CyLab researchers improve smart-home privacy

  • June 1, 2022
  • Steve Rogerson

Researchers at the Carnegie Mellon CyLab Security & Privacy Institute in Pennsylvania have developed a privacy-sensitive architecture for developers to build smart-home apps.

Many internet-connected devices such as smart speakers share data to the cloud when people interact with them. But how do they know the speaker isn’t always listening? How do they know it’s not sharing more information than necessary to fulfil the request? There’s currently no way to check, but CyLab researchers are close to solving this.

“People are concerned that their devices are capturing and sharing too much data,” said CyLab’s Haojian Jin, a PhD student in the university’s Human-Computer Interaction Institute. “Companies want to tell users that they only collect certain pieces of information, but they currently have no way to actually prove it.”

Jin and a team of researchers have developed a privacy-sensitive architecture for developers to build smart-home apps, which the team refers to as Peekaboo. The system takes requests from developers to share certain pieces of data and ensures only the essential pieces of data to fulfil their request are shared with them.

The system was described in a paper presented at the IEEE Symposium on Security & Privacy last month.

“In the privacy world, we have a principle called data minimisation,” said Jin. “The companies that collect the data should only be collecting the minimum amount of data to fulfil their objectives.”

This concept is even written into the EU’s GDPR, Jin pointed out. Article 5 (1) (c) of the GDPR reads: “Personal data shall be limited to what is necessary in relation to the purposes for which they are processed.”

Under the Peekaboo architecture, developers first declare all the data they intend to collect and under what conditions, where those data are being sent, and the granularity of the data themselves, for example, whether they’d like to collect the number of hours watched on a smart TV per week, per month, per quarter and so on. Then, an in-home hub mediates between all devices in the home and the outside internet.

“The hub enforces the sharing of only data declared by the developer,” said Jin. “And users and third-party auditors can inspect the incoming data requests as well as the outgoing data flows.”

The essence of the Peekaboo architecture, Jin said, is that users can have more control over their data. If a developer sends in a request to collect a piece of information such as the number of hours spent watching a smart TV in a single day, the user can modify the request on the hub to share only the number of hours spent watching their smart TV over a whole month, if they’re more comfortable with that.
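The declare-then-mediate flow described above (the developer's manifest, the hub enforcing it, and the user coarsening a request) as an added illustration that is not Peekaboo's own code: a toy hub that refuses any flow not in the declared manifest and aggregates daily watch hours to whichever granularity is in effect. The manifest schema, the day/week/month ordering, the sample hours and the collector address are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample input: daily smart-TV watch hours held on the in-home hub.
TV_HOURS = {date(2022, 5, 30): 2.0, date(2022, 5, 31): 1.5,
            date(2022, 6, 1): 3.0, date(2022, 6, 2): 0.5}

# Coarser granularities rank higher; the hub never releases finer than allowed.
RANK = {"day": 0, "week": 1, "month": 2}

@dataclass(frozen=True)
class DataRequest:
    """One entry of the developer's declared manifest (illustrative schema)."""
    field: str          # which piece of data is requested
    granularity: str    # "day", "week" or "month"
    destination: str    # where it may be sent

def bucket(day: date, granularity: str) -> str:
    """Map a calendar day to the key of its day, ISO-week or month bucket."""
    if granularity == "day":
        return day.isoformat()
    if granularity == "week":
        year, week, _ = day.isocalendar()
        return f"{year}-W{week:02d}"
    return f"{day.year}-{day.month:02d}"

class Hub:
    """Mediates every outgoing flow against the declared manifest."""
    def __init__(self, declared):
        self.declared = {r.field: r for r in declared}
        self.overrides = {}  # user-chosen coarser granularity per field

    def user_coarsen(self, field: str, granularity: str) -> None:
        # Users may only make sharing coarser than declared, never finer.
        if RANK[granularity] < RANK[self.declared[field].granularity]:
            raise ValueError("override must not be finer than declared")
        self.overrides[field] = granularity

    def release(self, field: str, destination: str, samples: dict) -> dict:
        """Return the aggregated data, or refuse an undeclared flow."""
        req = self.declared.get(field)
        if req is None or req.destination != destination:
            raise PermissionError(f"undeclared flow: {field} -> {destination}")
        gran = self.overrides.get(field, req.granularity)
        out = defaultdict(float)
        for day, hours in samples.items():
            out[bucket(day, gran)] += hours
        return dict(out)
```

Auditors can read the manifest and the hub's release log to check that what leaves the home matches what was declared.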

In addition, Peekaboo in the future could help make privacy nutrition labels, which are now being deployed by both Apple and Google, more accurate. Right now, there is no way to enforce and verify that apps are behaving consistently with their privacy nutrition labels, which are produced manually by developers and have been found to be inaccurate at times. But since Peekaboo both enforces and verifies data sharing in accordance with developers’ requests, privacy nutrition labels could be automatically generated and updated to portray data collection and use accurately.

Lastly, as the IoT continues to grow and people accumulate hundreds of IoT devices in their homes, Peekaboo can help manage the smart home holistically.

“The Peekaboo protocol will allow users to manage privacy preferences for all of their devices in a centralised manner through the hub,” Jin said. “Imagine not just a privacy nutrition label for an individual device, but a privacy nutrition label for an entire home.”

This work was funded in part by Cisco, Infineon, National Science Foundation and CyLab’s Secure & Private IoT Initiative.