Abstract: Smart heating applications promise to increase energy efficiency and comfort by collecting and processing room climate data. While it has been suspected that the sensed data may leak crucial personal information about the occupants, this belief has up until now not been supported by evidence. In this work, we investigate privacy risks arising from the collection of room climate measurements. We assume that an attacker has access to the most basic measurements only: temperature and relative humidity. We train machine learning classifiers to predict the presence and number of room occupants and to discriminate between different types of activities. On data that was collected at three different locations, we show that occupancy can be detected from data measured by a single sensor with up to 93.5% accuracy. One can even distinguish between the cases that no, one, or two persons are present with up to 66.4% accuracy. Moreover, the four actions reading, working on a PC, standing, and walking, can be discriminated with up to 56.8% accuracy, which is likewise clearly better than guessing (25%). Constraining the set of actions allows to achieve even higher prediction rates. For example, we discriminate standing and walking occupants with 96.3% accuracy. In addition, we show that the accuracy can be increased in most cases if an attacker has access to measurements from two different sensors located in the same room. Our results provide evidence that even the leakage of such ‘inconspicuous’ data as temperature and relative humidity can seriously violate privacy.
