Carnegie Mellon University

Stillframe of the livestreamed event showing a dozen or so people gathered around a semi circular conference table, the signage in the background reads "US Cyber Trust Mark"

July 18, 2023

Agarwal presents at White House's launch of new IoT cybersecurity labeling system

By Ryan Noone

On Tuesday, Carnegie Mellon University’s CyLab Security and Privacy Institute met with government officials and technology industry leaders, as the White House launched its new Internet of Things (IoT) cybersecurity label.

School of Computer Science Associate Professor Yuvraj Agarwal represented CMU at the event, sharing key findings from CyLab’s five-plus years of IoT security and privacy label research.

The emergence of IoT technology has provided consumers with numerous benefits, from improving energy efficiency to helping automate routine tasks. However, there are growing concerns about the security and privacy of these devices, and unease around sensitive data being sold or shared with third parties.

“We’re seeing baby monitors with cameras that strangers can access over the Internet and smart thermostats that don’t disclose the use of microphones,” says Lorrie Cranor, director of CyLab and professor in CMU’s Software and Societal Systems and Engineering and Public Policy departments. “Consumers are rightfully concerned about the security and privacy of IoT devices.”

Since 2018, CyLab faculty and students have advocated for IoT labels to empower consumers by providing the knowledge necessary to make informed purchasing decisions.

Led by Cranor and Agarwal, the team has explored how privacy and security factor into IoT device purchase behaviors, finding a willingness among consumers to pay significant premiums for products featuring a consistent label that highlights positive security and privacy features.

Last year, Agarwal, Cranor, and Pardis Emami-Naeini, a Carnegie Mellon alum and assistant professor at Duke University, published an overview paper titled “An Informative Security and Privacy ‘Nutrition’ Label for Internet of Things Devices,” describing their journey in designing an IoT security and privacy label. They also launched a free, easy-to-use generator, allowing device manufacturers to create product-specific labels.

“We designed our label through a multi-step process that involved extensive research with both consumers and experts,” says Agarwal. “Our current IoT label highlights the most actionable information for consumers, covering both security and privacy factors.”

During a previous White House meeting in October 2022, Agarwal presented a briefing on Carnegie Mellon’s IoT label, offering a consumer-tested solution that could be immediately implemented across the IoT industry.

Since then, Agarwal and Cranor have continued to have a seat at the table, serving on a working group tasked with moving the IoT labeling initiative forward and meeting with several organizations, including industry associations, to share their research on the topic.

In their most recent study, Agarwal and Cranor surveyed over 500 IoT device purchasers, showing them three potential designs of varying complexity for IoT product packaging labels. The low complexity design simply included a shield and QR code, the medium complexity version added a few key security and privacy characteristics, and the high complexity design included extensive security and privacy information.

Consumers overwhelmingly preferred the design with the most information, although they also found the medium complexity design to be understandable and helpful for choosing a product to purchase. A majority of consumers were dissatisfied with the low complexity design, identifying it as their least favorite option.

“We’ve found that consumers want to know about IoT products’ security and privacy properties and that having this information influences their risk perception and willingness to purchase smart devices,” says Agarwal. “Our latest research shows that while accessing this information through a QR code can be helpful, consumers prefer to have important security and privacy information readily available on product packaging.”

During the White House event, the administration revealed its new IoT mark that, alongside a QR code, is geared towards helping consumers identify which products meet a set of baseline security and privacy practices, something Agarwal and Cranor hope industry leaders will be quick to adopt.

“As the details of IoT package labels are finalized, we’d like to see a consensus around including some basic information about sensor data collection next to the mark to help consumers gain a quick understanding,” says Cranor. “We’re looking forward to working with industry groups to standardize the details of these labels based on the results of our consumer research.”

To learn more about CyLab’s research around IoT security and privacy labels, visit https://www.iotsecurityprivacy.org