Chapter 15 Quiz: Smart Devices and the Internet of Things

Select the best answer for each multiple-choice question. Short-answer questions require a written response of 2–4 sentences.

1. In consumer technology marketing, the word "smart" primarily signals that a device is:

A) More intelligent or capable than comparable non-smart devices B) Connected to the internet and designed to collect and transmit behavioral data C) Manufactured to the highest quality standards in its category D) Compatible with voice assistant commands and automation systems

2. Automatic Content Recognition (ACR) in smart TVs works by:

A) Reading metadata tags embedded in broadcast or streaming content signals B) Periodically capturing still images of what is on screen, generating fingerprints, and matching them against a content database C) Requiring streaming services to report what content users are watching D) Using audio recognition to identify programming by its soundtrack

3. The Amazon Echo's "always-on" microphone creates a privacy concern primarily because:

A) Amazon uses the recorded conversations for targeted advertising on other platforms B) The device must continuously monitor audio to detect the wake word, meaning it may record and transmit audio during false activations or before users intend it to activate C) The device stores all audio recordings permanently with no deletion option D) The microphone is always recording regardless of whether a wake word is detected

4. The 2017 Vizio FTC settlement ($2.2 million) was primarily related to:

A) Vizio sharing user viewing data with foreign government agencies B) Inadequate disclosure and consent around Vizio's collection of smart TV viewing data through ACR C) A data breach in which Vizio's customer financial information was stolen D) Vizio's failure to secure its smart TVs against cybersecurity vulnerabilities

5. "Telematics" in the context of auto insurance refers to:

A) Remote diagnostics that allow mechanics to identify vehicle problems without physical inspection B) The use of connected vehicle data — including location, speed, and driving behavior — for insurance pricing and monitoring C) The satellite communication systems used by commercial vehicle fleets D) The GPS navigation systems built into modern automobiles

6. The Mozilla Foundation's 2023 investigation of automobile brands found that:

A) Most automobile manufacturers had strong privacy practices that exceeded regulatory requirements B) All 25 brands tested failed minimum privacy standards, with most collecting extensive data beyond vehicle operation and sharing or selling it to third parties C) Electric vehicles posed significantly greater privacy risks than conventional vehicles D) Connected vehicle privacy practices were well-governed by existing NHTSA regulations

7. Which of the following is NOT typically collected by modern wearable fitness devices like Apple Watch or Fitbit?

A) Heart rate and heart rate variability B) Sleep duration and sleep stages C) Full GPS location history during outdoor activities D) Blood test results and laboratory biomarkers

8. HIPAA (Health Insurance Portability and Accountability Act) does NOT cover wearable health device data collected by companies like Fitbit or Apple because:

A) Wearable devices collect fitness data rather than medical data B) HIPAA only applies to data collected in the U.S. healthcare system C) HIPAA governs data held by healthcare providers and health plans — companies like Fitbit and Apple are neither, so HIPAA's protections do not apply to their data D) Wearable data is covered by HIPAA but enforcement is handled by the FTC rather than HHS

9. The 2016 Mirai botnet attack succeeded primarily because:

A) Mirai exploited a sophisticated zero-day vulnerability in consumer IoT firmware B) IoT device owners had never changed factory-default usernames and passwords, allowing the botnet to recruit devices using publicly known default credentials C) IoT devices lacked security certificate validation, allowing the botnet to impersonate legitimate servers D) Internet service providers failed to block the botnet's command-and-control traffic

10. When a household member installs an Amazon Echo in a shared living space, which of the following best describes the consent situation for other household members?

