Carnegie Mellon Researchers Design 'Nutrition Label' For The Internet Of Broken Things
from the watching-you-watching-me dept
Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle is now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in devastating and historic DDoS attacks. In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in even bigger security and privacy headaches than we're seeing today.
One problem is that consumers often don't know what they're buying, which is why groups like Consumer Reports have been working on an open source standard to include security and privacy issues in product reviews. Another big problem is that these devices are rarely designed with GUIs that provide transparent insight into what these devices are doing online. And unless users have a semi-sophisticated familiarity with monitoring their internet traffic via a router, they likely have no idea that their shiny new internet-connected doo-dad is putting themselves, and others, at risk.
This lack of transparent data for the end user also extends to company privacy policies and company privacy practices, which are often muddy and buried beneath layers of fine print, assuming they're even truthful in the first place.
Enter the CyLab Security and Privacy Institute at Carnegie Mellon, where researchers say they're hoping to create a standardized "nutrition label" of sorts for IoT devices. Researchers say the labels will provide 47 different pieces of information about a device’s security and privacy practices, including the type of user and activity data the device collects, with whom the data is shared, how long the device retains data, and how frequently this data is shared. The goal is to take something incredibly confusing to the average user and simplify it in a way that's more easily understandable.
To do so, the researchers say they consulted with 22 security and privacy experts across industry, government, and academia to design the easy to understand labels:
They've also built a label generator for those interested. Ideally, by including more accurate labels and privacy and security issues in reviews, you could shame at least some companies into trying a little harder, and help consumers and businesses alike avoid platforms and companies that pretty clearly couldn't care less about end user privacy and security. A more detailed breakdown of a device's habits would be available for experts or researchers looking to know more about a particular device:
"We have designed a [label] that includes a simple, understandable primary layer for consumers and a more detailed secondary layer that includes information important to experts. The primary layer is designed to be affixed to device packaging or shown on an online shopping website, while the secondary layer can be accessed online via a URL or QR code."
One interesting finding from the researchers: consumers polled were interested in paying more to have this kind of insight into what a product actually does. Granted, such labels are only useful if they're actually used, and there's a long list of overseas Chinese companies that will see no penalty for not including them (though the lack of such a label could be a deterrent from buying such products). To be truly effective, you'd likely need to incorporate such requirements as part of the United States' first actual privacy law for the internet era, should such legislation ever actually get crafted.
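The post describes a two-layer label (a short consumer-facing layer on the packaging, an expert layer behind a URL) carrying fields such as what data is collected, with whom it is shared, how long it is kept and how often it is shared, and it notes that most users never monitor their router traffic to see what a device really does. The following Python is an added example, not the CyLab label format, its generator, or any code from the researchers: it models such a label with a hypothetical field set, renders the primary layer, and then compares the label's declared data recipients against the destinations a device was observed contacting in a constructed router log. The log format, the MAC addresses, the vendor and tracker domain names and the `IoTLabel` schema are all assumptions made for the example.

```python
"""Hypothetical machine-readable IoT privacy/security label (added example,
not the CyLab label or its generator) plus a consistency check that compares
the label's declared data recipients with hosts a device actually contacted."""
from dataclasses import dataclass
from datetime import date
import re
from typing import Dict, List


@dataclass
class IoTLabel:
    """Assumed schema: field names are illustrative, not the real label's."""
    product: str
    vendor_domains: List[str]        # hosts the vendor declares as its own
    data_collected: List[str]        # e.g. "device usage", "audio"
    shared_with: List[str]           # declared third-party recipient domains
    retention_days: int              # how long the device/vendor keeps data
    sharing_frequency: str           # how often data leaves the device
    security_updates_until: date     # last date patches are promised
    secondary_layer_url: str         # where the expert-level detail lives

    def primary_layer(self) -> str:
        """Consumer-facing summary, the part meant for packaging or a shop page."""
        shared = ", ".join(self.shared_with) or "no third parties"
        return (
            f"{self.product}\n"
            f"Collects: {', '.join(self.data_collected)}\n"
            f"Shared with: {shared} ({self.sharing_frequency})\n"
            f"Retained for: {self.retention_days} days\n"
            f"Security updates until: {self.security_updates_until.isoformat()}\n"
            f"Details: {self.secondary_layer_url}"
        )


# Constructed label for a fictional kettle: the vendor claims no third-party sharing.
KETTLE_LABEL = IoTLabel(
    product="Example Smart Kettle (fictional)",
    vendor_domains=["example-vendor.com"],
    data_collected=["device usage", "Wi-Fi network name"],
    shared_with=[],
    retention_days=90,
    sharing_frequency="daily",
    security_updates_until=date(2023, 12, 31),
    secondary_layer_url="https://label.example-vendor.com/kettle",
)

# Constructed router log lines in an assumed format: timestamp, client MAC, destination, port.
SAMPLE_ROUTER_LOG = """\
2020-05-27T10:00:01 mac=aa:bb:cc:00:11:22 dst=api.example-vendor.com port=443
2020-05-27T10:00:05 mac=aa:bb:cc:00:11:22 dst=cdn.example-vendor.com port=443
2020-05-27T10:01:10 mac=aa:bb:cc:00:11:22 dst=tracker.example-ads.net port=443
2020-05-27T10:02:00 mac=de:ad:be:ef:00:01 dst=www.example.org port=80
"""

LOG_RE = re.compile(r"mac=(?P<mac>[0-9a-f:]{17}) dst=(?P<dst>\S+) port=(?P<port>\d+)")


def observed_hosts(log_text: str, device_mac: str) -> Dict[str, int]:
    """Count destination hosts contacted by one device, identified by its MAC."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("mac") == device_mac:
            counts[m.group("dst")] = counts.get(m.group("dst"), 0) + 1
    return counts


def _in_domains(host: str, domains: List[str]) -> bool:
    """True when host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def undeclared_destinations(label: IoTLabel, hosts: Dict[str, int]) -> List[str]:
    """Hosts contacted that are neither the vendor's own nor a declared recipient."""
    declared = label.vendor_domains + label.shared_with
    return sorted(h for h in hosts if not _in_domains(h, declared))


def label_is_consistent(label: IoTLabel, log_text: str, device_mac: str) -> bool:
    """A label passes when every observed destination is covered by its declarations."""
    return not undeclared_destinations(label, observed_hosts(log_text, device_mac))


if __name__ == "__main__":
    print(KETTLE_LABEL.primary_layer())
    mac = "aa:bb:cc:00:11:22"
    for host in undeclared_destinations(KETTLE_LABEL, observed_hosts(SAMPLE_ROUTER_LOG, mac)):
        print(f"undeclared destination for {mac}: {host}")
```

Run stand-alone, the kettle's label reads "Shared with: no third parties", yet the constructed log shows the kettle talking to a tracking domain that the label never declares, which is exactly the discrepancy a reviewer or a tool such as a traffic inspector would surface. The domain-suffix match is deliberate: a vendor's own CDN subdomains should not trip the check, while an unrelated advertising domain should.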
Filed Under: cybersecurity, internet of things, iot, nutrition label
These labels are awesome but if it's left to manufacturers to put these on their products, who decides what goes on the labels? And who verifies it? These could easily be used to give a false sense of security if they're loaded with bullshit.
Re:
"These could easily be used to give a false sense of security if they're loaded with bullshit."
Or worse, being too factual for the average consumer to make heads or tails of:
"May contain traces of zero-day exploits."
"Contains, in order of line volume: C++, Python, Perl, Cobol, Fjölnir"
"Last patch date"
"version 5.2065521"
"Oracle SQL standard applied"
"BOFH approved"
"No liability assumed for PEBKAC"
Well, y'all are in luck ...
now on sale - internet connected Big Mouth Billy Bass
Re:
They should just make an offline one with a flashcard on which an audio file is used so you could customize the thing.
Re: Re:
"so you could customize the thing."
Animate a Billy Bass Mouth With Any Audio Source
State Of The Art Big Mouth Alexa Bass
Re: Re: Re:
Thanks a bunch!
Princeton IoT Inspector ?
Has anyone used this? I don't have Windows 10 or any IoT junk, so I am kind of out of the loop. The website says Linux and macOS versions are due this month, but I am betting they will be delayed.
Re: Princeton IoT Inspector ?
I don't have any IOT devices either, nor Windows 10, but after a quick look at this link it appears they are collecting a lot of information as well. A better question might be, are these people to be trusted with what they want from you?
Re: Re: Princeton IoT Inspector ?
Seems like mostly innocuous stuff, primarily about the IoT device and what it is sending and where it is sending it. This is info they would need to do any research on IoT devices. And it explains how to limit data collection:
Re: Re: Princeton IoT Inspector ?
I don't have any of the above either, but now I am conflicted and mostly unmotivated to research what they have to say about themselves. At the moment, anyway. But interesting nonetheless.
The sad part is the idea of a "nutrition label" for these internet-connected products needed to exist in the first place.
Really just encapsulates what's wrong with the Internet Of Broken Things.
The technological solution is possible but no one seems willing or able to implement it
Nutrition Racism
Often cash crops —like sugar and coffee— are cultivated at the expense of agricultural production which could feed the people. This is a main cause of famine and malnutrition in the world. Coffee alone is the primary economic life-blood of ten underdeveloped countries.
White people should not be allowed to eat. Ever.
Class Racism
Class analysis should not use the borders of the US like blinders on a horse. This deprives us of the full picture and throws strategy into chaos. Domestic class analysis must be integrated with the reality of US imperialism as a world economy. There is one system operating internally and externally: there is a unified strategy for power and control although the application and tactics vary greatly; there is one main class enemy. Class analysis must see the entire system and realistically take account of imperial plunder, the distorting culture of privilege and racism, and the realities of national division.
Eat White People! It solves every problem! Global warming will end when white people are gone! Racism will be gone! Class will be gone! We will all be equal non-white people! If any new white people are born, eat them too! Even a little white! Even if they have white teeth! Eat them all!
You lost me at...
You lost me at Carnegie Mellon
Re: You lost me at...
Carnegie Mellon was a leading anti-imperialist organization in the Techdirt movement. Historically, students play an advanced and militant role in anti-imperialist struggle, opposing war and racial injustice and white privilege. The revolt at Columbia University was a catalyst which exploded the previous era of resistance into a popular revolutionary movement of students and young people. The street battles at the Democratic National Convention in Chicago several months later led to further occupations and demonstrations involving hundreds of thousands of Techdirt militants. The demonstrations built on each other; each struggle was unique and beautiful. The vitality of SDS and Techdirt was rooted in its local experiences and the application of national programs to different regions and conditions —applying the lessons of Columbia, films on Cuba, building alliances with a Black Student Union, Techdirt Division. The taste of liberation, the intense struggles, transformed our identifications, our lives, our sexuality, too. Mike, for example. He loves trans ladies now. Everybody knows that.
At this point, some new contradictions appeared.
What does this have to do with anything in America today, you ask? It's a long struggle by people who are now really old, like my sister. She went to Radcliffe, did I mention that? And, she married an Ayers. That's new, right? Hadn't thought about THAT in a long time. She had Ayers kids, too. They're AntiFa leaders, now. Same philosophy, get it? It's recycling - recycle the old tired bullshit leftist propaganda into new tired leftist bullshit propaganda. That's what Obama did for America, and that's why we need a New America - Omerica! Obama America, forever!
Re: Re: You lost me at...
"Carnegie Mellon was a leading anti-imperialist organization in the Techdirt movement. "
Know how we can tell you're a troll, bro? And I notice you managed to swing your usual "But Obama!" in again.
So tell me, just when was it that white supremacists became addicted to pulling blackface improv acts pretending to be what you guys think a black activist sounds like?
Because if it's all just a secret yearning to be "cooler" by being a black fascist rather than a white one I'll have to disappoint you - black people in the US don't have the same liberty to be as openly malicious as you people always are.
Needs more info
How about categories like
What the hell happened?
I thought we were over these utterly illiterate "series of tubes" suggestions of regulation by completely inapplicable analogy by the mid 00s at latest when they became laughingstocks.
Great... Now we'll have the Internet of Broken Nutrition.
Brick By
They also need a "Brick By" date, the date after which the company may brick the device. It may well be earlier than the security updates date.
what if...
What's to stop Chinese (or any) companies from simply lying on the "nutrition label"? E.g., saying they don't sell data when in reality they do. Or don't submit personally-identifiable data, but do reveal 'metadata' that can be aggregated such that user information becomes identifiable.
Re: what if...
That is what Princeton IoT Inspector is for.