Man in living room with smart television

commentary

(The RAND Blog)

September 3, 2014

Are You Sitting Comfortably? Understanding the Security and Privacy Implications of the Internet-Connected Living Room

Photo by apops/Fotolia

by Neil Robinson

The modern home is an increasingly connected place. At the centre of this connectivity is the living room, a shared space that now plays host to a range of Internet-connected devices. The expected market for such devices is expected to grow significantly. For example, according to market research firm NextMarket, shipments of connected living room streaming devices (including 'smart' TVs, streaming sticks, set-top boxes and connected Blu-ray players) are expected to grow from 114m devices in 2012 to 267m by the end of 2017. Innovation in this area is disrupting traditional business models and value chains of content creation and broadcasting.

The technologies inside these new devices are converging. Coupled with this, the devices are becoming increasingly integrated with platforms, architectures, and sources of content available through the Internet.

All this convergence is not yet self-managing, so security remains elusive. Consumers still have to configure their devices, and many struggle with the different functionalities between apparently similar applications on TVs, radios, and games consoles. Ofcom, the UK's communications regulator, therefore, asked RAND Europe to investigate the privacy and security concerns of the Internet-connected living room, the threats to consumers, and the challenges for industry.

Familiar Threats and Vulnerabilities with New Devices

Vulnerabilities arise through both behaviour patterns of end-users and weaknesses in technology. The living room has traditionally been seen as a place to sit back and consume entertainment ('lean back'), rather than to search for new content ('lean forward'). The lean-back devices in the living room are seemingly considered as secure and trusted; this perception could make users more susceptible to those threats already present on the Internet such as fraud, scams, or bullying.

The introduction of privacy issues into the living room is something new. A key development is the way in which companies seek to profile consumers, with advertising based on patterns of device usage, which may raise privacy concerns. Data gathering is often part of an implicit exchange for access to services or content, accessed seamlessly through the smart TV or console. Those creating or commissioning new material might increasingly turn to business models using profiled personal data to fund their investment. As online, the consumer becomes the product, often unwittingly and sometimes without their explicit consent.

Industry, meanwhile, has multiple concerns. First is the way in which technology in the connected living room might affect their business models. Easy-to-use subscription streaming services might help maintain revenue, but, conversely, seamless integration between smartphones and smart TVs might make piracy easier. Second is the concern about risks to reputation arising from data and security breaches, and perceptions about the role industry could play in surveillance; concerns which might increase as more personal data is shared through such connected devices.

Do Existing Tools Help Us Navigate the Internet-Connected Living Room?

Existing approaches to tackle these concerns, such as user-awareness campaigns or encouraging companies to improve their security practices, may not be viable for much longer. The practices of device manufacturers and those that offer services can contribute to poor security; for example, smart TV software is infrequently updated. Unlike the personal computer, manufacturers seem to rely upon users purchasing new hardware as a means of closing security holes.

There are also concerns about the quality of software used on these devices. On the one hand, security might be better managed by companies rather than consumers. Consumers have limited choice if they wish to install specialised security software on living room devices. This is due to either complex interfaces or the restrictions imposed on third-party applications.

From a privacy perspective, users often appear to be indifferent to how their data is used, with whom their data is shared, what the value of their data is, and how they can exercise control over its usage. Companies, on the other hand, recognise the value of analysing user and usage data for business models, advertising revenue, and also to better protect copyright. Tools to supposedly help users exercise informed consent and make meaningful choices about how their personal information is used are similar to those used on the web more generally.

Finally, users are poorly informed about security risks and unclear about how to protect themselves. Advice from manufacturers and security companies can be unhelpful; for example, users have been advised just to disconnect their devices if they are concerned about security. Both technical and social measures play a role in content control in the living room. Parents in the UK appear to prefer technical tools relative to other European countries, but the benefit of physically being present in the room is still seen as important.

An Opportunity to Think Afresh About Security and Privacy?

The evolution of the connected living room represents an opportunity to consider innovative responses to these risks. For example, the effectiveness of awareness campaigns might be more easily measured in the connected living room relative to the Internet generally. Industry also needs to consider how it responds to these security challenges. Finally, there might be scope for looking at better ways to communicate concerns to end-users, for example through labeling schemes or better educating consumers about the full capabilities of these devices.

The newly dynamic, connected living room is still evolving, but so is our grasp of the full implications of these security and privacy issues.


Neil Robinson is a research leader at RAND Europe in Brussels. His work covers such areas as European cybersecurity policy, privacy, and the broader socioeconomic implications of the Information Society.

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.