IoT Privacy and Security: Will Product Labels Help Buyers?Food-Like Labeling for Connected Devices Developed by Carnegie Mellon University
With internet connectivity getting added to an increasing number of products, new privacy and security risks abound. Buyers, however, may be unaware.
But a team of Carnegie Mellon University researchers aims to change that, by spelling out those risks on labels that get added to every connected device being offered for sale.
What risks do purchasers face? On the privacy side, they range from software on devices - as well cloud-based infrastructure - collecting their personal data, so vendors and their business partners can sell it to others. On the security front, products might lack signed firmware updates or have credentials that are weak by default (see: Survey: Security Concerns Slow Down IoT Deployments).
But a team at Carnegie Mellon University is attempting to shine a light on these problems by developing a new, concise label that lists privacy and security risks in detail.
The goal is for purchasers to be able to see, at a glance, what a device does - or fails to do - before deciding whether or not to buy it. To make the labels easy to parse, the researchers have modelled them after nutrition packaging labels, which spell out metrics such as calories and saturated fat content.
As with food, without clear labeling, many individuals would struggle to understand essential details. For connected devices in particular, understanding what a device does, or what it connects to, can be challenging. Many vendors' privacy policies also feature legal arcana that don't clear the fog. In-depth technical test results, when offered, may require expert-level abilities to parse.
Consumers Demand Details
Getting clear insights into how any given connected device functions may often come about only after information security or privacy researchers have conducted a digital forensic examination of device hardware and software and published their findings (see: Don't Hug These Internet-Connected Stuffed Toys).
But the Carnegie Mellon researchers say consumers continue to have an increased appetite for discussing privacy and data security. These concepts have become more mainstream thanks to questions about how online advertising systems function, and how social media giants such as Facebook amass, store, share and sometimes lose control of people's personal information.
Consumers also having growing concerns over the potential risks posed by so-called smart devices, a team of Carnegie Mellon researchers - Pardis Emami-Naeini, with Yuvraj Agarwal, Lorrie Faith Cranor and Hanan Hibshi - note in a research paper presented at the 41st IEEE Symposium on Security and Privacy held last month.
"All consumer participants discussed how difficult it is for them currently to find information related to privacy and security of smart devices before purchasing them," the researchers write. "They all reported that they would like to have an IoT security and privacy label available at the point of sale, mainly to be as informed as possible."
To identify how to best develop such a label, the researchers interviewed 22 privacy and security experts to see which aspects they felt were most important to convey to consumers, and selected what they saw as being the best suggestions. Then they tested labels with this information with 15 consumers who had purchased IoT devices. One test, for example, involved looking at boxes for hypothetical cameras that each had a label with security and privacy information.
Because distilling privacy and security concepts in a concise fashion isn't necessarily the easiest task, there are actually two labels: one is a primary label that can be displayed on a box containing an IoT device. The other is a QR code - contained on that label - that leads to more detailed information online. The researchers have also created an online tool allowing manufacturers to data and generate their own labels.
The secondary label shares more detailed information, including how long a company retains any collected data, the purpose of any data collection and whether the data is linked to data obtained from other sources. Also, the secondary label details whether or not the manufacturer has a bug bounty program.
"Since the word 'bug bounty' was not immediately clear to consumer participants, we changed the wording to vulnerability disclosure and management, which was more understandable to them," the researchers write.
Experts interviewed by the team also felt it'd be good to include a privacy and security star rating, similar to the Energy Star rating system seen on household appliances in the United States. The idea also resonated with the consumers interviewed by the researchers.
Such an idea isn't new. Sen. Ed Markey, D-Mass., and Rep. Ted W. Lieu, D-Calif., introduced "Cyber Shield" legislation in Congress in October 2017. Their bill proposed creating a voluntary cybersecurity certification program for IoT device security. They reintroduced the bill in October 2019.
A star-rating system would further simplify the at-a-glance perspective. But some experts interviewed by the researchers pointed out companies may game the system to get, say, five stars regardless whether the product deserves the rating.
One unnamed academic told the researchers: "The problem I have with ratings like this is that everybody's gonna get a five star, because everybody's gonna figure out how to get the five stars."
An alternative would be to create baseline or minimum security standards, rather than a five-star rating system. Groups active in this area include Consumer Reports' Digital Standard, UL's IoT Security Rating Levels and YourThings, which is run by Astrolavos Lab at the Georgia Institute of Technology in Atlanta.
But there are potential drawbacks to using that model. "Since the lowest certification level indicates a safe device, there is a risk that manufacturers will aim to achieve the lowest level and not bother pursuing higher levels," the researchers write.
They also note that "market competition may encourage manufacturers to pursue higher certification levels, especially for devices where the consequences of security breaches are most severe."
The researchers say they're continuing to study this issue, but are already in discussions with connected device manufacturers to gauge their interest in using such a label. Consumers have told the researchers that they would pay a premium for devices that carry such a label.
Executive Editor Mathew Schwartz contributed to this report.