The enemy within: welcome to the Internet of gaslighting

Posted on Feb 26, 2020 by Glyn Moody

Two and a half years ago, this blog warned about the Internet of “listening, eavesdropping, spying things” that were starting to become more popular. Today, smart speakers are found in many homes, and people seem largely oblivious of the privacy issues. Beyond these obvious spies that many invite into their homes, there are the more subtle ones: the Internet of Things (IoT). The worst are broadcasting details about people’s lives in the clear; but even the best, which encrypt the streams sent out of a house, can reveal surprising details about the activities of those who live there. More recently, Privacy News Online looked at another problem of IoT devices: the fact that they are vulnerable to being hacked. And the more people have of them, the greater chance of one or more devices being turned against users.

As if all those issues weren’t enough, it’s becoming clear there’s another threat. Call it the Internet of gaslighting. The term “gaslighting” is widely used on the Internet nowadays, but goes all the way back to the 1938 play Gas Light and its 1940 and 1944 film adaptations. The story concerns a husband who tries to convince his wife and others that she is mad by manipulating small elements of their daily lives, and insisting that she is mistaken, mis-remembering things, or just delusional when she points out these changes. The play’s title alludes to one way that the abusive husband tries to make his wife doubt her sanity, by slowly dimming the gas lights in their home, while pretending nothing has changed. The more things change, the more they remain the same. In 2018, the New York Times reported on early examples of digital gaslighting:

One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why. Still another told an abuse help line that she kept hearing the doorbell ring, but no one was there.

As the New York Times article explained, these phenomena had a common cause: women’s abusers were controlling Internet-connected devices in homes, using everyday apps on their smartphones. These might be cases of people controlling devices inside their own home in order to abuse their partner. But they might also be committed even after the abuser has left. Too often, the person setting up the device can retain control of it because they know the administrator’s password, and can access the home system across the Internet. This makes spying on the victim easy, for example.

Changing passwords on multiple Internet-connected devices around the house once an abuser has left is probably not a priority for the victim in these circumstances. That’s a real problem, because it means that others can easily take advantage of the situation if they are so minded. Simply putting the burden on those suffering this kind of digital gaslighting is not the solution. What is needed is a new approach from the IoT industry that recognizes the potential problems its products and services might cause in the hands of someone intent on abusing their power.

An article in The Age looking at “technology-facilitated abuse” – what it calls “the darker side of the smart home” – points to the “Safety by Design” (SbD) initiative in Australia, that “places the safety and rights of users at the centre of the design, development and deployment of online products and services”. Although SbD seems mostly aimed at online services, its basic idea extends naturally to the edge of the online world, where Internet of Things devices reside:

SbD seeks to create stronger, healthier and more positive communities online by driving-up standards of user safety. It puts the responsibility for this on online service providers, their developers and engineers. It makes SbD a core business objective – at the very centre of product development.

Translated into the home environment, the SbD philosophy requires developers and engineers to think not just about how people can get the best out of their devices, but how bad actors might re-purpose them to get the worst. Normally, that means stopping hackers from exploiting backdoors and flaws to take control of a device. But the Internet of gaslighting reveals a more subtle danger. There, it is not that devices have been “taken over” by intruders, or that they are being used in ways that were never envisaged. Instead, it is very often the people who set them up that use them to harass their victims, simply by operating them totally in accordance with the user manual. What is different is when they operate them, and for what purpose.

The less-than-legitimate intent of apparently legitimate users is not something that designers give much thought to. In the context of the Internet of Things, which are built to be used in shared domestic spaces, that needs to change. To avoid their products being turned into subtle but effective weapons of harassment, engineers need to think about the way their devices might be misused – and then to come up with some ways to head off, or at least mitigate, those problems.

That’s a new challenge over and above the obvious ones of surveillance or of malware, which are now increasingly recognized. Finding solutions won’t be easy, but it is something the industry needs to address if it wants to ensure that the “smart” home isn’t seen as a cunning, abusive one too. As well as worrying about attacks from the outside world, it also needs to think about the enemy within.

Featured image from Gaslight (1944) Official Trailer.