Pittsburgh has a long history of leadership in cybersecurity research, and that remains true today.
Carnegie Mellon University’s Security and Privacy Institute, aka CyLab, has remained active in conducting research as the technology of our daily lives has continued to change. Focused on ensuring user safety, privacy and security online, CyLab investigates topics including hardware security, software security, usability, cryptography and network security.
In the last month alone, students and faculty within the institute have authored several new studies regarding the prevalence of modern consent interfaces, smart home devices and hidden cameras. Technical.ly rounded up that work in an overview below, but be sure to read the full papers if you have time, and keep an eye on more to come out of CyLab in the future.
Have you noticed that more websites are now asking for your consent to accept all cookies with the quick click of a button? What they’re really asking is whether or not they can collect and retain certain data on you, like what items you have in your e-shopping cart, which advertisements you click on, and your login information.
Cookies aren’t new, but legislation regulating them is. Because of the European General Data Protection Regulation, which became enforceable in May 2018, more websites are now required to ask user permission to collect cookies. New research from CyLab, however, found that approach doesn’t make sense for your average internet user.
“A common reaction is to dismiss the interface as quickly as possible,” CyLab postdoctoral researcher Hana Habib said in a statement. “This suggests that these interfaces have usability problems.”
Though the interface gives users a chance to customize their cookie settings and have specific control over the data a website is allowed to track, that button tends to be much smaller and less eye-catching than the one to accept all cookies. And, because going through cookie settings requires a lot of time reading the fine print, users are quick to forgo it without understanding what they’re actually allowing. In her new study, “‘Okay, whatever’: An Evaluation of Cookie Consent Interfaces,” Habib surveyed over 1,300 study participants across 12 consent interfaces to determine which features impacted usability the most. Read the full study here.
Ever since the release of the Amazon Echo in 2014, one public concern around smart speakers (and other smart home devices with listening capabilities) has been how to prevent the device from listening all the time, even when you don’t want it to. So far, no one’s developed a way to know for sure whether a smart device is listening for more than just the relevant command. But a hub-based privacy architecture developed by CyLab researchers hopes to find a solution.
“In the privacy world, we have a principle called ‘data minimization,’” said Haojian Jin, a Ph.D. student at CMU’s Human-Computer Interaction Institute, in a statement. “The companies that collect the data should only be collecting the minimum amount of data to fulfill their objectives.”
Peekaboo, as the new system is called, works by requiring smart device developers to declare thorough information on what data they plan to collect, what conditions they’ll collect it under, where the data will be sent and more. By hooking up Peekaboo to smart home devices, the hub enforces all of those conditions set forth by the developer, and allows any users or other auditors to inspect the data going in and out of those devices. In doing this, Peekaboo also centralizes control of all smart devices in a household, making data privacy management more efficient and easy for end users. Read the full paper on the tech here.
Ever wonder if someone’s snooping on you with a hidden camera? A team of researchers from CyLab created phone- or laptop-based software to detect the presence of any Wi-Fi-connected IoT devices. While the use of home and business security cameras is becoming more common with new accessible technology, these devices can also create privacy violations when used in certain settings, like a hotel room or Airbnb.
Lumos, as the new software from the CyLab researchers is called, detects these cameras by finding the encrypted wireless packets associated with them, and labeling them for the end user in an augmented reality interface. To calculate the distance between the end user and a given IoT device, Lumos combines the Received Signal Strength Indicator (RSSI) with the visual inertial odometry information on the user’s mobile device.
“As the user walks closer to each device, the RSSI values corresponding to those data points increase and then reduce as she walks away from the device,” the researchers said in an academic paper on Lumos. “Lumos leverages the spatial measurements of RSSI values and their variations to estimate the location of each device.” The full team behind the work included Rahul Anand Sharma, Elahe Soltanaghaei, Anthony Rowe and Vyas Sekar.
In total, the researchers used Lumos to identify 44 different IoT devices across six different environments. Overall, it was able to identify hidden devices with 95% accuracy, they reported.
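To make the RSSI-plus-position idea concrete, here is an added sketch that is not from the Lumos paper or its authors: it estimates a transmitter's location from RSSI readings taken at known walking positions (standing in for the phone's visual inertial odometry). The log-distance path-loss model, the grid search, the room size and the sample trace are all assumptions chosen for illustration.

```python
import math

def fit_path_loss(samples, cand):
    """Fit rssi = p0 - 10*n*log10(d) for one candidate device location.
    Returns (sum of squared residuals, p0, n)."""
    xs = [-10.0 * math.log10(max(math.dist(pos, cand), 0.1)) for pos, _ in samples]
    ys = [rssi for _, rssi in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0.0:                      # every sample equidistant: nothing to fit
        return float("inf"), my, 0.0
    n = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    p0 = my - n * mx
    sse = sum((y - (p0 + n * x)) ** 2 for x, y in zip(xs, ys))
    return sse, p0, n

def locate_device(samples, width, depth, step=0.25):
    """Grid-search a width x depth room for the location that best explains the trace."""
    best_sse, best = float("inf"), None
    for i in range(int(width / step) + 1):
        for j in range(int(depth / step) + 1):
            cand = (i * step, j * step)
            sse, _, n = fit_path_loss(samples, cand)
            # Reject fits with physically implausible path-loss exponents.
            if 1.5 <= n <= 5.0 and sse < best_sse:
                best_sse, best = sse, cand
    return best

def constructed_walk(device=(3.0, 2.0), p0=-40.0, n=2.5):
    """Constructed, noise-free trace: an L-shaped walk past the device."""
    path = [(k * 0.5, 0.0) for k in range(11)] + [(5.0, k * 0.5) for k in range(1, 9)]
    return [(p, p0 - 10.0 * n * math.log10(math.dist(p, device))) for p in path]

if __name__ == "__main__":
    trace = constructed_walk()
    print("strongest sample at", max(trace, key=lambda s: s[1])[0])
    print("estimated device location", locate_device(trace, 6.0, 5.0))
```

The walk bends through a corner on purpose: readings taken along a single straight line cannot tell a device from its mirror image on the other side of that line.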
Sophie Burkholder is a 2021-2022 corps member for Report for America, an initiative of The Groundtruth Project that pairs young journalists with local newsrooms. This position is supported by the Heinz Endowments.