CyLab Presents at White House's Launch of New IoT Cybersecurity Labeling System
Carnegie Mellon Associate Professor Yuvraj Agarwal shares CyLab's research during the White House's launch of its new IoT cybersecurity label. Source: White House Live Stream
On Tuesday, Carnegie Mellon University’s CyLab Security and Privacy Institute met with government officials and technology industry leaders as the White House launched its new Internet of Things (IoT) cybersecurity label.
School of Computer Science Associate Professor Yuvraj Agarwal represented CMU at the event, sharing key findings from CyLab’s five-plus years of IoT security and privacy label research.
The emergence of IoT technology has provided consumers with numerous benefits, from improving energy efficiency to helping automate routine tasks. However, there are growing concerns about the security and privacy of these devices, and unease around sensitive data being sold or shared with third parties.
“We’re seeing baby monitors with cameras that strangers can access over the Internet and smart thermostats that don’t disclose the use of microphones,” said Lorrie Cranor, director of CyLab and professor in CMU’s Software and Societal Systems and Engineering and Public Policy departments. “Consumers are rightfully concerned about the security and privacy of IoT devices.”
Since 2018, CyLab faculty and students have advocated for IoT labels to empower consumers by providing the knowledge necessary to make informed purchasing decisions.
Led by Cranor and Agarwal, the team has explored how privacy and security factor into IoT device purchase behaviors, finding a willingness among consumers to pay significant premiums for products featuring a consistent label that highlights positive security and privacy features.
Last year, Agarwal, Cranor, and Pardis Emami-Naeini, a Carnegie Mellon alumna and assistant professor at Duke University, published an overview paper titled “An Informative Security and Privacy ‘Nutrition’ Label for Internet of Things Devices,” describing their journey in designing an IoT security and privacy label. They also launched a free, easy-to-use generator, allowing device manufacturers to create product-specific labels.
“We designed our label through a multi-step process that involved extensive research with both consumers and experts,” said Agarwal. “Our current IoT label highlights the most actionable information for consumers, covering both security and privacy factors.”
During a previous White House meeting in October 2022, Agarwal presented a briefing on Carnegie Mellon’s IoT label, offering a consumer-tested solution that could be immediately implemented across the IoT industry.
Agarwal and Cranor continue to have a seat at the table, serving on a working group tasked with moving the IoT labeling initiative forward and meeting with several organizations, including industry associations, to share their research on the topic.
In their most recent study, Agarwal and Cranor surveyed over 500 IoT device purchasers, showing them three potential designs of varying complexity for IoT product packaging labels. The low complexity design simply included a shield and QR code, the medium complexity version added a few key security and privacy characteristics, and the high complexity design included extensive security and privacy information.
Consumers overwhelmingly preferred the design with the most information, although they also found the medium complexity design to be understandable and helpful for choosing a product to purchase. A majority of consumers were dissatisfied with the low complexity design, identifying it as their least favorite option.
“We’ve found that consumers want to know about IoT products' security and privacy properties and that having this information influences their risk perception and willingness to purchase smart devices,” said Agarwal. “Our latest research shows that while accessing this information through a QR code can be helpful, consumers prefer to have important security and privacy information readily available on product packaging.”
During the White House event, the administration revealed its new IoT mark that, alongside a QR code, is geared toward helping consumers identify which products meet a set of baseline security and privacy practices, something Agarwal and Cranor hope industry leaders will be quick to adopt.
“As the details of IoT package labels are finalized, we’d like to see a consensus around including some basic information about sensor data collection next to the mark to help consumers gain a quick understanding,” said Cranor. “We’re looking forward to working with industry groups to standardize the details of these labels based on the results of our consumer research.”
Learn more about CyLab’s research around IoT security and privacy labels.
By: Peter Kerwin and Ryan Noone