Chapter 15 Exercises: Smart Devices and the Internet of Things
Exercise 15.1 — The IoT Audit (Individual, 45–60 minutes)
Purpose: Map the actual IoT surveillance devices in your own living environment.
Instructions:
Step 1: Walk through every room of your home (or your dormitory, apartment, or other primary residence) and identify every device that is connected to the internet or has wireless communication capability. Include:
- Smartphones, tablets, laptops (yes, these count)
- Smart speakers or voice assistants
- Smart TVs or streaming sticks
- Smart thermostats, locks, doorbells, or security cameras
- Game consoles
- Smart appliances (refrigerator, washing machine, etc.)
- Wearables (smartwatches, fitness trackers)
- Any connected health devices (blood pressure monitors, glucose monitors)
- Any devices you're uncertain about
Step 2: For each device, attempt to determine:
- What data does it collect?
- Who receives that data (the manufacturer, third parties)?
- Is the data used for any purpose beyond the device's primary function?
- Is there a privacy policy covering this device? Can you find it?
Step 3: Count the total number of data-collecting devices in your living space. If you live with others, estimate how many of those devices were purchased by someone else in the household (meaning you are subject to their surveillance decisions).
Reflection Questions:
a. How many connected devices did you find? Does the number surprise you?
b. For which devices were you able to identify clear data collection practices? For which were the practices unclear or undisclosed?
c. Which devices in your space were not your decision to install? How does this change your experience of being surveilled in your own home?
Exercise 15.2 — Smart TV ACR Investigation (Individual or Pairs, 60–90 minutes)
Purpose: Understand whether your smart TV is using ACR and what options are available to disable it.
Instructions:
Step 1: If you have access to a smart TV (in your home, dorm common room, or classroom), identify the brand and model.
Step 2: Research whether this TV uses ACR technology. Common ACR implementations by brand:
- Samsung: "Viewing Information Services" (formerly "SyncPlus")
- LG: "LivePlus" and "Additional Service Information"
- Vizio: "Viewing Data" (operated by Inscape)
- Sony: "Interactive TV" features
- TCL (Roku TV): Roku's data sharing features
- Other Roku devices: Roku Advertising Features
Step 3: Find the setting to disable ACR on this specific TV. Is it labeled as "ACR"? Or something else (Viewing Data, Interactive Features, etc.)? How many steps does it take to find and disable it?
Step 4: Document the default setting — is ACR enabled or disabled by default on this TV?
Reflection Questions:
a. Was the ACR setting easy to find and understand? Or was it buried in a settings menu with a non-obvious label?
b. The default setting tells you something about the device manufacturer's intentions. What does the default reveal?
c. Even with ACR disabled, the smart TV may still collect other data (app usage, IP address, device information). What data collection remains even after disabling ACR?
Exercise 15.3 — The Insurance Telematics Thought Experiment (Small Groups, 30–45 minutes)
Purpose: Apply ethical frameworks to usage-based insurance and the trade between monitoring and pricing.
Scenario:
Your state has two car insurance options available:
Option A — Standard Insurance: Priced based on demographic and group actuarial data. You pay based on your age, gender, vehicle type, location, and driving record. No behavioral monitoring.
Option B — Telematics Insurance: Priced based on your actual individual driving behavior. Safe, low-mileage drivers pay less; risky, high-mileage drivers pay more. Requires continuous GPS tracking of location, speed, acceleration, and braking patterns, transmitted to the insurer in real-time. Safe drivers could save 20–30%.
Discussion Questions:
- From a purely individual standpoint, who should prefer Option A? Who should prefer Option B? Does the "correct" choice differ by demographic group?
- If most safe drivers choose Option B (attracted by lower premiums), what happens to Option A's risk pool? What does this imply for people who cannot afford smart devices, lack the digital literacy to navigate telematics programs, or who prefer not to be monitored for principled reasons?
- Is the choice between Option A and Option B genuinely free? What makes it more or less free?
- The data collected by telematics insurance — location history, driving behavior — has uses beyond insurance pricing. The chapter describes GM selling driving data to LexisNexis without most customers' knowledge. What additional safeguards would be necessary to make telematics insurance genuinely consent-based?
