At the grocery store, we can read and compare nutritional information, thanks to the standardized Nutrition Facts label. At big box retailers, we can review Energy Guide estimates of the annual energy consumption of appliances. What if all connected devices on the market came with the equivalent of a privacy & cybersecurity “nutritional label”? Instead of telling consumers how many calories a product has, or how much it costs to power, an IoT label would communicate things like what kinds of data the product collects, how long the product will receive security updates, and other important information to help consumers make informed decisions.
Our colleagues at the Carnegie Mellon University (CMU) CyLab have been working on this concept for several years. You can check out their test label here. This idea continues to gain support among policymakers and industry. In May 2022, NIST released guidance on how a national cybersecurity labeling scheme should work, drawing on feedback from over 100 stakeholders (including Consumer Reports).
Consumer Reports and its partners are dedicated to building an IoT privacy and security labeling system for public benefit. We’re building a prototype that will inform national and international efforts to provide consumer IoT privacy and security disclosures at scale.
The Summer Ahead
This summer, we will refine our data model and delivery system via an intensive IoT Design Fellowship that will move us towards a real-world pilot. That’s why we’re especially excited to note that Dr. Pardis Emami-Naeini will be working with us this summer to continue driving this idea from concept to execution, acting as lead advisor to our IoT Design Fellowship program.
Pardis brings to the program years of experience in IoT security, privacy, and human-computer interaction. During her PhD at the CMU School of Computer Science, she led the research and design efforts of the CyLab IoT Security and Privacy Label. Now she is continuing her leadership role in this extensive effort as an Assistant Professor of Computer Science at Duke University. Her research on the IoT Security and Privacy Label has informed the National Institute of Standards and Technology (NIST), Consumer Reports, and the World Economic Forum in designing usable and informative security and privacy labels for smart devices.
We took some time to ask Pardis a few questions to help our prospective applicants learn a bit more about what’s in store for the summer ahead!
Dan – Why have you dedicated your research to IoT labeling?
Pardis – One of the pressing challenges of smart devices, such as smart speakers or smart security cameras, is their lack of usable transparency for consumers. Currently, buyers of such smart products have no easy way to find information about security and data practices of these devices. Informing consumers’ purchase decision making could also mean empowering them to make protective decisions, which has been an important objective for me. I found the idea of the label to be simple enough for consumers to accept, but at the same time powerful to enable them to make informed and protective purchase decisions. That is why I have been working on this topic for the past few years.
Dan – Where are we now in the U.S. with the IoT security labels and what do you think the future of IoT labels looks like?
Pardis – With the recent Executive Order from the White House regarding labeling of smart devices, I would say that we are very close to having a national security and privacy label for smart devices in the US. There are still several open questions that we need to answer before designing an acceptable and effective label, for example, how we can incentivize manufacturers to adopt the label and disclose information. That being said, I am very hopeful that with our current research efforts on this topic, we will soon see such labels in the market.
Dan – What do you hope to accomplish by working with CR and the team this summer?
Pardis – Consumer Reports is well positioned to make tremendous progress in understanding the needs of critical stakeholders, including consumers of devices and device manufacturers. My hope for this collaboration over the summer is to work with the CR Fellows to get closer to the design of an IoT label that consumers understand and device manufacturers are willing to adopt. Designing such a labeling scheme requires extensive consumer and expert research, which I am excited to work with the CR Fellows on over the summer.
Dan – What research questions will you be focusing on with the IoT Design Fellows?
Pardis – We will start with several research questions and we will add to the list as we progress. We will explore what privacy and security factors consumers would like to see on the label and how this information should be presented to them to be usable and informative. In addition, we will surface the challenges that manufacturers face to disclose security and privacy information and identify methods that can be used to incentivize them to improve their practices and provide transparency over the security and privacy behavior of their smart devices.
Dan – Anything else you’d like to share with the CR community?
Pardis – I am beyond excited to be on board with the wonderful CR community and explore how we can translate the research findings into real-world IoT labels that inform and empower consumers to make protective decisions about their devices.