amazon and Google’s home automation system called ‘Home’2 are both based outside of EU, sold in European electronic markets, and thus affected by the GDPR.

As the thesis focuses on personal data and the data subject’s data sharing behavior it is important to understand the foundational changes the GDPR brought to the European residents and data controllers.

1 _{https://se-en.ring.com/}

6

In the following lists we briefly mention the eight rights of data subjects and the seven fundamental principles that data controllers need to abide by (Datainspektionen, n.d.B: Datainspektionen, n.d.C). However, in this thesis we tangent mainly on the data rights as well as the fundamental principles mentioned below.

The right to be informed: Data subjects have the right to be informed if their personal data is processed by an entity.

The right to restrict processing: Data subjects can request that the processing of their data is flagged, this puts a limitation on the cases in which the entity is able to utilize the subject’s personal data.

The right to object: Data subjects have in some cases the right to object that their personal data is used for data processing.

The following list declares the fundamental principles of the GDPR related to data controllers (Datainspektionen, n.d.C):

Purpose Limitation: The purpose of personal data collection is not allowed to be stated in a vague or imprecise way and therefore, needs to be specific and concrete.

Data Minimization: Data controllers are not allowed according to the GDPR to process more personal data than necessary.

Storage Limitation: The storage of personal data is limited based on the stated purpose.

Integrity & Confidentiality: The Data controllers need to ensure that the personal data is well protected.

Accountability: Data controllers have the responsibility to be able to demonstrate how they work towards compliance.

In combination with Privacy and the GDPR, as discussed in the previous sections, the last principal subject of this thesis is the smart home, which is presented next.

7

2.3. The Smart Home

The smart home consists of both hardware nodes and services. The hardware nodes are devices that are either directly or indirectly are networked and connected to the Internet, in combination with services they enable varying degrees of home automation (Bugeja et al., 2018c). Through the convergence of a wide array of technologies such as sensors, actuators, gateways/hubs cloud services and smart objects, integration platforms and communication protocols & models, IoT can e.g. be used in service categories such as: energy, entertainment, health care and security (Bugeja et al. 2018c). The smart home ecosystem is often connected through a local networking hub, although this is not always the case. Smart home hubs can provide unification by allowing control of devices from different manufacturers, architectures and purposes to be controlled from one app, as well as to serve as a firewall to provide control of which device is allowed what degree of online communications (Bugeja et al. 2018c).

In this thesis we use smart home, connected home, smart connected home, and IoT interchangeably.

2.3.1.

The types of homes

Another distinction to be made are the three types of homes: smart home, connected home and smart connected home (Bugeja et al., 2018c). Smart home implies the operation of, e.g. lighting and windows, locally without Internet connectivity. The connected home includes remote control (often interfaced through a smartphone) of appliances as those used for security. The smart connected home joins the capabilities of both smart and connected homes and can add other communicative and service functionality as well (Bugeja et al., 2018c). In this thesis we adopt the definition and description of Smart Connected Homes as described by (Bugeja et al., 2018c) and we use this interchangeably with IoT.

Figure 1. The relationship between Smart Home and Connected Home as described by Bugeja et al. (2018c)

8

2.3.2.

Smart home household penetration

In the early 2000s, IoT was in its infancy. It is now predicted that in 2020 the number of connected devices will surpass 30 billion and that figure is further projected to more than double in the following 5 years (Statista, 2020). Comparing household penetration globally places Sweden as one of the forerunners in adopting the transition to smart home technology, with 28.5 % in 2020 only barely lagging behind the US and Norway with 32.4% and 35.4% respectively (Statista, 2019). The next two countries (to form the top 5) are according to the same source Denmark and South Korea. With the great degree of adoption this arguably makes Sweden an excellent country for smart home related research.

Figure 2. Smart home household penetration comparison. Sweden is the top third country in the world in terms of market penetration of smart home devices, making it an excellent place to do

smart home research.

2.4. Related work

In this section we explore previous research related to our research.

Presthus & Sørum (2019) examined in “Consumer perspectives on information privacy following the implementation of the GDPR to what extent the GDPR’s implementation affected Norwegian consumers' concerns for information privacy. Presthus & Sørum (2019) conducted two surveys, one prior to the implementation of GDPR and the second one shortly after the GDPR took effect to be able to identify the impacts caused by the GDPR. The survey results showed that the consumers increased their awareness of information privacy, there was a low interest to exercise the new data rights, and approximately half of the respondents felt they had control of their personal data. However, a recurring issue in the surveys revolved around consumers' trust in companies that manage personal data (Presthus & Sørum, 2019). Our first research question built upon this work and our survey is partially inspired from theirs.

