Donate
‹ Back
Building Trust 1 May 2019

The Trust Opportunity: Exploring Consumer Attitudes to the Internet of Things

This new research from Consumers International and the Internet Society explored consumer perceptions and attitudes towards trust, security and the privacy of consumer Internet of Things (IoT) devices.

Executive Summary

The survey of consumers in Australia, Canada, France, Japan, UK and the US aimed to find out what matters most to consumers when buying connected devices, and who is responsible for better privacy and security.

What we found:
  • Connected devices are everywhere – but concerns about privacy and security remain.
  • 63% of people surveyed find connected devices ‘creepy’ in the way they collect data about people and their behaviours
  • This sentiment is echoed throughout the survey, with half of people across markets distrusting their connected devices to protect their privacy and handle their information in a respectful manner (53%).
  • On top of not trusting the device itself to keep data secure, 75% of people agree there is reason for concern about their data being used by other organisations without their permission.
  • The security concerns are serious enough to deter almost a third (28%) of people who do not own smart devices from buying one; security concerns are as strong a deterrent as the price of a device. [1]
  • People have concerns about security and privacy but do not know how to adapt and adjust device settings in a way that might allay these fears. 80% of people surveyed are aware of how to set and reset passwords, but only 50% are aware of how to disable the collection of data about users and their behaviours.

We see from the survey that a high number think that privacy and security standards should be assured by regulators (88%), followed by manufacturers (81%) and championed by retailers (80%).

75% of people distrust the way data is shared

63% of people find connected devices ‘creepy’

50% of people know how to disable data collection

28% of people who do not own a smart device, will not buy one due to security concerns

Given the level of concern amongst owners and non-owners, there is potential for companies to use high levels of privacy and security as a way to stand out from the crowd and build trust with current and future customers, while at the same time creating a more secure consumer IoT environment.

The results [2] also suggest consumers are thinking about the need for more formal regulation in the market. It is likely that this demand will grow as information about the risks associated with connected products becomes more widespread.

In response to this demand, companies should explore how to deliver assurances to consumers that their devices and services are helpful and useful without crossing the line into creepiness. This could help them build trust in connected devices among consumers and potentially generate a competitive advantage. 

Download the full report

View the infographics

About the Partnership and Project

Consumers International is the global membership organisation for consumer groups across the world. We bring together over 200 member organisations in more than 100 countries to empower and champion the rights of consumers everywhere. We want consumers to get the best out of the digital economy and society without having to compromise on quality, care and fair treatment.

The Internet Society, founded by Internet pioneers, is a non-profit organization dedicated to ensuring the open development, evolution and use of the Internet. Working through a global community of chapters and members, the Internet Society collaborates with a broad range of groups to promote the technologies that keep the Internet safe and secure and advocates for policies that enable universal access.

Consumers International and the Internet Society are working in partnership to deliver a better digital world, where everyone can benefit from digital innovation without compromising on their rights. We both believe that online security and privacy are key to online trust, which underpins all economic and social exchanges online.

The partnership brings together the best technical and policy knowledge related to IoT from the Internet Society and long-standing knowledge of consumer experiences and attitudes towards the digital economy and society from Consumers International.

The focus for our partnership has been on the growing market for consumer IoT as an important part of people’s digital environment. We have been working towards effectively engaging consumers, governments and regulators, and businesses in the creation of a secure and trusted consumer IoT market. We want to enable consumer groups across the world to help drive demand for better security and privacy in consumer IoT products.

This research is a key part of this activity, exploring what consumers currently understand and feel about trust, security and privacy in the consumer IoT and how policy change, new business practice, standards development and enforcement, alongside awareness-raising among consumers, can bring positive change.

Security and privacy opportunities in the consumer IoT market

The rapid increase in products and services that are connected to the Internet are already transforming consumers’ lives through connected energy grids, transport, home security and lifestyle appliances. Forecasts predict this technology is set to become part of everyday life with many products connected to the Internet by default.

Testing by consumer organisations [3] has revealed dangerous weaknesses in range of connected products, from children’s toys and connected watches to connected TVs and fitness trackers. Such vulnerabilities create a risk of exposing the device itself (e.g. a connected home lock being disabled) and to personal data (e.g. information being shared with unauthorised third parties). Thinking beyond the harm to consumers, IoT vulnerabilities also create a risk of exposing networks ( e.g. attacking the power grid of an entire country via connected webcams).

As more types of connected-by-default devices and services become mainstream for consumers, these security and privacy issues are multiplied. These issues pose a threat not just to consumers’ control over what happens to data about them, but also to consumer trust in IoT devices. The lack of consumer trust in the IoT market could be detrimental to manufacturers and retailers and as a result, it could stifle innovation within the industry. We believe there are opportunities for different stakeholders to address security and privacy issues in the IoT market and increase consumer trust.

