Carnegie Mellon Researchers Design 'Nutrition Label' For The Internet Of Broken Things

from the watching-you-watching-me dept

Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle is now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in devastating and historic DDoS attacks. In short: thanks to “internet of things” companies that prioritized profits over consumer privacy and the safety of the internet, we’re now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in even bigger security and privacy headaches than we’re seeing today.

One problem is that consumers often don’t know what they’re buying, which is why groups like Consumer Reports have been working on an open source standard to include security and privacy issues in product reviews. Another big problem is that these devices are rarely designed with GUIs that provide transparent insight into what these devices are doing online. And unless users have a semi-sophisticated familiarity with monitoring their internet traffic via a router, they likely have no idea that their shiny new internet-connected doo-dad is putting themselves, and others, at risk.

This lack of transparent data for the end user also extends to company privacy policies and company privacy practices, which are often muddy and buried beneath layers of fine print, assuming they’re even truthful in the first place.

Enter the CyLab Security and Privacy Institute at Carnegie Mellon, where researchers say they’re hoping to create a standardized “nutrition label” of sorts for IoT devices. Researchers say the labels will provide 47 different pieces of information about a device’s security and privacy practices, including the type of user and activity data the device collects, with whom the data is shared, how long the device retains data, and how frequently this data is shared. The goal is to take something incredibly confusing to the average user and simplify it in a way that’s more easily understandable.

To do so, the researchers say they consulted with 22 security and privacy experts across industry, government, and academia to design the easy-to-understand labels:

They’ve also built a label generator for those interested. Ideally, by including more accurate labels and privacy and security issues in reviews, you could shame at least some companies into trying a little harder, and help consumers and businesses alike avoid platforms and companies that pretty clearly couldn’t care less about end user privacy and security. A more detailed breakdown of a device’s habits would be available for experts or researchers looking to know more about a particular device or its habits:

“We have designed a that includes a simple, understandable primary layer for consumers and a more detailed secondary layer that includes information important to experts. The primary layer is designed to be affixed to device packaging or shown on an online shopping website, while the secondary layer can be accessed online via a URL or QR code.”

One interesting finding from the researchers: consumers polled were interested in paying more to have this kind of insight into what a product actually does. Granted, such labels are only useful if they’re actually used, and there’s a long list of overseas Chinese companies that will see no penalty for not including them (though the lack of such a label could be a deterrent from buying such products). To be truly effective, you’d likely need to incorporate such requirements as part of the United States’ first actual privacy law for the internet era, should such legislation ever actually get crafted.


Comments on “Carnegie Mellon Researchers Design 'Nutrition Label' For The Internet Of Broken Things”

Scary Devil Monastery (profile) says:

Re: Re:

"These could easily be used to give a false sense of security if they’re loaded with bullshit."

Or worse, being too factual for the average consumer to make heads or tails of;

"May contain traces of zero-day exploits."
"Contains, in order of line volume; C++, Python, Perl, Cobol, Fjölnir"
"Last patch date"
"version 5.2065521"
"Oracle SQL standard applied"
"BOFH approved"
"No liability assumed for PEBKAC"

Upstream (profile) says:

Re: Re: Princeton IoT Inspector?

Seems like mostly innocuous stuff, primarily about the IoT device and what it is sending and where it is sending it. This is info they would need to do any research on IoT devices. And it explains how to limit data collection:

You can also manually exclude devices by either powering them down while setting up IoT Inspector, or specifying their MAC addresses.

If you do not want IoT Inspector to collect data from a particular IoT device (e.g., because it collects sensitive medical information), please disconnect it from the network now, before you start running IoT Inspector. If you are unable to disconnect it (e.g., because you need to keep the device running, or because you do not know how to disconnect it), you cannot use IoT Inspector.

This comment has been flagged by the community.

Anonymous Coward says:

Nutrition Racism

Often cash crops —like sugar and coffee— are cultivated at the expense of agricultural production which could feed the people. This is a main cause of famine and malnutrition in the world. Coffee alone is the primary economic life-blood of ten underdeveloped countries.

White people should not be allowed to eat. Ever.

This comment has been flagged by the community.

Anonymous Coward says:

Re: Class Racism

Class analysis should not use the borders of the US like blinders on a horse. This deprives us of the full picture and throws strategy into chaos. Domestic class analysis must be integrated with the reality of US imperialism as a world economy. There is one system operating internally and externally: there is a unified strategy for power and control although the application and tactics vary greatly; there is one main class enemy. Class analysis must see the entire system and realistically take account of imperial plunder, the distorting culture of privilege and racism, and the realities of national

Eat White People! It solves every problem! Global warming will end when white people are gone! Racism will be gone! Class will be gone! We will all be equal non-white people! If any new white people are born, eat them too! Even a little white! Even if they have white teeth! Eat them all!

This comment has been flagged by the community.

Anonymous Coward says:

Re: You lost me at...

Carnegie Mellon was a leading anti-imperialist organization in the Techdirt movement. Historically, students play an advanced and militant role in anti-imperialist struggle, opposing war and racial injustice and white privilege. The revolt at Columbia University was a catalyst which exploded the previous era of resistance into a popular revolutionary movement of students and young people. The street battles at the Democratic National Convention in Chicago several months later led to further occupations and demonstrations involving hundreds of thousands of Techdirt militants. The demonstrations built on each other; each struggle was unique and beautiful. The vitality of SDS and Techdirt was rooted in its local experiences and the application of national programs to different regions and conditions —applying the lessons of Columbia, films on Cuba, building alliances with a Black Student Union, Techdirt Division. The taste of liberation, the intense struggles, transformed our identifications, our lives, our sexuality, too. Mike, for example. He loves trans ladies now. Everybody knows that.

At this point, some new contradictions appeared.

What does this have to do with anything in America today, you ask? It’s a long struggle by people who are now really old, like my sister. She went to Radcliffe, did I mention that? And, she married an Ayers. That’s new, right? Hadn’t thought about THAT in a long time. She had Ayers kids, too. They’re AntiFa leaders, now. Same philosophy, get it? It’s recycling – recycle the old tired bullshit leftist propaganda into new tired leftist bullshit propaganda. That’s what Obama did for America, and that’s why we need a New America – Omerica! Obama America, forever!

Scary Devil Monastery (profile) says:

Re: Re: You lost me at...

"Carnegie Mellon was a leading anti-imperialist organization in the Techdirt movement. "

Know how we can tell you’re a troll, bro? And I notice you managed to swing your usual "But Obama!" in again.

So tell me, just when was it that white supremacists became addicted to pulling blackface improv acts pretending to be what you guys think a black activist sounds like?

Because if it’s all just a secret yearning to be "cooler" by being a black fascist rather than a white one I’ll have to disappoint you – black people in the US don’t have the same liberty to be as openly malicious as you people always are.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Needs more info

How about categories like

  • Manufacturer can brick this device remotely
  • Needs a server/service provided by the manufacturer/third party to function
  • Uses open protocol / proprietary protocol (with list of protocols)
  • Needs a (paid) subscription to function as advertised
  • Needs your wifi details to function properly

harryg123 says:

what if...

What’s to stop Chinese (or any) companies from simply lying on the "nutrition label"? E.g., saying they don’t sell data when in reality they do. Or don’t submit personally-identifiable data, but do reveal ‘metadata’ that can be aggregated such that user information becomes identifiable.