9

Guhr et al. (2020) explored to what extent users' information privacy concerns impact their intended Smart home service usage in “Privacy concerns in the Smart Home context”. The study emphasized on the significant role that addressing privacy concerns as they may impact the intended use of Smart home services. Furthermore, Guhr et al. (2020) found that there is a negative relationship between privacy concerns and the intentions to adopt or use smart home services. Guhr et al. (2020) states that future research should focus on the regulatory aspect, and investigate if regulations such as the GDPR may build trust among users to protect their personal data, and if this type of initiatives reduces users’ concerns about using smart home devices (Guhr et al., 2020). This has greatly inspired both research questions of this thesis and is one of the main questions we aimed to answer.

In “User Perceptions of Smart Home IoT Privacy” Zheng et al. (2018) examined consumers motives behind purchases of IoT devices, Consumers perception of privacy risks in relation to smart home, and if the consumers have taken any measures to protect their privacy. Zheng et al. (2018) conducted eleven semi-structured interviews and found that consumers let convenience and connectedness influence their privacy decisions e.g. when dealing with entities such as a device manufacturer. Furthermore, perceived benefits are influencing the consumers opinion about an entity collecting their smart home data. Consumers does not verify if the device manufacturer protects their privacy although they trust the manufacturer, and consumers were unfamiliar with privacy risks related to machine learning algorithms potential to draw conclusions based on collected data (Zheng et al., 2018). As future work Zheng et al. (2018) mentions that it remains to be seen if the GDPR and other legislations will have any significant impacts on consumers' doubts regarding IoT devices privacy or the data collection practices of IoT devices. Zheng et al. (2018) states that follow-up studies need to be conducted after a longer period after this type of legislation has taken effect. Their future-work section states that studies need to be conducted to identify the consequences that came along with the GDPR over a longer period of time due to the extensive changes to data privacy that was introduced, which is one of our goals.

Cho et al. (2019) examined the decision making of social media users’ in “Of promoting networking and protecting privacy: Effects of defaults and regulatory focus on social media users’ preference settings”. The authors conducted two empirical studies, which emphasized on the default settings and regulatory focus as factors. The study sought to understand the mentioned factors' impact on the users’ when using privacy-oriented settings (Cho et al., 2019). The results showed that when users were given privacy-oriented settings as default, the choices that they made were also privacy-oriented e.g. restrict access to their profiles. Contrarily, when users were given share-by-default settings they were more likely to be more approving of higher levels of access (Cho et al., 2019). To the best of our knowledge, no studies have answered our first research question in a Swedish context, and no studies on neither research question have been focusing on smart homes.

10

Method

The previous section provided a background in privacy, the GDPR and smart home. In the following sections the research activities that were chosen are introduced and motivated. We designed one data collection method per research question that we want to answer: an online survey (primary study) followed by a semi-Systematic Literature Review (secondary study). It concludes with a method discussion for each and overall ethical considerations.

Computer science is a discipline overlapping its precursors mathematics and engineering, resulting in it suffering from a “lack of identity”, Demeyer (2011). This overlap has yet to get established research methods leading to computer science research often borrowing approaches from other fields (Hassani 2017). Software engineering especially has suffered from this as it often requires consideration of psychological factors like group dynamics resulting in research methods being borrowed from psychology as described by Demeyer (2011) and Hassani (2017). From its predecessor, computer science has according to Hassani (2017) inherited a primarily positivistic research paradigm, prompting investigative, objective, and generalizing approaches. This has influenced the decisions and motivations behind the methods in the following sections.

3.1. Survey

For our first method, since this thesis has a clear focus on the user's perspective, designing a method to gather data directly from the users is an obvious choice. Our scope and limitations compels us to choose a method that is easy and labor-cheap to create and manage, is easy and free to deliver, allows anonymity in responses and is time efficient, all of which describes an online survey as described by Balch (2010). This online survey would collect mainly quantitative data to give us indications towards understanding our subjects' adoption and trust process in the context of smart home devices and services.

- RQ1. How has the GDPR influenced the opinions and adoption of smart home solutions of Swedish residents?

The survey was conducted using Google Forms1 _{as it is free and familiar to the} authors. The potential responses and an analysis plan were designed and developed to make sure that we knew what to do with the results and how to do it. We then asked for feedback from our supervisor to make sure the survey questions were valid and collected the data that we intended. Before we published the survey we performed a pilot test (n=6) where we (i) looked for variability in responses, (ii) that we generated the type of data that was needed, and (iii) requested direct feedback from the respondents that the questions were clearly worded. As recommended by Tullis & Albert (2017) we aimed for 50-100 respondents that were Swedish residents.

