New Infrastructure Will Enhance Privacy in Today's Internet of Things

CMU researchers have created an suite of tools that give people more information about the IoT technologies around them and the data they collect.

People navigating the digital landscape of today's internet are bombarded with notices about how their data is being collected. But in the physical world — where internet of things (IoT) technologies increasingly track our activities — few, if any, notices are provided.

A team of Carnegie Mellon University researchers has created an app and an entire infrastructure to change that.

The IoT Privacy Assistant, launched this week, is an app that informs users about what IoT technologies are around them and the data they're collecting.

Consider public cameras with facial-recognition and scene-recognition capabilities, Bluetooth beacons tracking your whereabouts at the mall, or your neighbor's smart doorbell. The IoT Privacy Assistant app will let you discover the IoT devices around you and learn about the data they collect. If the device offers choices such as opting in or out of data collection, the app will help you decide.

The app is available for both iOS and Android phones.

"Because of new laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), people need to be informed about what data is collected about them and they need to be given some choices over these processes," said Professor Norman Sadeh, a CyLab faculty member in CMU's Institute for Software Research and the principal investigator on the project. "We have built an infrastructure that enables owners of IoT technologies to comply with these laws, and an app that takes advantage of this infrastructure to empower people to find out about and control data collected by these technologies."

Right now, some public spaces under surveillance might have signs that say, "This area is under surveillance," informing people in the vicinity that video of them may be recorded. But Sadeh says this isn't enough.

"These signs tell you nothing about what is being done with your footage, how long it's going to be retained, whether or not it uses facial recognition, or with whom this is going to be shared," says Sadeh. "Under regulations like GDPR and CCPA, there are requirements to more explicitly communicate not just the presence of these technologies and what they collect, but also to give people some control over what is being collected and how the data can be used."

While end users may access the app to see information about IoT devices around them, owners of IoT devices may use a cloud-based online portal to publish the presence of their IoT devices in registries spanning different areas. Both organizations and individuals can request the creation of registries where they can control the publication of IoT technologies in different areas. The infrastructure is hosted in the cloud and designed to be easy to use. For instance, premade templates for commonly used off-the-shelf IoT devices are available for people to edit and easily publish in registries.

"We've done the work for you," Sadeh says. "All you need to do is start adding your IoT resources so you can be in compliance with today's privacy laws."

This project has been made possible by a large grant under the Defense Advanced Research Projects Agency's Brandeis privacy research program, as well as through funding from the National Science Foundation's Secure and Trustworthy Cyberspace program. Other members of the team include Yuanyuan Feng, Justin Donnell, Yoshi Torralva, Akshath Jain, Salil Deshpande, and Yaxing Yao.

 

For More Information
Byron Spice | 412-268-9068 | bspice@cs.cmu.edu
Virginia Alvino Young | 412-268-8356 | vay@cmu.edu