Play Video

App tells you who’s collecting your data and why

A new app called IoT Assistant informs users about what Internet of Things technologies are around them and what data they’re collecting, researchers report.

People navigating through the digital landscape of the internet today are bombarded with notices about how their data is collected. But in the physical world where Internet of Things technologies increasingly track our activities–few, if any, notices are provided.

The new app and its infrastructure could help address this problem.

IoT Assistant app to the rescue

Consider public cameras with facial recognition and scene recognition capabilities, Bluetooth beacons surreptitiously tracking your whereabouts at the mall, or your neighbor’s smart doorbell or smart speaker. The IoT Assistant app will let you discover the IoT devices around you and learn about the data they collect. If the device offers privacy choices like opting in or out of data collection, the app will help you access these choices.

The app is available for both iOS and Android phones.

“Because of new laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), people need to be informed about what data is collected about them and they need to be given some choices over these processes,” says Norman Sadeh, a CyLab faculty member in Carnegie Mellon University’s Institute for Software Research (ISR) and the principal investigator on the project.

“We have built an infrastructure that enables owners of IoT technologies to comply with these laws, and an app that takes advantage of this infrastructure to empower people to find out about and control data collected by these technologies.”

Right now, some public spaces under surveillance might have signs that say, “This area is under surveillance,” informing people in the vicinity that video may record them. But Sadeh says that this isn’t enough.

“These signs tell you nothing about what is being done with your footage, how long it’s going to be retained, whether or not it uses facial recognition, or with whom this is going to be shared,” says Sadeh.

“Under regulations like GDPR and CCPA, there are requirements to more explicitly communicate not just the presence of these technologies and what they collect, but to also give people some control over what is being collected and how the data can be used.”

Easy to use

While end-users may use the app to see information about IoT devices around them, owners of IoT devices may use a cloud-based online portal to publish the presence of their IoT devices in registries spanning different areas. Organizations such as mall operators, shop owners, universities, or individuals can request the creation of registries where they can control the publication of IoT technologies in different areas.

The infrastructure is hosted in the cloud and designed for easy use.  For instance, pre-made templates for commonly used off-the-shelf IoT devices are available for people to edit and easily publish in registries.

“We’ve done the work for you,” says Sadeh. “All you need to do is start adding your IoT resources so you can be in compliance with today’s privacy laws.”

DARPA’s Brandeis privacy research program and the National Science Foundation’ Secure and Trustworthy Cyberspace program funded the work. Additional researchers from Carnegie Mellon and Syracuse University contributed to the work.

Source: Carnegie Mellon University