A) They implicitly consent by continuing to live in the shared space with the device B) They have not consented and have limited practical options to meaningfully opt out of the device's monitoring C) Their consent is obtained through the device owner's consent, which extends to the shared space D) Amazon's terms of service require the device owner to obtain consent from all household members

11. The chapter's discussion of smart home data and insurance pricing illustrates which concept from earlier chapters?

A) Panopticism — the awareness of potential observation modifies behavior B) Visibility asymmetry — one party (the insurer) gains data about another (the insured) who lacks equivalent visibility C) Synopticism — many insurers simultaneously observing many insured individuals D) Dataveillance — the systematic tracking of behavioral patterns in aggregate

12. Automatic Content Recognition (ACR) captures viewing data for which category of content?

A) Only content delivered through the smart TV's own apps and platform B) Only content from paid streaming subscriptions C) Whatever appears on screen — including broadcast TV, cable, streaming services, gaming consoles, and Blu-ray players D) Only content from platforms that have licensing agreements with the ACR technology provider

13. General Motors' OnStar platform was found to have sold driving behavioral data to LexisNexis and Verisk Analytics. This is an example of which concept from Chapter 5?

A) Panopticism B) Social sorting C) Function creep — data collected for one purpose (vehicle connectivity/emergency services) used for a substantially different purpose (insurance risk data brokerage) D) Chilling effect

14. The IoT consent problem in shared spaces is described as "structural" in the chapter. This means:

A) The consent problem is too complex to be solved by any single technological solution B) Individual consent agreements cannot capture the reality that IoT devices affect all people in a physical space, not just the person who purchases or installs them C) Structural racism in IoT design creates consent problems for communities of color D) The consent problem is inherent in the physical structure of IoT devices

15. Research on smart speaker "false activations" found that:

A) False activations are extremely rare — occurring less than once per month on well-designed devices B) All major smart speaker brands activated without their intended wake word at measurable rates, potentially recording and transmitting ambient conversation C) False activations only occur in high-noise environments, not in quiet homes D) False activations are immediately flagged and automatically deleted by the device manufacturer

16. The EU's proposed Data Act (2022) would give vehicle drivers which right that current U.S. law does not provide?

A) The right to receive compensation for the commercial use of their driving data B) The right to access the data their vehicles generate C) The right to have all driving data deleted after 30 days D) The right to sue automobile manufacturers for data breaches in EU courts

17. Jordan's warehouse IoT scanner shares which structural feature with the consumer IoT devices described in the chapter?

A) Both operate in domestic spaces protected by the Fourth Amendment's "reasonable expectation of privacy" B) Both involve data generated by physical movement that is collected by a third party, analyzed algorithmically, and used to make decisions about the person without their full visibility into the process C) Both require explicit consent under the California Consumer Privacy Act D) Both collect data that flows to the same advertising networks described in Chapters 11–14

18. Short Answer: The chapter describes the IoT consent problem as "structural" — meaning that bilateral individual consent models are inadequate for surveillance architecture that affects everyone in a shared space. Using two specific examples from the chapter (shared home, rental property, automobile, workplace, or other shared IoT context), explain why the bilateral consent model fails and describe what a more adequate consent framework might require.

[Answer space — 150–250 words]

Answer Key

  1. B
  2. B
  3. B
  4. B
  5. B
  6. B
  7. D
  8. C
  9. B
  10. B
  11. B
  12. C
  13. C
  14. B
  15. B
  16. B
  17. B
  18. Rubric: Full credit requires (1) accurate explanation of why bilateral consent models fail in shared IoT contexts — they assume a two-party relationship between a device owner and a service provider, but IoT in shared spaces affects non-parties who have not consented; (2) two specific, accurate examples illustrating the structural problem (e.g., always-on speaker affecting all household members; landlord-installed thermostat affecting tenants; connected car monitoring all passengers); (3) a substantive proposal for what an adequate framework would require. Strong answers will draw on the concept of "environmental consent" mentioned in the chapter — disclosure requirements for IoT monitoring in shared spaces regardless of the device owner's commercial relationship with the monitored persons — and will note the power asymmetry issues (landlord/tenant, employer/employee) that compound the consent problem. Partial credit for accurate examples without a framework proposal.

Chapter 15 | Part 3: Commercial Surveillance