Smart Devices: Putting a Premium on Peace of Mind
Cybersecurity labels for smart gadgets are coming. Are consumers willing to pay to know their risks before they buy?
“Device manufacturers that do not care about security and privacy might decide not to disclose at all,” said assistant professor of computer science Pardis Emami-Naeini, who conducted the survey with colleagues at Carnegie Mellon University. “That’s not what we want.”
The average household in the U.S. now has connected to the internet, all collecting and sharing data. Fitness trackers measure your steps and monitor the quality of your sleep. Smart lights track your phone’s location and turn on as soon as you pull in the driveway. Video doorbells let you see who’s at the door -- even when you’re not home.
But for all their convenience, today’s smart gadgets still have some privacy and security . You may have read the stories about strangers , companies about customers and their passwords, or smart TVs while you are watching them.
suggests that the number of attacks on smart devices doubled in the first half of 2021 alone, going from 639 million to 1.5 billion in just six months.
The new program, which resembles the 30-year-old Energy Star labeling program for appliances that meet certain energy efficiency standards, would “raise the bar” for cybersecurity in the home, the White House said in a .
Companies that practice transparency would certainly help people make more informed choices about their next smart gadget purchase, said Emami-Naeini, who has been collaborating with government officials and non-governmental stakeholders to inform the design of the cybersecurity label in the U.S. But are such labels a selling point for their products?
In a survey of 180 U.S. consumers, she and colleagues set out to find out.
In an experiment conducted online, the researchers asked people to choose between discount offers on two smart devices based on labels showing different levels of protection.
For instance, a coupon worth $15 towards the purchase of a smart speaker that receives automatic security updates, versus $35 off for a smart speaker with no security updates. So a privacy-conscious consumer has to make a trade-off at the time of purchase -- is the more secure product worth paying closer to full price?
The findings show that people are willing to shell out up to 50% more for devices labeled with reassuring information about how they deter attackers or safeguard users’ data, as opposed to devices with no label that leave them in the dark.
“Consumers are willing to pay significant premiums to have security and privacy labels,” Emami-Naeini said.
“However, consumers aren’t as skeptical as we might hope when information is withheld from them,” she added.
When given a choice between a device with a label suggesting that it might not be the safest and no label at all, respondents were willing to pay more for an unlabeled device with no information at all about its security protocols and practices.
“That was a big surprise,” Emami-Naeini said.
Without information to the contrary, respondents said they simply assumed that items without warnings were no riskier than other models on the market.
Theoretically, tech companies could take advantage of such charitable assumptions to withhold information they’d rather their customers didn’t see, Emami-Naeini said.
That’s because currently the label proposed for the U.S. is optional on the part of device makers; manufacturers aren’t required to participate.
Consumers may start to see the new cybersecurity labels on U.S. store shelves as early as 2024. Other countries including , and are deploying similar programs to certify safe smart devices.
But the new research suggests that allowing device makers to either highlight or hide their security practices could make it all too easy to game the system. Companies who fear that transparency might stigmatize their products or cost them customers could simply opt out, Emami-Naeini said.
“We recommend having a mandatory security and privacy label,” Emami-Naeini said.
The researchers will present their findings August 9 at the 32nd USENIX Security Symposium in Anaheim, California.
This research was supported by the Carnegie Mellon University CyLab Security and Privacy Institute, and by a grant from the National Science Foundation (SaTC-1801472).
Citation
"Are Consumers Willing to Pay for Security and Privacy of IoT Devices?" Pardis Emami-Naeini, Janarth Dheenadhayalan, Yuvraj Agarwal, Lorrie Faith Cranor. 32nd USENIX Security Symposium. Aug. 9-11, Anaheim, California.