Guidance on how manufacturers of Internet of things (IoT) devices should communicate with consumers about security upgrades for those devices was adopted during a June 18 virtual meeting of a multistakeholder process organized by the National Telecommunications and Information Administration. The four-page document approved by the group advises providers of IoT devices to “consider communicating to consumers prior to purchase” whether a device can receive security upgrades, how those upgrades will be delivered, and the date on which the device will no longer receive upgrades.
“The ideal level of detail and the method of communication may differ across manufacturers, software providers, and product and service categories, as well as across buyer types,” it says. “These voluntary communications may evolve over time as threats, solutions, and products change, and as needed to be consistent with consumers’ familiarity, expectations, and security needs.”
The document is one of four that the group hopes to produce as it looks for voluntary steps the industry could take to make IoT devices more secure. A draft of the document was published in April and the Federal Trade Commission recently offered its input, based on its experiences enforcing consumer protection laws in emerging industries such as IoT.
At its next meeting, scheduled for Sept. 12, the group will see if it can find consensus on the remaining documents and will talk about how to ensure that its work has an impact on the industry. It is planning to promote the work at conferences and through various trade associations. —Tom Leithauser, firstname.lastname@example.org