773x175--14-58-38

The 2nd European Workshop on Usable Security (EuroUSEC) will be an affiliated workshop at the 2nd IEEE European Symposium on Security and Privacy (EuroS&P) on April 29, 2017 in Paris at UPMC Campus Jussieu.

EuroUSEC is soliciting “previously unpublished work offering novel research contributions in any aspect of human factors in security and privacy for end-users and IT professionals,” including but not limited to:

  • innovative security or privacy functionality and design
  • new applications of existing models or technology
  • field studies of security or privacy technology
  • usability evaluations of new or existing security or privacy features
  • security testing of new or existing usability features
  • longitudinal studies of deployed security or privacy features
  • studies of administrators or developers and support for security and privacy
  • psychological, sociological and economic aspects of security and privacy
  • the impact of organizational policy or procurement decisions
  • methodology for usable security and privacy research
  • lessons learned from the deployment and use of usable privacy and security features
  • reports of replicating previously published studies and experiments
  • reports of failed usable privacy/security studies or experiments, with focus on the lessons learned

The submission deadline is March 17, 2017 and full instructions are published on the event homepage.

All affiliated workshops are listed on the EuroS&P 2017 homepage.

Academics Conference HCI Privacy by Design Privacy Impact Assessment Security

598x544-19-12-19

Challenge.gov, the official organizer of US federal tech/science competitions, has unveiled the Privacy Policy Snapshot Challenge with a top prize of $20,000 (runners-up: $10k and $5k).

Submissions are being accepted until April 10, 2017.

In their own words, they

call for designers, developers, and health data privacy experts to create an online Model Privacy Notice (MPN) generator. The MPN is a voluntary, openly available resource designed to help health technology developers who collect digital health data clearly convey information about their privacy and security policies to their users. Similar to a nutrition facts label, the MPN provides a snapshot of a product’s existing privacy practices, encouraging transparency and helping consumers make informed choices when selecting products. The MPN does not mandate specific policies or substitute for more comprehensive or detailed privacy policies.

An effective MPN would have to simplify nuanced information about multiple stakeholders’ complex data collection, retention, sharing and usage practices. It must also prioritize the importance of a variety of objective facts about devices, their documentation and methods of consent acquirement. Crucially, it should foresee ways in which manufacturers might attempt to game the evaluation system, and mitigate those possibilities.

Though this challenge only considers technology collecting health data, it will be instructive for similar initiatives in many other IoT fields. It’s a useful step in supporting the right of consumers to have transparent information about diverse privacy and security practices.

Full conditions and requirements can be found on the contest homepage.

Data Protection Health Privacy Policies Security Transparency User Control Wearables

Day 2 of CES comes to a close, and two trends from Day 1 remain: I saw more robots that do face recognition, and I remain underwhelmed. Today, I walked the cartoonishly huge Las Vegas Convention Center (LVCC), which was dedicated to automotive technology, more robots, more health tech, displays, and accessories. The LVCC is different from the Sands, which I walked on Day 1, in that it’s full of big, established manufacturers: Panasonic, LG, Samsung, Mercedes, Jaguar, Qualcomm, Volkswagen, and so on. The Sands had smaller companies, startups, and university-supported products. After two full days of walking the convention, the technology that made the strongest showing was:

  • Virtual Reality
  • Drones
  • Robots
  • Camera products
  • Automotive (inside the cockpit)

Honorable mention goes to gesture control. I was surprised by the poor showing of health-oriented products. There were plenty of fitness products, but these were the ho-hum Fitbit-like wearables we’ve seen for some time now. I’m not a gamer, but I was quite impressed with the immersive VR tech I played with.

