IoT Working Group

[iot-wg] "Nutrition labels for IoT"

Vesna Manojlovic

2020-06-11 10:36:59 CET

RIPE NCC staff member

from: https://pluralistic.net/2020/06/09/war-crimes/#iot

Nutrition labels for IoT

A group of CMU researchers just presented "What Should Be on an IoT
Privacy and Security Label?" at the IEEE Symposium on Security &
Privacy. They present a model for "privacy labels" to clarify the
privacy implications of IoT gadgets.

https://www.computer.org/csdl/proceedings-article/sp/2020/349700a771/1j2LfTRYbNC

I confess that I was skeptical of this, but the labels themselves are
*really* good, clear and legible.

https://www.wired.com/story/iot-security-privacy-labels/

But... The more I think about this, the more my skepticism returns. We've
seen tools like Privacy Badger and Ghostery that tell you how your data
is being used by the websites you visit, but these haven't shown much
efficacy in changing sites' behaviors.

Historically, the best counter to these "antifeatures" in technology has
come from a) self-help measures and b) regulation.

We didn't kill pop-up ads by notifying users of which sites had pop-up
ads so they could choose to go elsewhere. We gave them pop-up blockers.

Today, the best way to deal with your alarm about Privacy Badger
warnings is to beef up your script-, tracker- and ad-blocking.

https://www.eff.org/deeplinks/2019/07/adblocking-how-about-nah

And there's a role for regulation here, too, which can take many forms.
We can simply prohibit certain conduct, like collecting, retaining or
selling data outside of a highly constrained set of circumstances.

Or we could establish a federal privacy law with a private right of
action, so users could sue companies that leaked their data and collect
statutory damages - a measure that would cause every insurer to
instantaneously withdraw coverage for every surveillance tech company.

Don't get me wrong. I love these labels. But there is a huge danger in
documenting bad conduct without providing a means to counter it - the
danger that you train people to accept the bad conduct as inevitable.


Andreas Härpfer

2020-07-11 17:23:06 CET

> On 11. Jun 2020, at 10:36, Vesna Manojlovic <BECHA _at_ ripe _dot_ net> wrote:
> 
> from: https://pluralistic.net/2020/06/09/war-crimes/#iot
> 
> Nutrition labels for IoT
> 
> A group of CMU researchers just presented "What Should Be on an IoT
> Privacy and Security Label?" at the IEEE Symposium on Security &
> Privacy. They present a model for "privacy labels" to clarify the
> privacy implications of IoT gadgets.
[...]


Just came across a noteworthy remark regarding these nutrition labels
in RISKS 32.01 (http://catless.ncl.ac.uk/Risks/32.01#subj14):

>>>
From: "Keith Medcalf" <kmedcalf _at_ dessus _dot_ com>
Subject: IoT Nutrition Labels

The major item missing from the "Nutrition Label" is whether or not the
"Thing" will still "Thing" when the "Internet" is not and never has been
present.

Without that information it is impossible for any rational decision to be made and one must assume that the "Thing" will not "Thing" and is therefore completely unsuitable for use.
>>>