Products shared within households need better privacy controls for individuals

I have an internet-connected bathroom scale. The idea of the scale talking to a service on the web to log my weight seemed frivolous at first, but lately I’ve realised that logging weight is one of the least important parts of the system.

Making data input easy and effortless helped me record weight regularly, and connecting the device to the network has other benefits. Fitbit allows a single account to be connected to multiple scales. I can weigh myself on my partner’s scale, or on my own, and Fitbit doesn’t care which physical object I use.

The fact that multiple people can use a single object to input data into separate accounts is useful, but the way permissions are handled is simplistic.

I can invite others to use the scale, but there's no notion of ownership of the physical object. Every user has exactly the same permissions: they can invite others to use the scale, revoke anyone else's access (including the original "owner"), and change display settings, including which units the scale uses.

If you don’t have access to the scale, you can still weigh yourself as a “guest”. Guests don’t have any privacy. Anyone whose account is connected to the scale can view the guest weight log, which includes a timestamp and the weight. I share a household with people who don’t have Fitbit accounts, and I feel very uneasy about having access to information which should remain private unless someone chooses to share it.

The scale “recognises” the person standing on it by making a guess—if your last recorded weight was 120 pounds, then a person weighing 122 pounds two days later is likely to be you. It works well most of the time, because usually there are only a few accounts connected to each scale, and each person will have a slightly different weight.

Unfortunately this isn't always the case. I was a little alarmed to have Fitbit tell me that my partner, who was in a different city at the time, had used my scale late at night. The person using the scale must have been equally alarmed when the scale greeted them using my partner's name.
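To make the failure mode concrete, here is a small model of weight-based recognition. This is added example code, not Fitbit's implementation: the post only says the scale "makes a guess" from each account's last recorded weight, so the tolerance value, the ambiguity check and the guest fallback are my assumptions, and the account names and weights are constructed.

```python
"""Illustrative model of how a shared scale might guess who is standing on it.

Added example, not Fitbit's code: the post only says the scale "makes a guess"
from each account's last recorded weight, so the tolerance value, the
ambiguity check and the guest fallback below are assumptions.
"""

# Constructed sample: each connected account with its last recorded weight
# in pounds. Sam is away in another city when the readings below happen.
ACCOUNTS = {"alex": 120.0, "sam": 165.0}


def recognise_naive(accounts, reading):
    """Return the account whose last weight is closest to the reading.

    This always names somebody: the model has no way to say "nobody I know",
    which is the behaviour the post describes when a visitor's weight
    happened to be near an absent partner's.
    """
    return min(accounts, key=lambda name: abs(accounts[name] - reading))


def recognise_guarded(accounts, reading, tolerance=3.0):
    """Match only when exactly one account is within `tolerance` pounds.

    Returns None (treat as guest, or ask the person to confirm) when no
    account is close, or when two accounts are both close enough that the
    reading is ambiguous. The tolerance is an assumed value.
    """
    close = [name for name, last in accounts.items()
             if abs(last - reading) <= tolerance]
    return close[0] if len(close) == 1 else None


if __name__ == "__main__":
    # A visitor weighing 163 lb steps on while Sam is away.
    print(recognise_naive(ACCOUNTS, 163.0))     # sam: misattributed
    print(recognise_guarded(ACCOUNTS, 163.0))   # still sam: weight alone
                                                # cannot tell a stranger
                                                # from an absent user
    # Two accounts only 2 lb apart make a 121 lb reading ambiguous.
    print(recognise_guarded({"alex": 120.0, "jo": 122.0}, 121.0))  # None
    # A reading far from everyone is correctly left unclaimed.
    print(recognise_guarded(ACCOUNTS, 200.0))   # None
```

The guarded version fixes the easy cases (two similar housemates, a reading far from anyone), but the visitor-near-an-absent-user case survives it: a weight reading is not an identity signal, so no tolerance tweak can distinguish a guest from a registered user of similar weight. The only real fix is to stop treating recognition as proof of identity, for instance by confirming on the display before writing to an account's log.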

The metadata in the recent weight log is visible to every account connected to the scale. When the scale recognises someone, it hides their weight from other users of the scale, but even though others can't tell how much I weigh, they can tell when I weighed myself. A lot can be inferred from that data, especially if you have access to other information about me. I weigh myself every day after waking up, so the log tells you when I was at home, and what time I got up. Imagine if a person with an abusive, possessive partner forgets to weigh themselves while their partner is away. Fitbit's idea of what it means to share a device within a household could put their users in danger.
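The inference is easy enough to script. The following is an added example, not anything from Fitbit: it takes a constructed log containing only what the post says other users can see (the recognised account and a timestamp, no weight) and derives wake-up time, days away from home and late-night use from it.

```python
"""What a housemate can infer from a shared weight log that hides the weight
but shows who was recognised and when.

Added example with a constructed log; it assumes the visible metadata is just
(account, timestamp), as the post describes, and nothing else.
"""
from datetime import date, datetime, timedelta

# Constructed sample of the visible metadata. Weights are hidden from other
# users, so only the recognised account and the timestamp remain.
VISIBLE_LOG = [
    ("alex", "2023-03-01T07:05:00"),
    ("alex", "2023-03-02T07:12:00"),
    ("alex", "2023-03-03T07:40:00"),
    ("sam", "2023-03-04T23:15:00"),   # late-night use attributed to sam
    # no entry for alex on 03-04 or 03-05
    ("alex", "2023-03-06T06:58:00"),
]


def first_use_per_day(log, account):
    """Earliest timestamp per calendar day for one account.

    For someone who weighs themselves on waking, this is their wake-up time.
    """
    first = {}
    for name, ts in log:
        if name != account:
            continue
        t = datetime.fromisoformat(ts)
        if t.date() not in first or t < first[t.date()]:
            first[t.date()] = t
    return first


def absent_days(log, account, start, end):
    """ISO dates in [start, end] with no entry for the account.

    A missing day for a daily weigher reads as "not at home", which is
    exactly the signal the post worries about.
    """
    seen = set(first_use_per_day(log, account))
    day = date.fromisoformat(start)
    last = date.fromisoformat(end)
    missing = []
    while day <= last:
        if day not in seen:
            missing.append(day.isoformat())
        day += timedelta(days=1)
    return missing


def typical_wake_time(log, account):
    """Median first-use time of day as "HH:MM", or None with no entries."""
    minutes = sorted(t.hour * 60 + t.minute
                     for t in first_use_per_day(log, account).values())
    if not minutes:
        return None
    mid = minutes[len(minutes) // 2]
    return f"{mid // 60:02d}:{mid % 60:02d}"


def unusual_hours(log, account, start_hour=22, end_hour=5):
    """Timestamps for the account between start_hour and end_hour overnight.

    Late-night readings stand out even when the weight itself is hidden.
    """
    out = []
    for name, ts in log:
        t = datetime.fromisoformat(ts)
        if name == account and (t.hour >= start_hour or t.hour < end_hour):
            out.append(ts)
    return out


if __name__ == "__main__":
    print(absent_days(VISIBLE_LOG, "alex", "2023-03-01", "2023-03-06"))
    print(typical_wake_time(VISIBLE_LOG, "alex"))
    print(unusual_hours(VISIBLE_LOG, "sam"))
```

Nothing here needs the weight at all; hiding the number while exposing the timestamps protects the least sensitive part of the record.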

Even in situations where there is no physical danger it can still be undesirable to share information in this way. What if the scale is shared by a household made up of strangers living together, or by multiple generations with separate expectations of privacy? By itself the weight log may be innocuous, but coupled with other information it may reveal things that weren’t meant to be shared.

The ideal approach would be to connect multiple accounts to the same physical device, but allow the accounts to be fully separate. You should only be able to see your own data. Sharing a bathroom with other people doesn’t necessarily mean you’re prepared to share personal details with them.

Managing access to shared physical objects within a household is not an easy design task, but even software products meant to be shared don’t necessarily get it right.

I have a Netflix account, and the plan I chose allows me to watch content on two devices simultaneously, which means I can share it with my partner. Netflix is clearly designed to be shared: it allows you to create multiple “profiles”. Each profile receives its own film and TV suggestions, but they still share the same account. I had to share my password in order to give my partner access to my account.

Once given access to an account, anyone can view the owner’s credit card details, change their plan, view and change anything relating to their (or anyone else’s) profile. My guess is that one account with multiple profiles makes it easier to use Netflix on shared devices in the living room, such as an Apple TV or a PlayStation, but I can think of several ways this could have been managed without requiring full account access.

Apple’s Family Sharing is intended to make it easier to share purchases between multiple devices within a household, and to manage purchasing permissions for minors.

When you join a Family Sharing family, you can see everyone else's location and start sharing yours. You can turn it off, of course, but the assumption guiding this design decision is that it's normal for members of the household to know one another's location 24/7. Turning it off has to be a deliberate act, which may have its own consequences within a family.

Designers of products intended to be used by whole households should account for household relationships that come in all shapes and sizes, ranging from loving and intimate, through indifferent, to downright hostile.

In the case of my Aria scale, I didn’t realise my daily log was being shared, and the scale’s guests have no idea that I can easily check their weight. Products that share any data between multiple users based on their household proximity or family relationship have a responsibility to communicate clearly and upfront what exactly is being shared and how.