FTC Offers Advice to NTIA Group Looking at IoT Security Patching

The best way to ensure the security of Internet of things devices would be for manufacturers to provide “secure products that receive automatic security updates during the device’s reasonable lifespan,” the Federal Trade Commission said today. Manufacturers that instead decide to allow consumers to choose whether they want security upgrades “should carefully evaluate the effectiveness of their disclosures,” the FTC said in comments submitted to a multistakeholder group examining IoT security upgradability that was convened by the National Telecommunications and Information Administration.

“Providing consumers with certain security-related information can empower their purchasing and use decisions,” the FTC told the NTIA multistakeholder group.  “At the same time, we note that effective notification is difficult to get right.  Poor disclosures, including overly extensive disclosures, can actually impede consumers’ ability to make informed choices.”

The NTIA group issued draft recommendations in April addressing how manufacturers should communicate with customers about the upgradability of IoT devices (TR Daily, April 26). The FTC said it agreed with recommendations that manufacturers should provide “pre-sale communication of clear, actionable information” about how long a product would be supported by the manufacturer. But the FTC advised giving consumers additional information about the product.  For example, consumers should have enough information to decide whether the additional cost of a “smart” device, which might eventually become unsupported by its manufacturer, is worth it.

“The commission recommends that if a ‘smart’ device will stop functioning or become highly vulnerable when security support ends, and if consumers would expect a similar ‘dumb’ device to have a longer, safer lifespan, then manufacturers should disclose those key use limitations to consumers prior to purchase,” the FTC said.

The NTIA working group is planning to hold two more meetings, one this month that has not yet been scheduled, and one in the fall to release its findings. It did not specifically solicit comments on its ongoing work, but the FTC voted 2-0 to share what it has learned about IoT devices in various FTC proceedings. —Tom Leithauser, tom.leithauser@wolterskluwer.com

Courtesy TRDaily