242 research outputs found

    Evaluating the Contextual Integrity of Privacy Regulation: Parents' IoT Toy Privacy Norms Versus COPPA

    Increased concern about data privacy has prompted new and updated data protection regulations worldwide. However, there has been no rigorous way to test whether the practices mandated by these regulations actually align with the privacy norms of affected populations. Here, we demonstrate that surveys based on the theory of contextual integrity provide a quantifiable and scalable method for measuring the conformity of specific regulatory provisions to privacy norms. We apply this method to the U.S. Children's Online Privacy Protection Act (COPPA), surveying 195 parents and providing the first data that COPPA's mandates generally align with parents' privacy expectations for Internet-connected "smart" children's toys. Nevertheless, variations in the acceptability of data collection across specific smart toys, information types, parent ages, and other conditions emphasize the importance of detailed contextual factors to privacy norms, which may not be adequately captured by COPPA. Comment: 18 pages, 1 table, 4 figures, 2 appendice

    Machine Learning DDoS Detection for Consumer Internet of Things Devices

    An increasing number of Internet of Things (IoT) devices are connecting to the Internet, yet many of these devices are fundamentally insecure, exposing the Internet to a variety of attacks. Botnets such as Mirai have used insecure consumer IoT devices to conduct distributed denial of service (DDoS) attacks on critical Internet infrastructure. This motivates the development of new techniques to automatically detect consumer IoT attack traffic. In this paper, we demonstrate that using IoT-specific network behaviors (e.g. limited number of endpoints and regular time intervals between packets) to inform feature selection can result in high accuracy DDoS detection in IoT network traffic with a variety of machine learning algorithms, including neural networks. These results indicate that home gateway routers or other network middleboxes could automatically detect local IoT device sources of DDoS attacks using low-cost machine learning algorithms and traffic data that is flow-based and protocol-agnostic. Comment: 7 pages, 3 figures, 3 tables, appears in the 2018 Workshop on Deep Learning and Security (DLS '18

    A Developer-Friendly Library for Smart Home IoT Privacy-Preserving Traffic Obfuscation

    The number and variety of Internet-connected devices have grown enormously in the past few years, presenting new challenges to security and privacy. Research has shown that network adversaries can use traffic rate metadata from consumer IoT devices to infer sensitive user activities. Shaping traffic flows to fit distributions independent of user activities can protect privacy, but this approach has seen little adoption due to required developer effort and overhead bandwidth costs. Here, we present a Python library for IoT developers to easily integrate privacy-preserving traffic shaping into their products. The library replaces standard networking functions with versions that automatically obfuscate device traffic patterns through a combination of payload padding, fragmentation, and randomized cover traffic. Our library successfully preserves user privacy and requires approximately 4 KB/s overhead bandwidth for IoT devices with low send rates or high latency tolerances. This overhead is reasonable given normal Internet speeds in American homes and is an improvement on the bandwidth requirements of existing solutions. Comment: 6 pages, 6 figure

    Exchanging Culture For Politics: Stratagems Of Recourse To Tribe And Tradition In Development Discourse

    RUP Occasional Paper. The general subject of this paper (1) is the exploration of some common elements in utterance patterns in commentary on, and analysis of, public affairs and development. In brief: spoken or written recourse to a mode or style of cultural discourse is examined. Specifically the focus is on a development discourse, which turns heavily on 'culture exchanged for politics'. Since politics is partly about economics, one could add '... and for economics'. This paper aims to examine such exchange

    II) EASTERN AFRICA: PEASANTS AND PLANISTRATORS


    Bougainville reconstruction aid: what are the issues?

    ‘Today, mipela finisim war bilong Bougainville’, (‘Today, the war in Bougainville has ended’) said Sam Kauona, the Commander of the Bougainville Revolutionary Army, at the ceasefire signed 30 April 1998. This followed the previous November’s truce. It had become clear by 1997 that a military solution was not possible, that the conflict ‘had many basic sources’, and that a desire for peace was widespread and growing especially in the areas most affected by the conflict (Interdepartmental Committee 1997). It was recognised also that the conflict began because of problems peculiar to Bougainville, and has extended and deepened to a large degree because of tensions within Bougainville. Any lasting solutions…must as much as possible come from Bougainvilleans. By a non-Bougainvillean, but also someone who has never even visited that Province or worked anywhere in Papua New Guinea for decades (and then only for a few months in Port Moresby at the Central Planning Office), this essay on aid issues is therefore highly speculative. It proceeds only by generalization and deduction from what appear to be comparable situations in other parts of the world. No two wars are the same. Obviously Biafra decades ago, then Mozambique, Somalia, Liberia and Rwanda more recently, Bosnia and Afghanistan still, Cambodia, and Rwanda again, are not Papua New Guinea ten or five years ago or now. But some commonalities can perhaps be found. At the time of writing (May 1998), the Prime Minister of Papua New Guinea is assuring Bougainvilleans that they have his support for the task of peace and re-building in a spirit of self-reliance and autonomy. It appears that all Bougainville parties now wish for some types of aid, using mainly Bougainvillean inputs, to rehabilitate basic services so as to meet immediate health, education and local roads needs. 
To judge from reports of demands for more of the types of basic livelihood packs AusAID has provided thus far, this aid response seems to have been appropriate. What is not requested (nor, thus far, supplied) is aid for projects such as airport and seaport rebuilding. This is ruled out because of the strategic implications of such projects for what is feared might become a return to the ‘development’ of old in the province, before the crisis, now in its tenth year. And this, overall, is the position taken here. Contrary to the development-led approach to reconstruction proposed in an inter-agency UNDP document (Rogge 1995), this paper takes the position that ‘development’ ought not to be the watchword. Rather, as post-war aid needs for reconstruction are ascertained, it is a word in reconstruction aid discourse to watch. Humanitarian concerns, rules and conditionalities should be uppermost. Confronted with such situations, perhaps there are new challenges for ways of thinking about aid responses. This paper attempts to identify some. AusAI

    User Perceptions of Smart Home IoT Privacy

    Smart home Internet of Things (IoT) devices are rapidly increasing in popularity, with more households including Internet-connected devices that continuously monitor user activities. In this study, we conduct eleven semi-structured interviews with smart home owners, investigating their reasons for purchasing IoT devices, perceptions of smart home privacy risks, and actions taken to protect their privacy from those external to the home who create, manage, track, or regulate IoT devices and/or their data. We note several recurring themes. First, users' desires for convenience and connectedness dictate their privacy-related behaviors for dealing with external entities, such as device manufacturers, Internet Service Providers, governments, and advertisers. Second, user opinions about external entities collecting smart home data depend on perceived benefit from these entities. Third, users trust IoT device manufacturers to protect their privacy but do not verify that these protections are in place. Fourth, users are unaware of privacy risks from inference algorithms operating on data from non-audio/visual devices. These findings motivate several recommendations for device designers, researchers, and industry standards to better match device privacy features to the expectations and preferences of smart home owners. Comment: 20 pages, 1 tabl