The White House is moving forward with an IoT security and privacy label, with plans to have a formal label by spring of 2023. To kickstart the effort, it invited officials from government, industry, academia, and consumer organizations to discuss what the label should cover and how to implement any labeling scheme. The White House has indicated it would like to model the program off of the Energy Star label operated by the Environmental Protection Agency.
Attendees at the Wednesday event heard from four organizations, each with their own plans for IoT security: CyLab, the security and privacy research institute at Carnegie Mellon University (CMU); the ioXt Alliance; the Connectivity Standards Alliance (home of the Matter standard); and the Consumer Technology Association, or CTA, which puts on the annual Consumer Electronics Show (CES). The goal was to create a cybersecurity label for consumer devices as called for by an executive order issued in May 2021 by President Biden.
If all of this feels familiar, it’s because we’ve already seen a few iterations of a nutrition-style cybersecurity label. CMU’s CyLab first proposed one back in 2020. Then in February of this year the National Institute of Standards and Technology (NIST) released a 27-page document describing a label with many similar elements.
The CyLab proposal is for a two-layered label, with the first layer accessible on the side of a product box and a second one that can be accessed via a QR code or link that provides more details. The first layer would indicate what sensors are on the device and what data they collect and share. It would also showcase the existing security update plans and how the device is secured, as you can see in the image above.
The second layer would provide even more information, such as how long data collected from the device gets retained, details about its encryption scheme, any vulnerability disclosures, as well as the device’s software bill of materials. While I heartily endorse sharing all of this information and view doing so as very pro-consumer, given how extensive the amount of information CyLab is proposing to include is, I can’t imagine that all of it will make it into the formal White House plan.
NIST’s plan is a bit broader and proposes that the label include certain basics, but it is neither wedded to the idea of a single label covering all devices nor clear as to how one would be implemented. (I covered what it would require pretty extensively in this story.) In addition to the idea of a label, it’s worth pointing out that the newly released Matter home interoperability standard also provides for some security, such as requiring local encryption and over-the-air updates.
The ioXt Alliance, which also presented at the event on Wednesday, has a less rigorous security framework that is designed for both apps and devices. Instead of a label on devices, it proposes a sticker that companies get if they either self-certify that they are following good security practices or if they go through the formal ioXt certification process. Letting companies self-certify is a way to ensure any smaller companies that are trying to follow the framework can get a certification without paying for a formal audit and certification process. But it’s also a way for unscrupulous companies to say they are following the rules, get the mark, and then reap the benefits of that mark without actually being secure.
And the certification process is one area where the White House’s plans are up in the air. There will be some kind of label, but who will administer it and whether it will be mandatory or merely a suggestion are still unknown. The specific items on the label are also unknown, but Yuvraj Agarwal, an associate professor of computer science at CMU and member of the CyLab Institute, who presented at the meeting, told me he felt confident that the White House sees the importance of including privacy and security as part of the label.
“Originally the focus was on security, but based on the comments, privacy factors are something people are even more interested in,” he said. “Both security and privacy are security, but people don’t want to do much for privacy because privacy is really about disclosures and figuring out the process of those disclosures.”
He said he made a point of explaining to the meeting’s participants that most of the information that would be on the CyLab label is already in their privacy policies, but it’s in a 50-page document that no one reads. So why not make that information more accessible to consumers?
As a consumer, I’d love this, because it could essentially freeze some aspects of data collection for a specific device — even if the maker of that device was bought by another company. I can’t tell you how often a device I use gets acquired by a company and then, a year or two later, the data policies change. Part of this makes business sense; after all, an acquisitive company doesn’t want to have to maintain separate databases and practices for dozens of acquisitions. But the real-world harms can be frustrating.
If you purchased a Nest thermostat in 2013 and were trying to avoid Google, for example, the $250 thermostat installed on your wall would start sharing data with Google just a few years later, meaning you’d have to accept that fact or replace your Nest with a new thermostat. A label doesn’t make this scenario impossible, but it does make changing privacy settings much less casual. And that’s a good thing.
That said, it also opens up potential liabilities for businesses, so expect to see some pushback on a labeling scheme from that camp. Businesses will want to retain as much flexibility as possible and reduce transparency about both privacy and some security practices called for in a label. Some will argue that publishing software bills of materials (as NIST generally promotes and the CyLab label requires) will open them up to hackers who know what to attack.
At a minimum, I hope that whatever style of label is decided upon is made mandatory and requires basic security features such as encryption, over-the-air updates, vulnerability disclosures and patching schedules, and multi-factor authentication, and that it ensures access to the device is controlled. I also hope it provides information related to privacy, such as disclosing the particular sensors on a device as well as how the data is shared, how long it is stored, and whether or not it is actively sold.
While the industry has started to enforce better cybersecurity through efforts such as ioXt and Matter, I believe that we should do more, both on the security side and by making sure that privacy is an essential part of any IoT cybersecurity label. We have until next spring to make it happen.