Research
Exploring How Privacy and Security Factor into IoT Device Purchase Behavior
Despite growing concerns about security and privacy of Internet of Things (IoT) devices, consumers generally do not have access to security and privacy information when purchasing these devices. We interviewed 24 participants about IoT devices they purchased. While most had not considered privacy and security prior to purchase, they reported becoming concerned later due to media reports, opinions shared by friends, or observing unexpected device behavior. Those who sought privacy and security information before purchase, reported that it was difficult or impossible to find. We asked interviewees to rank factors they would consider when purchasing IoT devices; after features and price, privacy and security were ranked among the most important. Finally, we showed interviewees our prototype privacy and security label. Almost all found it to be accessible and useful, encouraging them to incorporate privacy and security in their IoT purchase decisions.
Which Privacy and Security Attributes Most Impact Consumers' Risk Perception and Willingness to Purchase IoT Devices?
In prior work, we proposed an Internet of Things (IoT) security and privacy label akin to a food nutrition label, based on input from experts. We conducted a survey with 1,371 Mechanical Turk (MTurk) participants to test the effectiveness of each of the privacy and security attribute-value pairs proposed in that prior work along two key dimensions: ability to convey risk to consumers and impact on their willingness to purchase an IoT device. We found that the values intended to communicate increased risk were generally perceived that way by participants. For example, we found that consumers perceived more risk when a label conveyed that data would be sold to third parties than when it would not be sold at all, and that consumers were more willing to purchase devices when they knew that their data would not be retained or shared with others. However, participants' risk perception did not always align with their willingness to purchase, sometimes due to usability concerns. Based on our findings, we propose actionable recommendations on how to more effectively present privacy and security attributes on an IoT label to better communicate risk to consumers.
Are Consumers Willing to Pay for Security and Privacy of IoT Devices?
Internet of Things (IoT) device manufacturers provide little information to consumers about their security and data handling practices. Therefore, IoT consumers cannot make informed purchase choices around security and privacy. While prior research has found that consumers would likely consider security and privacy when purchasing IoT devices, past work lacks empirical evidence as to whether they would actually pay more to purchase devices with enhanced security and privacy. To fill this gap, we conducted a two-phase incentivecompatible online study with 180 Prolific participants. We measured the impact of five security and privacy factors (e.g., access control) on participants’ purchase behaviors when presented individually or together on an IoT label. Participants were willing to pay a significant premium for devices with better security and privacy practices. The biggest price differential we found was for de-identified rather than identifiable cloud storage. Mainly due to its usability challenges, the least valuable improvement for participants was to have multi-factor authentication as opposed to passwords. Based on our findings, we provide recommendations on creating more effective IoT security and privacy labeling programs.
Is a Trustmark and QR Code Enough? The Effect of IoT Security and Privacy Label Information Complexity on Consumer Comprehension and Behavior
The U.S. Government is developing a package label to help consumers access reliable security and privacy information about Internet of Things (IoT) devices when making purchase decisions. The label will include the U.S. Cyber Trust Mark, a QR code to scan for more details, and potentially additional information. To examine how label information complexity and educational interventions affect comprehension of security and privacy attributes and label QR code use, we conducted an online survey with 518 IoT purchasers. We examined participants’ comprehension and preferences for three labels of varying complexities, with and without an educational intervention. Participants favored and correctly utilized the two higher-complexity labels, showing a special interest in the privacy-relevant content. Furthermore, while the educational intervention improved understanding of the QR code’s purpose, it had a modest effect on QR scanning behavior. We highlight clear design and policy directions for creating and deploying IoT security and privacy labels.
Ask the Experts: What Should Be on an IoT Privacy and Security Label?
Information about the privacy and security of Internet of Things (IoT) devices is not readily available to consumers who want to consider it before making purchase decisions. While legislators have proposed adding succinct, consumer accessible, labels, they do not provide guidance on the content of these labels. In this paper, we report on the results of a series of interviews and surveys with privacy and security experts, as well as consumers, where we explore and test the design space of the content to include on an IoT privacy and security label. We conduct an expert elicitation study by following a three-round Delphi process with 22 privacy and security experts to identify the factors that experts believed are important for consumers when comparing the privacy and security of IoT devices to inform their purchase decisions. Based on how critical experts believed each factor is in conveying risk to consumers, we distributed these factors across two layers---a primary layer to display on the product package itself or prominently on a website, and a secondary layer available online through a web link or a QR code. We report on the experts' rationale and arguments used to support their choice of factors. Moreover, to study how consumers would perceive the privacy and security information specified by experts, we conducted a series of semi-structured interviews with 15 participants, who had purchased at least one IoT device (smart home device or wearable). Based on the results of our expert elicitation and consumer studies, we propose a prototype privacy and security label to help consumers make more informed IoT-related purchase decisions.
An Informative Security and Privacy Nutrition Label for Internet of Things Devices
In recent years, IoT devices have soared in popularity among consumers around the world. A growing number of homes are now equipped with IoT devices to bring about benefits, ranging from improving energy efficiency to helping automate routine tasks. However, IoT devices within our homes also potentially expose users to a wide range of cybersecurity threats, including devices getting hacked or users' private information being sold to third parties. For users to better protect themselves against the potential risks of IoT devices, they need to know about the security capabilities of these devices, as well as what data devices collect and how data are used and stored. For example, during the Mirai botnet attack, hundreds of thousands of IoT devices around the world got targeted and infected, partially due to devices having insecure default passwords. These attacks could have been mitigated if consumers were more informed about the use of default passwords on their devices and the potential risks associated with it, and whether there was a way for them to change those passwords. Currently, this information is generally not readily available to consumers when they are making purchase decisions. One way to communicate information about the privacy and security practices of devices is through labels. Product labels are not a new concept; they have been around for decades to effectively inform consumers about food nutrients, over-the-counter drug dosage, and energy efficiency of appliances. Food nutrition labels in particular were developed to decrease obesity by helping consumers purchase healthier food products. Other objectives of food nutrition labels include encouraging food companies to compete to produce healthier products and allowing governments to support consumers' health-related behaviors without mandating specific nutritional requirements. In the context of privacy, researchers have found that ``privacy nutrition labels'' can be effective in conveying information to users visiting websites and using mobile apps. Indeed, Apple has recently started including app privacy labels in the iOS App store, generated from information submitted by app developers. Building on prior label design research, we designed a usable and informative privacy and security label for IoT devices. In this article, we first describe our IoT label design process and discuss proposals for privacy and security ratings. We then introduce our label specification and generator and discuss ways our label's machine-readable format can enable new uses of label information. Finally, we discuss label adoption and enforcement.