Trust TEE?: Exploring the Impact of Trusted Execution Environments on Smart Home Privacy Norms

IoT devices like smart cameras and speakers provide convenience but can collect sensitive information within private spaces. While research has investigated user perception of comfort with information flows originating from these types of devices, little focus has been given to the role of the sensing hardware in influencing these sentiments. Given the proliferation of trusted execution environments (TEEs) across commodity-and server-class devices, we surveyed 1049 American adults using the Contextual Integrity framework to understand how the inclusion of cloud-based TEEs in IoT ecosystems may influence comfort with data collection and use. We find that cloud-based TEEs significantly increase user comfort across information flows. These increases are more pronounced for devices manufactured by smaller companies and show that cloud-based TEEs can bridge the previously-documented gulfs in user trust between small and large companies. Sentiments around consent, bystander data, and indefinite retention are unaffected by the presence of TEEs, indicating the centrality of these norms.


INTRODUCTION
Internet of Things (IoT) devices often sense sensitive details about users and transmit this information to various recipients over the Internet [22,56]. Deployments are estimated to reach 335.3 million smart speakers and 180.7 million cameras by 2027 [10], which shows the flourishing popularity of these devices; they will constitute the largest number of devices in the home [32,34]. Furthermore, device manufacturers often create integration platforms to utilize the sensed information for other services and service providers, making it a complex task to understand the privacy norms of the users.
Several prior works have studied privacy norms and attempted to measure them using contextual integrity (CI) for smart home personal assistants [2,3]. Additionally, there is work that studied commercially available IoT devices used in the home, ranging from speakers, surveillance cameras, fitness tracking bands, and thermostats to door locks and power meters [1,8,9,20,29,39,53,65]. The importance of the CI methodology is that it can be directly adapted to test the conformity of specific information flow exchanges to privacy norms, providing much-needed data to policymakers, device manufacturers, and the research community. This work has showcased the importance of users having access to the sensed data and being notified of changes in data collection practices or information utilization. However, this body of work studies existing commercial hardware and does not examine the privacy norms that may arise with changing technologies.
Trusted Execution Environments (TEEs) are an industry initiative to process and compute over data in a secure part of the processor. TEEs store sensitive information encrypted in memory. Remote attestation is used to assert the integrity of secure processes running on other hardware. These types of features can help establish trust in devices computing over private data. The impacts of cloud-based TEEs on privacy norms for data collection and retention, information utilization, and the requirement for notifications in the context of smart devices have yet to be studied. In this model, IoT-enabled services running in the cloud make use of TEEs to provide assurances to users regarding the confidentiality of data handled by these services. In this work, we leverage a well-established survey methodology based on scenarios generated by varying parameters within the contextual integrity [41] framework to investigate this space.
With our survey, we examine the following research questions: (1) Does the introduction of TEEs in cloud-based IoT information flows within a smart home alter the existing privacy norms? Which of the parameters that describe information flows (i.e., the receiver, the sender, the utilization of data, the type of device used to sense, and the company manufacturing the device) most affect user sentiments about sharing the information under the cloud-based TEE deployment model? (2) Do we observe more confidence in sharing information among users who correctly understand the concepts of TEE?
We conducted a between-subjects survey on Amazon Mechanical Turk (MTurk) [57] with a total of 1049 participants. The first group of 539 participants responded to inquiries about smart home information flows without TEEs, and the remaining 510 participants responded to inquiries about information flows with TEEs. The survey ran in batches over two weeks until we observed a near equal distribution between both groups based on gender, income, and age. The survey cost $1537 and allowed us to query the acceptance of 48 information sharing scenarios from each participant. Our work makes the following contributions: (1) We show that the presence of a cloud-based TEE has a significant influence on user comfort with information flows in the smart home in certain circumstances. These effects can smooth comfort disparities across sensing modalities (i.e., audio vs. video), and are particularly pronounced for devices manufactured by smaller companies. (2) By contrast, we also find certain features of smart home information flows that are unaffected by the presence of cloud-based TEEs, including sentiments around consent, bystander data, and indefinite data retention. This establishes TEEs as one part of the smart home privacy infrastructure, but not a panacea. (3) We provide design implications based upon the changes that we observe under cloud-based TEE information-sharing scenarios. These give device manufacturers, service providers, and policymakers insights into how TEEs may adjust the privacy landscape in smart homes. The rest of the paper is organized as follows. In Section 2, we explain the concepts of TEEs and CI and review the related work. In Section 3, we describe our survey method, followed by the results of the analysis of the survey in Section 4. In Section 5, we discuss the implications of our findings. Finally, we discuss the limitations of our work in Section 6 and conclude in Section 7.

BACKGROUND AND RELATED WORK

TRUSTED EXECUTION ENVIRONMENT
A Trusted Execution Environment (TEE) is a secure area of the processor that guarantees the confidentiality and integrity of code and data [16,46,61]. TEEs establish trust by isolating an application within the hardware, keeping its stack, heap, and code separate from the rest of the processor. This isolated region is called an enclave. ARM TrustZone provides it by splitting the processor into two logical modes: a secure world containing the TEE and a normal world containing the normal OS [43]; because of the split, each world has its own registers and memory. On Intel architectures, isolated enclaves are provided by multiplexing the hardware resources between trusted and untrusted software [27]. TEEs rest on three main concepts: (1) Secure computing: the untrusted world has no access to application secrets (e.g., passwords, secret keys) that exist within an enclave. When invoked, the enclave executes the application code, accessing enclave memory and reading and writing untrusted memory. The enclave exposes a set of entry functions that untrusted software can call to perform certain operations [16]. (2) Secure storage: the TEE clears all enclave data on termination; to persist sensitive data securely across executions, enclave data is stored in untrusted memory after being encrypted with TEE-resident secret keys, and the enclave can decrypt it when required in future invocations [16]. (3) Remote attestation: remote attestation allows a device or user to validate the identity and integrity of a remote enclave. Upon successful validation, the process also establishes a secret key between the device and the enclave, which protects subsequent communication between them [16].
Current work has shown how to utilize these TEE concepts in the IoT ecosystem [42,50]. Other works apply TEE concepts in blockchains to improve the operation of smart contracts [13,51]. We also see TEEs on the mobile platforms of Google [25] and Apple [6], where they store credit cards in mobile wallets and secrets required for authentication.

CONTEXTUAL INTEGRITY
The theory of Contextual Integrity (CI) is a well-established framework for studying privacy norms and expectations [41]. CI defines privacy in terms of the conformity of a given information exchange to contextual information norms [41]. These norms usually come as part of the context, arising from specific settings established by law, policies, common practices, or even social pressures. An information exchange that is misaligned with the norms violates the privacy expectations of the user.
Information flows within the CI framework are described by five parameters: (1) the sender of the information, (2) the subject of the information being transferred, (3) the attribute or information type, (4) the recipient of the information, and (5) the transmission principle, i.e., the condition imposed on the transfer of information from the sender to the recipient [8]. The concept of Contextual Integrity (CI) has been used to elicit expected general privacy norms across online environments [38,52].

CONTEXTUAL INTEGRITY USED IN UNDERSTANDING PRIVACY NORMS IN IOT
Several prior works have utilized the CI framework to explore information sharing scenarios in the IoT context [1-3, 8, 9, 20, 29, 39, 53, 65]. This is usually accomplished through the use of factorial vignette surveys [3,8,9,20,65] or an interview methodology exploring participants' acceptance [1,2,53]. Another approach utilized storyboarding techniques with CI parameters to understand users' privacy norms [29]. The work in [8,9] implemented the CI framework to examine the acceptability of information sharing by IoT devices and toys. They always considered that information from IoT devices could be monitored by the internet service provider (ISP), which was one of the recipients. Furthermore, their focus was on understanding the impacts of the transmission principles of data retention, notification, and data encryption on the information flows for various recipients. The work in [39] first captures privacy preferences in smart homes, such as considering different senders and attributes to recipients, and proposes a machine learning model for predicting personalized privacy preferences for a user. The work in [20] was focused on understanding and evaluating privacy norms with Google My Activity dashboards and later discussed the advantages of a dashboard that helps a user understand their privacy norms. The research in [65] was on understanding users' perception of video analytics, covering applications from tracking (attendance and productivity) and sentiment analysis to health prediction and authentication. The work in [29] concentrated on understanding privacy norms in smart homes together with the mitigation strategies used by the users, and later discussed the most plausible and easiest way for a device manufacturer or service provider to provide that service. The rest of the works [1-3,53] focus on understanding general privacy norms for smart home assistants and the associated data sharing risk perceptions.
The work in [1-3] only covered smart speakers as senders, and [65] used only a video camera. In [8,29,39], the senders were IoT devices ranging from smart speakers, fitness bands, sleep monitors, and thermostats to light bulbs and cameras. The work in [9] used only smart toys with CI for checking COPPA compliance. The work in [20] uses pre-recorded Google activities of devices to enquire about privacy norms. Recently, [14,47] have also used smart home devices with IFTTT applets for CI inquiry.

OUR APPROACH
We generate information-sharing scenarios within the smart home by varying CI parameters, as described in prior works [8,9]. Unlike prior work, our flows also consider the deployment of TEEs within these scenarios. We provide a quantitative analysis of the changes observed in privacy norms and in the parameters describing the context under both with-TEE and without-TEE information flows. Finally, we investigate the impact of a correct understanding of the concepts of TEE on CI parameters and privacy norms.

METHOD
In this section, we describe our survey-based study methodology, which has been adapted from [8]. We will describe the contextual integrity [41] factors included in our analysis, the design of our survey instrument, and our analysis approach. This study was evaluated and approved by our organization's Institutional Review Board (IRB).

SELECTION CI INFORMATION FLOW PARAMETERS
When considering privacy through the lens of the contextual integrity framework, we must consider the subject, sender, and recipient of the data being shared, the type of data being shared, and the transmission principles governing the data sharing practice [41]. In designing the survey instrument to support our inquiries, we made the following choices when parameterizing these dimensions.
• Subject. Throughout our survey, scenarios investigated the collection of data about either the device owner or other occupants within the space. In each of these cases, we asked respondents to act as if they were the owner of the device collecting data when formulating their response.
• Sender. Given their prevalence in the marketplace, our survey focused on data collected and transmitted by two types of senders: smart cameras and smart speakers. Prior work has shown that a device's manufacturing company has significant impacts on user privacy concerns [18,19,31,62]. To this end, we further divided these senders into subgroups based upon the manufacturing company: established companies like Google and Amazon that provide established products (e.g., Ring, Alexa, Nest) and small companies that provide similar devices (e.g., Wyze, Eufy).
• Recipient. Our survey explored data sharing with six types of recipients: Law Enforcement agencies investigating a reported crime, Device Manufacturers who may seek to understand device utilization, Other Devices at Place that may coordinate activities through platforms such as Apple HomeKit or Samsung SmartThings, Recommendation Services that might connect users to offers/services nearby, Health Services that may monitor patient health or coordinate emergency response, and Family Members or Friends.
• Type of Data. In our survey, the type of data collected and sent was purely a function of the device. The use of audio data was investigated in scenarios involving a smart speaker, while the use of video data was investigated in scenarios involving smart cameras.
• Transmission Principles. The contextual integrity framework relies on the concept of transmission principles to specify constraints or conditions on the circumstances surrounding information use. We built upon prior work [8,9,39,65] and investigated the impacts of transmission principles related to notification (e.g., "if you have been notified"), retention (e.g., "if information is not stored", "if information is stored for a duration of 1-3 months", "if the information is stored indefinitely"), and purpose of collection (e.g., "if information is used for maintenance of device/feature", "if the privacy policy mentions the recipient and purpose of sharing").
In line with prior work [8], we build questions for information flows by sampling from this space of contextual integrity parameters. We now describe how our survey instrument investigates these scenarios.

SURVEY DESIGN
To facilitate our study, we created and hosted a survey using the Qualtrics platform [44]. The survey was designed as a between-subjects study, with one group of participants being shown only scenarios that involve the use of cloud-based TEE-enabled sensing platforms (i.e., with TEE), and the other group being shown only scenarios that involve the use of cloud-based commodity (i.e., without TEE) sensing platforms. The survey considered scenarios in which data was sent to a cloud-based infrastructure for processing and feedback. We considered a cloud-based architecture as it is commonly used in smart home applications, particularly where device integration is concerned [7, 26,49]. Potential limitations of this design choice are discussed in Section 6. The survey itself consisted of four sections: consent and overview, an informational video, questions on acceptance of information flows, and post-completion demographic questions.

CONSENT AND OVERVIEW.
Initially, we presented the participants with a consent form approved by our organization's IRB. If the participants did not consent, they were not allowed to participate further in the study. Participants were then shown the survey overview depicted in Appendix F.1, which contains a brief overview of concepts related to IoT devices, device ownership, and differentiation between small and established companies.

INFORMATIVE VIDEO.
For participants in our baseline (without TEE) group, we prepared a short video exploring a sensing/sharing scenario in the context of a commodity (without TEE) sensor. The video explores a scenario in which a connected camera uses a cloud-based facial recognition service to automatically unlock the door of a smart home. The scenario starts with the collection of data by an on-premises camera and its communication to the remote receiver's cloud. The remote receiver maintains a cloud database of authorized faces. Based on the outcome of the face recognition algorithm executed on the remote receiver's processor, an actuation command is sent to the smart home's door. To ensure that we did not influence individual perceptions of IoT technologies in this baseline condition, we followed the practice of prior work [8,9] and described the data items flowing between entities, but did not address specific threats to data security in flight or at rest.
For participants in the TEE group, we prepared an analogous short video that provided a brief overview of TEE functionality and a sensing/sharing scenario in the context of a cloud-based TEE-enabled sensor. In addition to the content of the 'without TEE' video, we showcased the cloud-based TEE model for the same example. Specifically, we first covered the topic of remote attestation in TEE infrastructures, where the client can identify the functionality used by the cloud service and establish a secure channel to send the sensed data (i.e., camera frames). Secondly, we showed how the data sent to the face recognition algorithm is protected from other processes, demonstrating the isolated execution of the TEE. Finally, the concept of sealed storage was introduced to showcase one way that databases can be securely stored and maintained in the cloud. After this video, participants in the TEE group were presented with a brief true/false questionnaire exploring their understanding of basic cloud-based TEE functionality.

CONTEXTUAL INTEGRITY QUESTIONS.
The main section of our survey presented questions about the acceptability of information flows derived from the collection of contextual integrity parameters outlined above. To limit the number of questions asked of any one participant, the sender (i.e., smart camera or smart speaker), company (i.e., large or small), and subject (i.e., the owner or other occupants within the space) were chosen randomly on a per-participant basis and did not vary during the course of the survey. The remaining contextual integrity parameters were then varied over eight questions (1 null + 7 non-null transmission principles) for each recipient, leading to the investigation of 48 transmission flows, i.e., (1 null + 7 non-null transmission principles) × 6 recipients, per participant.
As shown in Figure 1a, we first presented a question matrix with information flows corresponding to data being transmitted to each of the six recipients with an unspecified (null) transmission principle. Each of the remaining six questions focused on a single recipient and explored each transmission principle identified above (cf. Figure 1b). All question matrices used a 5-Point Likert Scale: (2) Extremely acceptable, (1) Somewhat acceptable, (0) Neutral, (-1) Somewhat unacceptable, (-2) Extremely unacceptable. Our survey also included two randomly-inserted attention-check response matrices.

IUIPC AND DEMOGRAPHICS.
The final section of the survey contained the Internet Users' Information Privacy Concerns (IUIPC) scale, as well as a series of demographic questions. We report demographic percentages and IUIPC scores in Appendices D and E. Our respondents were nearly equally divided between male and female users, reflecting expected trends [45]. Furthermore, 15% of our participants have not owned or used IoT devices, which corroborates the trends reported in April 2022 by Statista [5].

SURVEY DEPLOYMENT
We created our survey using the Qualtrics platform [44], and our institution's IRB approved our survey content and participant recruitment process. We recruited participants from Amazon Mechanical Turk (MTurk) [57]. Only workers who met the requirements of a 95% or higher HIT rating, age 18 years or above, and residence in the US were selected to participate in the survey. Respondents were compensated with a $1 payment upon completion of the survey, which took 8 minutes on average. Overall, we collected 1091 unique responses to our survey.

RESPONSE ANALYSIS
We first removed 42 participant responses that had incorrect answers for the attention check questions. This left 1049 unique responses, and each participant gave seven responses for transmission flows. We had 510 and 539 participants in 'with TEE' and 'without TEE' groups, respectively. The distribution of participants between groups and scenarios is shown in Table 1. In total, each participant answered questions about 48 transmission flows.

AVERAGE ACCEPTABILITY SCORES.
In our survey, each participant responded to questions about information flows for all the recipients. To observe the trends in comfort for each recipient, we averaged the acceptability scores of flows categorized by the CI parameters of the group, the sender, the manufacturing company, and the subject across null and non-null transmission principles. For example, we averaged the acceptability scores for each transmission principle by recipient (e.g., law enforcement) and parameters (e.g., group: without TEE, subject: you, manufacturing company: small company, sender: smart speaker). To easily visualize the average scores, we have plotted heatmaps for recipients with and without TEE in the form of CI parameters (the sender, manufacturing company, the subject) by transmission principles.

SIGNIFICANCE TEST.
We divided the information flows into sets of pairs (sender, manufacturing company, and subject) that are independent, which allows us to perform a non-parametric Wilcoxon signed-rank test to measure the effect of non-null transmission principles. To study the impact of presenting the non-null transmission principle, we compare the average acceptability scores between pairs of information flows with the null transmission principle and the non-null transmission principle having the same sender, manufacturing company, and subject. For example, we compared averaged scores for a set of pairs (smart speaker, established company, and you) for Law Enforcement's non-null transmission principle "if you have given consent" against the average scores of Law Enforcement's null transmission principle. We performed 42 tests to find the significant non-null transmission principles for all recipients and set the threshold for significance to 0.05/42 ≈ 0.001 to account for the Bonferroni multiple-testing correction [60].

INDEPENDENCE TEST.
In the survey, the information flows utilize the parameters of sender, manufacturing company, and subject. Each of these parameters had two values, and we wanted to measure the effect of these values on the parameter across all non-null transmission principles and recipients. To study the influence of the values of an individual parameter on the comfort measured for non-null transmission principles and recipients, we performed a Mann-Whitney U test within each group. The test finds the likelihood that one distribution of the average acceptance scores is stochastically greater than the other. For example, the sender has two values, smart speaker and smart camera. The test determines whether the distribution of comfort measured for the non-null transmission principle "if you have been notified" is the same across the smart speaker and the smart camera.

INDEPENDENCE TEST -TEE UNDERSTANDING.
Our survey enquired about the understanding of TEE after the informative video. This led to three groups: Answered Correct (correct responses to all three questions), Answered Wrong (one or more incorrect responses), and Combine (responses to TEE questions not considered). As we had more than two groups and comfort was measured as the average acceptance scores over the transmission principles and recipients, we performed the Kruskal-Wallis test. The test finds the likelihood of there being at least one stochastically dominant group.
For all of the independence tests mentioned, we performed 13 comparisons (six recipients and seven non-null transmission principles). We accounted for this with a Bonferroni-corrected p-value threshold of 0.05/13 ≈ 0.004 [60].
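The scoring and test statistics of Section 3.4, together with the percentage aggregation the results section later builds its bar graph from, as an added worked example (not code from the paper, which does not publish its analysis scripts). It is a dependency-free Python version of the steps; the survey responses, group sizes and the Likert label set below are constructed for illustration, and the 9.42/7.05/17.22/8.61 figures are the ones quoted in the paper.

```python
# Added worked example (not the paper's own code): a pure-Python, no-scipy
# version of the analysis steps in Section 3.4 and the percentage
# aggregation of Section 4.2. All survey responses below are constructed.
from collections import defaultdict
from statistics import mean

# Likert coding used by the survey's question matrices.
LIKERT = {"Extremely acceptable": 2, "Somewhat acceptable": 1, "Neutral": 0,
          "Somewhat unacceptable": -1, "Extremely unacceptable": -2}


def bonferroni_threshold(alpha, n_tests):
    """Per-test significance threshold after Bonferroni correction."""
    return alpha / n_tests


def average_scores(responses):
    """Average acceptability score per CI scenario (Section 3.4.1).

    Each response is a dict with keys group, sender, company, subject,
    recipient, tp (transmission principle) and answer (a Likert label).
    """
    buckets = defaultdict(list)
    for r in responses:
        key = (r["group"], r["sender"], r["company"], r["subject"],
               r["recipient"], r["tp"])
        buckets[key].append(LIKERT[r["answer"]])
    return {key: mean(vals) for key, vals in buckets.items()}


def average_ranks(values):
    """Rank values 1..n; tied values share their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        shared = (i + j + 2) / 2  # positions are 0-based, ranks are 1-based
        for k in range(i, j + 1):
            ranks[order[k]] = shared
        i = j + 1
    return ranks


def wilcoxon_signed_rank(null_scores, tp_scores):
    """Paired statistic (W+, W-) comparing a non-null transmission principle
    against the null principle over the same scenario pairs (Section 3.4.2).
    Zero differences are dropped, as the test requires."""
    diffs = [t - n for n, t in zip(null_scores, tp_scores) if t != n]
    ranks = average_ranks([abs(d) for d in diffs])
    w_plus = sum(r for d, r in zip(diffs, ranks) if d > 0)
    w_minus = sum(r for d, r in zip(diffs, ranks) if d < 0)
    return w_plus, w_minus


def mann_whitney(group_a, group_b):
    """U statistics and mean ranks for two independent groups, e.g. small
    vs. established company (Sections 3.4.3 and 4.3)."""
    ranks = average_ranks(list(group_a) + list(group_b))
    n_a, n_b = len(group_a), len(group_b)
    r_a, r_b = sum(ranks[:n_a]), sum(ranks[n_a:])
    u_a = r_a - n_a * (n_a + 1) / 2
    u_b = r_b - n_b * (n_b + 1) / 2
    return u_a, u_b, r_a / n_a, r_b / n_b


def aggregate_percent_change(per_recipient_changes):
    """Bar-graph value of Section 4.2: the sum of the per-recipient
    percentage changes where a significant difference was observed."""
    return round(sum(per_recipient_changes), 2)


if __name__ == "__main__":
    # Constructed responses: two participants, one scenario, two principles.
    base = dict(group="without TEE", sender="smart speaker",
                company="small company", subject="you",
                recipient="Law Enforcement")
    responses = [
        dict(base, tp="null", answer="Neutral"),
        dict(base, tp="null", answer="Somewhat unacceptable"),
        dict(base, tp="if you have given consent", answer="Somewhat acceptable"),
        dict(base, tp="if you have given consent", answer="Extremely acceptable"),
    ]
    for key, avg in average_scores(responses).items():
        print(key[-1], "->", avg)
    print("Wilcoxon (W+, W-):", wilcoxon_signed_rank([1, 2, 3, 4], [5, 6, 1, 8]))
    print("Mann-Whitney:", mann_whitney([1, 2, 3], [4, 5, 6]))
    print("threshold (42 tests):", round(bonferroni_threshold(0.05, 42), 3))
    # The paper's own figures for "if you are notified" without TEE.
    print("aggregate change:", aggregate_percent_change([9.42, 7.05, 17.22, 8.61]))
```

The functions return the raw statistics and mean ranks; converting W or U to a p-value needs the reference distribution (or a normal approximation with a tie correction), which the paper obtains from a statistics package.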

RESULTS
Our analysis of the survey responses provides insights into how TEEs may influence privacy norms in smart home scenarios. In this section, we describe the results of the analysis procedures described in Section 3.4.

INFLUENCE OF TEES ACROSS MULTI-FACETED INFORMATION FLOWS
We first sought to explore the influence of TEEs in information flows with transmission principles across every combination of sender, manufacturing company, and subject. To evaluate this, we calculated the average acceptability scores for all recipients as discussed in Section 3.4.1. We visualized average acceptability scores as heatmaps, e.g., as shown in Figure 2. Overall, we observed higher comfort (i.e., darker shading) in scenarios involving a TEE. This phenomenon was particularly pronounced in the context of the "if you have given consent" transmission principle. Across the board, the "information is stored indefinitely" transmission principle exhibits the lowest comfort in both with TEE and without TEE scenarios. We observed the highest variation in average acceptance scores for the Law Enforcement recipient scenarios (cf. Figure 2), with the TEE scenarios exhibiting markedly higher comfort levels than the without TEE scenarios. This trend is even reflected in the context of the "null" transmission principle, which does not specify constraints on consent, data use, or data retention. By contrast, the lowest variation in average acceptance scores occurred in scenarios involving Other Devices within the space (cf. Figure 8 in Appendix C). This likely results from device owners holding a baseline level of trust in the devices that they purchase and deploy within their homes.
All other scenarios exhibited variations on the spectrum between the extremes of Law Enforcement and Other Devices. Across each scenario and transmission principle, we observed that TEE cases registered higher average comfort scores than the without TEE cases. The notable exception is the "information is stored indefinitely" transmission principle, which remained consistent across the TEE and without TEE use cases.

INFLUENCE OF TEE ON COMFORT WITH TRANSMISSION PRINCIPLES ACROSS SCENARIOS
We evaluate the effect of the non-null transmission principles in the information flows. We treat user comfort as a function of transmission principle, as shown in Figure 2. We carried out a within-subjects analysis and used the Wilcoxon signed-rank test, as described in Section 3.4.2, to compare the change in effect from the null transmission principle to each non-null transmission principle within each group. In the case of without TEE information flows, we found significant differences across pairs of average acceptance scores between null and non-null transmission principles, and we report them in Table 6 of Appendix A. For each pair with a significant difference, we calculated the percentage change using the average scores of the recipient's null transmission principle and non-null transmission principle.
To easily display the percentage change from the null transmission principle, we have plotted a percentage bar graph (cf. Figure 3). The percentage indicates the aggregate difference across all relevant scenarios where we observed significant differences. For example, comparing the transmission principle "if you are notified" against the null transmission principle in the without TEE case, we saw differences of 9.42% for the Law Enforcement recipient, 7.05% for the Device Manufacturer recipient, 17.22% for the Health Services recipient and 8.61% for the Family Members/Friends recipient, the sum of which is 42.3%. We followed the same procedure to calculate the percentage change for the pairs with significant differences observed in the with TEE information flows.
We observe that the transmission principle "if you have given consent" changes from the null transmission principle in nearly the same way for both with TEE and without TEE information flows: the percentage change is 71.6% for information flows without TEE and 71.5% with TEE. The transmission principle "if you are notified" provides a larger gain in comfort for information flows without TEE, where the percentage change is 42.3%, whereas for information flows with TEE it alters comfort by only 17.27%. The participants in the TEE group already report higher comfort for information flows under the null transmission principle, which results in a smaller change in comfort for the "if you are notified" transmission principle. For the transmission principle "if information is used for maintenance of device/feature", the percentage change is 37.03% for information flows without TEE and 30.48% with TEE; the TEE participants again start from higher comfort under the null transmission principle, so we again observe a smaller alteration of comfort. For the transmission principles describing data retention policies, "if information is not stored" and "if information is stored for 1-3 months", we observe that the information flows with TEE have higher comfort. We observe a significantly lower acceptance for the transmission principle "if information is stored indefinitely": the change is -70.1% for information flows with TEE and -47.12% without TEE. Again, the comfort for the null transmission principle is higher with TEE, but the acceptance scores for indefinite storage are in a similar range to those of the without TEE information flows.
Lastly, we observe a similar change in comfort for the transmission principle "if privacy policy mentions recipient and the purpose of sharing": the change is 52.16% for information flows without TEE and 56.5% for information flows with TEE.

INFLUENCE OF TEES ON TRUST IN DEVICE'S MANUFACTURING COMPANY
Here we seek to explore whether the presence of a TEE significantly impacts user comfort with information flows in smart home scenarios. More specifically, we investigate user comfort as a function of data recipient (averaged over all transmission principles), as well as comfort as a function of transmission principle (averaged over all recipients). In both cases, we carried out a within-subjects analysis split between information flows transmitted by a device manufactured by a small company vs. an established company. To conduct our analysis, we used the Mann-Whitney U test, as described in Section 3.4.3.
In the case of without TEE information flows, 278 participants answered questions about information flows transmitted by devices manufactured by small companies vs. 261 participants for devices manufactured by established companies. We found significant differences in comfort as described in Table 2. Specifically, we observed a significant difference in the transmission principle "if information is stored indefinitely" with a − of 0.003. Additionally, we have plotted a percent sum graph to observe the distribution of the scores between the small and established companies (cf. Figure 4a), where we also see the mean rank for the distribution for a devices manufactured by established companies is higher (284.98) than for small companies (255.94). Similarly, we saw significant differences in comfort for the recipients Law Enforcement ( − of 0.0035) and Health Services ( − of 0.0041). In comparison to the small companies, the spread and average acceptance scores were higher for the established companies in each of the significant differences observed. We did not observe any significant differences for other transmission principles or recipients in the without TEE group.
The TEE group had 264 participants who answered questions about information flows transmitted by devices manufactured by small companies vs. 246 participants for devices manufactured by established companies. In contrast to the without TEE case, we did not see any significant differences in user comfort with information flows as a function of either recipient or transmission principle between the small company and established company device groups. This is reflected in Figure 4b ("if information is stored indefinitely"). The spread and average acceptance scores were nearly the same between small and established companies for all transmission principles and recipients.
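The comparison procedure used throughout these sections (average each participant's acceptance scores over recipients, split participants into two groups, run a two-sided Mann-Whitney U test, and report mean ranks and the percent sum distribution) can be reproduced on constructed data. The following Python block is an added example written for this page; it is not the paper's analysis code. It assumes a 5-point acceptance scale from -2 to +2, uses the p ≤ 0.004 significance threshold reported in the paper's tables, and the participant scores in the demo are constructed (the five recipient names are taken from those mentioned in this section).

```python
"""Added example: Mann-Whitney U comparison of average acceptance scores.

Assumptions (not from the paper): acceptance scores use a 5-point scale from
-2 (completely unacceptable) to +2 (completely acceptable); all participant
data below are constructed for illustration.
"""
import math
from collections import Counter
from typing import Dict, List, Sequence

ALPHA = 0.004                # significance threshold used in the paper's tables
SCALE = (-2, -1, 0, 1, 2)    # assumed acceptance scale


def average_ranks(values: Sequence[float]) -> List[float]:
    """Rank values 1..n; tied values share the average of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        shared = ((i + 1) + (j + 1)) / 2.0   # 1-based positions i+1 .. j+1
        for k in range(i, j + 1):
            ranks[order[k]] = shared
        i = j + 1
    return ranks


def mann_whitney_u(a: Sequence[float], b: Sequence[float]) -> Dict[str, float]:
    """Two-sided Mann-Whitney U test between two independent samples.

    Uses the normal approximation with a tie correction and no continuity
    correction, which is adequate for group sizes like those in the survey.
    """
    n1, n2 = len(a), len(b)
    n = n1 + n2
    pooled = list(a) + list(b)
    ranks = average_ranks(pooled)
    r1, r2 = sum(ranks[:n1]), sum(ranks[n1:])
    u1 = r1 - n1 * (n1 + 1) / 2.0
    u2 = r2 - n2 * (n2 + 1) / 2.0          # u1 + u2 == n1 * n2
    u = min(u1, u2)
    ties = sum(t ** 3 - t for t in Counter(pooled).values())
    sigma = math.sqrt(n1 * n2 / 12.0 * ((n + 1) - ties / (n * (n - 1))))
    if sigma == 0.0:                         # every score identical: no evidence
        p = 1.0
    else:
        z = (u - n1 * n2 / 2.0) / sigma
        p = math.erfc(abs(z) / math.sqrt(2))  # two-sided tail probability
    return {"U": u, "mean_rank_a": r1 / n1, "mean_rank_b": r2 / n2, "p_value": p}


def percent_sum(scores: Sequence[int]) -> Dict[int, float]:
    """Share (in %) of responses at each scale point: the data behind a percent sum graph."""
    counts = Counter(scores)
    return {s: 100.0 * counts.get(s, 0) / len(scores) for s in SCALE}


def compare_groups(group_a: Sequence[Sequence[int]],
                   group_b: Sequence[Sequence[int]]) -> Dict[str, object]:
    """Average each participant's scores over recipients, then test group A vs. group B."""
    avg_a = [sum(p) / len(p) for p in group_a]
    avg_b = [sum(p) / len(p) for p in group_b]
    stats = mann_whitney_u(avg_a, avg_b)
    return {**stats, "significant": stats["p_value"] <= ALPHA}


if __name__ == "__main__":
    # Constructed data: each inner list holds one participant's scores for the
    # five recipients below under a single transmission principle.
    RECIPIENTS = ["Law Enforcement", "Health Services", "Device Manufacturers",
                  "Other Devices at Place", "Recommendation Services"]
    small_company = [[0, 1, -1, -2, 0], [-1, 0, 0, -1, 1], [1, 1, 0, -1, 0],
                     [-2, -1, -1, -2, -1], [0, 0, 1, -1, 0], [-1, 1, 0, 0, -1]]
    established = [[1, 2, 1, 0, 1], [0, 1, 1, 0, 2], [2, 2, 1, 1, 1],
                   [1, 1, 0, 0, 1], [0, 2, 2, 1, 1], [1, 1, 1, -1, 2]]
    res = compare_groups(small_company, established)
    print(f"U={res['U']:.1f}  mean rank small={res['mean_rank_a']:.2f}  "
          f"established={res['mean_rank_b']:.2f}  p={res['p_value']:.4f}  "
          f"significant at {ALPHA}: {res['significant']}")
    for name, col in zip(RECIPIENTS, zip(*established)):
        print(f"{name:24s} percent sum {percent_sum(col)}")
```

The p-value comes from the normal approximation without a continuity correction; `scipy.stats.mannwhitneyu` applies one by default, so its values will differ slightly for small samples. The mean ranks are the quantities the paper reports alongside the percent sum graphs, and `percent_sum` yields the per-scale-point shares that such a graph stacks.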

IMPACT OF TEES ON COMFORT RATINGS BY THE DEVICE TYPE
The survey had two types of devices, smart speaker and smart camera, and we were interested in examining the changes in users' comfort with smart home information flows based on the device's sensing modality. Similar to Section 4.3, we investigate user comfort as a function of data recipient, as well as comfort as a function of transmission principle. In both cases, we carried out a within-subject analysis split between information flows transmitted by a smart speaker (audio) vs. a smart camera (video). To conduct our analysis, we again used the Mann-Whitney U test, as described in Section 3.4.3.
Figure 4: Distribution of average acceptance scores as a percent sum graph between small company and established company for the transmission principle "if information is stored indefinitely". In Figure 4a, the information flow without TEE shows a distribution of scores inclined towards the established company, and in Figure 4b the distribution of scores is nearly the same between the device's manufacturing companies when the information flow involves a TEE.
In the case of information flows without TEE, 259 participants answered questions about information flows transmitted by a smart speaker vs. 280 participants for a smart camera. We found significant differences in comfort as described in Table 3. Specifically, we observed a significant difference for the transmission principle "if information used for maintenance of device/feature" with a p-value of 0.0039. Additionally, we plotted a percent sum graph to observe the distribution of scores between smart speaker and smart camera (cf. Figure 5a), where we also see that the mean rank of the distribution for the smart speaker is higher (289.26) than for the smart camera (252.18). Similarly, we saw significant differences in comfort for the transmission principle "if privacy policy mentions the recipient and the purpose of sharing" (p-value of 0.0017) and for the recipients Law Enforcement (p-value of 0.0024), Device Manufacturers (p-value of 0.0029), Other Devices at Place (p-value of 0.0031) and Recommendation Services (p-value of 0.0024). In comparison to the smart camera, the spread and average acceptance scores were higher for the smart speaker in each of the significant differences observed. We did not observe any significant differences for other transmission principles or recipients in the without TEE group.
The TEE group had 249 participants who answered questions about information flows transmitted by a smart speaker vs. 261 participants for a smart camera. In contrast to the without TEE case, we did not see any significant differences in user comfort with information flows as a function of sensor type, either for a recipient or for a transmission principle. This is reflected in Figure 5b ("if information used for maintenance of device/feature") for the with TEE case. The spread and average acceptance scores were nearly the same between smart speaker and smart camera for all transmission principles and recipients.

INFLUENCE OF TEES ON COMFORT WITH INFORMATION FLOWS BY SUBJECT OF DATA
In this section, we explore whether the presence of a TEE significantly influences user comfort with smart home scenarios based upon the subject of sensing. Similar to Section 4.3, we investigate user comfort as a function of data recipient, as well as comfort as a function of transmission principle. In both cases, we carried out a between-subject analysis split between information flows where the subject of sensing is the device owner in the smart home without TEE vs. the smart home with TEE. To conduct our analysis, we again used the Mann-Whitney U test, as described in Section 3.4.3.
In the case of the subject of sensing being the device owner, 268 participants answered questions about information flows without TEE vs. 256 participants for information flows with TEE. We did not observe any significant differences in user comfort for any transmission principle or recipient. The device owner's spread and average acceptance scores were nearly the same between the without TEE and with TEE information flows. Similarly, we carried out another between-subject analysis split between information flows where the subject of sensing is other occupants. In the other occupants' group, 271 participants answered questions about information flows without TEE vs. 254 participants about information flows with TEE. We did not observe any significant differences in user comfort for any transmission principle or recipient. The other occupants' spread and average acceptance scores were nearly the same between the without TEE and with TEE information flows.
Figure 5: Distribution of average acceptance scores as a percent sum graph between smart speaker and smart camera for the transmission principle "if information used for maintenance of device/feature". In Figure 5a we observe the distribution of average scores more inclined towards the smart speaker. In Figure 5b the distribution of scores increases for the smart camera under TEE.
We additionally performed a within-subject analysis split between information flows where the subject of sensing in the smart home is the device owner vs. other occupants. In the case of information flows without TEE, we observed significant differences across all transmission principles and recipients. Similarly, with TEE information flows, we observed significant differences across all transmission principles and recipients. In comparison to other occupants, the spread and average acceptance scores were higher for device owners for all transmission principles and recipients, both without and with TEE information flows. This corroborates the results of prior work [4,24,55,63], showing the complexity of bystander privacy, which involves perceived trust, the relationship between the device owner and other occupants, and the devices' purpose in the shared space. We report the test scores for both analyses in Appendix B.

EFFECT OF UNDERSTANDING TEE CONCEPTS CORRECTLY ON SMART HOME INFORMATION FLOWS
We surveyed participants in the TEE group about their understanding of the TEE concepts of secure storage, secure computing, and remote attestation. There were three questions with binary choices, and answering all three correctly entailed that the participant understood the TEE concepts correctly. We explore whether a correct understanding of TEE concepts influences user comfort with information flows in smart home scenarios. Similar to Section 4.3, we investigate user comfort as a function of data recipient and transmission principle. We carried out an analysis split between three response groups: Answered Correct (respondents answering all three questions on the concepts of TEE correctly after the informative video), Answered Wrong (respondents answering one or more of the questions after the informative video wrong), and Combined (responses to the TEE questions not considered).
To conduct our analysis we used the Kruskal-Wallis independence test described in Section 3.4.4. We had 202 participants in Answered Correct, 308 participants in Answered Wrong, and 510 participants in Combined. We found significant differences in comfort as described in Table 4. We observed significant differences in all transmission principles and recipients between all the comparisons. For instance, we found a significant difference for the transmission principle "if you are notified" with a p-value of 0.004. Additionally, we plotted a box plot to observe the distribution of scores between Answered Correct, Answered Wrong, and Combined (cf. Figure 6), where we also see that the average acceptance scores were lower for Answered Wrong (median below 1) than for Answered Correct (median above 1). The average acceptance scores for Combined were lower compared to Answered Correct.

EFFECT OF IOT DEVICE USAGE EXPERIENCE ON TRANSMISSION PRINCIPLES AND RECIPIENTS
We compared the effect on comfort of having a TEE in information flows between respondents who self-reported prior experience using IoT devices (users) and respondents with no prior experience using IoT devices (nonusers). Similar to Section 4.3, we investigate user comfort as a function of data recipient, as well as comfort as a function of transmission principle. In both cases, we carried out a within-subject split between information flows rated by a user vs. a nonuser. To conduct our analysis, we again used the Mann-Whitney U test, as described in Section 3.4.3.
In the case of information flows without TEE, 464 participants reported prior experience with an IoT device vs. 75 participants having none. We observed significant differences in comfort for all transmission principles and recipients, as described in Table 5. For instance, we found a significant difference for the transmission principle "if information is stored indefinitely" with a p-value of 0.0001. Additionally, we plotted the percent sum graph between users and nonusers (cf. Figure 7a), where we also observe that the mean rank for experienced device users is higher (284.98) than for nonusers (255.94). Overall, we always observed that users are more comfortable sharing their information for all of the 7 transmission principles and 6 recipients. The TEE group had 428 participants who reported prior experience with an IoT device vs. 82 participants having none. As before, we observed significant differences for all transmission principles and recipients. Additionally, we observed that user comfort was higher for users with prior experience compared to nonusers. This is reflected in Figure 7b for "if information is stored indefinitely."

DISCUSSION
We analyze our survey responses to draw insights into IoT privacy norms under TEE in the smart home context. The following discussions translate our findings into design implications on the usage of TEE for IoT device manufacturers, policymakers, and regulators.

TEES CAN HELP LEVEL THE PLAYING FIELD BETWEEN SMALL AND ESTABLISHED COMPANIES
Prior literature has shown that users are more likely to trust IoT and other devices manufactured by established companies such as Amazon, Apple, or Google [40,58]. Interestingly, our results in Section 4.3 show that the inclusion of a TEE in devices manufactured by small companies closed this gap and led to average user acceptance scores that were on par with those for more established companies (cf. Figure 4). This provides a pathway for smaller companies to articulate a value proposition that is meaningful to potential users, and perhaps can pave the way to growing market share for these manufacturing companies. At a minimum, this would offer a wider array of device options for users without requiring them to lower their standards as they relate to fear of data breaches or other security issues [11,28,33,35,54], and would allow users to make purchase choices based upon the features afforded by the device regardless of whether it was manufactured by a small or an established company. In the best case, increased uptake of TEE-enabled devices manufactured by smaller companies could help create a competitive marketplace that incentivizes all manufacturing companies to treat data protection as a first-order priority.
Figure 7: Distribution of average acceptance scores as a percent sum graph between nonusers and users for the transmission principle "if information is stored indefinitely". The IoT device users were more comfortable sharing the information irrespective of whether a TEE was present, as seen in Figure 7a and Figure 7b.

FEWER NOTIFICATIONS ARE REQUIRED
Smart home app developers, device manufacturers, and service providers often push numerous notifications to the end user, often as reminders of data collection practices or of detected events. Users do not typically change device settings after initial installation and configuration and tend to ignore most of the notifications, which results in lower usability [59] and notification saturation for the user [30]. Additionally, recent work has shown that users who are highly concerned about their data express a desire for additional push notifications providing information about how their data is being used and stored [21].
As observed in Section 4.2 with TEE, there was a 17.27% change in average acceptance scores for the non-null transmission principle "if you are notified." This indicates that notifications played a less significant role in acceptance in TEE-enabled data-sharing scenarios, which presents an opportunity to reduce their use in the smart home environment.
Decreasing the number of notifications experienced by a given user may help reduce notification fatigue, and enable vendors to interact with users more substantively via the notifications that do get sent. This may lead to increased awareness of device activities and engagement in a smart home.

TEES IMPACT FIXED-DURATION DATA RETENTION CONCERNS
Sections 4.1 and 4.2 indicate that the presence of a TEE in smart home devices increases user acceptance of information retention for fixed periods of time (e.g., 1-3 months) as compared to scenarios without a TEE. Given that the features of most smart home devices are based upon fixed usage of data (e.g., responding to verbal commands, detecting events in a video stream), the inclusion of a TEE that enforces these retention constraints may lead to increased device adoption by users who would otherwise be skeptical of the data collection practices of a manufacturing company. The findings indicate that device manufacturers and service providers should remain transparent about their data retention practices, and support emerging regulatory frameworks that place purpose- and retention-based limits on the use of personal information [12,15].

USERS NO LONGER DIFFERENTIATE BETWEEN AUDIO AND VIDEO DATA UNDER TEES
In Section 4.4, we observed that in information flows without TEEs, users indicated a higher average acceptance for audio as compared to video data. Prior work [39,65] has shown similar findings. Interestingly, in information flows with TEEs, we observed an increase in average acceptance for sharing video data that was nearly at the same level as for audio data. This indicates that differences in user acceptance as a function of sensor modality may level out in the presence of TEEs. This is of particular importance as devices incorporate larger collections of sensors, e.g., as in the case of general-purpose sensing infrastructures [36].

UNDERSTANDING OF TEE IMPROVES THE ACCEPTANCE OF INFORMATION FLOWS
Our survey analysis in Section 4.6 showed that users who correctly answered questions about TEE functionality expressed a higher degree of comfort in sharing data across all transmission principles. The average acceptance scores were higher for participants who understood TEE correctly for the consent, purpose, notification, and data retention principles (cf. Figure 6), except for indefinite storage. This showed us that participants with a correct understanding are more likely to share information under all principles except indefinite storage. Prior work shows that new technologies take time to be adopted, as users are reluctant to adapt [23,37], and IoT devices are in their nascent stage. In [64], the authors discuss users' mental models of IoT devices' security risks and privacy concerns arising from a lack of awareness, and recommend providing users with more information about how IoT devices work. This supports our finding that a better understanding of TEE influences the privacy choices made under TEE, much as users' threat models change after receiving more information. Device manufacturers, service providers, and policymakers cannot simply assume that stating the use of secure technologies will make users willing to share more.

CENTRALITY OF FEW PRIVACY NORMS REMAINS UNCHANGED WITH TEES
The concept of consent has a pivotal role in data-sharing privacy norms, and prior studies have established this by showing participants' higher comfort in sharing information after consent [8,9,17,39,65]. Our survey illustrated that acceptance scores were higher for both groups, with and without TEE, for the transmission principle "if you have given consent" in Section 4.2. Similarly, we did not see any significant change in user acceptance in scenarios that involved indefinite data collection, regardless of whether a TEE was present in the smart home device. This aligns with previous studies [8,9,39,65] in which users disliked indefinite data sharing, and indicates the centrality of retention in shaping information-sharing norms, again shown in Section 4.2. Furthermore, we did not observe any significant change in user acceptance in scenarios that involved other people as the subject of sensing in the smart home when a TEE was present in the information flows. This coincides with previous work in which the authors suggest that bystander privacy is a complex problem involving the relationship between owners and individuals and the devices' purpose in a shared space [4,24,55,63]. Additionally, users' prior experience with devices impacts the acceptance of sharing information across all of the privacy norms, as seen in Section 4.7 (cf. Figure 7). Similar results were observed in [8], where users were more comfortable sharing information compared to nonusers. Compared to prior work [8], however, we had fewer nonusers, which suggests that the nonusers seen here are lagging in adoption and, as per [48], are nonusers who have not used the technology yet.
Device manufacturers, service providers, and policymakers should note that the issues of indefinite storage of information, consent, bystander privacy, and device experience cannot be solved by the introduction of secure technologies like TEE. The fundamentals of digital privacy norms for indefinite storage and obtaining consent play an important role in user comfort and are unlikely to be overcome through the introduction of new hardware alone. Bystander privacy and device usage experience are complex problems that require a longitudinal study with the contextualization of space, social status/dynamics, and purpose. Furthermore, privacy norms may shift after the adoption of devices by nonusers. Device manufacturers, service providers, and policymakers need to understand that continual updates and surveys will be required to follow ever-evolving privacy norms.

LIMITATIONS
Our terminology of "small vs. established" companies does not fully capture the nuance of this space, as established companies may be small in size, and there may exist large but non-mainstream vendors. As a result, participants' perception and understanding of small vs. established companies may benefit from further exploration using different terminology (e.g., "emerging vs. established").
Our survey examined a cloud-based TEE deployment model. However, other models for TEE deployment do exist, e.g., edge, fog, and local (i.e., on-device). These alternate deployment models for TEE placements, as well as their combinations, will result in different information flows that may influence the comfort of a user. Additional research is necessary to quantify the potential performance impacts of TEE use in IoT settings (in any deployment model) and the influence that these overheads have on users' perceptions. Furthermore, it would be informative to add a third condition to our study, which explicitly compares end-to-end encryption of information flows with TEE-enabled information flows.
Additionally, we have measured privacy based on survey responses and quantitative analysis from a US population that does not account for the real-world practices of the participants. This includes the case in which participants may have over-ascribed a sense of trust in TEE scenarios simply because they leverage a TEE. A further investigation of perceived vs. actual benefits of TEEs is a subject of future research. Additionally, our results do not generalize to non-US populations. While we made efforts to avoid straight-lining in our responses, there is still the possibility of erroneous data collection. Use of a longitudinal diary, log study, or qualitative interviews would help validate our findings and is left as future work. Finally, our survey examined two types of IoT devices: smart speakers and smart cameras. Our results may not generalize to other types of IoT devices.

CONCLUSION
This paper builds upon prior work leveraging the contextual integrity framework to explore user acceptance of information scenarios in the context of smart homes. Unlike prior work, we specifically investigate whether the incorporation of low-cost cloud-based Trusted Execution Environments (TEEs) into IoT devices has the potential to shift the privacy landscape in a meaningful way. Through a between-subject survey of 1049 participants, we have found that use of TEEs can lead to changes in user perceptions of privacy across several important dimensions, yet does not change other long-standing norms around data collection and sharing.
Important changes in user perception occur around themes of data retention, device manufacturer, and sensing modality. Namely, users were more comfortable with information flows originating from smart home devices across recipients and transmission principles when these flows were mediated by sensors that included cloud-based TEEs. The inclusion of cloud-based TEEs in smart speaker and camera platforms also eliminated differences in comfort with sensing these types of data that existed in scenarios that do not include TEEs and are documented elsewhere in the literature. Finally and importantly, we found that the inclusion of cloud-based TEEs also eliminated differences in user acceptance of smart home devices manufactured by large vs. small manufacturing companies that existed in scenarios that do not include TEEs and are documented elsewhere in the literature. These findings pave the way for the development of richer sensing platforms, increased vendor options for users, and trust in limited-retention data collection.
Importantly, we found that the inclusion of TEEs is not a panacea and that certain well-documented privacy norms are unaffected. User desire for consent prior to data collection and discomfort with indefinite data storage are unaffected by the presence of a TEE. This demonstrates the need for adoption and enforcement of privacy regulations that ensure that these principles are respected. Similarly, concerns around bystander data collection are unimpacted by the presence of a TEE, which further supports the centrality of this concern in our increasingly sensor-rich environments.
Table 8: Mann-Whitney U test for the subject of sensing effect on transmission principles and recipients for both groups, with and without TEE, using within-subject analysis. Reporting values for significant differences. * stands for p ≤ 0.004.

C AVERAGE ACCEPTABILITY SCORES FOR OTHER DEVICES AT PLACE
The average acceptability scores are shown in Figure 8.

D DEMOGRAPHICS
The distribution of participants in the survey is shown in Figure 9 by gender, Figure 10 by age, Figure 11 by household income, and Figure 12 by IoT device ownership.

E IUIPC SCORES
The overall IUIPC scores in both groups are shown in Table 9.
Table 9: IUIPC scores of participants in both groups, without and with TEE. We report the mean and the standard deviation of the scores.

F SURVEY INSTRUMENT
F.1 SURVEY OVERVIEW
Before presenting the CI questions, a brief overview was given to participants, as shown in Figure 13.

F.2 NULL TRANSMISSION PRINCIPLE QUESTIONS
• Without TEE: A Sender from Vendor records Sender-DataType of Subject in your smart home. In your opinion as the device owner, how acceptable is it for the Vendor to send Sender-DataType of Subject to the following recipients?
• With TEE: A Sender from Vendor records Sender-DataType of Subject in your smart home. In your opinion as the device owner, how acceptable is it for the Vendor to send Sender-DataType of Subject to the following types of recipients when data processing occurs within a Trusted Execution Environment (TEE)?
The null transmission principle questions for the Without TEE group are shown in Figure 14 and for the With TEE group in Figure 1a.
Figure 9: Gender distribution of the participants in the survey. Figure 9a shows the Without TEE group gender distribution and Figure 9b shows the With TEE group.

F.3 NON-NULL TRANSMISSION PRINCIPLE QUESTIONS
Each recipient was queried for the non-null transmission principles along with its purpose. The non-null transmission principle questions for the Without TEE group are shown in Figure 15, and for the With TEE group in Figure 1b.

F.4 SURVEY SELECTION PARAMETERS
Before presenting the questions, the participants were randomly assigned to a group with TEE or without TEE. The With TEE group had CI questions with information flows involving the TEE, and the Without TEE group had CI questions regarding the existing information flows. After the group selection, a random selection of parameters was made for Sender, Sender's Data Type, Vendor, and Subject. All parameters were selected from Table 10.
Figure 10: Age distribution of the participants in the survey. Figure 10a shows the Without TEE group age distribution and Figure 10b shows the With TEE group.

F.5 QUESTIONS FOR TEE GROUP AFTER VIDEO
(1) Non-authorized persons can modify/change the nature of the algorithm being used or gain access to the image database.
(2) The Face recognition algorithm can only unlock the video data locked with face recognition algorithm lock. For the rest of the algorithms, the video data remains locked.
(3) After locking the video data, a non-authorized person is able to access or alter the video data.

F.6 VIDEO LINKS
(1) Video shown to cloud-based TEE group: https://youtu.be/RsGSqjsXIiY
(2) Video shown to without TEE group: https://youtu.be/XOT9vfxzz3U
Figure 11: Household income distribution of the participants in the survey. Figure 11a shows the Without TEE group household income distribution and Figure 11b shows the With TEE group.
Figure 12: IoT device owners/usage distribution of the participants in the survey. Figure 12a shows the Without TEE group IoT device owners/usage experience distribution and Figure 12b shows the With TEE group.