Carnegie Mellon Researchers Design 'Nutrition Label' For The Internet Of Broken Things

from the watching-you-watching-me dept

Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle are now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in devastating and historic DDoS attacks. In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in even bigger security and privacy headaches than we're seeing today.

One problem is that consumers often don't know what they're buying, which is why groups like Consumer Reports have been working on an open source standard to include security and privacy issues in product reviews. Another big problem is that these devices are rarely designed with GUIs that provide transparent insight into what these devices are doing online. And unless users have a semi-sophisticated familiarity with monitoring their internet traffic via a router, they likely have no idea that their shiny new internet-connected doo-dad is putting themselves, and others, at risk.

This lack of transparent data for the end user also extends to company privacy policies and company privacy practices, which are often muddy and buried beneath layers of fine print, assuming they're even truthful in the first place.

Enter the CyLab Security and Privacy Institute at Carnegie Mellon, where researchers say they're hoping to create a standardized "nutrition label" of sorts for IOT devices. Researchers say the labels will provide 47 different pieces of information about a device’s security and privacy practices, including the type of user and activity data the device collects, with whom the data is shared, how long the device retains data, and how frequently this data is shared. The goal is to take something incredibly confusing to the average user and simplify it in a way that's more easily understandable.

To do so, the researchers say they consulted with 22 security and privacy experts across industry, government, and academia to design the easy to understand labels:

They've also built a label generator for those interested. Ideally, by including more accurate labels and privacy and security issues in reviews, you could ideally shame at least some companies into trying a little harder, and help consumers and businesses alike avoid platforms and companies that pretty clearly couldn't care less about end user privacy and security. A more detailed breakdown of a device's habits would be available for experts or researchers looking to know more about a particular device or its habits:

"We have designed a that includes a simple, understandable primary layer for consumers and a more detailed secondary layer that includes information important to experts. The primary layer is designed to be affixed to device packaging or shown on an online shopping website, while the secondary layer can be accessed online via a URL or QR code."

One interesting finding from the researchers: consumers polled were interested in paying more to have this kind of insight into what a product actually does. Granted such labels are only useful if they're actually used, and there's a long list of overseas Chinese companies that will see no penalty for not including them (though the lack of such a label could be a deterrent from buying such products). To be truly effective, you'd likely need to incorporate such requirements as part of the United States' first actual privacy law for the internet era, should such legislation ever actually get crafted.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, internet of things, iot, nutrition label


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 9 Jun 2020 @ 4:52pm

    These labels are awesome but if it's left to manufacturers to put these on their products, who decides what goes on the labels? And who verifies it? These could easily be used to give a false sense of security if they're loaded with bullshit.

    reply to this | link to this | view in chronology ]

    • icon
      Scary Devil Monastery (profile), 10 Jun 2020 @ 12:01am

      Re:

      "These could easily be used to give a false sense of security if they're loaded with bullshit."

      Or worse, being too factual for the average consumer to make heads or tails of;

      "May contain traces of zero-day exploits."
      "Contains, in order of line volume; C++, Python, Perl, Cobol, Fjölnir"
      "Last patch date"
      "version 5.2065521"
      "Oracle SQL standard applied"
      "BOFH approved"
      "No liability assumed for PEBKAC"

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jun 2020 @ 5:05pm

    Well, y'all are in luck ...
    now on sale - internet connected Big Mouth Billy Bass

    reply to this | link to this | view in chronology ]

  • icon
    Upstream (profile), 9 Jun 2020 @ 5:09pm

    Princeton IoT Inspector ?

    Has anyone used this? I don't have Windows 10 or any IoT junk, so I am kind of out of the loop. The website says Linux and macOS versions are due this month, but I am betting they will be delayed.

    reply to this | link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 9 Jun 2020 @ 5:26pm

      Re: Princeton IoT Inspector ?

      I don't have any IOT devices either, nor Windows 10, but after a quick look at this link it appears they are collecting a lot of information as well. A better question might be, are these people to be trusted with what they want from you?

      reply to this | link to this | view in chronology ]

      • icon
        Upstream (profile), 9 Jun 2020 @ 7:10pm

        Re: Re: Princeton IoT Inspector ?

        Seems like mostly innocuous stuff, primarily about the IoT device and what it is sending and where it is sending it. This is info they would need to do any research on IoT devices. And it explains how to limit data collection:

        You can also manually exclude devices by either powering them down while setting up IoT Inspector, or specifying their MAC addresses.

        If you do not want IoT Inspector to collect data from a particular IoT device (e.g., because it collects sensitive medical information), please disconnect it from the network now, before you start running IoT Inspector. If you are unable to disconnect it (e.g., because you need to keep the device running, or because you do not know how to disconnect it), you cannot use IoT Inspector.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Jun 2020 @ 2:08pm

        Re: Re: Princeton IoT Inspector ?

        I don't have any of the above either, but now i am conflicted and mostly unmotivated to research what they have to say about themselves. At the moment, anyway. But interesting nonetheless.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jun 2020 @ 5:31pm

    The sad part is the idea of a "nutrition label" for these internet-connected products needed to exist in the first place.

