"CyLab Presents IoT Privacy and Security Label Research at White House Summit"

The Carnegie Mellon University (CMU) CyLab Security and Privacy Institute recently attended the White House's Internet of Things (IoT) security summit to discuss what is required to foster an effective IoT security labeling ecosystem. Consumers have smart doorbells, smart thermostats, voice assistants, and other IoT devices in their homes and are concerned about security and privacy risks, according to Yuvraj Agarwal, associate professor in CMU's Software and Societal Systems Department (S3D). Therefore, it is essential to provide consumers with information to make informed decisions about what they bring into their homes. While IoT devices have numerous advantages, such as improving energy efficiency and automating routine tasks, they have also been used to spy on consumers and as a stepping stone to much larger infrastructure attacks. Concerns have also grown about sensitive data being sold or shared with third parties. Despite rising concerns about the security and privacy of IoT devices, consumers rarely have access to security and privacy information when making purchasing decisions. While legislators have proposed adding short, consumer-friendly labels, they have not specified what information these labels should contain. Since 2018, CyLab faculty and students have been exploring this issue, resulting in several peer-reviewed papers that investigate how privacy and security factors into IoT device purchase behaviors, what should be included on IoT privacy and security labels, and whether consumers are willing to pay for products with better security and privacy practices. Agarwal published "An Informative Security and Privacy' Nutrition' Label for Internet of Things Devices" earlier this year with Lorrie Cranor, professor in S3D and the Engineering and Public Policy Department, and Pardis Emami-Naeini, assistant professor at Duke University. The overview paper describes their journey in developing an IoT security and privacy label, and highlights a free, simple-to-use generator that allows device manufacturers to create product-specific labels. Agarwal presented the group's label specification and research findings at the White House summit, providing a consumer-tested solution that could be immediately implemented across the IoT industry and provide consumers with important information about these devices. Their most recent research also shows that consumers are willing to pay significant premiums for IoT devices that clearly state security and privacy features on a consistent label. This article continues to discuss CyLab's IoT privacy and security label research recently presented at the White House's IoT security summit.

CyLab reports "CyLab Presents IoT Privacy and Security Label Research at White House Summit"