When hungry consumers want to know how many calories are in a bag of chips, they can check the nutrition label on the bag. When those same consumers want to check the security and privacy practices of a new IoT device, they aren’t able to find even the most basic facts.
Not yet, at least.
A team of researchers in Carnegie Mellon University’s CyLab has developed a prototype IoT security and privacy “nutrition label” that performed well in user tests. To develop the label, the team consulted a diverse group of 22 security and privacy experts across industry, government, and academia.
The team also developed an IoT label generator that manufacturers can use to easily create labels for their devices.
“Survey results show that the vast majority of people are concerned about the security and privacy practices of devices, so we need to provide them with this information,” says CyLab’s Pardis Emami-Naeini, the study’s lead author and a recent Ph.D. recipient in Societal Computing in the School of Computer Science.
“The display of this information should be concise and understandable, akin to a nutrition label on food products.”
A recent survey conducted by the Economist Intelligence Unit found that 89 percent of participants are uncomfortable with their personal data being shared with third parties without consent. Ninety-two percent of participants said they think it is important to inform consumers when personal data is being collected.
“Despite these concerns, people cannot find information about the privacy and security practices of devices at the moment of purchase,” says Emami-Naeini.
How does the IoT security label work?
The team’s label consists of a primary layer meant to be displayed on the outside of a device’s box, which conveys the most important information such as the type(s) of data the device collects, for what purpose, and with whom the data is shared.
By scanning a QR code on the primary layer, consumers can access a secondary layer of the label online that contains additional information, such as how long the device retains data and how often it is shared. Combined, the two layers display 47 different pieces of information about a device’s security and privacy practices.
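As an added illustration of the two-layer structure described above (not code from the CyLab study or its label generator), the following Python splits a manufacturer's declared practices into the printed primary layer and the online secondary layer. The field names, the sample device, and the idea of pinning the QR code's URL to a digest of the secondary layer are assumptions made for this example.

```python
import hashlib
import json

# Field split assumed for this example; the real label carries 47 items across both layers.
PRIMARY_FIELDS = ("data_collected", "purpose", "shared_with")
SECONDARY_FIELDS = ("retention", "sharing_frequency")

# Constructed sample of a manufacturer's declared practices (not a real device).
EXAMPLE_DEVICE = {
    "data_collected": ["audio", "device location"],
    "purpose": "voice assistant features",
    "shared_with": ["manufacturer", "third-party analytics"],
    "retention": "indefinite",
    "sharing_frequency": "continuous",
}


def build_label(device):
    """Split declared practices into the box-front primary layer and the online secondary layer.
    Refuse to produce a label when any required disclosure is missing."""
    missing = [f for f in PRIMARY_FIELDS + SECONDARY_FIELDS if f not in device]
    if missing:
        raise ValueError(f"label incomplete, missing: {missing}")
    primary = {f: device[f] for f in PRIMARY_FIELDS}
    secondary = {f: device[f] for f in SECONDARY_FIELDS}
    return {"primary": primary, "secondary": secondary}


def render_primary(label):
    """Plain-text rendering of the primary layer as it would be printed on the box."""
    lines = []
    for key, value in label["primary"].items():
        text = ", ".join(value) if isinstance(value, list) else value
        lines.append(f"{key.replace('_', ' ').title()}: {text}")
    return "\n".join(lines)


def secondary_digest(secondary):
    """SHA-256 over canonical JSON, so identical content always yields the same digest."""
    canonical = json.dumps(secondary, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def qr_payload(label, base_url):
    """String the QR code would encode (hypothetical scheme): the secondary-layer URL plus a
    digest fragment, so the printed box is tied to one specific version of the online content."""
    return f"{base_url}#sha256={secondary_digest(label['secondary'])}"


def verify_secondary(payload, fetched_secondary):
    """Check that the secondary layer fetched from the URL matches what the box was printed with."""
    expected = payload.rsplit("#sha256=", 1)[1]
    return secondary_digest(fetched_secondary) == expected
```

The digest check lets a consumer (or an auditing app) detect that the online secondary layer was changed after the box was printed, which the plain URL in a QR code cannot reveal on its own.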
As a backdrop to the development of the IoT security label, privacy regulations are calling for more transparency in how consumer data is collected and used. The Cyber Shield Act aims to create a set of standards for IoT devices and then award labels to products that meet those standards. Similar efforts are moving forward internationally in the United Kingdom, Finland, and Singapore.