When hungry consumers want to know how many calories are in a bag of chips, they can check the nutrition label on the bag. When those same consumers want to check the security and privacy practices of a new IoT device, they aren’t able to find even the most basic facts.
Not yet, at least.
In a new study published in the proceedings of the IEEE Symposium on Security & Privacy, a team of researchers in Carnegie Mellon University’s CyLab have developed a prototype security and privacy “nutrition label” that performed well in user tests. To develop the label, the team consulted with a diverse group of 22 security and privacy experts across industry, government, and academia.
The team also developed an IoT label generator for manufacturers to use to easily create labels for their devices.
“Survey results show that the vast majority of people are concerned about the security and privacy practices of devices, so we need to provide them with this information,” says CyLab’s Pardis Emami-Naeini, the study’s lead author and a recent Ph.D. recipient in Societal Computing in the School of Computer Science. “The display of this information should be concise and understandable, akin to a nutrition label on food products.”
The display of this information should be concise and understandable, akin to a nutrition label on food products.Pardis Emami-Naeini, lead author of study and recent Ph.D. recipient in Societal Computing, School of Computer Science
A recording of Emami-Naeini’s presentation of the study can be viewed here.
A recent survey conducted by the Economist Intelligence Unit found that 89 percent of participants are uncomfortable with their personal data being shared with third parties without consent. Ninety-two percent of participants said they think it is important to inform consumers when personal data is being collected.
“Despite these concerns, people cannot find information about the privacy and security practices of devices at the moment of purchase,” says Emami-Naeini.
The team’s label consists of a primary layer meant to be displayed on the outside of a device’s box, which conveys the most important information such as the type(s) of data the device collects, for what purpose, and with whom the data is shared. By scanning a QR code on the primary layer, consumers have access to a secondary layer of the label online that contains additional information such as how long the device retains data, and how often it is shared. Combined, both layers display 47 different pieces of information about a device’s security and privacy practices.
Serving as a backdrop to the development of an IoT label, privacy regulations are calling for more transparency in how consumer data is collected and used. The Cyber Shield Act hopes to create a set of standards for IoT devices and then give labels to products that meet those standards. Similar efforts are moving forward internationally in the United Kingdom, Finland, and Singapore.
The team is currently in discussions with IoT device manufacturers and retailers, looking for companies interested in being early adopters of the label. Their goal is for their label to become an industry standard so that consumers would be able to readily learn about privacy and security features of their IoT devices and compare these features across devices, just as consumers compare calories and cholesterol in different food products.
The researchers are currently honing in on one particular finding in their study: that consumers are willing to pay a premium for devices that have a label like the one they developed.
“We want to conduct a realistic study to determine exactly how much consumers are willing to pay, as this would incentivize companies to adopt the label and be more transparent,” says Emami-Naeini.
Other authors on the study included Associate Professor of Computer Science Yuvraj Agarwal, Information Networking Institute Research and Teaching Scientist Hanan Hibshi, and CyLab director Lorrie Cranor. Emami-Naeini was co-advised by Agarwal and Cranor.