The survey is available in Appendix 1.

11

3.1.1.

Survey Process

In this section we describe the process we used to design and perform our online survey. The whole process was planned to take 6 weeks. The first two weeks were for planning the survey, designing the survey, and performing pilot tests. The survey was to be left online for 21 days due to our timeframe and planning. During the last week we would close the survey for further responses and extract the results into figures and describe the figures. Analysis was performed the week following the data collection of the semi-Systematic Literature Review.

Table 1. Survey time plan. This process/timeline table of our survey shows how we planned to perform the data collection for our first research question and method. The survey is available in

Appendix 1.

3.1.2.

Survey design

The instrument of data collection used in our survey is an online survey form by Google with both qualitative and quantitative questions. The survey design and structure were based of Briony Oates (2006) book “Researching Information Systems and Computing”. This book is deemed to be one of the most important resources for research methods in the context of information system and computing according to Richardson (2006) and is widely adopted at many universities around the world (Advance HE, 2008). For the question design we included the work of several scholars to have a variety of perspectives and guidelines when constructing the questions used in the survey.

Planned start Action type Action description

24/02/2020 Develop

1. Decide what data types we need to collect 2. Design Survey Questions and potential responses according to the data needed.

3. Devise a plan on how the potential responses should be analyzed.

3. Verify that the Survey Questions are clearly worded, reliable, valid, and consistent; (Discussed with our supervisor then Updated using feedback)

02/03/2020 Develop

5.a. Pilot test study (n=6)

5.b. ask for feedback (consistency, phrasing, clarity)

5.c. Verify that generated data (is valid, is actionable, has good variability, has sufficient depth)

5.d. Perform any necessary changes & launch main data collection strategy from feedback 09/03/2020 Collect data 6. Publish survey

16/03/2020 Collect data 7. Spread survey to potential respondents 23/03/2020 Collect data 7. Spread survey to potential respondents 30/03/2020 Extract results 8. Close survey and extract results

12

Oates (2006) and Hyman & Sierra (2016) states that the layout and structure of the survey needs to be attractive and that the layout should be clear, adequate font size is used, and the use of white space is considered. Furthermore, Oates (2006) mentions that the survey’s length needs to be taken into consideration as there is a risk that the survey is either too long or too short. This may lead to that the research question is not answered or that respondents lose interest in the survey (Oates, 2006). According to Oates (2006) a survey needs to include an introduction and in combination with Oates (2006) statement that by having a variety of question types, may help to keep the respondents’ interest in the survey. Therefore, we decided to use both Likert scale statements and Multiple-choice questions.

We based the survey structure on Oates (2006) recommendations which led to the 5 sections below:

1. Introduction 2. Demography 3. Likert

4. Multiple-choice questions 5. Feedback

The first section introduced respondents to the survey and presented the subject and defined the keywords, Smart home device, Smart home service provider, Personal data, and the GDPR.

In the second section respondents answered demography questions such as age and gender. Demography is collected to show that our respondents come from varied backgrounds and belong to the intended target audience. If someone is not comfortable sharing this information there is an ‘Prefer not to answer’ option on all the demography questions. The intervals used for age and gender derived from Statista’s smart home survey (Statista, 2019) to allow direct comparison and serve as a surface to discuss the reliability and validity of this study. Furthermore, monthly income interval’s and the highest level of educational attainment used in the survey were gathered from the research article “Privacy concerns in the smart home context” and then adapted to Swedish standards by using e.g. SEK instead of Euro (Guhr et al., 2020). The branch of industry options was taken from Malmö University’s website and missing industries such as heavy industry & manufacturing and Retail, customer service & restaurant were added after feedback from the pilot test.

In the third section we used a five-point Likert scale as laid out by Boone & Boone (2012). The purpose of the Likert scale statements was to measure respondents' attitudes and behaviors (Ignacz, 2019) regarding the GDPR and smart home devices.

The fourth section in the survey utilized multiple-choice questions to get information on specific aspects of respondents' thought process in regard to the GDPR and smart home devices, while the short answer ones are there to catch any qualitative feedback the respondents might have.

The feedback section was used to gather information where respondents had anything other than the statements and questions they wanted to comment and through this we early caught on to any mistakes or misconceptions that needed clarification.

13

3.1.3.

