Date of Award


Document Type


Degree Name

Doctor of Philosophy (PhD)


Computer Engineering and Sciences

First Advisor

Terrence O’Connor

Second Advisor

Munevver Mine Subasi

Third Advisor

Veton Kepuska

Fourth Advisor

Bernard Parenteau


Privacy issues have plagued the rapid proliferation of the Internet of Things (IoT) devices. Resource-constrained IoT devices often obscure transparency for end-users. A lack of transparency and control complicates user trust in IoT. Additionally, a growing history of misuse and abuse exists in IoT. Notably, a smart TV has periodically scanned and collected users’ private information without consent, while power companies have adjusted the temperature of smart thermostats during heat waves. Due to a hybrid of distributed ecosystems within IoT, users cannot easily implement traditional access control over their devices as data flows within different nodes for storage and processing. A misunderstanding of IoT privacy issues and growing privacy fatigue by consumers further complicate this problem. The usability of privacy-preserving mechanisms and tools offers promise but relies on accurately capturing privacy preferences. In this dissertation, we demonstrate how we tackled the aforementioned challenges through understanding users’ privacy choices and providing the necessary means to help them enforce their privacy. First, we replicate a previous study to examine users’ privacy expectations and preferences for IoT devices. We specifically focus our effort on examining users’ feelings regarding their data collection in an IoT-based environment. Our work analyzes different contributing factors that impact users’ privacy decisions about data collection. Our analysis supports previous work that has argued users’ perceived benefit is an essential factor and motivating favor. In contrast to the previous study, we identified the workplace has now morphed into a sensitive location where users are uncomfortable sharing their private information. Second, we propose MQTT-based Privacy Orchestrator (MPO) to implement traditional access control on IoT devices. MPOenforces privacy preferences by implementing access control at an MQTT broker. Through MPO implementation, we demonstrate a practical and scalable solution to facilitate users’ privacy preferences and enforce access control for MQTT-based devices. Third, we examine the usability of MPO to ensure that users have a usable tool they can utilize to enforce their privacy choices. We analyze MPO’s ability to mitigate the privacy fatigue phenomenon.


Copyright held by author