Bring Privacy To The Table: Interactive Negotiation for Privacy Settings of Shared Sensing Devices

To address privacy concerns with the Internet of Things (IoT) devices, researchers have proposed enhancements in data collection transparency and user control. However, managing privacy preferences for shared devices with multiple stakeholders remains challenging. We introduced ThingPoll, a system that helps users negotiate privacy configurations for IoT devices in shared settings. We designed ThingPoll by observing twelve participants verbally negotiating privacy preferences, from which we identified potentially successful and inefficient negotiation patterns. ThingPoll bootstraps a preference model from a custom crowdsourced privacy preferences dataset. During negotiations, ThingPoll strategically scaffolds the process by eliciting users’ privacy preferences, providing helpful contexts, and suggesting feasible configuration options. We evaluated ThingPoll with 30 participants negotiating the privacy settings of 4 devices. Using ThingPoll, participants reached an agreement in 97.5% of scenarios within an average of 3.27 minutes. Participants reported high overall satisfaction of 83.3% with ThingPoll as compared to baseline approaches.


INTRODUCTION
Sensor-laden Internet of Things (IoT) devices have become increasingly pervasive. These devices pose significant privacy risks because they can measure and collect a wide array of data, including sensitive information such as identity, facial features, and voice [52,65,76,100,114]. Thus, researchers have proposed several ways to improve and manage privacy risks posed by IoT [28,34,40,53,113]. However, a key challenge here is associated with devices placed in shared environments. Such environments have multiple users, and the sensed information is not limited to that of the owner or the person deploying the sensor. Anyone who happens to be in the same physical space gets captured. Still, a typical bystander, visitor, or incidental user does not have the awareness or ability to control what data is collected [25,68,69,110].
Recognizing this challenge, several research efforts have investigated enhancing data collection transparency [3,28,36,37,101,109] and providing control mechanisms [12,116] for incidental users. However, handling conflicts between the privacy preferences of different stakeholders in an environment remains challenging. For example, users may have varying levels of concern about the privacy implications of a constantly listening but not recording microphone in a conference room. One straightforward approach to resolving conflict is democratization, such as in HiveMind [58], where a thermostat in a shared public space is controlled using a voting mechanism. Although a similar democratic setup can possibly work for privacy preferences, prior research in other domains has demonstrated that negotiation helps resolve conflicts [88,112] and brings benefits such as enhancing social relationships [72].
In this paper, we present ThingPoll, a negotiation tool that empowers incidental users to interactively negotiate the privacy settings of IoT devices with other users. ThingPoll solicits the preferences and opinions of different stakeholders, mediates the negotiation process toward conflict resolution, and reaches consensus quickly. We situate ThingPoll in the context of a gathering at a user's house and ground our findings as interactions between the homeowners and their guests. We first conducted a need-finding study to understand how people verbally negotiate IoT privacy preferences. Here, we observed that unsystematic conversations, repetitive behavior, unequal speaking opportunities, and needless explanations are common sources of inefficiency. On the other hand, if someone shepherds the conversation and ensures everyone expresses their preferences in a timely manner, the negotiations are more efficient. Based on these observations, we derive a set of design guidelines to create an efficient, intuitive, fair, and usable tool for negotiating privacy settings.
We used the observations and insights from the first study to design ThingPoll. ThingPoll notifies incidental users (guests) about the sensing and data collection behaviors of IoT devices in the homeowner's home. It then allows the guests to express their preference and guides the negotiation among the guests and the homeowners. To speed up the consensus-building process, ThingPoll estimates each user's preference during negotiation by building and using their privacy profile [5,33,60,64,76]. To build these profiles, we extended Emami et al.'s work [76] to shared space situations and recruited 198 Amazon Mechanical Turk workers to provide their privacy preferences in hypothetical scenarios. Once the model has a warm start, ThingPoll continually refines the users' preference estimation and proposes more suitable device configurations without imposing excessive user burden.
To evaluate ThingPoll, we conducted a user study with 10 groups of 3 participants each who negotiated their privacy settings on 4 hypothetical IoT devices in a smart home. ThingPoll helped participants reach an agreement on 97.50% of device scenarios, with negotiations for each device taking an average of 3.27 minutes to complete. In addition, our data shows an overall satisfaction rate of 83.3% among our participants with the outcome using ThingPoll, much higher than other mediation approaches such as maintaining the status quo by going with the homeowner's configuration (50.0%), majority vote (56.7%), and veto vote (56.7%). We highlight several implications of our research, which may help inspire future research on IoT privacy tools for shared spaces.
In summary, we make the following key contributions:
• We derived design implications and guidelines for the IoT privacy negotiation system based on observing 12 participants verbally negotiate shared device privacy preferences and prior research.
• We built ThingPoll, a privacy negotiation system that notifies users of data collection behaviors, estimates users' preferences and efficiently guides the negotiation for IoT device configurations in shared spaces.
• Through a user study of 30 participants, we demonstrated the promises of negotiation-based methods as suggested by increased user satisfaction with a high agreement rate compared to current social norms.
• We share lessons and implications from our study, which could help inspire future research on IoT privacy tools for shared spaces.

RELATED WORKS AND INITIAL DESIGN CONSIDERATIONS

Privacy Challenges of Incidental Users
Several studies highlight users' unawareness of data collected by IoT devices and inability to voice their preference [68,69,108,110]. A bystander's perception of privacy is closely linked to the context of the shared environment, such as the social relationships between the incidental user and homeowner, device location, and the perception of its processing power [25,108,110]. Studies have highlighted the need to take context into account when estimating incidental user privacy preferences. Importantly, the process of making privacy decisions can be exhausting for the user as they have to navigate technical intricacies [39,93,96]. The situation worsens when they have to make decisions every time they enter a shared IoT space and with the additional social pressure [20]. Consequently, it is crucial to aim for efficiency and minimize user burden in designing systems that assist incidental users' privacy management.
Several studies have also provided evidence of the cooperative nature of guests and homeowners in resolving privacy tension, especially when in close social relationships. Marky et al. suggest that most owners are comfortable with adjusting their smart home devices for visitors, while guests hope to be informed about the sensor data collection [69]. Similarly, Cobb et al. showed that most homeowners are willing to turn off devices to make guests feel more comfortable, provided they live together or have close relationships [25]. Moreover, guests become more comfortable with allowing data collection if provided information and their consent is sought [67,100]. These findings indicate that guests and homeowners are likely willing to cooperate to find acceptable IoT device privacy configurations.

Multi-User IoT Systems
Several research teams have built systems for IoT device management for multi-user use cases. Zeng et al. [115] designed an app that managed access for multiple users based on roles and notified relevant users when a device is being controlled. Similarly, Kratos [94] focuses on resolving conflicting demands of multiple users through policy negotiation based on user priorities and roles indicated by pre-defined policy profiles. HiveMind [58] gathers preference votes from multiple users in public spaces and dynamically adjusts actuator configurations in public spaces to optimize for the overall utility. Similarly, Chaki et al. [21] present a framework based on the Analytic Hierarchy Process (AHP) using pre-defined priorities of contextual factors for multi-user smart homes. However, these systems are not tailored for privacy management and do not enable users to share and mediate concerns.
Prior work has also explored providing privacy notifications and controls to incidental users for IoT sensors. IoT Personal Privacy Assistant [28] is a mobile app that notifies users of nearby IoT devices and allows users to opt in or out of data collection. TEO [116] provides ephemeral shared ownership to IoT sensor data for incidental users of Airbnbs using cryptographic mechanisms. Similarly, Spacelord [12] allows incidental users to set shared devices to temporarily run only user-trusted software while the untrusted code and configurations are removed. However, these systems do not inherently support negotiations between incidental users and owners of the device upon conflicting preferences.

Negotiation for Privacy Preference
Using negotiation as a technique to mediate privacy preferences has been studied in a few contexts such as social media, mobile apps, and IoT. For example, Baarslag et al. [10] studied negotiation for mobile app permissions. Further, Filipczuk et al. [41] extended the negotiation model to integrate the uncertainty of user preferences in user-service negotiation. Similarly, Alanezi et al. [4] proposed an automatic negotiation mechanism that automatically finds a consensus on device configuration based on pre-defined privacy policies. However, these methods are limited to bilateral negotiation, where an agent representing the user proposes offers to the opponent to maximize the user's benefits. In addition, several works explored multi-party privacy preference conflict resolution and negotiation solutions on social media [98,99,102]. Recently, Ogunniye and Kökciyan [80] proposed a method to resolve privacy conflicts using an ontology of contextual integrity. ELVIRA [74,75] is an agent-based system that recommends explainable solutions to multi-user privacy conflicts. Similarly, PARCCART [30] focuses on building trust from users through concealment, equity, collaboration, and explainability. While not directly targeting our application scenario, these methods provide useful insights into the theoretical design of our negotiation system.
Researchers have studied IoT privacy negotiation behaviors and perceptions. The work closest to our use case is by Alshehri et al. [7], in which 460 crowd workers were surveyed to understand guest and homeowner negotiation behaviors with a digital agent. Their results verified that social relationships and roles can influence the negotiation process. Apart from this, Wang et al. [105] conducted a vignette study with 867 participants, suggesting the privacy sensitivity of the IoT device is significantly associated with Airbnb visitors' tendency to negotiate their privacy preference with the hosts. Although these studies shed light on the nuances of negotiation, they are still insufficient to translate into a clear blueprint for a negotiation system or to investigate how an actual negotiation system may benefit users.

Social, Psychological, and Political Views on Negotiation
It is widely accepted that negotiation can be viewed as distributive or integrative depending on the objective [104]. In distributive negotiation, the outcome is achieved within a zero-sum game, while in integrative negotiation, greater overall benefits can be achieved through finding mutual interests [104]. Mixed-motive negotiation can have both distributive and integrative components [2]. The nature of the negotiation influences the modeling approaches [57] as well as the negotiator's behavior, such as more cooperation in integrative than in distributive negotiation [97]. One important factor in negotiations is power [56]. Kabanoff [54] and Schaerer et al. [92] showed negotiators with high power are likely to gain competitive benefits in distributive games. Wei et al. [106] suggested power difference among negotiators facilitates greater joint gains than equal power situations provided they have prosocial motivation. These findings underscore the importance of considering power dynamics in system design, especially in smart home settings where homeowners typically have more power but also exhibit prosocial tendencies [25,69].
Another dimension to consider is justice. Justice not only serves as an ethical aim but also enhances agreement acceptance and promotes cooperative behavior [48,55]. Consequently, in the context of shared IoT device negotiations, the system should aim for transparency and information clarity [13], equitable voice for users, impartial decisions, and conflict resolution. Moreover, many personal characteristics are shown to affect the negotiation process and outcomes. Barry & Friedman [15] studied the impact of personality traits on negotiations and discovered that agreeableness and extraversion may harm the negotiator's individual gain in distributive negotiations. Beersma et al. [19] discovered that prosocial groups tend to achieve better joint outcomes, possibly due to enhanced levels of trust and reduced contentious behavior within these groups. Fehr et al. [38] examined the evolutionary evidence supporting altruistic punishment and cooperation in brain neural circuits. These findings highlight the need to account for users' unique mental states in designing effective negotiation systems while also cautioning against unfairly exploiting altruistic or agreeable individuals.

Summary of Initial Design Implications
Based on the literature review, including privacy challenges for incidental users of IoT, multi-user IoT systems, privacy negotiations, and political, social, and psychological aspects of negotiation studies, we summarize three initial design implications:
Implication ①: Privacy negotiations between smart home visitors and homeowners for IoT devices are largely cooperative and integrative.
Implication ②: Negotiations need to be time efficient and low effort.
Implication ③: Negotiations should ensure respectful and fair treatment of users and provide information transparency.

METHODOLOGY
We followed an iterative design process, as summarized in Figure 1. We first conducted a formative study to inform the design of the negotiation system, ThingPoll, and finally conducted a summative study. All human-subject studies are approved by our institution's IRB. In this section, we describe an overview of our methodology for designing, building, and evaluating ThingPoll.
Observing Negotiations. Negotiation through conversation is a complex yet spontaneous task for human beings, which involves communicating and keeping track of each user's preferences, resolving conflicts, etc. While existing works in social science, political science, and psychology have discovered valuable insights into how human beings negotiate, it is still unclear how these insights are transferable to the context of IoT privacy negotiation. Thus, we conducted a study with 12 participants to observe how humans negotiate about privacy configurations of a smart home. In this study, we aimed to answer the following research questions:
Ideation for System Design. We conducted a detailed literature review, including privacy challenges for incidental users of IoT, multi-user IoT systems, privacy negotiations, and political, social, and psychological aspects of negotiation studies. Then, to ground these findings from prior works in the context of privacy negotiation on shared IoT devices, we consolidated prior work with our findings on participant observations. Together, we distill our discoveries into 6 design implications. Based on these implications, we outlined 4 high-level design decisions for ThingPoll. We describe the details of our ideation process in Section 5.
Prototype Development. Based on the design implications and decisions, we built ThingPoll, a privacy negotiation system tailored for IoT devices in shared spaces. ThingPoll features a preference profile model built from crowdsourced survey data we collected from 198 workers from Amazon Mechanical Turk (MTurk) and a structured system-mediated negotiation approach that queries user preferences and suggests likely acceptable configurations. ThingPoll adopts a preference elicitation approach and maximizes the integrative gain by iteratively refining its modeling of all users' preferences. We describe ThingPoll in detail in Section 6.
Testing Artifact. We finally conducted our summative experimental evaluation. In the end, 30 participants completed this study. We divided participants into groups of three and they used ThingPoll to negotiate privacy preferences on four imaginary IoT devices in a smart home. Through this study (detailed in Section 7), we aim to answer the following research questions:
RQ2(a) How practical, effective, and satisfying is ThingPoll in helping users negotiate privacy configurations in a shared space?
RQ2(b) How does the negotiation approach compare to baseline non-negotiation approaches?

STUDY 1: OBSERVATION OF VERBAL PRIVACY NEGOTIATIONS
We conducted a study to observe how humans behave when negotiating smart home privacy configurations and to inform the design of ThingPoll.

Study Design
We based the verbal negotiation task on two smart home devices, with specifications summarized in Table 1. Participants were arranged into groups of 3 and assigned one of two roles: homeowner or guest. According to where the participant's preferences are on the privacy-functionality spectrum, we assigned the role of the homeowner to the participants who are more functionality-oriented, and the guest role to more privacy-oriented participants. This assignment reflects more real-world settings, assuming that a typical smart-home owner would value functionality over privacy when compared to a typical guest. It also creates more preference conflicts, as opposed to random assignment of roles, thus providing more opportunities to observe and resolve conflicts using negotiation.
Based on participant availability, we conducted this study either on-site or on a video call. We started the study by asking the homeowner to configure the devices in a hypothetical home. Next, we asked them to imagine two guests visiting their smart homes with two IoT devices, for which they would need to negotiate their preferred privacy configurations. The participants were free to structure their verbal communication and negotiation as they wished. The researchers observed and audio-recorded the process without interrupting the participants unless they needed assistance to understand the device's behavior or deviated from the task. We limited the negotiation time to 15 minutes for two devices to prevent stressing participants. We compensated all participants with $5 USD for their time.

Participants
We recruited 12 participants (4 groups) from our institution's student community (demographics in Table 2), who owned and used at least one smart home device to ensure all participants had basic knowledge and experience with them.

Findings
Among the four groups, only one group completed negotiations for both devices, while other groups spent most of their time on the first device, leaving insufficient time for the second one. We transcribed the audio recordings and coded each part of the conversation by extending the previous coding method [31,49,50,82,86] to better suit the IoT privacy-functionality negotiation domain. Overall, we discovered seven distinct types of negotiation behaviors, as shown in Table 3. Participants spent the majority of their time expressing and explaining their preferences (27.7% and 47.1%, respectively).
We further broke down the components of the explanations for preferences and found that all explanations revolve around two main issues: whether the privacy invasion is distressing or whether the functionality is important. The verbs used to describe privacy issues can be roughly categorized into expressing the concern, expressing no concern, expressing that the concern is understood, alleviating the concern, and expressing that the concern is resolved. Of these, expressing privacy concern (45.5%), alleviating privacy concern (16.7%), and expressing no privacy concern (10.6%) account for the majority of preference explanation time.

Observations and Discussion
Lengths and Timing of Explanation. Although detailed explanations can help the negotiator win distributive benefits [81], it is a time-consuming process [49,107]. Consistent with these claims, we observed that explaining one's preference was the biggest time sink during a negotiation. However, such an explanation is not always needed if everyone would easily approve of this user's opinion. For instance, at the beginning of the conversation, one user in Group 2 spent 89 seconds explaining their discomfort with storing raw audio data. It turned out that both the homeowner and the other guest shared or understood their concern.
Unequal Opportunity to Express. Similar to the trend seen in prior literature [43,47,91], we found that spontaneous discussion can lead to an imbalance in opportunities for users to express their preferences. In all groups except Group 4, the most outspoken participant spoke more than twice as much as the least outspoken participant. Although there may be legitimate reasons for this, such as stronger preferences, it nonetheless raises a concern about equity.
Time to Move Forward. We observed that sometimes participants spent extra time repeating the reasons or benefits despite reaching a partial agreement on the device. Such interactions did not help in terms of reaching an agreement for the whole device.
Managing Preference. Sometimes participants lost track of each other's preferences. For instance, in Group 3, a guest mentioned their preference for functionality to be off. The conversation was then dominated by the other two participants, who reached an agreement to keep that functionality on. At this point, the first guest restated their concern and the negotiation continued longer.
Mediator and Discussion Lead. We observed that Group 4 showed a distinct pattern of negotiation, where the homeowner played the role of a mediator. The homeowner first solicited everyone's preference, and each user answered this question in one or two sentences without explaining any reasons. Then the homeowner said, 'yeah, I think we can turn off personalized music' when knowing one guest was uncomfortable, and the other was flexible on this. Then, the group was able to move on to discuss other concerns. As prior work shows, an effective mediator can promote conflict resolution by shaping the negotiation process and prioritizing negotiation issues [18,62,83]. This might be one of the reasons why Group 4 finished negotiation the quickest.

Summary of Additional Design Implications
In addition to the three insights from prior research, we here summarize the new insights for designing a negotiation system specifically for shared IoT devices:
Implication ④: Users in privacy negotiations on shared IoT devices may benefit from focused and directed guidance.
Implication ⑤: It can be challenging for users to keep track of and reason with everyone's preferences.
Implication ⑥: Unconstrained negotiation may favor outspoken users, leading to unequal opportunities for expression.

THINGPOLL SYSTEM DESIGN IDEATION

System-Mediated Negotiation
Based on prior research and our observations, a system-mediated approach is promising to meet the aforementioned goals of negotiation (Implications ① to ④) and to alleviate the cognitive burden of managing and reasoning about users' preferences (Implication ⑤). The mediator role may reduce the burden of expressing preference and making concessions [85], and possibly alleviate social pressure. In addition, it may improve procedural justice by providing everyone opportunities to voice their preferences (Implications ③ and ⑥), thereby improving satisfaction with the outcomes [87]. Creating integrative value and optimizing for joint gain requires an accurate understanding of each user's preferences and mutual interests [29,35]. Prior work has established privacy profiles in IoT to predict the user's preference [5,33,60,64,76]. Furthermore, to resolve conflicts, some users will have to change their initial preferences, suggesting the need to solicit users' preferences and mutual interests and update all users' preferences during negotiation.

Structured User-System Interaction
Another consideration is user interaction with the system, such that it is intuitive and effortless (Implication ②). Based on our observation from Study 1 and prior works, users typically explain preferences around functionality-privacy trade-offs. Thus, we believe that a structured interaction can sufficiently express most of the reasons for preferences, making the negotiation more goal-oriented (Implication ④) and enabling equalized expression power (Implication ⑥). In addition, as we observed in Study 1, users specifically consider the other person's opinion when making a concession. Thus, we decided to include the needs and the rationale of other users when making a configuration suggestion, as useful context, similar to a face-to-face interaction. We believe that revealing the consequences and benefits to the other user promotes empathy and facilitates concessions due to the improved motivation of prosocial behavior [17,26].

Assumptions
We have assumed that achieving joint gains and resolving conflicts efficiently are the primary goals of negotiation around the privacy settings of IoT devices. However, other values in real-world negotiations, such as enhancing social intimacy or enjoying engaging conversations, may be neglected. We also assume a certain level of trust that users have in our system. Our proposed design should be viewed as one possible pathway among many that meet the specific needs and dynamics observed in IoT privacy negotiations.

Summary of Design Goals
In summary, we outline the following high-level design goals for a negotiation system:
Design ①: The system should mediate and direct the negotiation process to optimize for joint gain and efficiency.
Design ②: The system should maintain a user preference model, updating it through preference elicitation.
Design ③: The system should embrace structured interaction characterized by privacy and functionality features.
Design ④: The system should provide a contextualized negotiation prompt and explanations.

THINGPOLL SYSTEM IMPLEMENTATION
Based on the insights and our design goals, we developed ThingPoll, a privacy negotiation system for IoT devices in shared spaces. We start with an overview of the negotiation workflow from a user's perspective. Next, we describe our profile modeling approach and user preference estimation. Finally, we describe our negotiation model from an algorithmic perspective.

Negotiation Workflow Overview
The overall workflow of ThingPoll is shown in Figure 2. ThingPoll mediates the negotiation process (Design ①) by strategically querying specific users to understand their preferences or to suggest likely acceptable configurations to everyone.

Initial Profile Assignment.
In a new space with IoT sensors, the sheer number of potential privacy configurations can overwhelm incidental users, which can be alleviated by building a privacy profile model to recommend privacy settings [5,60,76]. For the initial profile assignment, a user provides their privacy preferences for three imagined IoT scenarios. Using the user's responses, ThingPoll assigns them a profile that best fits their preference and subsequently uses the profile to predict their likely preference for other devices and scenarios (Design ②), as elaborated in Section 6.2.

Functionality Preference Selection.
Device functionality is key for users to allow/deny data collections [63,76]. Both the homeowner and guests are asked about the importance of each device's functionality, allowing our system to prioritize the ones users care about. In addition, it personalizes the negotiation as ThingPoll reveals who benefits from the sensed data (i.e., the user giving high importance to the functionality), giving others additional context to evaluate the risks and benefits (Design ④).

Preference Elicitation Through Querying.
While useful, the initial profile assignment cannot capture the user's preference for all situations. Furthermore, during negotiation, users' preferences may change based on others' preferences. In alignment with Design ③, ThingPoll asks two types of queries to the user to find more suitable suggestions. A Privacy Query asks about their level of comfort in accepting some privacy-sensitive data being collected for a specific functionality (Figure 2, Step 2.1). A Functionality Query asks a user whether they would turn off a functionality given another user's privacy concerns (Figure 2, Step 2.2). The responses are on a 5-point Likert scale ranging from Very Uncomfortable to Very Comfortable. ThingPoll triggers a Functionality Query only when users choose Uncomfortable or Very Uncomfortable to a Privacy Query because it is more intuitive for users to reason about why they may need to give up functionality (i.e., to address someone's privacy concerns) than the other way around. During negotiation, ThingPoll determines when to issue queries and their content, as elaborated in Section 6.3.

Configuration Suggestion.
A device Configuration specifies the complete data collection behavior of a device. ThingPoll displays the configuration and device attributes (e.g., position) in an intuitive and consistent IoT privacy label [36,37] (Design ③). An agreement is reached only when everyone agrees to a device configuration. If users reject a configuration, they can specify the reason, such as undesired data collection, storage, or sharing, or if some functionality they want is not supported. During negotiation, ThingPoll decides whether to suggest a configuration or to query a user based on the state of the negotiation and the user preference estimation (Design ①). Since configurations take more time to read and comprehend, they are only suggested when ThingPoll has higher confidence that they will be accepted by everyone.

Profile Modeling in Shared Sensing Space
Building a user preference profile model is crucial for ThingPoll to characterize each user's preferences and guide the negotiation (Design ②). Figure 3b illustrates the steps involved to do so.
[Figure caption fragment: Each user may receive one or more queries of each type and configuration. The process concludes when everyone accepts a suggested configuration or if someone quits (not shown).]

Data Sources and Data Collection.
Inspired by prior works on privacy preference modeling [5,33,60,64,76], we deployed surveys on MTurk to create privacy profiles that bootstrap ThingPoll with initial preferences. Each survey participant is shown six scenarios of shared sensing devices, in which they are either a homeowner with guests visiting their home or vice-versa. Between each scenario, we varied 10 factors: Location, User Role, Social Relationship, Device Type, Data Type, Data Granularity, Frequency, Retention, Sharing, Purpose. Table 5 shows the different factors and their levels. Many of these factors were proposed in prior research [37], which we extend further to include more detailed social contextual factors for shared spaces [25,68,69,108,110]. Following Emami-Naeini et al. [76], we generated all possible combinations of the factors and pruned them down to 60 practical and meaningful scenarios. We passed these combinations to a custom template to convert them to prose, which we then edited manually. An example scenario is shown below:
"You are visiting your friend Alice's home with your friend Bob. The living room has a microphone sensor that passively collects raw sound data, which is used for falling detection. The raw sound data is sent to a third party to detect falling events, and the sound data is stored for at most one month."
We grouped the 60 scenarios into ten sets of surveys of six scenarios each, and we carefully arranged the scenarios so that the levels of each factor were balanced in each survey. We deployed the 10 sets of the survey on MTurk and selected Master workers with 95% or above approval rate. Participants were screened to ensure that they own and use at least one smart sensing device, and those who passed were then asked to complete the main survey. Participants indicated, on a five-point Likert scale, their own preference and their "concession preference" in case another user was uncomfortable with the participant's default preference. We compensated participants $0.5 USD for the screening and $1.5 USD for the main survey. In total, we received 198 completed responses, which led to 1188 individual and concession preference responses (198 workers x 6 scenarios).

User Profile Model.
Our profile model aims to estimate users' preferences and the probability of them conceding to others' preferences. We use a Bayesian Network [46], a probabilistic graphical model representing conditional dependencies of random variables in a Directed Acyclic Graph (DAG) due to its flexibility in estimating the probabilities from any combination of variables, in contrast with ML models used by prior work [60,64,76]. This flexibility aligns with ThingPoll, which uses both partial offers (i.e., Query) and complete offers (i.e., Configuration). It also enables using prior domain knowledge to learn a model without extensive data collection [24]. The high-level structure of our model is illustrated in Figure 3a. Based on different user traits, the sensitivity of the sensed and collected data, and contextual information, users can have different perceived levels of risk and benefits, affecting their preferences. Our model includes three variables representing orthogonal dimensions influencing user preferences: Concern, Practicality, Altruism. While Concern and Practicality are associated with perceived risk and benefits, respectively, Altruism affects how much users are willing to give up their own preference in consideration of others. To reduce model complexity and make the learning feasible, we aggregate Device Type, Data Type, Frequency into Data Sensitivity. We aggregate Retention and Sharing into Access Sensitivity based upon prior domain knowledge [76,105,108]. Data Sensitivity and Access Sensitivity each have three discrete levels: low, medium, and high. Further details about our model are in Appendix A.1.

Learning and Clustering Preference Profiles.
In Figure 3b, we present the steps to learn the Bayesian Network model and find preference profile clusters. First, we initialize the model based on the inherent semantics of the variables and heuristic rules. For example, a person with high Concern is more likely to have high Perceived Risk than an average user, even when the Data Sensitivity and Access Sensitivity are not high. Then, using survey data, we applied the Expectation-Maximization (EM) algorithm to learn the parameters of the model along with the user traits (i.e., Concern, Practicality, and Altruism) estimates for each participant. While a one-size-fits-all model may not accurately predict individual preferences, creating a distinct model for each person is challenging due to data collection constraints. Therefore, inspired by prior works [33,64], we used K-means clustering to create profiles et al. [64], leading to seven clusters, whose centroids and respective participant percentages are shown in Fig. 4a.
We illustrate the individual and concession preferences results in Figure 4b and Figure 4c, respectively, for all seven profiles. Consistent with our hypothesis, users with high practicality and low concern (Profile 1) are more willing to keep devices ON, while those with high concern and low practicality (Profiles 6 and 7) are more inclined to keep devices OFF. Participants with high altruism (Profiles 1, 2, and 5) tend to concede more to accommodate others. Note that even for profiles with low altruism, the mean concession preference is still around neutral, suggesting that people are, in general, willing to consider others' preferences. Interestingly, homeowners tend to concede more, indicating their willingness to accommodate their guests. Data collection for security and safety and devices related to security and safety are associated with less flexibility, which can be due to people being less willing to compromise on these features, even if they lead to privacy concerns.

Profile Assignment and Preference Prediction.
To assign a new user to a profile, ThingPoll asks the user's preferences for three shared sensing scenarios (2 questions per scenario), as shown in Figure 2b-Step 0. We iterate over the potential trait values of the 7 centroids and assign them to the profile that best aligns with their responses. We evaluated the performance of profile assignment and preference prediction using 5-fold cross-validation. The training folds were used to jointly learn the model parameters and participants' trait values and subsequently find profile clusters. In the test fold, for each participant, we use three scenarios to infer the profile of the participant and the other three scenarios to test the prediction accuracy. Following previous works [76], we convert the preference into binary decisions for evaluation by splitting the preferences at neutral (exclusive) into two classes. Overall, our model predicts individual preference at 70.03% accuracy and concession preference at 86.02% accuracy with an assigned profile.

System-Mediated Negotiation Modeling
We now describe our approach to model the system-mediated multiuser privacy negotiation underlying ThingPoll. We focus on the intuition and the essential aspects of our algorithm and provide a detailed formulation in Appendix A.2.

Negotiation Setting.
For simplicity, we describe our negotiation modeling for a single device, as the negotiation does not carry through any states across devices. Formally, users are represented as = { 1 , ..., }, which can be either guests or the homeowner.
The negotiation domain can be modeled as the space of 0 − 1 assignment to issues represented as Ω = (Ω 1 , ..., Ω ) corresponding to the available functionalities of this device. Note that this does not mean all functionalities have to be binary ON-OFF. Still, any functionality with more than two options can be binarized with a constraint that, at most, one of the binarized functionalities can be ON simultaneously. Each functionality will require a corresponding privacy specification, such as a minimum required data retention.
The system at each round may choose either to propose a configuration = ( 1 , ..., ) to every user or a query that elicits the user's preference through the interface as described in Section 6.1.3 and Section 6.1.4. A user can utilize this proposal of configuration or query to voice the user's preference, denoted as . Based on this response, the system integrates the new information in updating its preference model of this user. An agreement is reached when every user in the session agrees to one common assignment .

User Decision Modeling.
One key quantity in the negotiation model is the estimate of how likely a user is to accept a configuration (Design ②). Note that a user might still accept a configuration, even when this deviates from the user's own preference, in consideration of the needs of others. We define that a user accepts a configuration if either the user prefers it or the user concedes when not initially preferring it, which is denoted as: , where (accept ) and (concede ∧ ¬ concede ) are directly derived from the profile model's estimation and later updated by the user's responses. The overall probability of reaching an agreement for a configuration is calculated as the product of all users accepting all functionalities of the devices, denoted as (agree ). Prediction of user response to queries is computed similarly, except that the response is estimated over the five-point Likert scale instead of binary acceptance.

Evaluating Gains.
Acting as a negotiation mediator, ThingPoll proposes a series of configuration proposals, represented by the = ( (1) , ..., ( ) ), where denotes the final proposal or the negotiation's deadline. Reaching an agreement on the configuration ( ) is associated with a gain, denoted as ( ( ) ). This gain value encapsulates both the degree of alignment with individual user preferences and the benefits of the functionalities within the configuration. In addition, the negotiation has a base gain for reaching an agreement because simply allowing the event to happen as planned and preventing the breakage of the relationship [72] can be rewarding outcomes for the users. To estimate the efficacy of a given policy, we introduce the myopic expected gain (, ), which is the expectation of the negotiation outcome gains based on the current estimation of user preference . Intuitively, a high is associated with reaching an agreement earlier and the alignment of each user's individual preference. In addition, both and are also functions of the current estimate of user preference . This means refining the understanding of a user's preference can potentially help the system find a more satisfying policy, which may converge faster and align better with the user's true preference.

Optimal Querying and Configuration Suggestion.
While a complete configuration is the only defined way to reach an agreement, queries may further refine the current belief of users' preferences so that the next suggested configuration may become more acceptable for users. On the other hand, overwhelming the users with unsatisfying configurations or unnecessary queries can jeopardize both efficiency and usability. ThingPoll strategically balances this exploitation and exploration by measuring the Expected Value of Information (EVOI) [11]. Essentially, measures the expected increment on if a query is to be asked. Let be the responses from all relevant users, for if the system asks the query , the of can be written as: At each round, the system finds an optimal privacy query based on and compares it with the user burden of sending the query. If the net effect of the query appears positive, then the system will propose the query to the target user. Otherwise, the system proposes the first configuration from the optimal policy with the highest .

6.3.5 User Feedback Integration.
The core of the feedback integration is to update the user's preference and acceptance probability based on the historical responses. It is worth noting that this procedure is not only crucial in updating the preferences across each round of actual user feedback but also happens when exploring the hypothetical responses as the system searches for the optimal query. ThingPoll incorporates three feedback mechanisms from users: Privacy Query, Functionality Query, Configuration. Although the Bayesian Network can also be updated with new responses, we found the preference after the update is less predictable and causes excessive latency when searching for the optimal policy and query. Since our main focus is to assist negotiation, we will leave the study on the long-term preference profile learning and effectiveness as a potential future direction. Instead, we adopt a set of heuristic rules to update our preference estimation only for the current negotiation device. For example, if a user responds to a privacy query, indicating feeling comfortable with some invasive data collection for one functionality, then ThingPoll assumes that this user can always accept a configuration that turns OFF this functionality due to the privacy concern. These heuristics offer a quick and predictable path to update user preference estimations, effectively guiding the negotiation process.
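The query-or-configuration decision described under User Decision Modeling and Optimal Querying and Configuration Suggestion can be sketched as follows. This is an added illustration, not ThingPoll's code: it reads the acceptance rule as P(accept) = P(prefer) + P(concede and not prefer), and it assumes a one-step policy, yes/no query answers instead of the five-point scale, a gain made of a base gain plus per-functionality benefits only, and constructed beliefs with hypothetical names.

```python
import copy
from itertools import product

# Constructed beliefs for one device; all names and numbers are hypothetical.
# prefer_on: estimated probability that the user prefers the functionality ON.
# concede:   estimated probability that the user gives in when the proposed
#            state is not the one they prefer.
FUNCS = ("fall_detection", "voice_assistant")
BELIEFS = {
    "homeowner": {"fall_detection": {"prefer_on": 0.9, "concede": 0.5},
                  "voice_assistant": {"prefer_on": 0.8, "concede": 0.5}},
    "guest_a": {"fall_detection": {"prefer_on": 0.5, "concede": 0.2},
                "voice_assistant": {"prefer_on": 0.2, "concede": 0.6}},
    "guest_b": {"fall_detection": {"prefer_on": 0.7, "concede": 0.6},
                "voice_assistant": {"prefer_on": 0.3, "concede": 0.6}},
}
BENEFIT = {"fall_detection": 3.0, "voice_assistant": 1.0}  # assumed gain per enabled functionality
BASE_GAIN = 2.0  # assumed gain for reaching any agreement at all


def accept_prob(prefer_on, concede, state_on):
    """P(accept) = P(prefer) + P(concede and not prefer) for one functionality."""
    prefer = prefer_on if state_on else 1.0 - prefer_on
    return prefer + (1.0 - prefer) * concede


def agree_prob(beliefs, config):
    """Product over all users and all functionalities of the acceptance probability."""
    p = 1.0
    for user in beliefs.values():
        for func, state_on in zip(FUNCS, config):
            p *= accept_prob(user[func]["prefer_on"], user[func]["concede"], state_on)
    return p


def gain(config, benefit, base_gain):
    """Gain of an agreed configuration (alignment term omitted in this sketch)."""
    return base_gain + sum(benefit[f] for f, on in zip(FUNCS, config) if on)


def best_config(beliefs, benefit, base_gain):
    """One-step myopic expected gain: max over configurations of P(agree) * gain."""
    configs = product((False, True), repeat=len(FUNCS))
    return max((agree_prob(beliefs, c) * gain(c, benefit, base_gain), c) for c in configs)


def evoi(beliefs, user, func, benefit, base_gain):
    """Expected increase of the best expected gain if `user` is asked about `func`."""
    current, _ = best_config(beliefs, benefit, base_gain)
    p_on = beliefs[user][func]["prefer_on"]
    expected = 0.0
    for answer_on, p_answer in ((True, p_on), (False, 1.0 - p_on)):
        hypothetical = copy.deepcopy(beliefs)  # explore the answer without touching real beliefs
        hypothetical[user][func]["prefer_on"] = 1.0 if answer_on else 0.0
        expected += p_answer * best_config(hypothetical, benefit, base_gain)[0]
    return expected - current


def next_action(beliefs, benefit, base_gain, burden):
    """Ask the most informative query if it outweighs the user burden, else propose."""
    value, user, func = max((evoi(beliefs, u, f, benefit, base_gain), u, f)
                            for u in beliefs for f in FUNCS)
    if value - burden > 0:
        return ("query", user, func)
    return ("configuration", best_config(beliefs, benefit, base_gain)[1])


if __name__ == "__main__":
    print(best_config(BELIEFS, BENEFIT, BASE_GAIN))
    print(next_action(BELIEFS, BENEFIT, BASE_GAIN, burden=0.01))
    print(next_action(BELIEFS, BENEFIT, BASE_GAIN, burden=10.0))
```

With these constructed numbers, asking guest_a about fall detection has positive value because a "no" answer would switch the best proposal from both functionalities ON to fall detection OFF.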

STUDY 2: EVALUATION OF PRACTICALITY AND EFFICIENCY OF THINGPOLL

7.1 Study Procedure
The study gathers subjective and objective measures of ThingPoll's performance and learns the distribution of perceptions of privacy in a shared smart home environment. We gain insights into user experiences, including the workload, perceived advantages and disadvantages of the approach, and the users' willingness to adopt such negotiation apps in real life. The user study was conducted in two phases: Profile Generation and Multi-User Negotiation. Thirty participants completed the two phases of this study and we summarized their demographics in Table 6. None of these participants were in the verbal negotiation study.

7.1.1 Phase 1: Profile Generation.
We initially created individual user profiles. This process involved participants indicating their individual and concession preferences in three hypothetical scenarios. We then asked participants for first names of three close contacts and acquaintances. We kept the contacts' names confidential and used them solely for emulating real-world social relationships during the multi-user negotiation session in Phase 2. We then explained the study and demonstrated ThingPoll to the participants.

7.1.2 Phase 2: Multi-User Negotiation.
In phase 2, we placed participants in hypothetical situations where they were either visiting someone's house or hosting some guests. We simulated the social context of the participants as either contacts or acquaintances of each other. These simulated social contexts aimed to mirror real-life situations where the negotiation dynamics of close contact might be different from that of an acquaintance. We did not use deception and participants were informed that there would be no real participation from their contacts. Participants were divided into groups of three, with one homeowner and two guests. We first selected homeowner participants based on their preference for functionality over privacy, to emulate typical early adopters. Guest participants were then matched with the homeowners randomly. We randomly assigned the close-contact social context to half of the groups, while the other groups were assigned the acquaintance context.
The study began by asking the homeowners to configure the devices to a setup they were most comfortable with. After that, each group used ThingPoll to negotiate the privacy settings of four devices in a random order. We summarized the setup of the four devices in Table 7. After negotiations, we asked each guest user to configure the devices to their most preferred settings as their true preference. Then, we generated majority and veto vote results (defined as the most privacy-preserving setting chosen among the three users). We then asked participants to rank the outcomes of all four approaches: Negotiation, Majority Vote, Veto Vote, and Homeowner's Preference. Finally, participants were asked to fill in a post-study questionnaire, where we asked participants to reflect on the satisfaction and experience of negotiation and baseline approaches.

Negotiation Workload
The average time to complete the negotiation of all four sensor devices was 786 seconds (13.1 minutes, = 337 seconds). The fastest group spent only 218 seconds (3.6 minutes), while the slowest group spent 1357 seconds (22 minutes). Fig. 5a shows the breakdown of the time consumption for each of the four devices in one session, including the completion time and active time. The completion time is the time it takes to either reach an agreement or give up. Since ThingPoll takes synchronized responses from users, users often need to wait for other users' responses before moving on. Thus, we define active time as the time elapsed between when the system shares new information with the user and when the user submits a response. Compared to completion time, active time is a more precise indicator of the effort that a user spends on processing the received information and making a decision. We observed a strong learning effect. Negotiations for the first device took more time ( = 288.3, = 176.7) and had a larger standard deviation in time to finish than for the other three devices ( = 165.1, = 108.9). We verified this learning effect by measuring response times, as shown in Fig. 5b. The response time measures the time it takes for a user to respond to a single action.
We used the NASA Task Load Index (TLX) [45] with a 7-point Likert scale to measure the workload levels for the participants. Here, we show the results for Mental Demand, Temporal Demand, Effort, and Frustration levels in Fig. 5c. The value selected on each task load measurement is scaled from 0 to 100. Overall, ThingPoll demonstrates high usability and low workload for most participants. Most participants believed ThingPoll imposes a low physical workload ( = 24.6), and most users do not feel frustrated ( = 26.7) or rushed ( = 31.2) in completing the task. Nevertheless, a few participants believed this process was mentally demanding ( = 44.3). We believe the mental demand is due to understanding the technical details of the data collection, envisioning a hypothetical scenario, and resolving conflict.

Negotiation Outcomes using ThingPoll
In this section, we focus on analyzing the outcomes of negotiation in terms of satisfaction and meeting users' demands for privacy and functionality in shared sensing spaces. We investigate how the preferences on functionality and privacy are affected by users' roles.

7.3.1 Quantitative Evaluation.
When initially setting up the devices, on average, homeowners enabled 77.8% functionalities from the full configuration space. The guest users then indicate their preferences on any additional functionalities that should be turned off to protect their privacy. Overall, guest users were uncomfortable with 43.6% of the functionalities enabled by the homeowner, implying a critical need to account for incidental users' privacy concerns.
Overall, with ThingPoll, participants obtained a 97.5% agreement rate. One group (out of 10) was not able to reach an agreement on one device due to an unsolvable dispute between two users. Throughout all other negotiations, we observed that 73.5% of the privacy concerning functionalities enabled by the homeowner were agreed to be disabled or turned to less invasive options. Guest users conceded the remaining 26.5% of the privacy-concerning functionalities after negotiations.

7.3.2 Qualitative Evaluation.
Participants' satisfaction levels with the outcomes from Negotiation and the three baseline approaches are shown in Fig. 6.

Negotiation Approach (NG).
The negotiation approach generated the most satisfying outcome, with an overall satisfaction rate of 83.3%. This high satisfaction is shown among both homeowners (70%) and guests (90%). As G10 pointed out, 'the system strives to satisfy everyone's privacy preferences as much as possible in a well-structured manner.' G6 stated, 'It was easy. Most of the preferences I have were more liberal in comparison to other people. For one location, other people were respecting of my wishes to remove sensors in one round of negotiation, which was good.'
An important reason behind the high satisfaction is the ability to share needs and concerns. Even in cases where the outcome diverges from what the user originally prefers, it may still be more satisfying to be able to communicate preferences. For instance, G11 said, 'I am overall satisfied with the result, it's just regarding turning on the functionality of detecting fires in the kitchen. I feel like it's somehow very important to me, but considering my close friend wants to turn it off, I agreed to turn it off, but I would wish to keep it. But I understand that's why we need to negotiate.'

Homeowner's Preference (HP).
The Homeowner's Preference approach is the current state of the world. Yet, it is the approach that has the lowest overall satisfaction rate among guest users (45%). Importantly, some homeowners expressed their concerns that they cannot accommodate their guests' needs in this approach. For instance, H8 indicated 'I mean, for me as the homeowner, it's great. But I would definitely like to have those conversations with friends, especially if they actually feel uncomfortable.'

Majority Vote Approach (MV).
This approach has a higher overall satisfaction rating but lower ability to preserve functionality than Homeowner's Preference. Some users believed that this approach would work well in general: 'In most cases, the majority vote works fine. Unless there is a strict conflict and subtle variations in privacy preferences', as stated by G2. One crucial limitation of a majority vote is that it might neglect minority voices. As G3 stated, 'without negotiation my minority view stood no chance'.

Veto Vote Approach (VV).
This approach is the most strict approach that biases the decision towards maximizing privacy protection. Thus, this approach gets high satisfaction in protecting users' privacy (73.3%). On the other hand, due to its strictness, it also has the lowest satisfaction rating on preserving functionalities (43.3%), especially for homeowners (10%).

Negotiation Experience using ThingPoll
According to users, the biggest advantage of the Negotiation Approach compared to the rest is the ability for users to voice their preferences, regardless of being in the minority or majority. The drawback is that the effort it takes to finish the negotiation is less predictable beforehand. As G14 mentioned, 'overall, it is good to The pressure imposed on users when not able to resolve may stress users as well. For example, G3 stated 'it was somewhat annoying because the other party wouldn't change their mind.' We measured participants' experience for each of the key features of our app, as shown in Figure 7. These features include informing users of data collection, consideration of own privacy, consideration of others' privacy, automatic suggestion with reduced user effort, and clear explanation of risks and benefits. All users selected somewhat agree or above for feeling informed of sensors and data collection in progress, suggesting that our adoption of privacy nutrition labels [37] in the negotiation setting is very beneficial and effective for guest users.
According to the responses from the participants, the willingness to adopt our ThingPoll app for privacy negotiation in shared space is promising. Many users found the application useful in easing the process of privacy negotiation. Another essential benefit, as discussed by many participants, was the app's ability to reduce the awkwardness associated with verbal negotiations. G7 said '(without having this app) I don't even know how to start this conversation'. G2 envisioned, 'this app would reduce the inertia to ask for your own privacy preferences, and make it a norm during social gatherings to be respectful of everyone's privacy preferences'. The capability of ThingPoll to reduce social awkwardness appears to be even more important when users in a shared space are not familiar with each other. For instance, G12 said 'when there are lots of people and people don't know each other very well, the app saves negotiation time and reduces awkwardness and social stress'.
Some users indicated that anonymity might make negotiations more effective. For example, G16 wishes there was anonymity as a guest user, commenting that "the probability (to use the app) is not very high, because this is not anonymous". Participants suggested several other improvements. For instance, H2 believed that 'users will most likely not know and not be able to read their devices' privacy features. It might take some effort to educate general users'. Another recurring suggestion is that the negotiation is synchronized. As G19 stated 'if I have to wait to do it with others at the same time, feel like it defeats the purpose of avoiding awkwardness since we have to openly schedule a time for it'.

DISCUSSION
In this section, we discussed the broader implications of the study that may affect or inspire future research and development of privacy tools for shared sensing devices.

Variability in Opinions and Behaviors
Power of Owners.
Feedback from participants has shown a divide: while some homeowners believe they should have the final say, others believe in prioritizing the comfort of their guests. Some guest users also believe they should be obligated to follow the homeowner's setup. The exact acceptable balance and ethical boundaries of power distribution still remain an open question.

Social Awkwardness.
We observed that the perceived social awkwardness of negotiations varies drastically among individuals, which might be affected by factors such as social relationship [25,108] and culture [71,73]. Apart from objective factors, personal characteristics [71] and culture [73] might also influence how individuals experience and manage these potentially awkward situations. We speculate that ThingPoll is more likely to reduce social awkwardness among those who feel uncomfortable discussing the topic in person.

Preference Flexibility.
In alignment with previous work [25,67,69,100], we observed most users are willing to consider other people's opinions and be cooperative. While some participants were steadfast in their privacy views, others demonstrated flexibility and a willingness to concede. Consequently, the system must navigate between fairness, which might cause the process to become inefficient due to being stopped by the steadfast user, and efficiency, which risks exploiting altruistic users. The exact balance between the two, however, is more open-ended and can vary given different situations and contexts.

Acceptability and Practicality of Negotiation
A system-mediated negotiation system is a promising direction to manage multi-user privacy configurations. Yet, systems like ThingPoll face several practical challenges to encourage broader acceptance. This subsection outlines key issues concerning the acceptance and practicality of ThingPoll.

Cognitive Load of Negotiation.
Making privacy decisions is often demanding for individual users [39,93,96]. Negotiation adds another layer of complexity [59], making the process of setting privacy preferences for shared devices particularly strenuous. ThingPoll moderates this process by automatically reasoning with users' preferences and presenting configurations succinctly through privacy labels [36,37]. However, exploring additional methods to alleviate cognitive burden remains an important area for future investigation.

Negotiation and Context
The contextual integrity theory suggests that privacy expectations and norms are inherently context-dependent, varying with the social setting, the nature of collected information, etc. [1,8,9,70,78,80]. Moreover, negotiation is also inherently influenced by context, such as power, social relationships, interpersonal trust, time constraints, as well as traits and capabilities of the participating individuals [14,44,51,61,92,95,106,117]. ThingPoll models context that affects both individual privacy decisions and negotiation among guests and homeowners. For other application scenarios, it is important to adjust the system based on context that may affect privacy decisions and negotiation behaviors.

Compatibility and Interoperability.
In the deployment of a negotiation solution to manage shared device privacy, the interface between the negotiation system and the existing IoT device ecosystem needs to be established. Although many industrial and standardization efforts have been made to enhance interoperability among IoT devices [27,79,89], for privacy negotiation specifically, it is essential to have each smart sensing device provide detailed privacy requirements and configurable privacy settings through a unified communication protocol and accessible to incidental users.

Future Directions for Negotiation Systems
Having discussed the practicality concerns, we now delve into specific features that could refine the negotiation system based on the feedback and observations of participants using ThingPoll.

Asynchronous Negotiation.
The evaluation showed ThingPoll users spend tremendous time waiting for other people's responses. Therefore, one potential direction is to enable asynchronous interactions among the system and users. For instance, a nudge-like style, such as privacy notifications on mobile devices, can make the interaction less intrusive and disturbing. Such design will require more subtle negotiation mechanisms integrating responses at various times, handling unresponsive users, etc.

Expression Freedom and Constraints.
We designed ThingPoll to intentionally constrain the verbosity of explaining preference reasons for efficiency and fairness. However, several participants pointed out their wish to speak up and their reasons directly to the other users. We believe the merits and demerits of permitting free explanations in privacy negotiations remain an open question. Future negotiation tools might experiment with adjustable constraints or employ Natural Language Processing (NLP) techniques to offer privacy content summary, explanations, or recommendations [22,23,111]. Furthermore, it might be worthwhile for subsequent studies to investigate the optimal trade-offs between explanation depth and negotiation efficiency.

Optional Anonymity.
In our design, ThingPoll does not employ anonymity mechanisms to help participants relate the reasons behind the prompts. Even if anonymity was an option, it was not difficult to associate the negotiation behavior with a specific person, given the size and familiarity of the negotiation users. However, for some users, anonymity might be a useful option in further reducing the discomfort of users in voicing their preferences.

Optional Opt-Out Negotiation.
Given that many users either do not care about privacy or trust their homeowners, they may choose to opt out of the negotiation. One direction could be delegating the right of consent to other trusted entities such as friends, homeowners, experts, or AI [77]. Moreover, homeowners should also be able to select which devices they would allow for negotiation.

Explainability.
ThingPoll was designed to make its suggestions relatable by revealing how decisions align with users' preferences and identifying the benefiting user. However, the decision process itself, including the preference prediction and searching of configuration and queries, is concealed from users. Future work may consider integrating explainability into the negotiation system to enhance decision transparency and trust [74,75]. Simultaneously, it is critical to limit the amount of information and cognitive load.

Assumptions and Limitations
Awareness of Privacy Risk.
Our research operated under the assumption that all participants make well-informed choices regarding their privacy preferences. Yet, due to a lack of comprehensive knowledge, users often might select preferences that deviate from their true desires or best interests if they were fully informed [16,84]. Enhancing the public's privacy awareness and knowledge has historically proven challenging across various digital platforms, including mobile systems [6], web browsing [42], and even IoT [52]. While enhancing privacy awareness and knowledge represents a distinct challenge outside the scope of this research project, we believe it is an essential step to protect the privacy of incidental users.

Device Behavior Disclosure.
We assumed that all the information disclosed by the manufacturer or service providers was complete and accurate. However, in the real-world scenario, disclosures by device manufacturers can sometimes be ambiguous, outdated, or even misleading [66]. On the other hand, various communities strive to bring accurate personal data collection information to the end-users [37,90,103]. Still, it is essential to acknowledge that in a less-than-perfect disclosure environment, user trust and behavior might vary, potentially impacting the applicability and efficacy of our findings.

Simplified Ownership and Social Relationship.
In this work, we assumed the homeowner is also the only device owner. In the real world, there can be more complicated situations where multiple residents share a home or where there are several guests, each with distinct social relationships with one another. While the underlying framework of ThingPoll is technically adaptable, certain modifications, such as in the preference profile model, may be necessary. Additionally, the social dynamics and design requirements might also be needed to accommodate these varied living arrangements and interpersonal interactions.

Simulated Negotiation Scenarios.
For this application domain, it was currently challenging to recruit participants who planned on social gathering spontaneously and had enough compatible real-world configurable smart devices with complete privacy information disclosure. For this reason, we used simulated scenarios for negotiation while still ensuring the most real-world context, such as by bringing participants' contact names. Although simulation has been a common approach in studying negotiation [32,55,82,106] and privacy decisions [7,76], we believe an in-the-wild study, if feasible in the future, will be beneficial in revealing more real-world intricacies, such as when negotiation is regarded as a distraction instead of a primary goal.

Participants and Selection Criteria.
Due to the early emergence of IoT technology, we constrained our study to participants who owned and used at least one smart sensing IoT device to ensure a baseline familiarity with the technology to make informed decisions and interactions during our study. However, it's important to note that those unfamiliar with IoT devices might have different perspectives. The evaluation of ThingPoll involved 30 participants, a sample size that may not always offer sufficient statistical power to establish significant trends. Consequently, the findings should be considered more indicative and exploratory rather than definitive.

CONCLUSION
In this paper, we presented our pathway to developing an interactive negotiation solution to manage IoT privacy preferences from multiple users in shared sensing spaces. We presented our novel privacy negotiation tool ThingPoll that allows multiple users to negotiate privacy preferences in shared space to help them reach an agreement. Based on our evaluation, ThingPoll demonstrated high usability and effectiveness in managing privacy preferences in smart home visitor scenarios and received high satisfaction from both guests and homeowner users. As the landscape of smart home devices continues to grow, we envision ThingPoll as a pioneering tool, paving the way for future research in negotiation-based approaches to IoT privacy. In the near future, these advancements will bring a harmonious and privacy-aware environment for both owners of devices and incidental users.

A PROFILE AND NEGOTIATION MODELING

A.1 Profile Model
The detailed structure of the Bayesian Network used for ThingPoll profile model is shown in Table 8 and Figure 8. The preference distributions for user are denoted as , which is initialized by the Bayesian Network model and is updated as the negotiation moves forward. Let be the specifications of a single-issue configuration or a query , which includes a description of one enabled functionality and its privacy requirements. Let = {0, 0.25, 0.5, 0.75, 1.0} denote the Likert scale options from strongly uncomfortable to strongly comfortable. The Bayesian Network model can be used to estimate the probability of each feasible response of the individual preference ∈ and the concession preference ∈ , denoted as ( | , ) and ( | , , ) respectively.
Still, the user can to a suggestion that deviates from the user's initial preference, even when it is not higher than neutral, denoted as 0− = {0, 0.25, 0.5}. The probability of the user while initially does not is calculated as the sum over all eligible assignments of and : To predict the response to queries, we consider the user would select if either the user wants to select initially or the user concedes to select when initially preferring anything below .
Similarly, we represented the probability of selecting response ∈ for privacy query and or functionality query as either the user initially wants to select the response without conceding to any higher response, or initially a lower response but conceding

(16) Imagine, alternatively, you did not go through the negotiation. Instead, the app takes the Majority Vote (i.e., the privacy configuration that most people agree on takes precedence) and configures the devices accordingly. Please rate the following statements regarding the Majority Vote (No Negotiation) approach.
Options: Strongly Disagree, Disagree, Somewhat Disagree, Neither Agree Nor Disagree, Somewhat Agree, Agree, Strongly Agree.
(a) The Majority Vote approach protects my privacy as I wish.
(b) The Majority Vote approach preserves the utility I want from the devices.
(c) I'm satisfied with the result of the Majority Vote approach overall.
(17) How does the Majority Vote (No Negotiation) approach compare to the Negotiation approach? Please explain your reasons.
Zhou et al.
(18) Imagine, alternatively, you did not go through the negotiation. Instead, the app takes the Veto Vote (i.e., the most restrictive privacy configuration takes precedence) and configures the devices accordingly. Please rate the following statements regarding the Veto Vote (No Negotiation) approach.
Options: Strongly Disagree, Disagree, Somewhat Disagree, Neither Agree Nor Disagree, Somewhat Agree, Agree, Strongly Agree.
(a) The Veto Vote approach protects my privacy as I wish.
(b) The Veto Vote approach preserves the utility I want from the devices.
(c) I'm satisfied with the result of the Veto Vote approach.
(19) How does the Veto Vote (No Negotiation) approach compare to the Negotiation approach? Briefly explain your preference.
(20) Are there any other comments, suggestions, and thoughts about the study that you would like to share with the researchers?

Figure 1: An overview of the methodology.

Figure 2: An overview of the ThingPoll workflow (a) and the ThingPoll UI (b). In Step 0, users provide their privacy preference for three hypothetical shared sensing scenarios used to assign them a profile. In Step 1, every user indicates how important each device's functionality is. Next, ThingPoll utilizes each user's preference model to issue Privacy Queries about their comfort level for data collection and access (Step 2.1) and Functional Queries about giving up utility (Step 2.2). ThingPoll finally suggests a Configuration if it is likely to be accepted by everyone (Step 2.3). Each user may receive one or more queries of each type and configuration. The process concludes when everyone accepts a suggested configuration or if someone quits (not shown).

Figure 3: (a) ThingPoll uses a Bayesian Network to model user profiles. Before the negotiation, User Traits variables are assigned by answering privacy preference questions on three shared sensing scenarios. During negotiation, Context, Sensitivity, Purpose, and User Traits are supplied as input variables to the Bayesian Network model, which then estimates the conditional probabilities of Individual Preference and Concession Preference. (b) We applied Expectation Maximization (EM) to jointly optimize the Bayesian Network model on the mTurk survey response data and user trait values of survey participants, which are then clustered into seven distinct types of profiles.

Figure 4: Seven profile clusters were identified using K-Means clustering on estimated trait values. (a) showed the seven profile cluster centroids; (b) showed the average response to individual preference for each factor mentioned in the scenario; (c) showed the average response to concession preference for each factor mentioned in the scenario. Values are scaled from 0 to 100 for visualization. The factors are sorted by the average individual preference, from most (left) to least invasive (right).

Figure 5: Empirical Evaluation of User Workload Using ThingPoll: (a) User Time Consumption on Completing Negotiation; (b) User Average Response Time of Each Action in Negotiation; (c) NASA Task Load Index (TLX)

Table 2: Study 1 Participants Demographic Information

Table 3: Observed Verbal Negotiation Interaction Types and Time Consumption

Table 4: Verbal Negotiation Time Across 4 Groups

[Figure 2 panel labels: Step 0 Profile Assignment; Step 1 Functionality Preference Selection; Step 2.1 Privacy Query; Step 2.2 Functionality Query; Step 2.3 Configuration Suggestion; (b) ThingPoll App User Interface]

Table 6: Study 2 Participants Demographic Information

Table 7: Phase 2 Study Negotiation Device Configuration Space