Method discussion

There is a clear risk of basing a study mainly on the first to third degree contacts of the authors. By comparing our results to other sources, we can prove that the variability in the responses are equal or similar to the data collected in other studies.

In the planning stage of the survey we took the GDPR into consideration due to the sensitive nature of the demography data we collected, although it was not required. Recital 26 in the GDPR states that the GDPR applies to any data that regards an identifiable person or combinations of data that may identify a natural person (Eur-lex.europa.eu, 2016). We removed the requirement that would force respondents to log into their personal Google account to participate in the survey. Therefore, all data collected in the survey was anonymous and could not be traced back to any individual.

Our first intentions were to use a four scale interval where the neutral alternative is removed as it is generally will make a significant difference as it may attract respondents who are ambivalent about the other presented alternatives (Bishop, 1987). Therefore, we decided against it, as the GDPR and data privacy are complex subjects and respondents may not have a well-founded opinion regarding the subject. Bandalos & Enders (1996) found that reliability increases by the amount of scale points and benefits the most with a 5- or 7-point scale. According to Tullis & Albert (2017) the main drawback of this method is that the data you can collect is limited. We also acknowledge that there are disadvantages of online surveys, like bias of respondents and that poor design of quality and asking the wrong questions can impact the end quality of the results.

3.2. Semi-Systematic Literature Review

A Systematic Literature Review (Kitchenham, 2007; Petticrew & Roberts, 2005) is a strong form of evidence that uses a strict methodological framework to answer defined research questions. The benefits of which are objectivity, transparency, and replicability. For our purposes, these guidelines are excessively long and complex. This led us to design and appropriate a simplified version with inspiration from the Systematic Literature Review as described by Kitchenham (2007), Petticrew & Roberts (2005) and Silva & Neiva (2016). Our approach is a semi-Systematic Literature Review that is more efficient and less exacting than the strict methodological framework than a Systematic Literature Review, yet more transparent, replicable, and exhaustive than a literature analysis.

- RQ2. How has the GDPR impacted self-disclosure of personal data of smart home users?

14

SLR research questions should be framed using the PICOC (Population, Intervention, Comparison, Outcome, Context) criteria (Silva & Neiva, 2016. Petticrew & Roberts, 2008):

• Population: consumers / end users • Intervention: the GDPR

• Comparison: DPD (predecessor to the GDPR)

• Outcomes: Summary of challenges and opportunities of the collection and sharing of personal data

• Context: Personal IoT and Smart Home industry

3.2.1.

Process

The process is appropriated from that which is described by Kitchenham (2007), Silva & Neiva (2016) and Petticrew & Roberts (2008. The articles that qualify the inclusion criteria will get collected. From there, the available data points from the search results are extracted to a database.

1. Framing the research question: Frame the research question and the scope using PICOC (above).

2. Define keywords: List the interesting keywords found in the research question.

3. Search engine and string: Using the keywords, build a search engine query.

4. Data Collection:

a. Pre-processing: Search results from online sources were filtered using inclusion/exclusion criteria available in search engine filters. Citation lists were downloaded for review.

b. First stage: We analyzed the paper titles and abstracts in the citation lists and marked them for inclusion and exclusion in the study.

c. Second stage: Articles marked ‘Included’ were downloaded and duplicates were removed. The introduction and conclusion were read by to gauge their relevance to our research.

5. Extract Result: For each article, a researcher extracted findings and answers.

6. Synthesize & Analyze: Both researchers analyzed, discussed, and disseminated the answers.

15

3.2.2.

Keywords

Keywords are found by breaking down the research question into its root forms. Table 2. Keyword definitions. This list of keywords was extracted from the research question and

PICOC and was used to create the search string. Keyword Definition (source)

General Data Protection

Regulation (GDPR)

A regulation passed by the EU to replace the preceding Data Protection Directive. It increased the data rights of all data subjects within the jurisdiction of the EU.

Smart Home

May denote any kind of residence (e.g., apartment, cottage, and rented living space), which involves information and communication technologies allowing for remote control, monitoring, and access (Balta-Ozkan et al., 2013 as cited in Bugeja et al, 2017).

Internet of Things (IoT)

Umbrella term for everyday objects that can be connected to the Internet. Classified by Bugeja et al. (2018) into Energy and resource management, Entertainment, Health and wellness, networking and utility, Human-machine utilities, household appliances and kitchen aids, security & safety and finally sensors.

Privacy “The right to be let alone” (Warren & Brandeis, 1890). Challenge Challenges the Smart home industry is facing.

Impact A significant effect of one thing to another.

3.2.3.

