We are now living in the age of the “Internet of Things,” or IoT, where a plethora of devices, sensors and apps collect enormous amounts of what can be incredibly personal data about us. From our own smartphone apps, to apps in the businesses and institutions that we frequent, such as health care providers, to sensors, devices and cameras in the public sphere, more of our data is being regularly identified, collected and utilized by others than we could ever know.
In some cases, our data is abused: bundled and packaged with other data and sold to questionable intermediaries. A significant portion of this data could be healthcare-related in nature, making the situation all the more sensitive. After all, not only are there some regulations and laws, at least in America, governing the use of our personally identifiable health information, but there is also a fundamental need for us to be able to enhance and administer our own privacy in this new IoT reality, because the possible abuses such an infrastructure can enable are real. Enter a study from Carnegie Mellon University in Pittsburgh, PA, where a research team has developed a powerful IoT Privacy Assistant App.
Why was this App Developed?
In this age, we are bombarded with a vast collection of apps, devices and gadgets collecting our data, from online cookies to the offline world, where all sorts of devices, sensors and gadgets are identifying who we are and what we are doing, and even tracking how long we frequent a location. A multitude of new trackers, such as Bluetooth beacons in a neighbor’s smart technology next door, could track our personal information. In this IoT world, a new privacy infrastructure needs to be enabled, and this app is contributing to that movement.
Who Designed the IoT Privacy Assistant app?
Professor Norman Sadeh and his team with the CyLab faculty. Carnegie Mellon was the principal investigator on this study, which led to the design of the app.
Why did Carnegie Mellon design this app?
Carnegie Mellon researchers from the Institute for Software Research believe it is critically important in this age for consumers and citizens to be able to understand which devices, gadgets and sensors are tracking or collecting an individual’s personal data (especially health-related data), what personal data they are collecting, how they are using that data and, importantly, whether there are options to “opt out,” so that people have the ability to do so. And with new laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), individuals have a right to be made aware of what data is being collected about them and need to be given choices, such as potentially opting out.
What are some Relevant Legal and Compliance Drivers?
Because of new laws, such as the General Data Protection Regulation and the California Consumer Privacy Act, people need to be informed about what data is being collected about them, whether they are on the internet or just walking down the street. This app will offer facilities or websites that collect health information about individuals a way to A) make those individuals aware that data is being collected, B) afford them the option to “opt out” if the data collection device or program supports opt-out, and C) let them actually opt out so that thereafter the device, sensor or gadget is not collecting that personal data any more.
Does the Carnegie Mellon CyLab offer some Examples?
Yes. In one example, a CyLab video, Professor Sadeh demonstrates how the system works. In this scenario, he walks by the entrance door of a research laboratory, where a device on the wall in front of the lab is collecting personal information (via his smartphone). Professor Sadeh launches the IoT Privacy Assistant app installed on his smartphone and checks whether the app can identify the “resource” (e.g. the device on the wall), which it does. The IoT Privacy Assistant App is aware of the device on the wall as a resource called “Lab Location Tracking,” and it informs the professor not only of the name of the device and who owns it (e.g. Carnegie Mellon) but also of what the device is doing: collecting data about people within a 5-meter range of the device, such as who the person is, and retaining that data for one month. In this example, the device offers an “opt out” feature, so using the IoT Assistant, Professor Sadeh opts out so that he isn’t tracked anymore.
How was this Project/Study Funded?
This initiative was funded by DARPA’s Brandeis privacy research program and the National Science Foundation’s Secure and Trustworthy Cyberspace program.
Professor Norman, Assistant Professor, Institute for Software Research, Co-Director Privacy Engineering Program