Consumer Groups Stress Need for Smart Device Labeling Program
Groups including the Electronic Privacy Information Center (EPIC) and Consumer Reports (CR) supported robust rules as part of the FCC’s proposed cybersecurity labeling program for smart devices in reply comments posted Monday in docket 23-239. In a letter posted last week, CTA, CTIA and other industry groups laid down a marker, saying the program should be voluntary and based on existing National Institute of Standards and Technology (NIST) guidance (see 2311090033).
“As the popularity and development of IoT devices grows globally, examples of privacy and security breaches continue to proliferate,” EPIC said. “A number of high-profile instances involving the hacking of video- and audio-enabled devices have rightly raised concerns among consumers regarding the safety of IoT devices.” But the information available to consumers is too often hard to locate and can’t be read until a device is purchased, EPIC said.
Once consumers have access to the information, “it’s largely too long and technical for the average buyer to use and make an informed decision,” the group said. Equipment makers also “often prematurely halt device support and inadequately communicate the length and scope of security support,” EPIC added.
CR said the rules should also take into account the almost 700 million wired IoT devices released globally. “Figuring out how to display the mark and which elements to include at various layers is probably the most important aspect of this program after defining the security criteria that products should meet in order to achieve the label,” CR said. The group said information should include “a minimum supported product lifetime based on the manufacturer’s willingness to provide security updates and cloud services,” discussed on the package or available through a QR code, as well as shared in the IoT registry.
CTIA urged the FCC to take a cautious approach in comments posted Monday. “A centralized, government-run or -managed IoT Registry that is saturated with information about participating devices creates enormous challenges and is the wrong approach for this program,” CTIA said. The group said while it supports self-certification as an option, that shouldn’t “undermine integrity in the program.” The FCC “should remain focused on the device level for the program at this time but should be open to expanding to the product level to the extent that relevant frameworks and conformance assessment methodologies evolve to enable product-level testing and assurance,” CTIA said.
The Information Technology Industry Council (ITI) said it initially believed the FCC should focus the program on using NIST’s IoT product definition rather than its IoT device definition. But ITI said it now recognizes that “inclusion of components such as specialty networking/gateway hardware, companion application software, and backends … would likely delay … deployment” and could “unnecessarily complicate the Program in its nascent stage, jeopardizing manufacturer participation and undermining consumer education.” The group urged the FCC to seek further comment on whether to focus on devices or products. “Because we expect development of the Program to be iterative in light of the multitude of complex questions still to be addressed, it makes sense to start with a more targeted scope and expand as NIST and other standards-setting bodies develop mature, consensus-based security standards for the additional aspects that compose an ‘IoT product,’” ITI said.
Manufacturers, trade associations and “independent assessors” agreed in initial comments that the rules should be based on NIST standards, said NTCA. “As an active participant in numerous public and private sector cybersecurity efforts, NTCA affirms the value of collaborative, iterative efforts that update and refine preemptive and responsive actions,” the group said.