Understanding attitudes and gathering opinions

Complementing our other activities with manufacturers, retailers and regulators within this partnership, this survey brings a valuable consumer perspective that allowed us to gather insights not only into how consumers perceive IoT devices, but also their levels of awareness and ideas around responsibility.

This study aimed to get a sense of consumers’ attitudes to privacy and security when it comes to connected devices and explore to what extent consumers trust connected devices. Our other objectives were to understand what matters to consumers when buying connected devices and where they feel that the responsibility for better security and privacy lies.

Methodology

The research was carried out by Ipsos MORI via their online panel survey which regularly surveys the general online population across the world.

We surveyed a sample of a minimum of 1,000 consumers in each of these countries: United States, France, Canada, Australia, United Kingdom and Japan between 1 March and 6 March 2019. We chose to conduct the survey online to ensure that the samples from each country were reflective of the general online population. People who are online are more likely to understand how such devices work. The study did not require people to own a connected device so that it also reflected the opinion of consumers who are considering or haven’t bought a device.

Unravelling intricacies of consumer trust in connected devices and what underpins it can be a difficult task, especially within the setting of a quantitative survey that can be restricting in terms of the depth of insights. Concepts of both trust and connected devices can be abstract and vary in people’s interpretation of each. The study tried to mitigate this difficult position by capturing consumers’ attitudes towards trust in connected devices by prompting them with attitudinal statements about such devices. The statements were preceded by a definition and examples of connected devices.

Defining smart devices

For this research, we defined connected devices as everyday products and devices that can connect to the Internet using Wi-Fi or Bluetooth, such as connected meters, fitness monitors, connected toys, home assistants or gaming consoles.[4]

The definition excluded tablets, mobile phones and laptops; although they can be considered in technology terms ‘connected devices’, they are a lot more complex and apps allow them to perform many functions which in return generate more complex privacy and security issues than other connected devices. To avoid conflating the issues, the research focused on devices that do not have this added layer of complexity.

Research Findings

1 Immersed in Privacy and Security Concerns

Consumer IoT devices are widely used – the survey showed that 69% of participants across all markets own one or more devices such as connected meters, fitness monitors, connected toys, home assistants or gaming consoles.

Our participants across all markets most commonly own gaming consoles, followed by home appliances and fitness monitors. On average, they own connected devices from at least two different categories (e.g. home appliances and connected wearables); however, this number is lower in Japan – where 46% do not own any Internet-connected devices.

We have also learned that high levels of connected device ownership does not indicate that people are satisfied with the privacy and security of these devices. On average, 65% of consumers across all markets report being concerned with the way connected devices collect and use personal data, with the US showing the highest concern levels at 70%.

On the other hand, consumers in France (60%) and Japan (52%) show less concern about the way these devices collect and use data, than the rest of the surveyed countries. For point of comparison we asked about other forms of technology, we found mobile apps (such as banking or health apps) had the highest levels of concern about the way personal data is collected (69%). The lowest level of concern found, was for tablets or laptops – which 62% of people are concerned about.

In all countries, these concerns are shared by those who haven’t purchased a device. We wanted to uncover whether consumer intentions to buy or not buy a connected device are related to their concerns about privacy and security. Although the most frequently mentioned barriers to purchasing a connected device across all countries are lack of need/use for them (63%) and cost (28%), the research also found that 28% of people who do not own and do not intend to purchase a connected device make this decision because of lack of trust in security and privacy.

The opportunity for trust?

It should come as no surprise that making useful, affordable, privacy and security-respecting devices will be popular with consumers, but we have not yet seen many companies voluntarily embrace strong privacy and security features in their products.

Given the level of concern amongst owners and non-owners, companies could use this as a way to stand out from the crowd and build trust with current and future customers and create a more secure consumer IoT environment. If we take into account how much focus manufacturers and retailers place on the price of a connected product as a way to influence consumers’ purchasing behaviour, it is clear from our research that good privacy and security standards in an IoT device could be an equally important selling point and competitive differentiator.

2 Creepiness and Distrust

Concepts and definitions such as trust, Internet of Things or even privacy and security can be difficult to explore among consumers because of their abstract nature. In particular, when trying to find out more about consumer trust in security and privacy of IoT devices we had to overcome the hurdle of trying to explain what we mean by ‘trust’.

People from different backgrounds and cultures can interpret a concept like trust in many ways. To mitigate the differences, we asked participants to express their opinion about a number of statements that could relate to their feelings of trust.

