This is the first in a series of posts pulled from a talk I gave at O’Reilly’s online conference Experience Design for Internet of Things (IoT) on “Lessons from Architecture School for IoT Security.” The talk is a call to action for designers and non-technical people to get involved — with us at Simply Secure or elsewhere — in the worthy problems of experience design for IoT security. I want to encourage more people to think about security and to outline some ways UX design can support privacy in IoT applications. You can find the slides for the original talk here.

Many thanks for all the positive comments from the online audience for the talk. I’m glad to see that a few of the participants joined our Slack channel. You should join too — by emailing [email protected] — if you’re interested in being part of an emerging conversation about security, privacy, design, and more.

Architecture School

I studied architecture. Not systems architecture, but actual building architecture. The time I spent in the Colleges of Environmental Design in Boulder, Colorado and Berkeley, California shaped how I think and how I approach problems. No, I can’t tell you if your deck will fall down, and although I may have an opinion on your kitchen remodel, that’s not part of my professional education.

My background is much closer to what we today call “design thinking” or even “Lean Startup” methods. Architecture school teaches problem finding, rather than problem solving, and it’s great preparation for work on many kinds of complex systems. There are many elements of a studio-based architectural education that make it useful for thinking about security, including rapid prototyping and getting feedback during critiques. However, the most relevant quality is how architecture school teaches new ways of seeing how buildings work and how people inhabit them. I’d like to share some of the lessons from architecture school that are applicable to security.

Calling Designers, IoT Security Needs You

Anyone working on a connected-home application is also in the data-collection business, as connecting and collecting go hand-in-hand. Bruce Schneier’s recent Guardian article includes examples that speak to designers’ priorities on crafting user experience: Samsung TVs listening in on near-by conversations and Mattel re-selling children’s questions to Hello Barbie dolls. As a designer, I understand the motivation for some of the choices that eventually led to privacy problems, and that some designers haven’t had exposure to the privacy implications of their designs. The desire to create convenient, positive interactions for users can have unintended consequences, and designers have a role to play in safeguarding end-user needs. Beyond that, designers have the power to make conversations about privacy richer than the tension between what’s technically possible and what’s legal. What’s desirable? What’s delightful? Security for IoT needs design.

Here’s one lesson from architecture school for designing IoT applications with privacy in mind.

Start with People, In Context

Architecture is concerned with creating spaces for people to experience. As a Human-Centered designer, I encourage everyone to get out into the field as much as possible to understand the context. People working on domestic IoT applications should go and meet with people in their homes to get a deeper understanding of how their products fit into the rhythms of home life. But even without doing in-context interviews, looking at examples of how people inhabit space can inform the design of appropriate technology. Most of us spend quite a bit of time in buildings, and critically examining how people inhabit buildings can lead to the design of more Human-Centered IoT products.

To be deliberately provocative, I’ve selected images for this series that feel historical and far-removed from the current hype around IoT. This one is from the Dutch Golden Age.

Pieter de Hooch, “Man Handing a Letter to a Woman in the Entrance Hall of a House.” from the Rijksmuseum. Pieter de Hooch, 1670. “Man Handing a Letter to a Woman in the Entrance Hall of a House.” from the Rijksmuseum.

Looking at this painting with the eyes of an architect, this domestic scene tells us about the values of Dutch society in the 1600s. There are no window coverings, highlighting a social convention around transparency. There are also multiple people visible, each of whom has different privileges in the home. The man delivering the letter could be a guest, who would only have access to the entrance hall or certain semi-public areas of the home. There’s also a dog and a child. Children are an interesting case in the modern context because they are not able to consent to the collection of their data in many situations.

One method for doing design research is to seek inspiration from observation of extreme users, or people outside the mainstream who are likely to invest time in creating work-arounds to make technology fit their needs. Extreme users can be helpful participants with well-articulated worldviews, whose experiences can create designs that work well across the entire spectrum of users. Designing to accommodate the needs of a child in a European country — who is protected from unwanted data collection by local regulations — can result in a user experience that works well for all kinds of people, including those eagerly opting in. We can expect additional regulatory constraints around children’s data in the future, so giving attention to these issues now can also help designers future-proof their product.

UX Consideration

Profile managers are examples of interfaces that can contribute to future-proofing by allowing people to opt in or out of data collection.

Netflix profile manager Video-streaming service Netflix has an explicit interface for asking viewers to sign in with a profile to interact with their system, but what about other people who may also be watching? There are examples of using mobile phones to passively interact with video viewing systems, such as logging everyone in a group who may be watching at once, but without an explicit login moment, users have no ability to safeguard their privacy by opting out.

Watching videos is a screen-based interaction, but the issues become more complex with ambient systems. We don’t yet have best practices around signing in to ambient systems where an explicit login at a console may not be appropriate. How can we as designers create appropriate interfaces to give users control of ambient IoT systems?

Security Thought-Starter

There is no single place to turn for guidance on this issue, but the European Article 29 Working Party is one starting point for understanding privacy protection and data collection mechanisms. If you’re a developer or entrepreneur thinking about collecting data in the home, keep in mind that there need to be ways for people to opt out, whether they’re guests or residents, adults or children.

Plan for change, and don’t take on privacy debt in a quickly-changing landscape.

Planning for the ability to opt out of collection by ambient devices can help future-proof emerging design work.

To learn more about emerging challenges in IoT interfaces, check out the recently released Designing Connected Products by Claire Rowland, Elizabeth Goodman, Martin Charlier, Ann Light, and Alfred Lui.

This series continues with Part 2: Understand Unspoken Needs