Share this page!

Lea Kissner Profile picture
Twitter logo
1 Feb, 18 tweets, 4 min read
Last talk at #enigma2021 for today by Pardis Emami-Naeini on "PRIVACY AND SECURITY NUTRITION LABELS TO INFORM IOT CONSUMERS"

usenix.org/conference/eni…
Toilets are getting smarter (and more invasive)
People keep buying smart devices, but they're worried about them. Which makes sense because they keep getting hacked!
Also IoT companies are forgetful, like when Google forgot to tell people that Nest camera included a microphone.

... and there are lots of these things we don't know yet, like how Amazon employees were listening to Alexa recordings.
Users don't know enough about the data sharing and selling practices of these devices. Our proposal? A label for smart devices.

This is the most recent version of this label [apologies I cannot type this out there are pictures]
Multi-step path to label design
1. Large-scale surveys
2. Consumer interviews
3. Expert interviews
4. Consumer interviews
What privacy factors are people concerned about?
* Type of data
* Location
* Retention time
Found that context was more important than individual factors, so need to show the data holistically rather than focusing on particular factors in isolation
Social influence factors
* level of expertise (friend vs expert)
* consensus level (strong vs weak)
* difference of opinion (consistent vs inconsistent)
Used these in experiments to show a social cue to some users e.g. "85% of users allowed this collection"

Experiments showed that both friends and privacy experts influenced privacy decisions
Studies showed positive attitude towards labels:
* almost everyone wanted security and privacy information before purchase
* would be willing to pay 10-30% more for this information
Privacy and security are latent concerns
* they might not think to be worried about it up front, but when Alexa starts laughing out of nowhere they get freaked out
* so putting security and privacy information up front can help people make choices which take this into account
Policy makers are excited about nutrition labels

... but why? And why aren't they thinking about privacy? What should be on the label
Held an expert panel
* ended up with so much stuff that they broke it up into two layers with different levels of detail (one online, so it can be more detailed and easily updated)
Consumer semi-structured interviews
* non-comparative (hey it's a label) and comparative (which label is better)
* most consumers didn't understand the information but still wanted it
[ ... this doesn't mean they'll use it in practice, of course ]
Labels are not just for normal consumers but also for experts and tech policy folks
Hey, want to be the first adopter of these labels? They want to work with you! There's a tool.

Also, can encourage IoT security and privacy labels to regulators and policy folks.

Demand transparency.
Visit iotsecurityprivacy.org to see more

[end of talk]

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Lea Kissner

Lea Kissner Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @LeaKissner

Lea Kissner Profile picture
3 Feb
Next up at #enigma2021, Alex Gaynor from @LazyFishBarrel (satirical security company) will be talking about "QUANTIFYING MEMORY UNSAFETY AND REACTIONS TO IT"

usenix.org/conference/eni…
Look for places where there are a lot of security issues being handled one-off rather than fixing the underlying issue Image
We tried to fix credential phishing mostly by telling people to be smarter, rather than fixing the root cause: people being able to use phished credential.

2-factor auth just ... fixes the problem. ImageImage
Read 15 tweets
Lea Kissner Profile picture
3 Feb
It's time to talk about @zoom_us security over @zoom_us at #enigma2021 by Merry Ember Mou with the talk "BUILDING E2EE AND USER IDENTITY"

usenix.org/conference/eni…
Zoom's launched end-to-end encryption 5 months after the white paper was published
* prevents eavesdroppers between users who are speaking to each other
* protection against compromised servers Image
[ here's the E2EE whitepaper from Zoom]

github.com/zoom/zoom-e2e-…
Read 20 tweets
Lea Kissner Profile picture
3 Feb
@carmelatroncoso is speaking about "CONTACT TRACING APPS: ENGINEERING PRIVACY IN QUICKSAND" at #enigma2021

usenix.org/conference/eni…
Engineering contact-tracing apps has been a marathon

Why make them?
* manual contact-tracing became totally overwhelmed with covid cases
* can we supplement with technology? Image
Constraints: security and privacy
* protect from misuse: surveillance, target marginalized individuals, etc.
* purpose limitation by default
* hide user's identity, location, behaviour
* preserve system integrity
Read 18 tweets
Lea Kissner Profile picture
3 Feb
In more pandemic talks at #enigma2021, Mark Funk is here to talk about "DESIGNING VERIFIABLE HEALTH SOLUTIONS FOR GLOBAL PANDEMIC"

usenix.org/conference/eni…
This is about work done with a nonprofit to try to find a way to prevent infected people from entering a location in a privacy-preserving way.

(Stopped this work when it became clear that this was being built for a world which wouldn't exist any time soon.) Image
Right now, we ask people to self-diagnose, which requires on diagnosis and truthfulness

There are stronger mechanisms like PCR tests Image
Read 25 tweets
Lea Kissner Profile picture
3 Feb
Last day of #enigma2021 and we're kicking off with @cooperq from @EFF talking about "DETECTING FAKE 4G LTE BASE STATIONS IN REAL TIME"

usenix.org/conference/eni…
Focus on tech which targets at-risk people (e.g. activists, rights defenders, sex workers) Image
What is a cell site simulator?

*transmitter or receiver which intercepts metadata from cell phones, often by pretending to be a legit cell tower Image
Read 21 tweets
Lea Kissner Profile picture
2 Feb
Last talk at #enigma2021 today is @iMeluny speaking about "DA DA: WHAT SHARK CONSERVATION TEACHES US ABOUT EMOTIONALITY AND EFFECTIVE COMMUNICATION STRATEGIES FOR SECURITY AND PRIVACY"

usenix.org/conference/eni…
I dreamt of being a shark scientist and worked my ass off to get a scholarship to one of the top programs. My career took a loop, but to this day I find lessons from sharks for security and privacy.
Lessons:
Incidents are emotional
* Risks will never be zero
* Public is ill-informed and fear is common
* science-based policy is not the norn Image
Read 20 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @LeaKissner has new unrolls!

Check out other threads from @LeaKissner!

Read all threads by @LeaKissner