In recent years, a massive number of devices have emerged with the capability to connect to the Internet, thereby providing people with unprecedented benefits. These Internet of Things (IoT) devices are increasingly used to improve energy efficiency, home security, and convenience. The cybersecurity threats of these devices, however, are not as appealing as their benefits. One explanation for the overwhelmingly challenging risks of IoT devices could be that privacy and security are overlooked early in the product life cycle due to a lack of resources (e.g., expertise, money). Integrating privacy and security safeguards into IoT devices could reduce their risks or mitigate their potential harms. At the same time, IoT manufacturers are not transparent about their privacy and security practices, leaving consumers with little information when purchasing IoT devices. This lack of information at the time of purchase could result in people bringing home a vulnerable device and easily scaling up the threat by connecting the device to their home network. Despite growing concerns about the privacy and security of IoT devices, people have difficulty specifying their privacy and security preferences and considering them when making IoT-related purchase decisions. To enable informed decision making during the purchase process of IoT devices, we need to understand how people feel about the privacy and security implications of these devices. Moreover, effective ways of communicating important privacy and security factors to consumers of IoT devices need to be carefully studied.
In this talk, we first explore the factors influencing users' privacy concerns and preferences toward data collection by smart devices. Next, we discuss how users' IoT-related privacy decision making is influenced when they receive social cues from privacy experts and friends.
Following our overarching goal to inform privacy-related decision making, we delve into designing a label to effectively inform consumers about the privacy and security practices of smart devices at the time of purchase. We propose creating a usable privacy and security nutrition label for IoT practices, building on prior projects that have used nutrition labels in other privacy contexts. To specify the actual content of such a label, we conduct a study with experts from diverse domains and identify 47 privacy, security, and general attributes to include on a two-layer label. Finally, we evaluate the efficacy of attribute-value pairs presented on the label in conveying risk to consumers as well as its effect on their willingness to purchase the smart device.
Pardis is currently a postdoctoral scholar at the University of Washington, working with Tadayoshi Kohno and Franziska Roesner. She received a B.Sc. degree in computer engineering from Sharif University of Technology, and M.Sc. and Ph.D. degrees in computer science from Carnegie Mellon University (CMU). As part of her doctoral research, she developed a usable privacy and security label for smart devices to inform consumers’ Internet of Things-related purchase decisions. She was selected as a Rising Star in electrical engineering and computer science in October 2019, and was awarded the CMU CyLab presidential fellowship for the 2019-2020 academic year.
Hosted by: Adam Bates