FCC Proposes Voluntary Security Labels For ‘Internet Of Things’ Devices Most Companies Will Probably Ignore
from the regulatory-theater dept
While government leaders spent the last three years hyperventilating about TikTok, less talked about has been the dodgy “internet of things” (IOT) space; a broad assortment of mostly overseas-made techno doodads with paper-grade security and privacy standards that Americans connect to home and business networks with reckless abandon.
“Smart” TVs, fridges, and other internet-connected devices that experts have been warning us about for more than a decade often lack even fundamental security and privacy protections.
Enter the government, which is contemplating a new voluntary privacy and security label for IOT devices that manufacturers may or may not ever actually adhere to. According to separate FCC and White House announcements, the idea came from FCC boss Jessica Rosenworcel, and involves putting a “U.S. Cyber Trust Mark” (aka a sticker) on products that adhere to certain privacy and security standards:
“As proposed, the program would leverage stakeholder-led efforts to certify and label products, based on specific cybersecurity criteria published by the National Institute of Standards and Technology (NIST) that, for example, requires unique and strong default passwords, data protection, software updates, and incident detection capabilities.”
FCC Commissioner Nathan Simington this week spent some time over at Hacker News discussing the new proposal, which is only in its early stages. He requested that folks who’ve had problematic privacy or security issues with IOT devices file their thoughts with the FCC during the public comment process:
“If you want to influence the process, you have until September 25th, 2023 (midnight ET) to file comments in the rulemaking proceeding.[4] Filing is easy: go to https://www.fcc.gov/ecfs/search/docket-detail/23-239 and click to file either an ‘express’ comment (type into a textbox) or a ‘standard’ comment (upload a PDF). Either way, the FCC is required to consider your arguments. All options are on the table, so don’t hold back, but do make your arguments as clear as possible, so even lawyers can understand them.”
The program will initially take aim at stuff like smart refrigerators, TVs and fitness trackers. Eventually it will shift to routers, where lax security has also long been a problem. It’s certainly not the first time government or other organizations have advocated for more robust IOT standards. Consumer Reports in 2017 proposed an open source IOT standards system that (IIRC) never really went anywhere.
I don’t think this is a terrible idea, I just have my doubts that this FCC can actually implement and enforce it at any scale. This is an FCC that’s effectively given up on consumer protection or seriously regulating broadband industry giants under its direct authority, so the idea that it’s going to consistently play hardball with a universe of dodgy IOT device makers seems somewhat laughable.
This kind of voluntary stuff is fairly standard for the FCC’s Rosenworcel, who is also proposing an entirely voluntary broadband “nutrition” label consumer groups already say lacks the kind of detail or rigor to be genuinely useful to consumers being ripped off by their local broadband monopoly.
It’s a sort of regulatory theater, made worse in an environment where Congress is too corrupt to implement meaningful reform. You design programs that look like they’re tackling a major problem, but you make them voluntary — out of fear that being tough with larger companies might upset them. For example, the FCC’s nutrition label voluntarily asks broadband monopolies to be transparent about their high prices, but it never addresses the real cause of high broadband prices (unchecked monopoly power).
Most careerist regulators don’t want to actually regulate. They want to bide their time until their next political promotion or industry or think tank gig, usually through performative solutions that look good but don’t actually fix the underlying problem. Genuine reformers with the kind of fierceness needed to implement real reform genuinely aren’t treated well by entrenched power (see: Gigi Sohn).
Here, we’re asking an underfunded and understaffed agency to create a label system for a massive ocean of interconnected markets and thousands of different companies all over the globe. And we’ve made it voluntary. Many of the worst offenders when it comes to IOT security come from China, where companies could care less what Jessica Rosenworcel or the FCC think about much of anything.