At the intersection of health and automotive was Mercedes. They put sensors in the steering wheel of one of their cars to detect heart rate. If the car determined that you were stressed, it could alter the interior conditions: lighting, music, and – I kid you not – aroma. The glove box contains a scent cartridge that it would introduce into the airflow system to aromatherapy you back to your happy place. Mercedes took the idea that ‘technology companies are really lifestyle companies’ a bit too far – the car offers you suggestions on how to live a fitter, healthier existence based on what it detects and knows about you. Being alone in a car can be a place of respite… I sure as heck don’t want to be nagged about my sloth while I’m driving an expensive car to In-N-Out Burger.

aaeaaqaaaaaaaac6aaaajdk1ngvmnwq5ltmxmzytngq4ys1intkzlwe3mgvlmzjiodrhoa

Day 2 was replete with robots. LG seems to want to bring WALL-E to life with its airport information robot, lawn mower robot, and household ‘Hub robot.’ Robots from less well-known manufacturers were also in full force, and as I mentioned in yesterday’s wrap-up, face recognition appears to be de rigueur. Wavebot, which looks like something you squeeze to plop out cookie dough or raw falafels, was being marketed as a butler/watchdog that continually roams your house. Both it and other robots on display were not working because of the usual convention WiFi failures, so I didn’t really get a sense of their value… or likelihood of killing me and my family because the face recognition broke. My big takeaway was: The Age of Household Robots is nowhere near.

However… virtual assistant technology seems to be galloping at a rapid clip. I saw several integrations of Alexa into non-cyclindrical devices. Volkswagen introduced it into their cars, LG put it in a fridge, and a small robot named Lynx allows Alexa to bumble around your house and wave at you. Toyota built its own chirpy virtual ‘companion’ named Yui that merges the virtual assistant with self-driving. Unsurprisingly, this was merely a concept demo. Sidebar: all of these virtual assistants are so nice. I’m from New York originally – will someone please build me an Alexa/Siri mod that makes it cranky and profane? “Siri, what’s the temperature?” “Stick yer friggin’ head out the window and check yourself, ya schmuck.” “Thanks, Siri… you feel like family.”

Qualcomm showed off a super tiny camera and sensor, which seemed ideal for integration into… well… anything. The person I spoke to mentioned toys, and after December’s ugly story about wildly insecure IoT toys that can be used to spy on children, this development made me more concerned than excited.

Ultimately, I found Day 2 less satisfying than Day 1, in large part because the big manufacturers are trotting out incremental product advancements, rather than the risker, more interesting technology that smaller companies are launching. On the whole, CES failed to excite me; I am aware that writing that puts me at odds with lots of other analysts who want to tell you how amazing everything is. Still, a few things inspired me, a few surprised me, and some products just seemed stupid.

With regard to privacy, this was a Consumer Electronics Show, and so the products were mainly ones that we would bring into close contact with our lives – on our person, in our cars, and in our homes. So, for me, the privacy issues raised are:

  • Encroachment on intimacy: household robots, toys and other near at hand objects with cameras and other sensors means increased collection of intimate moments and activities.
  • Further disappearance of surveillance technology: smaller cameras means less awareness of being monitored and recorded.
  • Normalization of child surveillance: cameras in the home and toys means much more collection of children’s behavior and interactions.
  • Expansion of stakeholders: decreasing costs to include cameras, microphones and other monitoring devices means it’s easier for new entrants into technology markets to introduce monitoring features. Will those new entrants know how to handle intimate personal data respectfully?

I expand on these concerns in my report, Privacy and the Internet of Things, which you can download for free from O’Reilly. And, while CES didn’t impress very much, I at least did not see things that filled me with terror. I did find a bust of Siegfried & Roy, which made the whole trip worthwhile.

Conference Connected Cars Data Ownership Drones Intimacy Security Smart Home Toys User Control Wearables

ces2017

Today was the first official day of 2017’s Consumer Electronics Show in Las Vegas, and I walked the show floor to see this year’s upcoming products and meditate on their privacy implications. I’m a nerd and geek at my core, and this was my first time at CES, so I was excited.

The first stop was a small section dedicated to technology for mothers and babies. The very limited number of companies was surprising to me, but one vendor told me this was because a) CES had only begun this topic area last year, and b) there were already well-established mother/baby technology shows elsewhere, and CES was seen to be both expensive and lacking in a critical mass of interested clientele. The first company I encountered was Mamava, who made privacy booths for mothers to express breast milk. Mainly, as a technology, this was about physical privacy rather4 than informational privacy, though there were some IoT-like features in the form of mobile phone-based unlocking and awareness of who was inside the booth. Next was a company called Bloomlife, who made what they claimed was the first IoT contraction sensor for consumer use. My presumption is that until the data they collect is shared with a HIPAA-covered entity, they would not be subject to HIPAA themselves, which is yet another glaring problem with sectoral privacy legislation. The mother/baby area was paired with beauty products, and aside from impressive wearable, self-contained breast pumps and questionable laser hair regrowth solutions, there wasn’t much interesting.

