Frequently Asked Questions - Updated December 9, 2020
 

These FAQs cover both the IoT Portal and the IoT Assistant App

 
The IoT Privacy Infrastructure Team

We have organized our FAQs around a few different topics. We hope this increases the chance you find an answer to your question(s). If you don’t find an answer or would like to send us feedback, please email us at cmu-iotpi-owner@lists.andrew.cmu.edu. While we are a research team and have limited resources, we will aim over time to incorporate answers to as many questions as possible - this may be your exact question or a question we deemed similar to the one you submitted. For a more general understanding of how our infrastructure works, please visit: https://www.iotprivacy.io/about.

Links to different topics:

Topic 1: What does the IoT Privacy Infrastructure do? What am I supposed to do?

FAQ: On the app, I don’t see any IoT Resources on the map. Is something wrong?
 
There are billions of IoT resources deployed out there, but only tens of thousands have been registered on our IoT portal so far. We expect this number to grow in the weeks and months to come. When you launch the app, it will only show you IoT resources around your location. You may very well be in a place where no IoT resource has been registered yet. Feel free to move around the map and refresh your screen. It shouldn’t take too long before you see some IoT resources, especially if you zoom out a little. Note also that, for efficiency reasons, the IoT Assistant app does not display more than 75 IoT resources at a time. These will be the resources centered around the location you picked (by default your current location if you have granted the assistant access to your location). If you have selected to filter IoT resources based on criteria such as the type of data they collect, you will only see resources that satisfy these criteria. If you want to, you can relax your filtering criteria. And, finally, consider using our IoT portal and help us build a more complete list of IoT resources. Go to the dashboard on our portal, and use the ‘create resource’ button to start the process. Or better, click ‘request a registry’ to ask that we create a registry you can manage for your neighborhood, your company, or some other community, and encourage your friends or colleagues to help you populate the registry with descriptions of IoT resources.
 
FAQ: I created an account on your portal. Now what?
 
While our IoT Assistant app is there to help people discover IoT resources around them, our IoT Portal is there to help you publicize IoT resources you know about - whether you own/control these resources or just spotted them. This could be a smart doorbell with a camera facing the street, a network of microphones deployed in your neighborhood to detect shootings, a network of WiFi devices tracking your location inside a building, or a presence sensor in a meeting room. Whatever it is, go to the portal’s dashboard and use our ‘create resource’ button to describe the resource and then publish it in a registry that covers its location. If you can’t find a registry, just request we create one for you by clicking ‘request registry’, and, if you would like, invite others to also publish resource descriptions in it - your neighbors, your colleagues, your friends, your family, etc.
 
FAQ: There are a bunch of cameras in my neighborhood. Should I create a listing for each one of them, or could I just create a single entry for all of them?
 
That’s an excellent question. Describing a collection of sensors that collect the same data, are operated by the same entity and follow the same data practices as a single resource is absolutely fine - and more efficient. But if you are looking at different types of resources operated by different entities, you should really describe them as separate resources. For instance, a collection of surveillance cameras operated by a single mall operator in a given mall can be described as a single resource with a range that covers the entire mall. But different cameras operated by different stores inside the mall - some possibly using facial recognition or some other AI software and each with possibly different retention policies, should really be described as separate resources.

Topic 2: Are you really concerned about my privacy?

FAQ: Do I need a user account to use the IoT Assistant app?
 
By and large, you do not need an account to use the IoT Assistant app, as long as you are OK with just using its basic functionality, namely discovering IoT resources around you and their data practices. However, the IoT Assistant app also supports functionality that enables users to configure privacy options made available by some IoT resources. This functionality requires that we authenticate you. When you use privacy options made available to you by 3rd party IoT resources such as opting in or out of some practice, these 3rd parties also need to authenticate you. Each 3rd party currently uses its own authentication mechanism and is responsible for enforcing the privacy settings it makes available to you.
 
FAQ: Why do I need a user account to use the IoT Portal?
 
