Privacy labels on the Internet of Things (IoT)

The Internet of Things (IoT) comprises all interlinked computing, digital, and mechanical devices capable of transferring data between one another. Basically, those are your smart TVs, home assistant devices, cars, thermostats, speaker systems, and any other type of smart device you could think of (yes, this includes your smartphone, laptop, and tablet). In short, anything that can collect and transfer data to other IoT devices is an IoT device.


IoT devices are very attractive targets for online criminals and scammers

With the increasing popularity and implementation of IoT devices in our everyday lives, problems related to their security and privacy are starting to become more and more prevalent.

One of the key concerns that both users and security experts have with such interconnected devices is how easy it often is to hack into them. We can say that your iPhone or laptop is relatively secure because it has a number of protective features in place that have gone through years of evolution to fight even the most advanced forms of malware and hacker attacks. However, what about your smart car or your Alexa dot? These, and many other IoT devices, are very attractive targets for online criminals and scammers because they often lack the needed levels of security. And to make matters even worse, since all these devices are connected, a single weak link could mean that everything connected to the same network gets infected as well. This could easily mean that your whole home could get hacked due to a single IoT device that is not properly secured.

Another major concern about IoT devices is that their privacy practices are often not very transparent, if at all. This means that a given device may be collecting all kinds of data from you without your knowledge, which is something you might not allow if you knew about it. Virtual privacy has never been a bigger point of discussion than it is now: our devices are no longer restricted to only tracking our browsing history. Now, some of them can use our cameras, microphones, and physical locations to improve their functions and “learn” how to be more useful to us. However, not everyone would be okay with that, and it is therefore necessary that people are given the opportunity to prevent the gathering of personal data by their devices or, at the very least, to have access to detailed information about exactly what data is being collected and for what purpose.

The suggested solution

Obviously, it would be an insurmountable task (at least for the time being) to force all developers of IoT devices to ensure high levels of security for the devices they put on the market. At the same time, the collection of personal data by these devices is not going to stop any time soon, considering the different benefits it brings to both users and developers, as well as the fact that the market itself “requires” modern devices to be that way in order for their creators to remain competitive.

Considering these two points, researchers from Carnegie Mellon University suggested a simple yet effective solution that could significantly improve the overall security and privacy levels of IoT devices. What the university’s research team suggested during last month’s IEEE Symposium on Security & Privacy was that manufacturers put a label on each of their devices that clearly states the device’s security and privacy characteristics, including what types of sensors it has, whether they are used for data collection, the purpose of such data collection, how secure the authentication is, information about security updates, and more. The idea is that users would be informed right out of the gate about the levels of security and privacy on the device they are about to get.

Having access to such information, in the same way that the labels of smartphones and computers tell you how much RAM the device has or what model its processor is, would benefit users in several ways:

  • First, it will help them make more informed choices on which device to buy (or not buy) based on the security/privacy characteristics of said device. This would, in turn, help keep one’s private IoT network safer due to the inclusion of devices that have higher quality in terms of security.
  • Secondly, this will likely drive developers to put greater care and effort into manufacturing devices that have higher levels of security.
  • Thirdly, it will help users get a better understanding of the reasons behind the different forms of data collection that may take place while using a given device. If developers are more transparent and upfront regarding the data collection conducted by their devices, this could help establish more trust among users. For example, there may be a legitimate reason that would benefit the user for their smart fridge to collect data through a built-in microphone. However, if it is not explicitly stated by the manufacturer, users would lose their trust and become suspicious of the whole concept.

Of course, providing detailed information about the safety and privacy of the product that anybody could easily understand on a small label is not always going to be achievable. This is why the project also suggests the addition of a “secondary” label that would be digitally accessible through a URL or a QR code. In that second label, more detailed information would be provided to users who want to learn more about the security and privacy specifics of the devices or to those who don’t fully understand the information provided on the printed “primary” label.


According to the team of researchers at Carnegie Mellon University, there has been quite a lot of interest in their labeling project from both private-sector and governmental companies. However, it all must start with the manufacturers of IoT devices – one or more of them need to spearhead the implementation of such device labels in order for the project to take off. Although this would undoubtedly take some time, such standardization could indeed happen in the foreseeable future, considering that other teams of researchers from different countries have also been conducting tests in the area of IoT product labeling and standardization. Should such a thing end up happening, it could be a major step in further implementing smart tech in our everyday lives as it will improve the trust users have in such devices and provide them with greater comfort and confidence in using them.


About the author

Brandon Skies

Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.
