Contribute to an app trying to stop IoT surveillance

I’m going to keep this article really short to help make up for the tome of an essay above, although the topic is related. This week, Carnegie Mellon released what it’s calling the IoT Privacy Assistant app, which shows users the location of nearby devices that could gather data about them. The app, which is free, gives users the address of the devices, an image of them, and whatever the app knows about their data retention policies.

I didn’t have a chance to confirm the accuracy of the app’s data retention policies in the time between Carnegie Mellon’s announcement and the publication of this newsletter, but this effort to make local surveillance visible makes me really happy. In my case, the app pulled up a bunch of security cameras attached to banks along with cameras used by the government to track the line of cars waiting to get on the ferry from my island home to Seattle.

I was disappointed that the app didn’t pick up my local devices on the network, but that’s because no one has apparently shared that my Eufy doorbell, for example, might pick up their face or license plate and share that with me. If I want to track more devices I need to publish them on the app myself.

I can become a contributor to the network and submit my own devices or devices I find while rambling around my neighborhood. To do that, I have to register on the IoT Privacy website and fill out a report. As part of that process, I have to acknowledge that I am over 18 and that my work will become part of a research study. If I decide to delete my account, all of the devices I have contributed will also be deleted unless I transfer ownership of those items to someone else.

So if you are a ride-or-die reporter of data-collecting IoT devices in your area, be aware that your reports will be public and part of this research. I tried to create a resource for my Eufy doorbell and it took me about five minutes before I hit a wall. It asked me questions about my device’s data-sharing and retention practices that I doubt many consumers would know, such as who would have access to the data and how long it would be stored. It also asked for access to various APIs, which I didn’t have.

The goal is to get vendors of connected devices to create registries for those devices, then let users claim them or report them. So without vendors on board, it may just continue to show me nearby surveillance cameras and nothing more. But while that’s helpful, I’d love to see more people claiming and reporting their own devices — and for the vendors themselves to get involved.