Search Engines and Strings

Brereton (Cited in Kitchenham, 2007. p.17) identified the following seven electronic databases during an exhaustive search for sources of relevance in computer science:

● IEEE Xplore ieeexplore.ieee.org/

● Scopus scopus.com

● ScienceDirect sciencedirect.com

● Springer link.springer.com/

● Association for Computing Machinery dl.acm.org/

● Google scholar scholar.google.com

● Compendex engineeringvillage.com

The search string used to find the articles for our systematic literature review was created by assembling the keywords previously shown in section 3.2.2, and in some cases their closest synonyms, into one string.

(GDPR OR Regulation) AND (IOT OR Internet of things OR Smart home) AND (Challenge OR Challenges OR Question) AND (Impact OR Affect) AND (Privacy OR Integrity)

16

3.2.4.

Data Collection

Search Engine Filters

The following criteria was inspired from Kitchenham (2007. P.19) and used directly in the search engine filters to remove out of scope articles.

• Years: 2016-YTD

• Article/content type: Research articles • Journals

o Science Direct

▪ Computer Law & Security Review ▪ Future Generation Computer Systems ▪ Procedia Computer Science

▪ Telecommunications Policy ▪ Computers in Human Behavior o ACM

▪ ACM Transactions on Human-Computer Interaction ▪ Proceedings of the ACM on Human-Computer Interaction ▪ Proceedings of the ACM on Interactive, Mobile, Wearable

and Ubiquitous Technologies

▪ Journal of Data and Information Quality ▪ ACM Transactions on Internet Technology ▪ ACM Transactions on Cyber-Physical Systems ▪

o Other

▪ All journals included because of low volume Inclusion criteria

• Study is of high quality: Peer reviewed and from renowned sources. • Article was submitted at the earliest in 2016 and therefore published

between 2016-2020.

• Study addresses challenges or constraints in related domains subject to GDPR.

• Full-text articles accessible by the public or through academia credentials. Exclusion criteria

• Study is focused on Industrial IoT/IIoT 4.0 (Not subject to the GDPR) or general security and privacy

• Study does not come from an established and trusted source

• Study is a review, editorial, abstract, short paper, workshop, or conference summary

3.2.5.

Method Discussion

There are several differences between the procedure of a Systematic Literature Review as described by Kitchenham (2007) and Petticrew & Roberts (2005) and our approach. We omitted the formal quality review of found articles, our search strategy was simplified and expedited as our data extraction was done without

17

checking data extraction consistency, leading to reasonable cause to believe that there could be errors in our data collection.

Due to the scope and timeframe of this thesis we found it appropriate to focus on finding answers and producing new knowledge by looking for patterns in existing primary studies and literature. These qualitative results will help us gain a better comprehension of the current situation as experienced by smart home practitioners and thus helping to verify and validate the findings from our survey. To increase the search result of the semi-Systematic Literature Review, we could have added more keywords and synonyms. However, some search engines have limits on the amount of characters and Boolean operators that the search string can have and, therefore, we had to limit the length of our search string. This could be avoided if we instead did two searches with two different search strings, but due to the time constraint, this was not possible.

3.3. Ethical considerations

Scientific research is an important factor that contributes to the development of our society and often, researchers face ethical challenges where it may be difficult to distinguish between ethics and morality (Akaranga & Makau, 2016). To ensure that our research was conducted and faced potential ethical challenges in a correct manner we utilized the eight general requirements from the book “Good Research Practice” throughout the thesis (Swedish Research Council, 2017, p. 10).

18

Results

In this section the results of our data collection strategies are presented. First, we present the results from our online survey and thereafter the results from our semi-Systematic Literature Review.

4.1. Survey Results

The survey had a total of 131 responses, and the results are shown in the following visualizations. The results are grouped to Demography, Likert, and Multiple-choice, just like in the survey.

4.1.1.

Demography

In this section we present the demography of our respondents. This include age, gender, income, field of work as well as level of education.

Figure 3. Respondent demography. This visualization of the age of respondents shows that a majority were in the age group 25-34.

Our respondents were mainly in the younger age groups as shown in Figure 3, 18-24 (27%) and especially 25-34 (55%), were overrepresented. The other age groups were represented to some degree, the 35-44 group is contributing 8% of the total respondents, the 45-54 group with 6% and the 55-64 group with 3%. 1% preferred not to answer.

19

Figure 4. Respondent gender. The gender of respondents was balanced between male and female. Figure 4 shows that out of the total number of respondents, 51% were male and 46% were female. 3% preferred not to answer.

