Toward Designing Privacy and Security Label for IoT Devices
Pardis Emami-Naeini, Henry Dixon, Yuvraj Agarwal, Lorrie Cranor, Hanan Hibshi
pardis@cmu.edu

Roadmap to design IoT Privacy and Security Label
• Interviewing average consumers about their IoT-related purchase behavior
• Conducting expert elicitation study with privacy and security experts
• Going back to average consumers to test the usability and effectiveness of IoT privacy and security label
• Incentivizing IoT companies to adopt labeling

Exploring How Privacy and Security Factor into IoT Device Purchase Behavior
Pardis Emami-Naeini, Henry Dixon, Yuvraj Agarwal, Lorrie Cranor

privacy? security?
no privacy or security information is available

Policymakers called for IoT labels, but no specific guidelines

Research questions
• How much do consumers know about the privacy and security of their IoT devices?
• In what way would consumers like to consider privacy and security when making IoT-related purchase decisions?
• How useful and effective would privacy and security labels be for consumers when purchasing IoT devices?

We recruited 24 participants to interview
• One hour semi-structured interview
• 14 female and 10 male
• 8 with technical backgrounds
• Average age: 36
• Compensated with $25 Amazon gift card
[Figure: most common devices our participants had]

Interviews with IoT device owners
• Pre-purchase behavior
• Post-purchase behavior
• IoT device privacy and security
• Value of privacy and security in purchase decisions
• Privacy and security label evaluation

We designed privacy and security labels for 3 hypothetical IoT devices

Our inspiration
Kelley, Patrick Gage, Joanna Bresee, Lorrie Faith Cranor, and Robert W. Reeder. "A nutrition label for privacy." In Proceedings of the 5th Symposium on Usable Privacy and Security, ACM 2009.

Label for a smart security camera
Factors are from our SOUPS’17 paper: Naeini, Pardis Emami, et al. "Privacy expectations and preferences in an IoT world."
[Figure: label with three sections: general information, privacy information, security information]

General information
Privacy information
Security information

Terminology to report small numbers
[Figure: scale from 0% to 100% with ticks at 0%, 25%, 45%, 50%, 55%, 75%, 100% and the terms: none, a few, some, about half, half, most, almost all, all]

Privacy and security knowledge was limited
• Privacy defined as having control over personal data (active)
• Security was defined as device getting hacked (passive)
• About half were unable to differentiate between privacy and security
• Most with pre-purchase or post-purchase concerns were better able to differentiate between privacy and security

Privacy and security are valued
• Almost all wanted to know about privacy and security before the purchase
• Almost all were willing to pay a premium for such info (10%-30%)
• Assurance of being protected
• Peace of mind

Positive attitude toward labels
• Interviewees found the labels
• Understandable
• Easy to read
• Useful
• Almost all liked the label concept
• Independent privacy and security ratings
• Choices to control privacy and security

More focus on convenience than security
• Almost all liked automatic security updates
• Almost all preferred fingerprints over passwords
• Almost all favored optional Internet connectivity over required connectivity
Takeaway: align security with convenience

Privacy and security are latent concerns
• About half had unprompted privacy and security concerns
• Almost all had prompted privacy and security concerns, mostly caused by:
• Media reports
• Friends’ opinions
• Devices acting weird

Design guideline: layered label
• Participants requested more information on some factors
• Definition of some of the terms (e.g., identifiable data)
• Encryption protocols
• Privacy and security star ratings

Labels are promising, but are not enough
• Readily available information at the point of sale
• Labels need to be adopted
• Mandated by regulations
• Voluntary adoption
• The default should always be safe

Label design in progress
• Consumers have limited privacy and security knowledge
• All want to know about privacy and security at the point of sale
• All found our labels to be usable and informing
• Most liked the ratings
• Most liked the choices
• Currently conducting expert elicitation study (under submission)
• Next to conduct user study with average consumers