Design guidelines for makers of home connected devices to build trust in users


Capstone Project for

My capstone project team at Carnegie Mellon University worked with Google to tackle rising privacy concerns around home connected devices. For 7 months, we analyzed the problem space and prototyped physical and software interaction techniques. The insights resulted in design guidelines for makers of home connected devices — signifiers.io.


My Role
UX Designer and Prototyper

Project Type
IoT Prototyping / 7 months

Deliverables
signifiers.io, Research Booklet, Design Booklet, Presentations at Google

Teammates
Saba Kazi, Omead Kohanteb, Owen Tong, Heidi Yang

Privacy as an Afterthought

To give us benefits, sensors in connected devices are always watching, listening, and learning about who we are. With benefits come privacy risks — often not considered until privacy has been violated.

A smart TV captures the user’s movements and living room conversations even when they are not commands.

A smart bed keeps track of sleep schedules and biometrics data that are personal to the user.

A smart mirror, placed in a bathroom, transmits the user’s visual data in that private space.

User Research Insights

Designing for Trust

Matching Mental Models

How a device works should match the user’s mental model — their expectations of how a device would work. A mismatch leads to distrust.

Control through Kill Switches

A kill switch such as a lens cap on a camera or going offline gives users absolute control of the device’s data collection capabilities.

Contextual Privacy Settings

A device should control its sensors’ data collection based on context, e.g., an indoor security camera should be turned off when the owner gets home.

Exploratory Research Process

Investigating the Sensor Privacy Landscape

Given the breadth of the privacy landscape, we employed a diverse array of research methods to explore the space. Below are the research methods we performed. More information on our research process can be found in the research booklet.

signifiers.io are guidelines for makers of connected devices. The guidelines feature how to integrate feedback and control mechanisms when designing devices. The recommendations are based on principles around mental models, kill switches, and contextual information.

signifiers.io Site Overview

Organization
1. Categories by sensor modality and usage context
2. Top nav for quick navigation
3. List of do’s, don’ts, and consider’s

Content
4. Short and actionable recommendations
5. In-depth justifications
6. Pictures and videos as examples

Guideline Example: Mental Model

Do not remove an LED that indicates a camera’s recording status

An LED is a common medium used to indicate the recording status of a camera, particularly important when screen feedback is not available. When the LED is removed, users may not be able to confidently tell if the camera is recording.

When we removed the LED, some participants were unsure whether the camera was recording when the shutter was open.

When the LED was already on as the camera popped up, participants were unsure if the camera was recording even when it was inside the TV compartment.

Guideline Example: Control

If the device passively listens, include a button on the device to turn off the passive listening.

Having a device passively listening in the home is still a very foreign concept to many users. Even if the device does not store any of the audio data it is passively listening to, users need to be able to stop the passive listening effortlessly.

On / off button on a voice-controlled device

Guideline Example: Context

Home monitoring devices …

While the same people use bathrooms most of the time, in general, they do have a higher chance of being used by guests. Because of this, it should be easy for the user to hide or make private any data that is collected by these devices that they may not want guests to see.

Smart door lock shows the users…

Guideline Example

Use the pop-up or pop-out technique for a device that is usually in a peripheral view of the user

The pop-up or pop-out technique causes changes in the physical form of a device, making it noticeable and unambiguous when the device is sensing data.

In our tests of the voice-controlled device and TV, the movement brought the participants’ attention to the device and participants immediately understood what they were doing.

Pop-up technique on a voice controlled home assistant

Pop-out technique on a TV

Don’t trigger moving parts or verbal auditory feedback without explicit user input.

Don’t use feedback that could make your device feel life-like on a device that needs to provide feedback to an implicit user input, like motion sensing. Having a device move or make a noise without the user telling it to do so can be startling for the user.

Justification

When participants approached some of our prototypes of the mirror, a camera popped up or the mirror started talking to the participant. Many participants found these actions, which were triggered without their explicit input, to be “alerting”, “unfriendly”, and “startling”.

Research & Design Process

Physical Prototypes in a Simulated Home

This section explains our research and design process. We iterated on one round of lo-fi prototypes and two rounds of hi-fi prototypes. More information is available in the research booklet and the design booklet.


Exploratory Research

Given the breadth of the privacy landscape, we employed a diverse array of research methods to explore the space. Below are the research methods we performed.

5 Diary Study Runs
6 Expert Interviews
8 Participatory Design
8 Speed Dating Sessions
10 Sci-Fi Movies
36 Research Papers
81 Survey Participants
300+ Articles and Videos

In addition to surveys and online sources, we conducted in-person research sessions to gain a deeper understanding of the landscape.

After the research sessions, we affinity diagrammed findings to find patterns and derive insights.

We discussed insights and ideated on possible solutions for the project.


Lo-Fi Prototypes & Testing

We molded simple clay prototypes to communicate different feedback and control methods. We tested them alongside 16 different connected devices to see which methods were most appropriate in the context of each device.

Clay models of feedback and control mechanisms for sensors such as visual, audio, touch, and motion.

We asked participants to select their preferred prototypes for different devices and to explain the rationale behind their choices.

For a smart mirror, the participant chose red/yellow/green lights for the status of data transfer since they resemble traffic lights and are easily understood.


Hi-Fi Prototypes & Testing

We created device prototypes out of foamcore and Arduinos and tested them in a simulated home setting. We built a total of 44 unbranded, generic devices over two one-week periods.

TV

Mirror

Voice-controlled home device

Thermostat

Security camera

Toilet

Door lock

Bed

Design Techniques

We employed design techniques such as anthropomorphism and skeuomorphism as our inspirations. Examples of anthropomorphic design include lights that simulate breathing patterns or compartments that pop out when the device hears a trigger word, while skeuomorphic design is represented through a lens cap and a peephole.

Voice-controlled assistant prototypes: [front] lights that “breathe” when the device is passively listening, then pulse faster and brighter after the trigger word; [left] same as [front] with a microphone on/off button; [right] a cylinder in the middle pops up after the trigger word

Inside the voice-controlled home assistant prototypes

We created prototypes out of chipboard, foam core, Arduino boards, LEDs, remote-operated tea lights, a toilet, buttons, an inflatable bed, iPhones, and a lot of hot glue.

Testing in a Simulated Home

We tested the prototypes in a simulated home with a sleeping area, a living area, a bathroom, and an entry way. We assessed our prototypes based on 1) noticeability, 2) ease of understanding, 3) confidence in understanding, and 4) clarity on when the device is recording data.

A timelapse video of a testing session in our simulated home

A participant interacting with a connected mirror, which scans and records skin data.

The online survey, designed to reflect our in-house testing protocols.

Project Outcome

To spread knowledge on privacy in connected devices, our project sponsors and we agreed that the guidelines should be shared under the Creative Commons license. Areas that can be further explored include connectedness among devices, tertiary users, and accessibility.

Project presentation at Google in Mountain View