Figure 5 shows that a share of 19% were in the low-income group. 31% of users were in the average income group. 34% were in the above average income group, and 8 % were in the high-income group. 8% preferred not to answer.

Figure 5. Respondent Income. Most of the respondents reported to earn around 10 000 SEK to 50 000 SEK.

20

Figure 6. Respondent education. More than half of respondents reported having a bachelor’s degree or master’s degree

Figure 6 shows that 40% of respondents had earned a bachelor’s degree, compared to the second largest group of 16 % who had earned their masters. For upper secondary school and high school, the groups were 14% and 15% respectively. 11% had a higher vocational degree, 2% had a Folk High school. 2% preferred not to answer.

Figure 7. Respondent field of work. While a clear majority of respondents work in IT, we received replies from several other fields as well.

Figure 7 shows that 37 % of the respondents work within the IT-field. The second largest group at 13 % work within Economy, administration & human resources. Options that received less than two answers were compiled into the “Other” category.

21

4.1.2.

Opinions on smart home devices

The second section of our survey was the six statements with Likert response options. Through these we aim to gauge the respondent’s intentions and behaviors.

Figure 8. Survey Likert question 1. Most of the respondents do not feel more relaxed, comfortable, worrying less about their data being mismanaged or that the GDPR protects them since the GDPR

took effect.

Figure 8 shows that 20% agreed to some degree that they felt that the GDPR had made them more comfortable sharing data. 33% were neutral and 47% disagreed or Strongly disagreed.

Figure 9. Survey Likert question 2. Most of our respondents stand neutral in the likelihood that they would give consent to data collecting smart home devices after the GDPR took effect.

Figure 9 shows that 35% disagreed that they are more likely to consent to data collection. 33% were neutral and 32% agreed.

22

Figure 10. Survey Likert question 3. The respondents are not more or neutral in the question interested in purchasing a new smart home device after the GDPR took effect.

Figure 10 shows that a majority of 53% strongly disagreed or disagreed that their interest in purchasing smart home devices has increased since the GDPR while 12% agreed or strongly agreed. 34% were neutral.

Figure 11. Survey Likert question 4. Most of the respondents stand neutral in their opinion if smart home devices abide by the GDPR.

Figure 11 shows that 45 % were neutral. 22% agreed or agreed strongly and 32% disagreed or disagreed strongly.

23

Figure 12. Survey Likert question 5. Most of our respondents replied positively that they have increased their data privacy awareness due to the GDPR.

Figure 12 shows that a majority of 61% either agreed or agreed strongly that the GDPR had increased their awareness for data privacy. 23% disagreed and did not think that the GDPR had helped raise their awareness. 16% remained neutral.

Figure 13. Survey Likert question 6. Most of our respondents do not read the terms of service of the devices they acquire.

Figure 13 shows that people tend to not read the Terms of Service Agreements. 75% disagreed or disagreed strongly that they read the agreements while 10% agreed or agreed strongly. 15% remained neutral.

24

Figure 14. Survey multiple-choice 1. Respondents self-proclaimed understanding of the GDPR, where a majority states that they understand the regulation.

Figure 14 shows that 45 % of respondents gauged their own understanding of the GDPR and how the data rights affect them to be at a basic level. 28% even gauged themselves as having a good understanding of the GDPR. In total 28% also had either not heard of the GDPR or had a less than basic understanding of the GDPR and the data rights.

Figure 15. Survey multiple-choice 2. Respondents intentions to purchase a new smart home device in relation to if they currently own one or not. A majority do not currently own a smart home device

nor intend to buy one.

Figure 15 shows that the intention to purchase a smart home device within 12 months (46%) is slightly lower than the intent not (54%). The spread between currently owning (47%) and not owning (53%) a smart home device is similar.

25

Figure 16. Survey multiple-choice 3. Respondents priorities visualized per factor if they were to buy a smart home device today.

Figure 16 shows that the three most important factors affecting new purchases are Consistent product & service quality, Price of device and Trust towards manufacturing company practice.

Table 3. User qualitative optional response. Respondent open response field only resulted in four usable responses after sanitation from irrelevant replies.

Qualitative Reply field Count

Depends on purpose, device, and brand 1

I do not want to purchase one. Not a necessary product to exist. 1

The dumber the device, the more likely I am to purchase it. Wi-Fi

controlled light bulb? Sure. Alexa? No. 1

We have smart lamps and many Apple products that are integrated. I

am not interested in more products. 1

We did not receive many qualitative replies to question 3B as seen in Table 3. The replies have been sanitized from profanity and from obvious non-replies.

