Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
The Etiquette of Respecting Privacy in the Age of IoT
Is it rude to ask someone to shut off their Alexa? Ask the family who's written the book on etiquette for nearly 100 years — the descendants of Emily Post herself.
September 28, 2019
7 Min Read
(photo of Emily Post, June 1912. Library of Congress Prints and Photographs division)
Her polite robotic voice pipes up in the background, followed by a giggling human apology. "So sorry, that was Alexa responding to something one of us said on the conference call. I'll go on mute." Those of us on the line, who've been placed on speakerphone, will no longer hear Alexa (or Siri, or Google) — but, of course, she'll still hear us.
Some chuckle and bond over anecdotes about the foibles of their voice-activated digital assistants follow.
But other people are like me. We scowl and grind our teeth.
We think about privacy violations and security vulnerabilities. Like the couple whose conversation was recorded by an Amazon Echo and sent to one of their contacts. Or the German Amazon customer whose Alexa recordings, which contained intimate, "hair-standing on end" personal details, were sent to a stranger. Or Amazon workers tapping into conversations, listening and recording for quality control purposes. Or researchers discovering vulnerabilities that would allow for "skill-squatting" (or voice-squatting) attacks that can turn legitimate commands into malicious executables. Or the vulnerable Google Nest, smart coffee pot, or other unknown item that might be lurking in the background.
We wonder what things we might have said over the past 45 minutes, before we knew the recording device was stealthily listening. Did we mention anything sensitive or confidential? Anything that would violate privacy law if it were leaked? Anything that would help attackers write a good spear-phishing message or guess our passwords? Or did we just say something stupid and embarrassing?
What's a grumpy, privacy-conscious person meant to do in these situations? Make angry demands, spiked with obscenities and snide comments about the foolishness of anyone who'd invite such spy equipment into their lives?
Well, that feels right. But just in case it isn't, I decided to consult an expert.
An Etiquette 'Gold Star'
In 1922, Emily Post wrote the first edition of Etiquette in Society in Business in Politics and at Home. Covering everything from weddings to precisely when and how a gentleman should lift his hat, the book made Post the unofficial arbiter of good manners in America.
Although Emily is no longer with us, the Emily Post Institute has carried on her legacy since 1946. Now led by her great-great-grandchildren Lizzie Post and Daniel Post Senning, the Institute is currently working on the 20th edition of Etiquette.
So who better to consult about the etiquette of the Internet of Things than the family who has been the authority on etiquette for nearly 100 years?
Last Friday afternoon, sitting alone in my dumb home, beside my laptop with the disabled microphone and covered webcam, I called Daniel Post Senning. I picked up my phone — which is equipped with a rose-printed carrying case, five security-related apps, and a dazzling array of no and don't privacy settings — and dialed.
I asked if he'd mind if I put him on speakerphone and record our conversation. I hit "record" only after he gave his approval.
"I am always curious where the next frontier is going to be in etiquette," said Post Senning. "And this idea of privacy in a world where we're all carrying these increasingly powerful recording devices both audio and visual … I think it's a fascinating question."
The Institute hasn't yet written official guidance on the topic yet. (It might be coming in the 20th edition.)
"Whenever I'm in new territory, I always look back to tradition," Post Senning said. "All the courtesies that survived around conference calls, video calls, using speakerphones, generally would apply in the scenarios where the 'person' listening isn’t necessarily a person but might be artificial intelligence or a device that’s connected to the Internet, in the case of Alexa."
Therefore, in professional situations like this, "The idea of letting people know when they're being recorded and who they're being broadcast to are, for me, just core courtesies, no matter what technology you're using," he added. "And it's impossible to know every situation you walk into what combination of technology is going to be at play. So I think the onus really falls on the person who's chosen to deploy it in their home to warn others or to let other people know."
If the owner of the technology fails to extend this courtesy, however, is it rude for a concerned (paranoid) house guest or colleague to ask or even request they turn the device off?
The short answer, Post Senning said, is no. However, it depends on the way you ask.
"There are kind and benevolent truths, and there are harsh and brutal truths," he said, "and if you had that conversation in a way that was accusatory or insulting or even just self-absorbed – 'I can't believe you have that device in your house, don't you know that I don't like to be listened to by evil tech giants?!' – there's a way to have that conversation that could be really offensive."
(Baser impulses nearly drove me to such an offensive conversation. Post Senning gave me an "etiquette gold star" for resisting them.)
We scowling teeth-grinders must recognize too, that the world must not necessarily bend to our whims just because we asked nicely, and our needs are not the only ones that matter.
"Etiquette is most powerful when you're using it as a tool for self-improvement, self-assessment," Post Senning said.
So etiquette would tell a privacy-conscious guest in a smart-as-a-whip home to also consider carefully what you're asking of your host. The inconvenience of turning a microphone off of one device might be small, but entirely altering the operation of an entire building (particularly if the homeowner requires voice activation for accessibility purposes) is a far greater inconvenience. "As the practical landscape changes," Post Senning said, "the nature of the request and how you make it is going to change as well."
Nevertheless, "It's hard to make demands of your host, as a guest. But you can make a request, and you can adjust your behavior and your participation accordingly," he suggested.
Another very practical piece of advice he gave is to get familiar with all the IoT and communications technology you use in the workplace, because using it well can protect your privacy. (Using it not-well might mean forgetting to hit "stop sharing my screen" before beginning an instant message conversation complaining about the people on the conference call.)
Of course that would be less of an issue if we followed one of the oldest etiquette rules that goes almost back to Emily's time, Post Senning said: "the headline rule." The idea was that before you wrote something in a letter, ask yourself if you'd be OK with it becoming a newspaper headline, because even if you trusted the person you were sending the letter to, could you trust everyone else who might obtain access to it?
"As the question about not just what we write but what we say and what we do becomes also potentially public and permanent, I think it raises some really interesting questions about what privacy is and how we continue to value it and show value for it in the way we behave and make choices," Post Senning said.
The heart of all good etiquette is holding yourself accountable to standards of consideration, honesty, and kindness, he added. In that case, we all ought to practice it. Because if recording devices are going to capture our behavior no matter what we do, good etiquette is behavior we wouldn't mind caught.
About the Author(s)
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.
You May Also Like
Your Everywhere Security guide: Four steps to stop cyberattacksFeb 27, 2024
Your Everywhere Security Guide: 4 Steps to Stop CyberattacksFeb 27, 2024
API Security: Protecting Your Application's Attack SurfaceFeb 29, 2024
API Security: Protecting Your Application's Attack SurfaceFeb 29, 2024
Securing the Software Development Life Cycle from Start to FinishMar 06, 2024
Latest Articles in The Edge
Library Cyber Defenses Are Falling DownFeb 20, 2024|3 Min Read
Enterprises Worry End Users Will Be the Cause of Next Major BreachFeb 16, 2024|2 Min Read
10 Security Metrics Categories CISOs Should Present to the BoardFeb 14, 2024|6 Min Read
How Changes in State CIO Priorities for 2024 Apply to API SecurityFeb 12, 2024|4 Min Read