The IoT Portal enables users to create and publicize IoT resource descriptions, including managing IoT Registries, where others can also request to have their IoT resource descriptions publicized. The IoT Portal also enables users, including vendors, to share templates for different types of IoT resources - from IoT devices (e.g. Ring Doorbell) to IoT services (e.g. mall location tracking system, or surveillance cameras with facial recognition). We want to make sure that people take responsibility for the resource descriptions they publish and actually ask them to confirm that the data they publish is accurate to the best of their knowledge and that it complies with relevant laws. For these reasons, we need users of our IoT portal to authenticate. In addition, we are also collecting data on how people use our portal and are required to obtain consent prior to collecting this data. This is another reason why we need to know who our portal users are.
 
FAQ: Do I need separate accounts for the IoT Portal and the IoT assistant app?
 
No. The IoT Portal and the IoT assistant app share the same user account. Note that when you use the IoT Portal, you will need to complete a consent form for the collection of research data before you can use the Portal.
 
FAQ: How can you be funded by DARPA and claim you care about my privacy?
 
Thanks for asking this question! We are a team of researchers at Carnegie Mellon University and are not employees of the Department of Defense (DoD). DARPA (the “Defense Advanced Research Agency”) funds all sorts of different university research projects. In fact, the Internet itself was developed with DARPA funding. The funding we receive from DARPA for this project comes under DARPA’s Brandeis Privacy program, a program specifically focused on developing privacy-enhancing techniques.
 
Our team has been working on privacy-enhancing technologies for nearly 20 years and is deeply committed to protecting your privacy. We follow rigorous research protocols that are vetted by our University’s Internal Review Board and are also committed to following best security and privacy practices. This particular privacy infrastructure for the Internet of Things is designed to enhance privacy by empowering people to discover IoT resources around them and to control their data collection and use practices, when settings are available. In short, we are passionate about privacy and would never accept funding if we felt it interfered in any way with our commitment to privacy.
 
FAQ: Your consent form says “The Federal government ... will also have access to research records ...The research sponsor (DoD and NSF) representatives are authorized to review research records.” ...Does this mean DoD will see all the data you collect for your research?
 
The full text of our consent form reads: “The Federal government offices that oversee the protection of human subjects in research will also have access to research records to ensure protection of research subjects.” The “research records” mentioned here refer to the consent form we are required to obtain prior to collecting data for our research - they do not refer to the actual data we collect. This is to protect you from unauthorized data collection. Our research is subject to strict federal regulation and all data we wish to collect for research is subject to a rigorous review process by Carnegie Mellon University’s Internal Review Board (or “IRB”). The review process is designed to ensure that our research protocols minimize risks to people who use our technology. In particular, this includes disclosing to you what data we collect for our research and obtaining your consent. The federal government wants to be able to audit us and verify that we have obtained consent from everyone we collected data from. This is what this standard (“boilerplate”) text, which is mandated by the government, is intended to say. We wish the wording was more straightforward.
 
FAQ: Why do I need to agree to so many verbose documents?
 
We wish this process could be made much simpler but we are subject to multiple regulations. We need to obtain your consent to collect data about you for our research. We have tried to keep the consent form short, but we do want to be transparent and need to disclose enough details for you to be able to make an informed decision. Similarly, because our technology is available in a number of different countries (currently the United States of America, Canada, Australia, New Zealand, Iceland, Liechtenstein, Norway, Switzerland, the United Kingdom, and all member state s of the European Union), we need to ensure that our privacy policy and privacy practices are compliant with applicable regulations in these different countries. Thank you for your understanding.
 

Topic 3: Something seems wrong

FAQ: I created an account but never received a verification email. What is going on?
 
You may want to try again. If you don’t see anything after a few minutes, please check your spam folder.
 
FAQ: How do I change my password?
 
If you need/want to change your password, you currently need to log out and use the “Forgot your password?” button. This will result in a reset link being emailed to you.
 
FAQ: I don’t see an answer to my question. I guess I’m out of luck.
 
If you don’t see an answer to your question, please email us at cmu-iotpi-owner@lists.andrew.cmu.edu While we are a research team and have limited resources, we will aim over time to incorporate answers to as many questions as possible - this may be your exact question or a question we deemed similar to the one you submitted.
 
FAQ: I would like to provide feedback/suggestions for possible improvement of your solution, who should I contact?
 
We are constantly working to improve our app and portal and welcome any suggestions you may have. Please email us at cmu-iotpi-owner@lists.andrew.cmu.edu