Our results showed that 63% of people agree that connected devices are creepy[5] in the way they collect data about people and their behaviours, with French consumers being the most ‘creeped out’ (71%) and Japanese being the least (46%). This emotion was mirrored again when we asked about the possibility of other organisations accessing data from IoT devices about users without permission, for example advertisers misusing data consumers thought was being collected for a different purpose. In fact, three quarters of consumers across all surveyed countries were concerned about this practice when it comes to connected devices.

Not only do consumers not trust the security of IoT devices to protect them from other parties accessing data about them, they even distrust the device itself. Across markets, over half of people tend to distrust their connected devices to protect their privacy and handle their information in a respectful manner (53%). In France, the number of people who distrust their devices to protect them is 63%.

Even though consumers own and engage with IoT devices, they do so with a cloud of suspicion around them and experience distrust towards the device on several levels.

The opportunity for trust?

There is a real opportunity for companies to rethink how they can nurture consumer trust in the IoT market. Companies, whether it is manufacturers or retailers, should explore how to deliver assurances to consumers that their devices and services are helpful and useful without crossing the line into creepiness which might contribute towards feelings of mistrust.

In practical terms, they can set proper expectations regarding what data is collected, how it is used and how it is secured. Companies can highlight features that can be controlled by the consumer, such as enabling or disabling data collection. 

3 Low Know-How

Exploring the concepts of privacy and security in connected devices among consumers has not been straightforward. It is difficult to separate the two and pinpoint where privacy ends and security starts. The two tend to work together on a higher conceptual level that most consumers do not engage with on a daily basis. For this reason, the research explored consumer awareness of the two concepts through privacy and security features of IoT devices.

We found that people have concerns about security and privacy but do not know how to adapt and adjust device settings in a way that might allay these fears. There is good knowledge of basic security best practices, such as setting and resetting passwords. 80% of people surveyed are aware of how to set and reset passwords and 68% of people are aware of automatic security updates from manufacturers. Knowledge of these features is essential for mitigating against hacks and lessening the impact of cyberattacks. However, a lot less is known about other settings in devices. Only 50% of consumers are aware of settings that control what data is collected and who it is shared with.

The research showed that in general consumers in Australia, UK, US and Canada are much more aware of security features in connected devices than consumers in Japan and France. However, the only security feature the four countries are as unsure about as France and Japan is disabling data collection on their connected device(s).

Even though consumers have low know-how of certain security features in connected devices, they have an appetite for security and privacy as wider concepts. They might not be so aware of some features but they have assessed that privacy and security are an important component of IoT devices and they, as consumers, should be aware of them. Our research showed that availability of information about the connected device’s privacy and security is part of the purchase equation, with 77% of people across markets considering the availability of information about a connected device’s privacy and security important for their decision to buy.

Among the surveyed countries, the numbers of US consumers taking privacy and security information about a connected device into account when making a purchase, was the highest (82%). By comparison, only 61% of French consumers look for this information when buying an IoT device, followed by Japanese consumers with 70%.

What influences consumers to buy or not buy IoT?

We investigated which factors were influential for consumers when they were deciding whether or not to buy a connected device. A list of eight potential factors were shown to respondents, and they were asked which they agreed with. The graphic opposite shows the percentage of consumers who agreed with each statement. These results show a blend of all of the eight factors were deemed important, indicating a complex decision-making process.

The opportunity for trust?

Improving knowledge of privacy and security features amongst consumers could go some way to helping consumers feel less concerned about how their personal information is used for things like marketing or service improvements.

4 Where does Responsibility Lie?

Asking consumers to assign responsibility for security and privacy can be problematic. They often have only basic knowledge about issues around IoT and a lack of a wider picture of the IoT market. However, what people can do is to indicate whether they think they should have the responsibility as consumers.

Our survey showed that about 60% of people across markets think consumers should be responsible for safety and privacy on their connected devices. France had the lowest number of people wanting to take responsibility for security and privacy in IoT devices (48%). However, this number still shows that consumers as primary users of IoT devices share responsibility for security and privacy.

However, the majority of people agree that appropriate levels of privacy and security should be assured by regulators (88%), followed by manufacturers (81%) and favoured by retailers (80%). This trend differed slightly only in Japan where consumers had a stronger preference for setting legal obligations, such as regulation to secure standards for security and privacy in IoT devices.

These results do not come as a surprise following the previous findings showing that consumers do not have very sophisticated knowledge of security and privacy in IoT devices. The level of risk from devices and the complexity of securing devices contributes to consumers wanting regulators, manufacturers and retailers to uphold standards of privacy and security and to take more responsibility, as is the case with other mainstream activities that pose potentially high risks to individuals – such as the safety of air travel.

The opportunity for trust?

We predict that the demand for more formal regulation from consumers will grow as information about connected devices becomes more widespread and the media picks up on high profile hacks and security failings. Until this happens, retailers and manufacturers that demonstrate they have built-in security, privacy and trust by design have a great opportunity to stand out from the crowd and appeal to consumers.

