Pioneering research in IoT device privacy and security

The rise of Internet of Things (IoT) devices — smart and internet-connected devices — in American homes and workplaces has ushered in an era of unparalleled convenience and connectivity. Yet, this digital revolution comes at a cost: The erosion of user' privacy and concerns about their security.

From home security cameras that can be used to spy on occupants to smart vacuum cleaners taking intimate photos, these technologies often serve as silent witnesses to moments we would rather keep private.

The truth is, IoT's ceaseless data collection and transmission create a digital footprint that is frequently beyond our control. This unchecked invasion of personal privacy jeopardizes how consumers view emerging technologies that were once developed to solve a problem. As homes and cities become more connected, the question that looms large is whether people are willing to pay premium prices for IoT devices that bring a sense of privacy and trustworthiness.

Yuvraj Agarwal, a trailblazing researcher in IoT device technology, is at the forefront of addressing these critical issues. Supported by a U.S. National Science Foundation award, his work is fostering the development of secure and privacy-respecting IoT devices and influencing industry practices and national policies on privacy labeling standards.

Fortifying device security

The need for better privacy and security solutions is becoming increasingly urgent as the IoT ecosystem expands rapidly. International Data Corporation forecasts the number of connected IoT devices to reach 41.6 billion by 2025. With this explosive growth, the options for cybercriminals also expand exponentially.

Agarwal and his collaborators Pardis Emami-Naeini and Lorrie Cranor propose a novel solution:  IoT security and privacy labels. Much like nutrition labels on food products, these IoT labels would provide consumers and organizations essential information about the security and privacy attributes of IoT devices. The goal is to empower individuals and businesses to make informed choices, taking into account security and privacy when selecting IoT products.

Design of IoT labl
Credit: Pardis Emami-Naeini Carnegie Mellon University; Yuvraj Agarwal Carnegie Mellon University; Lorrie Faith Cranor Carnegie Mellon University; Hanan Hibshi Carnegie Mellon University
Primary layer of the label, designed to be printed on product packaging or to appear on a product website. View the latest label design at www.iotsecurityprivacy.org.

Their team's early research highlighted a clear consumer desire for readily accessible security and privacy information regarding IoT products. This information was identified as a critical factor influencing purchase decisions. However, this vital information was often lacking, confusing, inconsistent and presented in an unwieldy manner that hindered product comparisons. This initial insight ignited a five-year journey aimed at developing the Carnegie Mellon University IoT security and privacy label, supported by an array of in-depth studies with consumers and security and privacy experts.

Through IoT privacy labels, Agarwal envisions the development of industry-wide standards and best practices that empower consumers to drive the responsible collection and use of data. By advocating for increased transparency, accountability and ethical conduct, Agarwal is helping reshape the landscape of IoT industry practices.

"If manufacturers and developers begin incorporating these labels into their devices, consumers will not only be better informed, but these labels can also be leveraged by entities such as Consumer Reports, the Federal Trade Commission, the Federal Communications Commission and other regulatory agencies to verify claims and ensure accountability," says Agarwal.

U.S. Cyber Trust Mark

The Biden administration recently announced the U.S. Cyber Trust Mark program, intended to equip consumers with the resources needed to make well-informed choices regarding the security levels of products they bring into their homes. Several manufacturers and retailers indicated their commitment to advance this program, including Amazon, Best Buy, Google, LG Electronics USA, Logitech and Samsung Electronics.

Consumers would see a unique shield logo affixed to products that meet baseline cybersecurity criteria. Devices set to be impacted by the ruling include fitness trackers, home assistants and security cameras, as well as community-wide devices such as climate monitoring systems.

"Our IoT Security and Privacy Label work is attempting to influence how the U.S. Cyber Trust Mark program will be organized, what the requirements will be for getting the mark, what security and privacy factors will be included, etc.," Agarwal says.

One of the biggest challenges to the implementation of privacy labels is that compliance with the policy is voluntary. Nonetheless Agarwal and his team are working with various organizations such as the Connectivity Standard Alliance, responsible for the Matter IoT standard, and Consumer Reports, a nonprofit organization that advocates for marketplace fairness, to develop programs and initiatives that complement the broader U.S. program.

IoT security camera label
Credit: Pardis Emami-Naeini Carnegie Mellon University; Yuvraj Agarwal Carnegie Mellon University; Lorrie Faith Cranor Carnegie Mellon University; Hanan Hibshi Carnegie Mellon University
A user study participant comparing the privacy and security practices of two hypothetical smart security cameras

“What is going to incentivize developers and manufacturers to do the right thing? I believe it will all start with manufacturers who are being compliant already in terms of their security and privacy and that could be a market force for the rest," Agarwal says.

Inspired by the success of the Department of Energy and Department of Defense's ENERGY STAR® program, several ideas are being considered, including sustained consumer education and online advertising campaigns to enlighten users about the U.S. Cyber Trust Mark, with leading retailers and academic institutions playing pivotal roles.

Global effort

While standardization of privacy and security labels would make it easier for consumers and buyers to make informed purchasing decisions, it poses a grand challenge due to distinct regulations, requirements and cultural norms regarding data protection and privacy around the globe. These differences make it difficult to create a one-size-fits-all privacy label that can cater to the diverse needs and expectations of consumers and comply with the intricate legal frameworks of multiple jurisdictions.

"Fifty-five countries have some sort of IoT labeling programs underway. Many of them are based on a European standard, which we also incorporated in our framework. However, Europe is looking to move forward with requiring these labels," Agarwal said. "Meanwhile, in the U.S., these programs are voluntary. As a manufacturer, you have to figure out how to comply with requirements from different countries. … There is an opportunity for the U.S. to help lead this process of standardization based on what consumers really want."

According to Agarwal, achieving a harmonized global standard for privacy and security labels that accommodate regional cultural and policy differences remains a complex endeavor, necessitating careful consideration of how to strike a balance between uniformity and adaptability. He and his team actively collaborate with international partners, sharing their research insights and making recommendations to impact current and future privacy label programs.

"Our privacy labels have been shared under an open Creative Commons license to drive adoption," said Agarwal. "The idea is to create an ecosystem of open science that is available to everyone, no matter your geographic location."