Recognizing consumer concerns about security and patchability, an industry working group of organizations in the Internet of Things (IoT) industry is taking important steps to ensure that IoT manufacturers provide more readily available information to consumers on product packaging and labels. The NTIA’s IoT Communicating Upgradability and Improving Transparency Working Group recently released draft guidance entitled “Communicating IoT Device Security Update Capability to Improve Transparency for Consumers,” which encourages the use of FDA-style (nutrition-label-like) labels on IoT devices to address certain core security issues.
The Guidance recommends three “Key Elements” that should be communicated to consumers via labels:
Whether the device can receive security updates
This one is simple: can the device be patched or otherwise updated as new versions of its software become available?
How the device receives security updates
Let consumers know whether new software can be pushed over the air to the device without any consumer interaction, or whether they will need to connect it to a computer or bring it into a repair shop for updates.
When security updates will likely end
Will you commit to providing software updates for a set period of time? The Guidance recommends stating a specific date (for example, January 1, 2025) rather than a vague period like “two years,” since a relative period leaves the consumer guessing when the clock started (at manufacture, at sale, or at first use).
The Guidance suggests incorporating three additional elements into labels to help consumers:
- How will the user be notified about security updates? Does an Internet-connected washing machine have a red indicator light when a security update is available? Does the manufacturer send an email when an update is available?
- What happens when the device no longer receives security update support? Will any functionality be downgraded? If there is an online dashboard for an Internet-enabled coffee maker, for instance, will the dashboard disappear after a set time? Will the basic product features still work (brewing coffee, for example) even though the device can no longer connect to extended online services?
- How the manufacturer secures updates, or why the update process is reasonably secure. Explain how you will maintain the integrity of the update process, meaning that the device only installs updates that genuinely come from the manufacturer and have not been altered in transit, without confusing consumers with dense technical language.
In designing any labels for their products, the Guidance encourages manufacturers to use clean, simple designs and to avoid excessive fine print or legalese. Avoid overly technical jargon, and highlight the information that matters most to consumers.
Here is a sample label for a hypothetical Internet enabled tea kettle:
The NTIA’s IoT Communicating Upgradability and Improving Transparency Working Group is continuing to meet as part of the NTIA IoT Multistakeholder process and to refine this draft guidance. We will continue to monitor the Multistakeholder meetings and provide updates.