Building a Trusted and Safe Consumer Internet of Things

This research gives us insight into what consumers know and feel about the privacy and security aspects of connected devices, and what more they would like to see to help build their trust and allay concerns. Understanding the consumer perspective and their experience of new products and services is crucial for developing effective policy, business and advocacy interventions.

These insights will also contribute to Consumers International and the Internet Society’s ongoing work to build a trusted IoT environment that ensures security and respects privacy which includes work across the following areas:

Manufacturers and retailers:
Standards:
  • Consumers International is an International Organisation for Standardisation Liaison member helping to develop a new standard Consumer protection: privacy by design for consumer goods and services standard (ISO/PC 317)[6] which focuses on connected products.
International policy making fora:
  • In May 2018, Consumers International co-hosted the second G20 Consumer Summit in Buenos Aires with a focus on the security of online. Following the event, the final leaders’ declaration[7] at the G20 called for improvements to security and privacy in consumer IoT, in particular for products marketed at or for children.
Consumer awareness:
  • The Internet Society and Consumers International’s Connect-Smart campaign raised awareness of the risks associated with connected products that fail to build in basic privacy and security features during the design stage.

Next Steps

Internet of Things devices enhance the day-to-day activities of users around the world by providing benefits such as greater convenience, more streamlined services and better information.

However, the results of this survey demonstrate that consumer distrust in IoT persists. In fact, survey findings show in some cases this distrust has discouraged consumers from purchasing connected devices.

While there are many factors at play when it comes to consumer trust in connected devices, manufacturers and retailers can achieve significant impact by adopting IoT privacy and security standards. In doing so, trust becomes embedded in the design and sale of IoT devices; consumers can more confidently buy and enjoy safer IoT devices; and manufacturers and retailers can further differentiate as leading brands that proactively protect consumers’ best interests.

The Internet Society and Consumers International have been working together, and with other partners, to provide resources to support manufacturers and retailers in the adoption of IoT privacy and security standards.

If you are a manufacturer or retailer interested in learning more, you can find more information from the Internet Society on their Trust by Design initiative, or from Consumers International for a number of IoT guidelines and checklists.

The survey conducted by Ipsos Mori can be found in the Annex of the PDF version of this report (pages 16-17).

All infographics are available here


Notes

[1] Please note, security concerns were as strong a deterrent as the price of a device in all markets except Japan.

[2] As the results are based upon direct questions about risk and concern about IoT products, it must be factored in that we cannot determine to which extent these concerns are always top of mind – but when prompted there was widespread concern about security and privacy.

[3] See for example our Norwegian and Belgian members’ activity:
https://www.forbrukerradet.no/side/significant-security-flaws-in-smartwatches-for-children/
https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws/
https://www.test-aankoop.be/action/pers%20informatie/persberichten/2018/hackable-home
https://www.consumerreports.org/televisions/samsung-roku-smart-tvs-vulnerable-to-hacking-consumer-reports-finds/

[4] By prompting the respondents on what we mean by connected devices, we assure consistency and alignment on understanding, and thus ability to infer and generalize across markets. Translations of the original questionnaire was made to French (both Canadian and French version) and Japanese. Local proofing has been employed to ensure consistency in local differences, such as ‘creepy’, “concern”, “risk” and examples of connected devices.

[5] Translations of the original questionnaire was made to French (both Canadian and French version) and Japanese. Local proofing has been employed to ensure consistency in local differences, such as ‘creepy’, ‘concern’, ‘risk’ and examples of connected devices.

[6] ISO/PC 317 https://www.iso.org/committee/6935430.html

[7] G20 Digital Economy Ministerial Declaration http://www.g20.utoronto.ca/2018/2018-08-24-digital.html

‹ Back

Related articles

The Internet Society Survey on Policy Issues in Asia-Pacific 2018
Internet of Things (IoT)15 November 2018

The Internet Society Survey on Policy Issues in Asia-Pacific 2018

This year’s survey focuses on the security and privacy of the Internet of Things (IoT)—the rapidly expanding network of devices, physical objects, services and applications that communicate over the Internet.

IoT Trust by Design
Resource22 May 2018

IoT Trust by Design

IoT Trust Framework identifies the core requirements manufacturers, service providers, distributors/purchasers and policymakers need to understand, assess and embrace for effective security and privacy as part of the Internet of Things.

OTA Calls IoT Cyberattacks “Shot Across the Bow”
Internet of Things (IoT)5 January 2017

OTA Calls IoT Cyberattacks “Shot Across the Bow”

Coalition Releases Connected Device Requirements Global support for OTA's security and privacy framework, integrates efforts of DHS, FCC, FTC, the...

Join the conversation with Internet Society members around the world