A researcher from Carnegie Mellon University's CyLab Security and Privacy Institute outlined an effective Internet of Things (IoT) security labeling strategy Wednesday during an IoT security summit with the White House.
Yuvraj Agarwal, an associate professor in the School of Computer Science's Software and Societal Systems Department (S3D) and the College of Engineering's Electrical and Computer Engineering Department, shared CyLab's latest research into providing information to consumers about the privacy and security of connected devices.
"Consumers have smart doorbells, smart thermostats, voice assistants as well as other IoT devices in their homes, and are growing increasingly concerned about the security and privacy risks," Agarwal said. "We need to provide consumers with readily accessible information to help them make informed decisions about what they bring into their homes."
While IoT devices provide numerous benefits — from improving energy efficiency to helping automate routine tasks — they've also been used to spy on consumers and as steppingstones to much larger infrastructure attacks. Unease about sensitive data being sold or shared with third parties has also heightened.
Despite these growing concerns about the security and privacy of IoT devices, consumers generally do not have access to security and privacy information when making purchase decisions. Legislators have proposed adding succinct, consumer-accessible labels, but they have not provided guidance on what these labels should include.
CyLab faculty and students have been working on this problem since 2018. They have pioneered research exploring how privacy and security factor into IoT device purchase behaviors, investigating what should be included on IoT privacy and security labels, and uncovering whether consumers are willing to pay for products with better security and privacy practices.
During an IoT summit at the White House, a CMU researcher shared the university's latest research into providing information to consumers about the privacy and security of internet-connected devices, including efforts to create security and privacy labels.
Earlier this year Agarwal published "An Informative Security and Privacy 'Nutrition' Label for Internet of Things Devices" with Lorrie Cranor, a professor in S3D and the Engineering and Public Policy Department, and Pardis Emami-Naeini, an assistant professor at Duke University who earned her Ph.D. at CMU in 2020. The overview paper describes their journey to design an IoT security and privacy label, and introduces a free, easy-to-use label generator that enables device manufacturers to create product-specific labels.
During the White House summit, Agarwal presented the group's label specification and research findings, which describe a consumer-tested solution that could immediately be implemented across the IoT industry and provide consumers with much-needed information about these devices. Their latest research also shows that consumers are willing to pay significant premiums for IoT devices with security and privacy features clearly stated on a consistent label.
Product labels are not a new concept. For decades they have been used effectively to inform consumers about food nutrients, over-the-counter drug dosage and energy efficiency of appliances. While food nutrition labels were developed to help consumers purchase healthier food products, they also encourage competition between food companies to produce more nutritious products and allow governments to support consumers' health-related behaviors without mandating specific nutritional requirements. In the context of privacy, CyLab researchers have found that "privacy nutrition labels" can be effective in conveying information to users visiting websites, using mobile apps and incorporating IoT devices into their homes.
More information is available on CyLab's IoT Security and Privacy Label website.