CMU Presents Internet of Things Privacy and Security Research at White House Summit
A researcher from Carnegie Mellon University's CyLab Security and Privacy Institute outlined an effective Internet of Things security labeling strategy Wednesday during an IoT security summit with the White House.
Yuvraj Agarwal, an associate professor in the School of Computer Science's Software and Societal Systems Department (S3D) and the College of Engineering's Electrical and Computer Engineering Department, shared CyLab's latest research into providing information to consumers about the privacy and security of connected devices.
"Consumers have smart doorbells, smart thermostats, voice assistants as well as other IoT devices in their homes, and are growing increasingly concerned about the security and privacy risks," Agarwal said. "We need to provide consumers with readily accessible information to help them make informed decisions about what they bring into their homes."
While IoT devices provide numerous benefits, from improving energy efficiency to helping automate routine tasks, they've also been used to spy on consumers and as stepping stones to much larger infrastructure attacks. Unease about sensitive data being sold or shared with third parties has also heightened.
Despite these growing concerns about the security and privacy of IoT devices, consumers generally do not have access to security and privacy information when making purchase decisions. Legislators have proposed adding succinct, consumer-accessible labels, but they have not provided guidance on what these labels should include.
CyLab faculty and students have been working on this problem since 2018. They have pioneered research exploring how privacy and security factors into IoT device purchase behaviors, investigating what should be included on IoT privacy and security labels, and uncovering whether consumers are willing to pay for products with better security and privacy practices.
Earlier this year Agarwal published "An Informative Security and Privacy 'Nutrition' Label for Internet of Things Devices" with Lorrie Cranor, a professor in S3D and the Engineering and Public Policy Department, and Pardis Emami-Naeini, an assistant professor at Duke University who earned her Ph.D. at CMU in 2020. The overview paper describes their journey to design an IoT security and privacy label, and introduces a free, easy-to-use label generator that enables device manufacturers to create product-specific labels.
During the White House summit, Agarwal presented the group's label specification and research findings, which describe a consumer-tested solution that could immediately be implemented across the IoT industry and provide consumers with much-needed information about these devices. Their latest research also shows that consumers are willing to pay significant premiums for IoT devices with security and privacy features clearly stated on a consistent label.
Product labels are not a new concept. For decades they have been used effectively to inform consumers about food nutrients, over-the-counter drug dosage and energy efficiency of appliances. While food nutrition labels were developed to help consumers purchase healthier food products, they also encourage competition between food companies to produce more nutritious products and allow governments to support consumers' health-related behaviors without mandating specific nutritional requirements. In the context of privacy, CyLab researchers have found that "privacy nutrition labels" can be effective in conveying information to users visiting websites, using mobile apps and incorporating IoT devices into their homes.
More information is available on CyLab's IoT Security and Privacy Label website.