We base this project on a use case called the ‘Airbnb problem’: a host wants to rent an apartment containing IoT devices to a guest, which involves delegating device functions to the guest and managing the personal data collected about the guest. Smart homes include a range of devices for sensing and automation purposes: thermostats, video-enabled door locks, robot vacuum cleaners, environmental sensors, shutters and lights, security cameras and the like. Smart homes also contain entertainment products like smart TVs, and personal items like smart bathroom scales.

All of these devices collect data of varying sensitivity, and some expose controls over their functions. The Airbnb problem is:

  • How do you give temporary access to all smart home devices a guest might use?
  • How do you arrange it so the host cannot see the personal data generated by the guest, and vice-versa?
  • How do you manage the data sharing from a single control surface?

The generated guest data must have a lifecycle that includes provable deletion. This implies non-repudiation of consent and consent revocation. All processes should be transparent, trusted and cryptographically secure.
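To make the requirements above concrete, here is an added example (not CASSIOPEIA's code, and not a description of its architecture) of the minimal record types a controller could use for a single stay: a time-bounded, host-signed delegation of one device function to one guest key; a guest-signed consent record; a guest-signed revocation; and a device-signed deletion receipt. The use of Ed25519 signatures, JSON payloads, hash-chaining of records and all device names, dates and log lines are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Grant: the host delegates one device function to one guest key for a bounded window (assumed record layout).
type Grant struct { Device, Function string; GuestPub []byte; NotBefore, NotAfter int64 }

// Consent, Revocation and Receipt are hash-chained so each record binds to exactly one
// predecessor; the guest's signature on Consent and Revocation is what gives non-repudiation.
type Consent struct { GrantHash []byte; Purpose string; Issued int64 }
type Revocation struct { ConsentHash []byte; Issued int64 }
type Receipt struct { RevocationHash []byte; Deleted, Done int64 }

// Signed is a JSON payload with a detached Ed25519 signature.
type Signed struct{ Payload, Sig []byte }

func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	b, _ := json.Marshal(v) // the record types above always marshal
	return Signed{b, ed25519.Sign(priv, b)}
}

func verify(pub ed25519.PublicKey, s Signed) bool { return ed25519.Verify(pub, s.Payload, s.Sig) }

// hashOf covers payload and signature, so a record is identified by the signed act, not just its text.
func hashOf(s Signed) []byte {
	h := sha256.Sum256(append(append([]byte{}, s.Payload...), s.Sig...))
	return h[:]
}

// GrantValid is the device-side check on every request: host signature, guest key, time window.
func GrantValid(hostPub ed25519.PublicKey, sg Signed, guestPub ed25519.PublicKey, now time.Time) bool {
	var g Grant
	if !verify(hostPub, sg) || json.Unmarshal(sg.Payload, &g) != nil {
		return false
	}
	t := now.Unix()
	return bytes.Equal(g.GuestPub, guestPub) && t >= g.NotBefore && t < g.NotAfter
}

// ReceiptValid is the guest-side check that the device's deletion receipt answers this guest's own revocation.
func ReceiptValid(devPub, guestPub ed25519.PublicKey, receipt, revocation Signed) bool {
	var r Receipt
	if !verify(devPub, receipt) || !verify(guestPub, revocation) || json.Unmarshal(receipt.Payload, &r) != nil {
		return false
	}
	return bytes.Equal(r.RevocationHash, hashOf(revocation))
}

// Outcome collects the checks a controller would log for one stay.
type Outcome struct {
	AccessDuringStay, AccessAfterCheckout, AccessOtherGuest, ReceiptOK bool
	RecordsLeft                                                      int
}

// RunScenario walks one stay: grant, consent, data collection, revocation at checkout, deletion receipt.
func RunScenario() Outcome {
	hostPub, hostPriv, _ := ed25519.GenerateKey(rand.Reader)
	guestPub, guestPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)

	checkIn := time.Date(2024, time.June, 1, 15, 0, 0, 0, time.UTC) // constructed dates
	checkOut := checkIn.Add(48 * time.Hour)
	grant := sign(hostPriv, Grant{"door-lock", "unlock", guestPub, checkIn.Unix(), checkOut.Unix()})
	consent := sign(guestPriv, Consent{hashOf(grant), "entry log for this stay", checkIn.Unix()})

	// Data the device collects is keyed by the guest's key, never mixed into the host's records (constructed sample).
	store := map[string][]string{string(guestPub): {"unlock 2024-06-01T18:02Z", "unlock 2024-06-02T09:15Z"}}
	o := Outcome{
		AccessDuringStay:    GrantValid(hostPub, grant, guestPub, checkIn.Add(3*time.Hour)),
		AccessAfterCheckout: GrantValid(hostPub, grant, guestPub, checkOut.Add(time.Minute)),
		AccessOtherGuest:    GrantValid(hostPub, grant, otherPub, checkIn.Add(3*time.Hour)),
	}

	// At checkout the guest revokes; the device deletes only that guest's records and signs a receipt.
	revocation := sign(guestPriv, Revocation{hashOf(consent), checkOut.Unix()})
	if verify(guestPub, revocation) {
		n := len(store[string(guestPub)])
		delete(store, string(guestPub))
		receipt := sign(devPriv, Receipt{hashOf(revocation), int64(n), checkOut.Unix()})
		o.ReceiptOK = ReceiptValid(devPub, guestPub, receipt, revocation)
	}
	o.RecordsLeft = len(store[string(guestPub)])
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The receipt only proves that the device signed a claim of deletion; it is evidence for an audit, not a guarantee against a device that lies, which is why the page's call for transparent, trusted processes matters as much as the signatures.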

No comprehensive solution exists for the Airbnb problem, yet if smart homes mean anything, they mean intuitive, low-friction methods of controlling in-home devices, and options for guest use. Homes are not smart if an owner needs to go to 12 different applications or screens to control the devices he or she owns. Further, the human-centric view of IoT and smart homes means strong privacy - not just confidentiality, but flexible sharing arrangements that align with social norms for information sharing and user-centric design principles. And, comprehensive privacy means having visibility into data flows - this is all the more true for guest users of IoT devices, versus owners, so they can feel safe and empowered about the data collected about them by other people’s devices.

The state of the art for controlling smart home device permissions takes one of two forms. Either each device has its own screen, app or set of controls: each manufacturer reinvents the wheel, creating its own set of interactions, its own conception of identity relationships (owner vs. user vs. admin vs. guest) and, importantly, its own version of the privacy characteristics of sharing data or device functions. Or devices are controlled by an internet giant like Amazon or Google. This is likely true for only a subset of devices, so the two arrangements will coexist. And these internet giants dictate the shape of privacy and sharing arrangements, since they control the platform for in-home device services.

In short, smart home device privacy and sharing arrangements currently are inconsistent, piecemeal, inconvenient, and/or controlled by large internet companies that have their own visions of how people should and should not be able to share their data. Today, IoT devices collect data without showing how that data is treated in the background, or whether it has been deleted. The owner/guest identity relationship is absent from today’s smart home architecture.

CASSIOPEIA relies on applying existing technology to enable a broad set of interactions and an expansive conception of privacy. CASSIOPEIA’s architecture prevents the privacy characteristics of IoT data sharing from being tied to any particular company’s product roadmap or business model. Our proof-of-concept is a necessary innovation to show developers, policymakers, and the public what ‘privacy-by-default and -design’ looks like when united with the core NGI principles of an open, trustworthy, human-centric internet.