Next was the main show floor of the Sands Hotel, which was dedicated to health, sports, wearables, robots, and 3D printing, and a special area for startups, university-led products, and those that received government funding. 3Honestly, not much blew me away; my inner geek was not very satisfied. From a privacy perspective, I took note of the proliferation of cameras, which is a long established trend. I encountered a British company called Lyte who made sports sunglasses with an embedded HD camera. I noted that they did not have an external light indicating that they were recording, which would be a more privacy-positive feature, supporting the principle of transparency (e.g., notification). The CEO, whom I interviewed, said that this was because their key market was sports enthusiasts, and the glasses would be used in a sports context rather than just for looking cool in public. He said that as they look towards a more general user base, they would consider such things as an indicator light. I saw a number of robots with cameras in their heads, sometimes with face recognition capabilities, which of course makes me wonder about their data collection practices, i.e., who gets that face data, and is children’s data treated with greater care.

I’m quite interested in smart jewelry, in large part because great design is quite difficult. So often, technology just looks like… more technology, so I’m always pleased to see creative, artistic IoT products. One caught my eye today: the Leaf, by Bellabeat, which is an activity, sleep, stress, and menstrual cycle tracker. One of the touted features of the IoT is its unobtrusiveness, and the Leaf certainly makes its technology disappear.

1

The product that stood out the most for me today was not about data collection, networking, or connecting the physical world to the virtual one. It’s called the Gyenno Spoon, and it does one thing: it helps people with Parkinson’s and other tremors to use a spoon. That’s it. The video below illustrates how profoundly difficult it is to eat for people who suffer from tremors, and shows how an advancement like the Gyenno Spoon can improve well-being and dignity. I’ve been working in technology for over 20 years, and few things have moved me as much as this.

Finally, I chatted with a body camera 8manufacturer who was moving from supplying law enforcement to selling his product to other professionals. In my interview with the founder, he told me how lawyers, doctors, and tow truck drivers wanted a device to record their interactions so as to have evidence of their activities and to prevent harassment. Again, the theme of camera proliferation appeared, and I can’t help but wonder about the continuing normalization of citizens video surveilling each other. I suppose it’s time to read more about surveillance studies. At least the Venture body camera has a recording indicator light.

Tomorrow, the main show floor at the Las Vegas Convention Center! Now, I’m off to find a buffet.

Conference Data Protection Intimacy Law Transparency Wearables

ces

Hello from CES 2017! I’ll be blogging and tweeting from the show floor of the 2017 Consumer Electronics Show in Las Vegas about the latest IoT technology and their privacy and security implications. Follow me on @GiladRosner and @IoTPrivacyForum for updates.

– Gilad

Conference

iot_contest_banner

The Federal Trade Commission (FTC) is offering $25,000 (and runner-up prizes) for a “technical solution” that would protect consumers from the security risks of running out-of-date software on IoT devices in their homes.

Demonstrating growing concern about the security/privacy vulnerabilities of billions of connected devices, the FTC is hoping that the winning efforts will benefit the entire IoT spectrum, which goes far beyond the range of connected appliances, meters, screens, toys and gadgets expected to live in the residential home of the future.

The FTC’s press release states:

An ideal tool might be a physical device that the consumer can add to his or her home network that would check and install updates for other IoT devices on that home network, or it might be an app or cloud-based service, or a dashboard or other user interface. Contestants also have the option of adding features such as those that would address hard-coded, factory default or easy-to-guess passwords.

Such solutions could be scalable to entire workplaces, offering widespread protection against security threats.

Contest submissions will be accepted from March 1st until midday May 22, 2017. See the challenge homepage for further details.

The IoT Privacy Forum encourages more of such government contests addressing privacy and security concerns in the IoT. Since privacy is more often a cost center rather than a revenue source, money and attention from government actors is a great way to stimulate markets and technology.

Data Protection Policy Privacy by Design Security Smart Home