[iot-wg] "Nutrition labels for IoT"

from: https://pluralistic.net/2020/06/09/war-crimes/#iot

Nutrition labels for IoT

A group of CMU researchers just presented "What Should Be on an IoT
Privacy and Security Label?" at the IEEE Symposium on Security &
Privacy. They present a model for "privacy labels" to clarify the
privacy implications of IoT gadgets.

https://www.computer.org/csdl/proceedings-article/sp/2020/349700a771/1j2LfTRYbNC

I confess that I was skeptical of this, but the labels themselves are
*really* good, clear and legible.

https://www.wired.com/story/iot-security-privacy-labels/

But...The more I think about this, the more my skepticism returns. We've
seen tools like Privacy Badger and Ghostery that tell you how your data
is being used by the websites you visit, but these haven't shown much
efficacy in changing sites' behaviors.

Historically, the best counter to these "antifeatures" in technology has
come from a) self-help measures and b) regulation.

We didn't kill pop-up ads by notifying users of which sites had pop-up
ads so they could choose to go elsewhere. We gave them pop-up blockers.

Today, the best way to deal with your alarm about Privacy Badger
warnings is to beef up your script-, tracker- and ad-blocking.

https://www.eff.org/deeplinks/2019/07/adblocking-how-about-nah

And there's a role for regulation here, too, which can take many forms.
We can simply prohibit certain conduct, like collecting, retaining or
selling data outside of a highly constrained set of circumstances.

Or we could establish a federal privacy law with a private right of
action, so users could sue companies that leaked their data and collect
statutory damages - a measure that would cause every  insurer to
instantaneously withdraw coverage for every surveillance tech company.

Don't get me wrong. I love these labels. But there is a huge danger in
documenting bad conduct without providing a means to counter it - the
danger that you train people to accept the bad conduct as inevitable.