I’d love to be wrong and see this program develop into a useful framework that elevates more trustworthy brands and provides consumers some long-overdue guidance on privacy and security. The underlying aspiration is sound. I’ve just been watching this agency long enough to know that it lacks the backbone or courage required to implement any reform that seriously challenges the interest of big companies (again see the sleazy, bipartisan undermining of Gigi Sohn, or the FCC’s multi-decade failure to hold predatory giants like AT&T, Comcast, Verizon, or Charter accountable for much of anything).
That’s not to say that consumers shouldn’t participate in the FCC rulemaking process; it’s still within the realm of the possible that the agency could be prodded into developing a backbone.
Filed Under: fcc, internet of things, iot, privacy, routers, security, security labels, smart devices, smart refrigerators, smart tvs
Comments on “FCC Proposes Voluntary Security Labels For ‘Internet Of Things’ Devices Most Companies Will Probably Ignore”
I expect this will be as useful as when Energy Star approved the gasoline powered alarm clock.
Stickers are nice, I would prefer a standard of opt-in for any and all internet connection requirements. If the device being sold will only operate when connected to the internet, they need to state such very clearly. In addition, they need to identify any and all options and features that will not work unless connected to the internet, or require payment for them to operate.
Re:
I think this is a good idea on paper, but wouldn’t forcing companies to make all their IoT software opt-in be compelled speech?
Sadly, I doubt many consumers would care about the disclaimers. They would eventually be similar in effect to those “Cancer and reproductive harm” warnings.
Re: Re:
“wouldn’t forcing companies to make all their IoT software opt-in be compelled speech?”
I fail to see the logic here.
Stopping a bait ‘n swap scam would be compelled speech too I guess. Your rights are violated because you were stopped from doing harm to others .. interesting concept.
Re: Re:
How can a voluntary program be forced anything?
“Voluntary” IOT Security Labels contradicts the whole concept of government Regulation.
That widespread concept demands that government experts determine the best ways to do things in selected private sector areas and require all persons to obey the government rules developed.
Voluntary-Regulation is an oxymoron.
Re:
Movie ratings have entered the chat
I much prefer the idea of a voluntary standard to something like what was recently covered here by Cathy Gellis: https://www.techdirt.com/2023/09/06/move-over-software-developers-in-the-name-of-cybersecurity-the-government-wants-to-drive/
Re:
Given that a certain sense of latitude and trust comes with the word ‘voluntary’, we know for a fact that any and all industries uniformly subscribe to the Number One tenet in the military – Never Volunteer For Anything!
And thus we have rules and regulations. Q.E.D.
Re: Re:
There are plenty of voluntary standards that have been widely adopted by industry, including those developed by ANSI and ISO.
Re: Re: Re:
And do you realize how long it took to get those standards in place? Decades. And they aren’t all voluntary, some of the ANSI stuff is mandatory, as for example, motorcycle helmets. Every state requires riders to have (and use!) one that adheres to ANSI Z90.1 (IIRC). Many more examples can be found, I’m sure, but the point is, ‘voluntary’ usually doesn’t become mandatory for some time, unless a veritable rash of deaths occur in a very short time frame – that usually gets the attention of both the public and the legislative bodies.
Re: Re: Re:2
“do you realize how long it took to get those standards in place?”
Things worth doing are worth the time it takes.
Re: Re: Re:2
1) The DOT standard is not quite the ANSI standard
https://motorhelmets.com/pages/resources-dot-helmet
2) Not all states require a helmet
https://www.iihs.org/topics/motorcycles/motorcycle-helmet-laws-table
The bare minimum
At the bare minimum they should at least advise device makers to have something obvious about changing the default password. The router makers are good about that, but who thinks about changing the password on a fridge?
This is what the National Cyberstupidity Strategy should be about. Enforce non-crap security on the dumpsterfire of things, drop the other crap and end the spooks hoarding vulnerabilities.
Couldn't
Couldn’t care less.
Could not.
It literally makes no sense if you say “could care less” in this context.
Couldn’t.
Couldn’t.
Couldn’t.