- Apply the concepts of visibility asymmetry and consent as fiction to the telematics scenario. From a surveillance studies perspective, what is most concerning about how this trade is structured?
Exercise 15.4 — The Shared Space Consent Problem (Group Activity, 45–60 minutes)
Purpose: Apply the consent framework to IoT devices in shared living environments.
Instructions:
Consider the following scenarios. For each, identify:
- Who is surveilled?
- Who consented?
- Who did not consent?
- What mechanisms exist (if any) for non-consenters to protect themselves?
- What changes would be necessary for this situation to be ethically acceptable?
Scenario A: A roommate installs an Amazon Echo in the shared living room. You, the other roommate, did not participate in this decision.
Scenario B: A landlord installs a Nest thermostat in your apartment. The thermostat tracks when the apartment is occupied and transmits this data to the landlord's property management platform.
Scenario C: A parent installs a video baby monitor with cloud connectivity in the nursery. The baby monitor has known default-credential vulnerabilities. A guest staying in the nursery bedroom is unaware of the camera.
Scenario D: An Airbnb host has installed a Ring doorbell (which they disclose) and a connected TV with ACR enabled (which they do not disclose). You are a guest staying for a week.
Scenario E: Your employer installs an Amazon Echo in the break room for employee convenience. Conversations in the break room are recorded by the device.
Group Discussion:
After analyzing all five scenarios, identify the common structural features. What would a legal framework for "environmental consent" in IoT contexts need to include to address all five cases? Is such a framework practical?
Exercise 15.5 — IoT Security Vulnerability Research (Individual, 60–90 minutes)
Purpose: Understand the scale and nature of IoT security vulnerabilities.
Instructions:
Using reputable sources (academic papers, security research publications, FTC reports, CISA advisories), research at least TWO of the following IoT security incidents or vulnerability categories:
- The 2016 Mirai botnet attack and default credential vulnerabilities
- Smart baby monitor security breaches (there are multiple documented cases)
- Ring doorbell camera security incidents and the FBI partnership controversy
- Smart TV security vulnerabilities (research any brand-specific incidents)
- Connected car cybersecurity vulnerabilities (there are documented remote control demonstrations)
- Medical device IoT vulnerabilities (pacemaker, insulin pump remote access research)
- Smart city infrastructure vulnerabilities
For each incident/category, document:
- What vulnerability was exploited?
- What was the impact (who was affected, how)?
- Was the vulnerability disclosed responsibly or discovered in a breach?
- What remediation was possible/offered?
- Who bore the cost of the vulnerability?
Synthesis Question: After reviewing these cases, do you think IoT security problems are primarily technical (engineering failures), economic (manufacturers prioritizing cost over security), regulatory (inadequate legal requirements), or behavioral (users not changing defaults)? Construct an argument for your view, acknowledging competing explanations.
Exercise 15.6 — The Quantified Worker Analysis (Individual Written Assignment, 500–700 words)
Purpose: Apply the IoT surveillance framework to workplace monitoring, connecting Chapter 15 to Jordan's scenario.
Context: Read at least one of the following:
- Shirin Ghaffary, "The Algorithm That Manages Amazon Warehouse Workers Also Fired Them Without Human Review," Vox/Recode, 2019
- Or any recent academic or journalistic account of automated performance management in logistics or warehouse settings.
Writing Prompt:
Jordan's warehouse uses IoT scanners that track physical movement, pace, and productivity. Drawing on both the IoT analysis from Chapter 15 and the broader surveillance framework from earlier chapters, write an essay that addresses:
- Describe what data the warehouse's IoT system collects about Jordan, using the data taxonomy from Chapter 11 (declared, observed, inferred, derived).
- Analyze the power asymmetry in the Jordan/warehouse system. How does the visibility asymmetry manifest? Who can see what, and who cannot?
- Apply the consent framework. Did Jordan consent to this monitoring? Is the consent meaningful?
- Compare the warehouse IoT monitoring to the consumer IoT described in the chapter (smart speakers, connected TVs, wearables). What are the key structural similarities? What are the key differences? Does the workplace context change the ethical analysis?
- Argue for or against the following claim: "Automated performance monitoring in warehouse settings is fundamentally different from a supervisor watching workers, and the difference matters ethically."
Chapter 15 | Part 3: Commercial Surveillance