Communications Daily is a service of Warren Communications News.
‘Incumbent’ to Step In

Internet, Privacy Groups Urge CPSC to Regulate IoT Device Security Risks

The Consumer Product Safety Commission was right to exclude cybersecurity and privacy concerns when it undertook its review of the potential safety issues and hazards for IoT consumer devices (see 1803290032 and 1806150044), said the Association of Home Appliance Manufacturers (AHAM) and U.S. Chamber of Commerce in comments posted Friday in docket CPSC-2018-0007. Internet and privacy groups and think tanks disagreed, arguing security and privacy concerns aren’t part of CPSC’s historical purview but can’t be divorced from the physical harms that IoT devices risk inflicting on consumers.

AHAM “agrees” the CPSC lacks the “authority” to address “personal data security or privacy implications of connected devices,” said the association. “Other agencies address those issues and CPSC need not take a leadership role in that space.” AHAM thinks IoT device safety standards “should reduce unreasonable risks, but they should not stifle innovation,” it said. It “disagrees with the notion that remote operation” of internet-connected devices “should be categorically prohibited when consensus standard requirements are viable means to mitigate such risks,” it said. “Potential hazards associated with connectivity safety” are best addressed through “the relevant product-specific consensus standards,” it said.

The U.S. Chamber “commends” CPSC “for recognizing that government, industry, standards organizations, and consumer advocates must work collaboratively to develop a framework for best practices, and for wisely excluding personal data security and privacy from its inquiry,” it said. “Voluntary best practices and standards for IoT abound,” it said. “Existing standards addressing IoT security, cybersecurity, and physical safety are related. These voluntary, industry-led, and global standards are driving towards secure, flexible, and interoperable solutions.”

The agency “should not act in response to hypothetical harm” of IoT devices, said the chamber. Though the risks of fire and shock in consumer products are “actual harms, it is unclear how these potential hazards are uniquely affected by or present with IoT,” it said. “They are the same risks as with unconnected consumer products. Connectivity alone is not a new area of risk.”

The Electronic Privacy Information Center disagrees the commission lacks authority to police security and privacy risks of IoT devices, said the center. “The biggest threat to privacy and security in consumer products is posed by the” IoT, with devices that “track personal data by seamlessly integrating into the consumers’ activities and lifestyles,” it said. “They blend into everyday objects, and are not readily discernible as an internet-connected device with the capacity to sense, collect, and transmit large-scale personal data.”

IoT technology “is encapsulated in small unobtrusive devices, often without a direct user interface like a screen,” said EPIC. “Ubiquity of IoT sensors and their amassment of granular data pose significant privacy concerns that could threaten the physical safety of consumers.” It’s “incumbent” on CPSC to “regulate the privacy and security of IoT devices,” it said. “CPSC is the best equipped federal agency to address the complexities of IoT -- through its interdisciplinary structure of economists, engineers, and lawyers, and the resources to test for security lapses and recall faulty devices before they enter the commerce stream.”

Though “no doubt” the IoT “presents enormous value, poorly designed and inadequately secured devices can present risks to consumers' safety and can be exploited for costly cyber-attacks,” said the Center for Democracy and Technology. It wants CPSC to “recognize the unique scope and characterization of IoT devices and how this impacts hazardization considerations,” and to “identify existing IoT standards to bolster security practices across different consumer product domains.” The agency also should “collaborate with relevant stakeholders to provide guidance to consumers and manufacturers on IoT-related informational harms,” beginning to “track IoT products, including component disclosures and IoT designations, for complaint databases,” it said.

The Center for Data Innovation disagrees CPSC should steer clear of the security and privacy risks of IoT devices, said the think tank. “Pay attention to certain cybersecurity threats, a risk that it has not traditionally considered, but resist creating any prescriptive rules for IoT devices.” The center worries that a smart home appliance “could overheat to the point of causing a fire,” it said. “While many IoT devices do not present safety risks, some do, and regulators should pay attention to those potential risks.”

The Internet Society urges CPSC to “consider potential hazards posed by insecure IoT products to both users of the products and to the wider Internet ecosystem,” it said. IoT systems “must be secured against risks to other networks and users (outward security) as well as risks to their users and assets (inward security),” it said. “Both inward and outward security carry potential hazards for consumers. An insecure device could be attacked and made to malfunction.”

Rather than wash its hands of cybersecurity concerns in this review, the agency should “encourage industry adoption of a growing range of cyber insurance offerings,” said the Mercatus Center at George Mason University. IoT involves “a complex and ever-changing global ecosystem,” it said. “The role of the CPSC and other agencies in addressing cyber insecurity is to foster the ecosystem’s ability to adapt and learn. This requires an approach that emphasizes resilience as the end goal.”