About

In recent years, IoT devices have soared in popularity among consumers around the world. A growing number of homes are now equipped with IoT devices to bring about benefits, ranging from improving energy efficiency to helping automate routine tasks. However, IoT devices within our homes also potentially expose users to a wide range of cybersecurity threats, including devices getting hacked or users' private information being sold to third parties. For users to better protect themselves against the potential risks of IoT devices, they need to know about the security capabilities of these devices, as well as what data devices collect and how data are used and stored. For example, during the Mirai botnet attack, hundreds of thousands of IoT devices around the world got targeted and infected, partially due to devices having insecure default passwords. These attacks could have been mitigated if consumers were more informed about the use of default passwords on their devices and the potential risks associated with it, and whether there was a way for them to change those passwords. Currently, this information is generally not readily available to consumers when they are making purchase decisions. One way to communicate information about the privacy and security practices of devices is through labels. Product labels are not a new concept; they have been around for decades to effectively inform consumers about food nutrients, over-the-counter drug dosage, and energy efficiency of appliances. Food nutrition labels in particular were developed to decrease obesity by helping consumers purchase healthier food products. Other objectives of food nutrition labels include encouraging food companies to compete to produce healthier products and allowing governments to support consumers' health-related behaviors without mandating specific nutritional requirements. In the context of privacy, researchers have found that privacy nutrition labels'' can be effective in conveying information to users visiting websites and using mobile apps. Indeed, Apple has recently started including app privacy labels in the iOS App store, generated from information submitted by app developers. Building on prior label design research, we designed a usable and informative privacy and security label for IoT devices. In this article, we first describe our IoT label design process and discuss proposals for privacy and security ratings. We then introduce our label specification and generator and discuss ways our label's machine-readable format can enable new uses of label information. Finally, we discuss label adoption and enforcement.