Physically-intuitive Privacy and Security: A Design Paradigm for Building User Trust in Smart Sensing Environments

Youngwook Do, Yuxi Wu, Gregory D. Abowd, Sauvik Das

Abstract

Sensor-based interactive systems -- e.g., "smart" speakers, webcams, and RFID tags -- allow us to embed computational functionality into physical environments. They also expose users to real and perceived privacy risks: users know that device manufacturers, app developers, and malicious third parties want to collect and monetize their personal data, which fuels their mistrust of these systems even in the presence of privacy and security controls. We propose a new design paradigm, physically-intuitive privacy and security (PIPS), which aims to improve user trust by designing privacy and security controls that provide users with simple, physics-based conceptual models of their operation. PIPS consists of three principles: (1) direct physical manipulation of sensor state; (2) perceptible assurance of sensor state; and (3) intent-aligned sensor (de)activation. We illustrate these principles through three case studies -- Smart Webcam Cover, Powering for Privacy, and On-demand RFID -- each of which has been shown to improve trust relative to existing sensor-based systems.

Paper Structure

This paper contains 36 sections, 3 figures.

Figures (3)

  • Figure 1: Smart Webcam Cover employs automatic covering and manual uncovering for a webcam. (a) When end-users finish a video application, the PDLC (polymer-dispersed liquid crystal) film of Smart Webcam Cover turns opaque automatically, negating the need to remember to block the webcam. (b, c) Uncovering, by contrast, requires end-users to manually press a button on Smart Webcam Cover, which turns the film transparent. Adapted from Do et al. 2021 (do2021smart)
  • Figure 2: Candid Mic is designed to expose the wiring between its power module and its sensing and wireless communication modules. This allows visible power disconnection and connection based on users' intention. (a) End-users open the clamshell casing manually. (b) Candid Mic is then ready to record end-users' voice, as the power module is connected at the hinge. (c, d) Once the voice recording is finished, end-users close the casing, which disconnects the power module at the hinge. The disconnection is physically visible, which provides perceptible assurance that the microphone cannot record unwittingly. Adapted from Do et al. 2023 (do2023powering)
  • Figure 3: On-demand RFID allows end-users to make their RFID tags readable on demand. (a) By default, the antenna of the tag is severed. (b) When end-users intend to use the tag, they press a button that pushes a visible ink stored in the tag across the gap, bridging the severed antenna and making the tag readable. (c) Once they are done using the tag, end-users release the button, which automatically retracts the ink and disconnects the antenna. Adapted from Do et al. 2025 (do2025demand)
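The three case studies share one control-flow asymmetry that the captions describe but do not spell out: software (or the end of a task) may move a sensor toward its private state, but only a physical act by the user moves it toward the sensing state, and what the user perceives is that physical state itself rather than a software-driven indicator. The following model, added here as an illustration and not code from the paper's prototypes, contrasts a conventional software-owned sensor control with a PIPS-style gate. The class names, method names, and the two scenarios are assumptions made for this example; `momentary=True` stands in for the press-and-release behaviour of On-demand RFID, and the blocking-only software path stands in for Smart Webcam Cover's automatic covering.

```python
"""Added illustration (not the authors' code): a software-owned sensor
control beside a PIPS-style gate, showing why the three principles matter.

Constructed model; the class names, methods and scenarios are assumptions
used here for illustration, not anything from the paper's prototypes.
"""
from dataclasses import dataclass, field


@dataclass
class ConventionalSensor:
    """Sensor whose enable flag and status indicator are both owned by
    software. Anything running with the app's privileges can set either."""
    enabled: bool = False
    indicator_on: bool = False  # software-driven LED / on-screen icon

    def set_enabled(self, on: bool) -> None:
        self.enabled = on

    def set_indicator(self, on: bool) -> None:
        self.indicator_on = on

    def sensing(self) -> bool:
        return self.enabled

    def perceived(self) -> bool:
        # What the user sees is a flag, which may have been decoupled above.
        return self.indicator_on


@dataclass
class PipsGate:
    """PIPS-style gate. The physical element (opaque film, severed antenna,
    open hinge) alone decides whether the sensor can sense, and it is also
    what the user perceives, so the two cannot diverge (principle 2).
    momentary=True models On-demand RFID: releasing the press re-blocks."""
    momentary: bool = False
    blocked: bool = True  # physical state; True = cannot sense
    events: list = field(default_factory=list)

    # Software path: may only move toward the private state, e.g. when the
    # video application exits (principle 3, intent-aligned de-activation).
    def software_block(self, reason: str) -> None:
        self.blocked = True
        self.events.append(f"blocked by software: {reason}")

    def software_unblock(self, reason: str) -> None:
        # By construction there is no software path into the sensing state;
        # unblocking needs direct physical manipulation (principle 1).
        self.events.append(f"software unblock refused: {reason}")
        raise PermissionError("unblocking requires a physical act")

    # Physical path: the user acts on the device itself.
    def press(self) -> None:
        self.blocked = False
        self.events.append("physical press: unblocked")

    def release(self) -> None:
        if self.momentary:
            self.blocked = True
            self.events.append("press released: re-blocked")

    def sensing(self) -> bool:
        return not self.blocked

    def perceived(self) -> bool:
        return not self.blocked  # perception is the physical state itself


def compromised_app_scenario():
    """Code with app privileges tries to sense while appearing idle.
    Returns (conv_sensing, conv_perceived, gate_sensing, gate_perceived)."""
    conv = ConventionalSensor()
    conv.set_enabled(True)      # record...
    conv.set_indicator(False)   # ...while the indicator says "off"

    gate = PipsGate()
    gate.press()                               # user starts a call
    gate.software_block("video application exited")  # film goes opaque
    try:
        gate.software_unblock("malware wants the camera back")
    except PermissionError:
        pass                                   # refused; still blocked
    return conv.sensing(), conv.perceived(), gate.sensing(), gate.perceived()


def rfid_tap_scenario():
    """On-demand RFID: readable only for the duration of the press."""
    tag = PipsGate(momentary=True)
    before = tag.sensing()
    tag.press()
    during = tag.sensing()
    tag.release()
    after = tag.sensing()
    return before, during, after
```

The conventional sensor ends the first scenario sensing while its indicator says otherwise; the gate ends it blocked, and its `perceived()` can never disagree with `sensing()` because both read the same physical state. That is the property the case studies rely on for trust: the indicator is not a second piece of software that an attacker could also control.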