26

4.2. Semi-Systematic Literature Review Result

4.2.1.

Search Result

As the research in the field of both smart homes, the GDPR and their interrelations is both extensive and in an early stage, we could not presume to have exhaustively found articles on the subject. However, we believe that our process suffices to locate and provide valuable insights into the current state of research on the subject related to our second research question.

A detailed matrix of our results is available in Appendix 2.

Table 4. Search results. Resulting articles per source through our process. The low final result of 4 articles implies there is a quite significant research gap.

Source Preprocessing After first _phase After second _phase

IEEE Xplore 7 1 0 Scopus 1 1 0 ScienceDirect 812 18 3 Springer 327 1 0 Association for Computing Machinery 334 3 1 Google scholar 60 1 _{2 0} Compendex No Access 2 _{- -} Total 1551 26 4

The search results in the Table 4 have been filtered with the inclusion and exclusion criteria that was available through each search engine. This means that duplicates could exist in the ‘Search results’ column but not in the ‘After first phase’ column where they would be manually removed. In the second phase we read the abstract, introduction, and conclusion. We then excluded articles that were not relevant to our research question which resulted in four articles to be read thoroughly.

1 _{44800 articles were the initial search result. Due to the lack of filtering options}

supplied by Google, we limited the scope to the first 60 articles with the highest relevancy.

27

In Figure 17 the inclusion and exclusion criteria are those described in section 3.2.4 Data Collection on page 16. In the 22 articles that were removed when we found no relevance to our study in the introduction or conclusion of the paper. In Table 5 below we present the four articles that we chose for a final review.

Table 5. Final articles after semi-Systematic Literature Review. Articles that were chosen after the second phase and went on to the third phase: full-length review.

Title Author Year Type

Anonymous or Not? Understanding the Factors Affecting Personal Mobile Data Disclosure

Perentis et al.

2017 Journal

Semantic-based privacy settings

negotiation and management Sanchez, Torre & Knijnenburg 2019 Journal Willingness of sharing personal device

data for scientific research Szyjewski 2019 Conference A Survey on Facebook Users and

Information Privacy Presthus & Vatne 2019 Conference

Figure 17. Flow chart of sSLR inclusion/exclusion process. In this figure we display where and why articles were either

28

The Concept matrix in Table 6 below shows which of the four articles pertain to which key concepts that are of interest to this thesis. These are the concepts that will be the focus of the analysis. In the matrix the “Yes” means that the concept is present in the article.

Table 6. Concept matrix from semi-Systematic Literature Review articles shows what concepts our accepted articles have in common.

Concept Perentis et _{al. (2017)} Sanchez et _{al. (2019)} Szyjewski ₍₂₀₁₉₎ Presthus & _{Vatne (2019)}

Trust Factors Yes Yes

Self-Disclosure Yes Yes

Behavior Vs.

Intention Yes Yes Yes

These are the articles and concepts related to our research question “How has GDPR impacted self-disclosure of personal data of smart home users?” we were able to extract from the articles. In the following sections, we describe each of these concepts further.

4.2.2.

Self-Disclosure of Personal Data

There are several factors that affect the volume and quality of self-disclosure (Perentis et al. 2017; Szyjewski 2019; Brandimarte et al. 2013). According to Perentis et al. 2017 the frequency of decisions requested regarding this self-disclosure through mobile devices are increasing. The results of the study conducted by Perentis et al. (2017) showed that the most significant effect on sharing choices when it came to self-reported data was personality traits, whereas the impact from the factors demography and social network were insignificant. Features designed to protect the user, e.g. by increasing the user control over data has been shown to both raise user awareness and increase trust. Notably, this leads to increased sharing and consequently exacerbating the risks of the users (Brandimarte et al., 2013). Szyjewski (2019) mentions that the Cambridge Analytica-Facebook scandal may be one of the catalysts that have increased users’ awareness about personal data. According to Szyjewski (2019) since the enforcement of the GDPR in 2018, it may also have had an impact on users’ willingness to share personal data as European residents have increased awareness of data privacy. From the perspective of this thesis it is important to note that these factors are not necessarily all related to the GDPR but are important in the sense that we need to distinguish between what effects come from the GDPR and not (Perentis et al., 2017).

