Frequently Asked Questions - Updated February 20, 2020
 

These FAQs cover both the IoT Portal and the IoT Assistant App
The IoT Privacy Infrastructure Team

We have organized our FAQs around a few different topics. We hope this increases the chance you find an answer to your question(s). If you don’t find an answer or would like to send us feedback, please email us at cmu-iotpi-owner@lists.andrew.cmu.edu. While we are a research team and have limited resources, we will aim over time to incorporate answers to as many questions as possible - this may be your exact question or a question we deemed similar to the one you submitted. For a more general understanding of how our infrastructure works, please visit: https://www.iotprivacy.io/about.

Links to different topics:

Topic 1: What does this app do? What am I supposed to do?

FAQ: I created an account on your app but I don’t see any IoT Resources on the map. Is something wrong?
 
There are billions of IoT resources deployed out there, but only tens of thousands have been registered on our IoT portal so far. We expect this number to grow in the weeks and months to come. When you launch the app, it will only show you IoT resources around your location. You may very well be in a place where no IoT resource has been registered yet. Use our IoT portal and help us build a more complete list of IoT resources. Use the ‘create resource’ button to start the process. Or better, click ‘request a registry’ to ask that we create a registry you can manage for your neighborhood, your company, or some other community, and encourage your friends or colleagues to help you populate the registry. You may even consider throwing a “privacy pizza” party!
 
FAQ: I created an account on your portal. Now what?
 
While our IoT Assistant app is there to help people discover IoT resources around them, our IoT Portal is there to help you publicize IoT resources you know about - whether you control these resources or just spotted them. This could be a smart doorbell with a camera facing the street, a network of microphones deployed in your neighborhood to detect shootings, a network of WiFi devices tracking your location inside a building, or a presence sensor in a meeting room. Whatever it is, use our ‘create resource’ button to describe the resource and then publish it in a registry that covers its location. If you can’t find a registry, just request we create one for you by clicking ‘request registry’, and, if you would like, invite others to also publish resource descriptions in it - your neighbors, your colleagues, your friends, your family, etc.
 
FAQ: There are a bunch of cameras in my neighborhood. Should I create a listing for each one of them, or could I just create a single entry for all of them?
 
That’s an excellent question. Describing a collection of sensors that collect the same data, are operated by the same entity and follow the same data practices as a single resource is absolutely fine - and more efficient. But if you are looking at different types of resources operated by different entities, you should really describe them as separate resources. For instance, a collection of surveillance cameras operated by a single mall operator in a given mall can be described as a single resource with a range that covers the entire mall. But different cameras operated by different stores inside the mall - some possibly using facial recognition or some other AI software and each with possibly different retention policies, should really be described as separate resources.

Topic 2: Are you really concerned about my privacy?

FAQ: How can you be funded by DARPA and claim you care about my privacy?
 
Thanks for asking this question! We are a team of researchers at Carnegie Mellon University and are not employees of the Department of Defense (DoD). DARPA (the “Defense Advanced Research Agency”) funds all sorts of different university research projects. In fact, the Internet itself was developed with DARPA funding. The funding we receive from DARPA for this project comes under DARPA’s Brandeis Privacy program, a program focused on developing privacy-enhancing techniques.
 
Our team has been working on privacy-enhancing technologies for nearly 20 years and is deeply committed to protecting your privacy. We follow rigorous research protocols that are vetted by our University’s Internal Review Board and are also committed to following best security and privacy practices. This particular privacy infrastructure for the Internet of Things is designed to enhance privacy by empowering people to discover IoT resources around them and to control their data collection and use practices, when settings are available. In short, we are passionate about privacy and would never accept funding if we felt it interfered in any way with our commitment to privacy.
 
FAQ: Your consent form says “The Federal government ... will also have access to research records ...The research sponsor (DoD and NSF) representatives are authorized to review research records.” ...Does this mean DoD will see all the data you collect for your research?
 
The full text of our consent form reads: “The Federal government offices that oversee the protection of human subjects in research will also have access to research records to ensure protection of research subjects.” The “research records” mentioned here refer to the consent forms we are required to obtain prior to collecting data for our research - they do not refer to the actual data we collect. This is to protect you from unauthorized data collection. Our research is subject to strict federal regulation and all data we wish to collect for research is subject to a rigorous review process by Carnegie Mellon University’s Internal Review Board (or “IRB”). The review process is designed to ensure that our research protocols minimize risks to people who use our technology. In particular, this includes disclosing to you what data we collect for our research and obtaining your consent. The federal government wants to be able to audit us and verify that we have obtained consent from everyone we collected data from. This is what this standard (“boilerplate”) text, which is mandated by the government, is intended to say. We wish the wording was more straightforward.
 
FAQ: Why do I need to log in to use your app?
 
Because we are collecting data for our research about the way you use our app, we are required to obtain your consent. This is why we need to know who you are. In the future, we also plan to add functionality that will allow you to personalize some settings and also access other elements of functionality that will require that we authenticate you. In addition, when you use privacy settings made available to you by 3rd party IoT resources such as opting in or out of some practice, these 3rd parties also need to authenticate you. Each 3rd party currently uses its own authentication mechanism and is responsible for enforcing the privacy settings it makes available to you.
 
FAQ: Why do I need to agree to so many verbose documents?
 
We wish this process could be made much simpler but we are subject to multiple regulations. We need to obtain your consent to collect data about you for our research. We have tried to keep the consent form short, but we do want to be transparent and need to disclose enough details for you to be able to make an informed decision. Similarly, because our technology is available in a number of different countries (currently the United States of America, Canada, Australia, New Zealand, Iceland, Liechtenstein, Norway, Switzerland, the United Kingdom, or a member state of the European Union), we need to ensure that our privacy policy and privacy practices are compliant with applicable regulations in these different countries. Thank you for your understanding.
 

Topic 3: Something seems wrong

FAQ: I created an account but never received a verification email. What is going on?
 
You may want to try again. If you don’t see anything after a few minutes, please check your spam folder.
 
FAQ: How do I change my password?
 
If you need/want to change your password, you currently need to log out and use the “Forgot your password?” button. This will result in a reset link being emailed to you.
 
FAQ: I don’t see an answer to my question. I guess I’m out of luck.
 
If you don’t see an answer to your question, please email us at cmu-iotpi-owner@lists.andrew.cmu.edu. While we are a research team and have limited resources, we will aim over time to incorporate answers to as many questions as possible - this may be your exact question or a question we deemed similar to the one you submitted.