Carnegie Mellon's CyLab talks IoT privacy at White House event

IoT security and privacy have become increasingly hot topics in recent months as various members of the IoT ecosystem have realized their business prospects and levels of customer trust could improve with an increased focus on these issues.

Amid this environment, a variety of ideas have emerged regarding how to communicate information about the privacy levels of different IoT products that are being put in front of consumers. Carnegie Mellon University’s (CMU) CyLab Security and Privacy Institute has a novel approach that the team there has been working on for years: a privacy label for products that closely resembles the nutrition label found on food packages.

Yuvraj Agarwal, who is an associate professor in CMU’s Software and Societal Systems department, and a member of the CyLab team, presented the privacy label concept to attendees of a recent IoT security summit at the White House that was organized by the National Security Council. The event also was attended by representatives of the National Institute of Standards and Technology.

“I talked about our work and our four-year journey to designing the privacy label, and figuring out what should be on that label,” Agarwal said. The label can contain, among other things, a link to the product manufacturer’s privacy policy, the type of sensors used, what parties data is shared with, whether or not data is stored on the device and in the cloud, as well as information about automatic security updates, and more. (See the label and a video explaining it here.)

“We actually did expert studies with a lot of policy people, government people, manufacturers, CISOs and others to know what should be on the label and how it should be presented,” Agarwal said.

Internationally, there is movement in several regions to create some sort of privacy labels for IoT, so CyLab is among the parties that are trying to help the U.S. keep up with that effort. While several different ideas are circulating, the CyLab team is hoping industry groups can reach agreement on some kind of uniform adoption strategy for IoT privacy labels. Right now, the CyLab label is license-free and royalty-free to use, but Agarwal noted it could be more effective on a broad basis if government and industry follow the model of how the U.S. Department of Energy and manufacturers adopted the ENERGY STAR label for energy-efficient products.

While there has been an assumption among makers of consumer IoT products that consumers do not want to pay more for security and privacy assurances to be associated with their devices, Agarwal said CyLab has conducted research that suggests this is not the case.

He commented, “What we found was that U.S. consumers did want this information, and they understood the risk and the perils of a device that is not patched or not updated, and does not have clear disclosures of what data is captured and what kind of sensor it has and what that sensor does. Consumers want this information.”