February 19, 2020
New infrastructure will enhance privacy in today's Internet of Things
People navigating through the digital landscape of the Internet today are bombarded with notices about how their data is being collected. But in the physical world where Internet of Things technologies increasingly track our activities—few, if any, notices are provided.
A team of Carnegie Mellon researchers just created an app and an entire infrastructure to address this. The Internet of Things (IoT) Assistant app, launched this week, is an app that informs users about what IoT technologies are around them and what data they are collecting.
Consider public cameras with facial recognition and scene recognition capabilities, Bluetooth beacons surreptitiously tracking your whereabouts at the mall, or your neighbor's smart doorbell or smart speaker. The IoT Assistant app will let you discover the IoT devices around you and learn about the data they collect. If the device offers privacy choices like opting in or out of data collection, the app will help you access these choices.
"Because of new laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), people need to be informed about what data is collected about them and they need to be given some choices over these processes," says Professor Norman Sadeh, a CyLab faculty member in Carnegie Mellon's Institute for Software Research and the principal investigator on the project. "We have built an infrastructure that enables owners of IoT technologies to comply with these laws, and an app that takes advantage of this infrastructure to empower people to find out about and control data collected by these technologies."
Right now, some public spaces under surveillance might have signs that say, "This area is under surveillance," informing people in the vicinity that video of them may be recorded. But Sadeh says that this isn't enough.
"These signs tell you nothing about what is being done with your footage, how long it's going to be retained, whether or not it uses facial recognition, or with whom this is going to be shared," says Sadeh. "Under regulations like GDPR and CCPA, there are requirements to more explicitly communicate not just the presence of these technologies and what they collect, but to also give people some control over what is being collected and how the data can be used."
While end-users may use the app to see information about IoT devices around them, owners of IoT devices may use a cloud-based online portal to publish the presence of their IoT devices in registries spanning different areas. Organizations such as mall operators, shop owners, universities, or individuals can request the creation of registries where they can control the publication of IoT technologies in different areas. The infrastructure is hosted in the cloud and is designed to be easy to use. For instance, pre-made templates for commonly used off-the-shelf IoT devices are available for people to edit and easily publish in registries.
"We've done the work for you," says Sadeh. "All you need to do is start adding your IoT resources so you can be in compliance with today's privacy laws."
This project has been made possible by a large grant under DARPA's Brandeis privacy research program as well as funding from the National Science Foundation' Secure and Trustworthy Cyberspace program.