Szyjewski (2019) states that the main cause of low quality of research data is the human factor, due to respondents not presenting the real facts when participating in a survey. Like Szyjewski, Perentis et al. (2017) concluded that based on a field study, data that was self-reported by the test subjects were prone to bias. According to Szyjewski (2019) the solution may be in data that is

29

stored in devices such as mobile phones. Szyjewski (2019) emphasizes on the importance to advise participants that no private data such as images, password, or messages would be accessed, instead data such as locations and product purchases are more interesting for research. Contrarily, users’ mobile devices and third-party software gathers data continuously and identifies e.g. the user’s behavior. However, due to the sensitive nature linked to personal data, Szyjewski (2019) states that a mobile phone is the most personal device and it was not widely accepted to disclose personal data even if it would be anonymized. Reason being is that users could not verify if the data were anonymized or not, although the data the devices and software collects are used to adapt the products to the users’ needs, they may not know to what extent the data reveal about them (Szyjewski, 2019). Szyjewski (2019) also found that most respondents do not want to share their personal data that is being stored on their personal devices even if it would be for research purposes.

4.2.3.

Trust Factors

Several researchers have developed applications that grant the users increased insight and control of their privacy preferences. Giving users more granular control over their data raised trust along with awareness and perception of control (Brandimarte et al. 2013). Further arguing for smart privacy preference settings, Perentis et al. (2017) argues that while the process of suggesting privacy settings with limited user input is quite robust, the data that was self-reported by the subjects are prone to bias.

Table 7. Quantitative representation of the 7-point scale subjective evaluation of Fit-Pro (Sanchez et al., 2019. P. 14)

Item Score Description

Understandability 2.31 1 = Definitely Understand, 7 = Definitely do not understand

Control 1.62 1 = Definitely gave control, 7 = Definitely did not give control

Simplicity 2.04 1 = Very easy, 7 = Very difficult to use

Preferability 1.86 1 = Definitely Prefer, 7 = Definitely do not prefer over the traditional privacy preference model

One such application was evaluated by its users to give a much better understanding, control, simplicity and preferability in comparison to their existing fitness applications (Sanchez et al., 2019). The same application was also explicitly developed to “capture the complexity of privacy management in the IoT paradigm in the light of the GDPR” (Sanchez et al., 2019 p.18).

30

By conducting a survey based on the privacy calculus model, Presthus & Vatne (2019) investigated how Facebook users perceive information privacy in relation to the benefits that being a Facebook member brings. The survey results showed that a majority of the respondents have none or somewhat sense of trust for Facebook, have not read the terms of service, and the majority of the respondents have changed their personal data sharing settings to be more privacy-oriented (Presthus & Vatne, 2019). Furthermore, Self-reported data such as gender and age were the type of data that most of the respondents felt approving of Facebook to use for profitable purposes. The respondents had concerns about their responsibility of what they shared on Facebook. However, Presthus & Vatne (2019) found that respondents over the age of thirty were more carefree in their use of Facebook compared to the respondents under the age of thirty. Presthus & Vatne (2019) emphasizes that trust is a recurring theme in literature regarding information privacy and it was found that in general Facebook users are concerned about their privacy and that their level of trust was low. However, even though the level of trust was low, the use of Facebook was not affected and that the Facebook users prioritize social interaction over the loss of privacy (Presthus & Vatne, 2019). Facebook states that they do not sell personal data unless they have given consent by the user. Furthermore, Presthus & Vatne (2019) mentions that this statement has been criticized as it is deemed to be misleading. According to Presthus & Vatne (2019) the Norwegian consumer council has stated that Facebook grants advertisers’ access to their target groups that is based on Facebook users’ data and is considered to be the same as selling the data. However, it seems that most consumers accept the exchange of personal data for a free service such as Facebook.

4.2.4.

Privacy preferences: Behavior & Intention

An individual’s privacy preferences could with limited user input be inferred through that users’ mobile interactions and communications, establishing the role of smartphones in human behavior (Perentis et al., 2017). Sanchez et al. (2019) found that the very granular permissions users set in their field test application ‘Fit-Pro’ shared no significant association with their existing fitness application permissions. Known as the “privacy paradox” their previous settings did not reflect their actual privacy preferences (Sanchez et al., 2019).

Table 8. Measured Smartphone permission allowance from study by Sanchez et al., (2019). In this simplification of their results we have grouped the permissions into three arbitrary ranges of low,

medium, and high for quick overview of what data is considered sensitive. Low approval (20%-49%) Medium approval (50%-69%) High approval (70%-100%) • Contacts • Photos • Phone • Storage • Camera • Last name • SMS • Weight • Friends • Location • First name • Birth date • Identity • Media • Elevation • Floors • Activities • Calories • Sleep • Heartrate • Food • Profile • Settings • Weight • Location • Bluetooth • Mobile data • Steps • Distance • Gender • Height • Motion