On the Principle of Accountability: Challenges for Smart Homes & Cybersecurity

This chapter introduces the Accountability Principle and its role in data protection governance. We focus on what accountability means in the context of cybersecurity management in smart homes, considering the EU General Data Protection Law requirements to secure personal data. This discussion sits against the backdrop of two key new developments in data protection law. Firstly, the law is moving into the home, due to narrowing of the so called household exemption. Concurrently, household occupants may now have legal responsibilities to comply with the GDPR, as they find themselves jointly responsible for compliance, as they are possibly held to determine the means and purposes of data collection with IoT device vendors. As a complex socio-technical space, we consider the interactions between accountability requirements and the competencies of this new class of domestic data controllers (DDCs). Specifically, we consider the value and limitations of edge-based security analytics to manage smart home cybersecurity risks, reviewing a range of prototypes and studies of their use. We also reflect on interpersonal power dynamics in the domestic setting e.g. device control; existing social practices around privacy and security management in smart homes; and usability issues that may hamper DDCs ability to rely on such solutions. We conclude by reflecting on 1) the need for collective security management in homes and 2) the increasingly complex divisions of responsibility in smart homes between device users, account holders, IoT device/software/firmware vendors, and third parties.