App Discovers Internet of Things Devices, Alerts Consumers

By Claire Swedberg

Carnegie Mellon University's IoT Assistant provides GPS-based alerts regarding devices within a person's vicinity and offers options for viewing cameras, beacons and other wireless devices that might be collecting or sharing data.

Researchers at  Carnegie Mellon University's  CyLab have built an app aimed at discovering Internet of Things (IoT)-based wireless devices and sharing information about them with smartphone users based on their GPS location. The IoT Assistant app is available for free at  Google Play and Apple's  App Store. Researchers also created an  IoT Privacy Infrastructure Portal where IoT companies can publicize their resources and users can discover IoT resources in parts of the world. The solution was developed with funding from the  Defense Advanced Research Projects Agency, the  Air Force Research Laboratory and the National Science Foundation.

The app, formally released this year, is intended to notify individuals regarding any IoT devices collecting data within their vicinity, and to publicize any privacy choices made available by the IoT resource providers, such as opting in to or out of data collection, or governing how the collected information is used. Users cannot manage settings through the app itself, but instead are redirected via the app to IoT provider sites where they can adjust settings for that particular system.

Norman Sadeh

The solution is designed not only to provide consumers with greater control over their own data and privacy, but also to serve as a vehicle for owners of the IoT systems to publicize the presence of their resources and data practices, says Norman Sadeh, a Carnegie Mellon professor in the Institute for Software Research and a principal investigator on CyLab's Personalized Privacy Assistant Project. This, he explains, can help them comply with regulations, share data about what their technology does and enable settings on users' phones.

With the app, Sadeh says, those who control IoT resources—such as mall operators, corporate offices, banks, amusement parks, cities or local governments—can share information about how they are collecting data, for what purpose, and the settings or controls available to the public. Most of the time, he adds, people will not notice the presence of these resources. Many devices are visible—for instance, technology hanging above a traffic light—but it's difficult to determine what those objects are and what their purpose might be. They could be RFID antennas, cameras, microphones or biosensors, and the mystery grows as more devices proliferate, as do privacy concerns.

"We've created a system to allow people to discover what these resources are," Sadeh states, as well as what they may do with the data being collected. He cites the ubiquity of cameras, though other IoT devices are deployed indoors and outdoors, including wayfinding and push-notification beacons using Bluetooth Low Energy (BLE); asset and personnel location tracking via RFID, UWB or LoRa; and similar IoT technologies for wireless access control. Even as the number of IoT solutions grows, Sadeh notes, "There is no technology today to automatically identify IoT resources around you."

The app was designed to provide two methods for accessing IoT system data. In a mall or amusement park, signage with a QR code could be posted publicly for app users. The users could scan the QR code, and their phone would display a list of all IoT devices in use at that location. They could then select which items they would like to learn more about, such as viewing how the data is being used, whether it is shared and if users can opt out—which could mean data would not be shared, for instance. Users could request to receive a copy of their own data, though options are limited regarding what the IoT provider allows.

"We can only do advertising of that functionality," Sadeh says. "The actual function of sharing that information is the responsibility of the vendor." The system offers another option for accessing IoT data, but that doesn't require the QR code. With the second option, the smartphone, with the app open, would simply track the phone's GPS location and continually search for IoT devices affiliated with that specific area. That option may often be the only practical one, he notes, since QR codes could be difficult to post or locate. For instance, some sensors may cover a wide area, and deciding where signage and QR codes would be posted could pose a challenge.

"As you go about your activities, the mobile app will be sensing resources nearby," Sadeh explains. Users can configure settings in the app to indicate how often they wish to be notified, as well as the types of systems they want to detect. "We don't want to overwhelm them with warnings every five seconds," he states, but to instead provide relevant information. To enable this capability, users can establish their requirements in the app's settings, and the solution can then begin configuring their data according to previous requests.

As with the QR scan-based method, a user viewing IoT devices of interest can select any systems listed, such as a BLE beacon, in order to learn more about them. The user can then visit the device owner's site and manage what data these IoT systems can collect about that individual, along with what they can do with that information. The data is supplied to the IoT Assistant application by IoT product owners.

There are benefits for IoT system providers to participate, Sadeh says, citing such regulations as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in Europe, which require those deploying technology to be transparent with those affected by it. Companies deploying IoT solutions can use the IoT Privacy Infrastructure portal app to ensure they are complying with such regulations, by sharing information with app users about their system and enabling privacy settings.

In some jurisdictions, Sadeh says, companies are legally obligated to indicate their presence. On the other hand, he reports, other businesses choose to be transparent simply for moral reasons. For those declaring their technology for display in the system, the app comes with templates to enable them to easily report what is being installed. "Informing people is an important first step," he states. Users can then authorize the collection of data. Volunteers can connect to the IoT Privacy portal, where they can create an account and provide descriptions of the IoT resources they wish to make discoverable by those using the app.

The app is currently available in the United States, Canada, Australia, New Zealand, parts of Europe and the United Kingdom, and CyLab expects its use to increase over time as more IoT devices are reported and as a growing number of consumers participate. To date, approximately 2,000 resources are displayed, primarily cameras. Urban areas have a greater diversity of technologies, Sadeh says, including BLE beacons, microphones, biometric sensors and RFID readers.

The data is categorized in the app and is represented by different colors in 10 different categories. The app has a patent pending, and the researchers hope to commercialize the system. "We're keeping our eyes open for commercial opportunities," Sadeh states. "First, we're trying to get more traction from vendors." Downloads have been in the tens of thousands so far, he notes, and with the release of the first version, there were 17,000 downloads during the first week. "There will be more value as we get more resources. It's clear that we are just scratching the surface."