    Really just encapsulates what's wrong with the Internet Of Broken Things.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jun 2020 @ 6:04pm

    The technological solution is possible but no one seems willing or able to implement it

    reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 9 Jun 2020 @ 6:20pm

    Nutrition Racism

    Often cash crops —like sugar and coffee— are cultivated at the
    expense of agricultural production which could feed the people. This is a
    main cause of famine and malnutrition in the world. Coffee alone is the
    primary economic life-blood of ten underdeveloped countries.

    White people should not be allowed to eat. Ever.

    reply to this | link to this | view in chronology ]

    • This comment has been flagged by the community. Click here to show it
      identicon
      Anonymous Coward, 9 Jun 2020 @ 8:23pm

      Class Racism

      Class analysis should not use the borders of the US like blinders on
      a horse. This deprives us of the full picture and throws strategy into chaos.
      Domestic class analysis must be integrated with the reality of US imperialism
      as a world economy. There is one system operating internally and externally:
      there is a unified strategy for power and control although the application
      and tactics vary greatly; there is one main class enemy. Class analysis must
      see the entire system mid realistically take account of imperial plunder, the
      distorting culture of privilege and racism, and the realities of national
      division.

      Eat White People! It solves every problem! Global warming will end when white people are gone! Racism will be gone! Class will be gone! We will all be equal non-white people! If any new white people are born, eat them too! Even a little white! Even if they have white teeth! Eat them all!

      reply to this | link to this | view in chronology ]

  • icon
    ysth (profile), 9 Jun 2020 @ 9:28pm

    You lost me at...

    You lost me at Carnegie Mellon

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jun 2020 @ 9:51pm

      Re: You lost me at...

      Carnegie Mellon was a leading anti-imperialist organization in the Techdirt movement.
      Historically, students play an advanced and militant role in anti-imperialist
      struggle, opposing war and racial injustice and white privilege. The revolt at Columbia University
      was a catalyst which exploded the previous era of resistance into a popular
      revolutionary movement of students and young people. The street battles at
      the Democratic National Convention in Chicago several months later led to
      further occupations and demonstrations involving hundreds of thousands of
      Techdirt militants. The demonstrations built on each other; each struggle was unique
      and beautiful. The vitality of SDS and Techdirt was rooted in its local experiences and the
      application of national programs to different regions and conditions
      —applying the lessons of Columbia, films on Cuba, building alliances with a
      Black Student Union, Techdirt Division. The taste of liberation, the intense struggles,
      transformed our identifications, our lives, our sexuality, too. Mike, for example. He loves trans ladies now. Everybody knows that.

      At this point, some new contradictions appeared.

      What does this have to do with anything in America today, you ask? It's a long struggle by people who are now really old, like my sister. She went to Radcliffe, did I mention that? And, she married an Ayers. That's new, right? Hadn't thought about THAT in a long time. She had Ayers kids, too. They're AntiFa leaders, now. Same philosophy, get it? It's recycling - recycle the old tired bullshit leftist propaganda into new tired leftist bullshit propaganda. That's what Obama did for America, and that's why we need a New America - Omerica! Obama America, forever!

      reply to this | link to this | view in chronology ]

      • icon
        Scary Devil Monastery (profile), 11 Jun 2020 @ 1:49am

        Re: Re: You lost me at...

        "Carnegie Mellon was a leading anti-imperialist organization in the Techdirt movement. "

        Know how we can tell you're a troll, bro? And i notice you managed to swing your usual "But Obama!" in again.

        So tell me, just when was it that white supremacists became addicted to pulling blackface improv acts pretending to be what you guys think a black activist sounds like?

        Because if it's all just a secret yearning to be "cooler" by being a black fascist rather than a white one I'll have to disappoint you - black people in the US don't have the same liberty to be as openly malicious as you people always are.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jun 2020 @ 2:51am

    Needs more info

    How about categories like

    • Manufacturer can brick this device remotely
    • Needs a server/service provided by the manufacturer/third party to function
    • Uses open protocol / proprietary protocol (with list of protocols)
    • Needs a (paid) subscription to function as advertized
    • Needs your wifi details to function properly
    • ...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jun 2020 @ 10:49am

    What the hell happened?

    I thought we were over these utterly illiterate "series of tubes" suggestions of regulation by completely inapplicable analogy by the mid 00s at latest when they became laughingstocks.

    reply to this | link to this | view in chronology ]

  • identicon
    bobob, 10 Jun 2020 @ 1:12pm

    Great... Now we'll have the Internet of Broken Nutrition.

    reply to this | link to this | view in chronology ]

  • icon
    Coyne Tibbets (profile), 10 Jun 2020 @ 5:57pm

    Brick By

    They also need a "Brick By" date, the date after which the company may brick the device. It may well be earlier than the security updates date.

    reply to this | link to this | view in chronology ]

  • identicon
    harryg123, 15 Jun 2020 @ 7:38am

    what if...

    what's to stop Chinese (or any) companies from simply lying on the "nutrition label"? E.g., saying they don't sell data when in reality they do. Or don't submit personally-identifiable data, but do reveal 'metadata' than can be aggregated such that user information becomes identifiable.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.