Carnegie Mellon University
October 19, 2022

S3D faculty presents IoT privacy and security label research at White House summit

By Ryan Noone

On Wednesday, Carnegie Mellon University CyLab Security and Privacy Institute and the Software and Societal Systems Department (S3D) took part in the White House’s Internet of Things (IoT) security summit to discuss what’s needed to foster an effective IoT security labeling ecosystem.

“Consumers have smart doorbells, smart thermostats, voice assistants, as well as other IoT devices in their homes, and are growing increasingly concerned about the security and privacy risks,” says Yuvraj Agarwal, associate professor in CMU’s Software and Societal Systems Department (S3D).

“We need to provide consumers with readily accessible information to help them make informed decisions about what they bring into their homes.”

While IoT devices provide numerous benefits, from improving energy efficiency to helping automate routine tasks, they’ve also been used to spy on consumers and as a stepping stone to much larger infrastructure attacks. Unease about sensitive data being sold or shared with third parties has also heightened.

Despite these growing concerns about the security and privacy of IoT devices, consumers generally do not have access to security and privacy information when making purchase decisions. While legislators have proposed adding succinct, consumer-accessible labels, they have not provided guidance on what these labels should include.

CyLab faculty and students have been working on this problem since 2018, pioneering research that has resulted in several peer-reviewed papers that explore how privacy and security factor into IoT device purchase behaviors, investigate what should be included on IoT privacy and security labels, and uncover whether consumers are willing to pay for products with better security and privacy practices.

Earlier this year, Agarwal, along with Lorrie Cranor, professor in S3D and the Engineering and Public Policy Department, and Pardis Emami-Naeini, assistant professor at Duke University who earned her Ph.D. at Carnegie Mellon in 2020, published “An Informative Security and Privacy ‘Nutrition’ Label for Internet of Things Devices.” The overview paper describes their journey in designing an IoT security and privacy label and introduces a free, easy-to-use generator, enabling device manufacturers to create product-specific labels.

During the White House’s summit, Agarwal presented the group’s label specification and research findings, providing a consumer-tested solution that could be implemented immediately across the IoT industry and give consumers much-needed information about these devices. Their latest research also shows that consumers are willing to pay significant premiums for IoT devices with security and privacy features clearly stated on a consistent label.

Product labels are not a new concept. For decades they have been used effectively to inform consumers about food nutrients, over-the-counter drug dosage, and energy efficiency of appliances. While food nutrition labels were developed to decrease obesity by helping consumers purchase healthier food products, they also encourage competition between food companies to produce more nutritious products and allow governments to support consumers’ health-related behaviors without mandating specific nutritional requirements. In the context of privacy, CyLab researchers have found that “privacy nutrition labels” can be effective in conveying information to users visiting websites, using mobile apps, and incorporating IoT devices into their homes.