Billions of IoT devices—smart cameras, microphones, location trackers, and the like—are hidden in plain sight, and they’re tracking everything from our movements and activities to our voices or even our facial expressions. Fortunately, there’s an app and digital infrastructure that enables users to discover those devices and learn about the data they collect and any controls they might offer, such as opting in or out of their data collection and use practices.
The IoT Assistant app, developed by researchers in Carnegie Mellon University’s CyLab, allows users to explore a map of IoT devices around them, learn about the data these devices collect, what they do with the data, and whether they offer any privacy controls.
“New laws like the California Consumer Privacy Act and the General Data Protection Regulation call for increased transparency about the types of data being collected about people, how that data is used, and what options people are given,” says CyLab’s Norman Sadeh, a computer science professor in the Institute for Software Research (ISR) and the principal investigator of the Personalized Privacy Assistant Project. “Our app and infrastructure pave the way towards compliance, allowing people to take control of their privacy.”
Once they have downloaded the app on their mobile devices, users can immediately begin exploring a map of IoT devices around them; no account creation is required. By clicking on pins on the map, users can learn about a device’s data practices, including the types of data collected, how long the data is retained, with whom the data might be shared, and more.
If users want to focus on certain types of data collection around them—e.g. video capture, audio recording, or location tracking—they can select corresponding filters to only show the types of data collection they care about. Users can also choose among different notification options to decide what types of data collections around them they want to be alerted about and how often.
The IoT Portal, which houses the database of IoT devices and systems that show up in the IoT Assistant app, offers a collection of device templates that contributors can use depending on the types of devices they want to publicize, whether it is a Ring doorbell at their home, a Bluetooth location system in their store, or some other sensors.
IoT vendors can use the system to distribute templates that can be used to describe their IoT systems. If users want to publicize a device that doesn’t yet have a template, a wizard is available to guide them through a series of drop-down menus and help them describe their device, the data it collects, and how that data is processed, including links to any privacy controls that might be offered.
“We want to make it very easy for people who deploy IoT technologies to publicize the presence of their resources and their data practices,” says Sadeh.
The portal is accessible not only by the owners of IoT devices, but also by volunteers who want to report devices they have spotted. Even if volunteer contributors don’t know all the details about a device, its owner, or the data it collects, they can enter partial descriptions of what they are confident they know.
“Even simple awareness is important,” says Sadeh.
The IoT Assistant app gained over 17,000 users in the first week after its soft launch earlier this year. So far, nearly 200,000 IoT resources on three continents (North America, Europe, and Australia) have been registered to the IoT Portal.
This project has been made possible by a large grant under DARPA’s Brandeis privacy research program as well as funding from the National Science Foundation’s Secure and Trustworthy Cyberspace program.