The White House is pressing ahead with an IoT security and privacy label, with plans to have an official label by the spring of 2023. To begin the effort, it called on officials from government, industry, academia, and consumer organizations to discuss what the rating should cover and how to implement any labeling scheme. The White House has indicated its desire to model the program on the Energy Star label administered by the Environmental Protection Agency.
Wednesday’s event attendees heard from four organizations, each with their own plans for IoT security: CyLab, the Security and Privacy Research Institute at Carnegie Mellon University (CMU); the ioXt Alliance; the Connectivity Standards Alliance (home of the Matter standard); and the Consumer Technology Association, or CTA, which puts on the annual Consumer Electronics Show (CES). The goal was to create a cybersecurity label for consumer devices, as called for in the executive order issued in May 2021 by President Biden.
If this all sounds familiar, it’s because we’ve already seen some iterations of the nutrition-style cybersecurity label. CMU’s CyLab first proposed its label back in 2020. Then in February of this year, the National Institute of Standards and Technology (NIST) released a 27-page document describing a label with many similar items.
CyLab’s proposal is for a two-layer label, with the first layer accessible on the side of the product box and the second layer accessible via a QR code or link providing more details. The first layer refers to the sensors on the device and the data they collect and share. It will also display the current security update plans and how to secure the device, as you can see in the image above.
The second layer will provide more information, such as how long the data collected from the device is retained, details about its encryption scheme, how vulnerabilities are disclosed, and a software bill of materials for the device. While I strongly support sharing all of this information and see doing so as very pro-consumer, given how broad the amount of information CyLab is proposing to include, I can’t imagine that all of it will make it into the official White House plan.
NIST’s plan is a bit broader and suggests that the label include certain basics, but it is not tied to a single label design that covers all devices, nor is it clear as to how this should be implemented. (I covered what it might take in this story.) In addition to the label idea, it should be noted that the newly released smart home interoperability standard Matter also provides some security baselines, such as requiring local encryption and over-the-air updates.
The ioXt Alliance, which also presented at the event on Wednesday, has a less stringent security framework that is designed for both applications and devices. Instead of a label on the devices, it proposes a mark that companies receive if they self-certify that they follow good security practices or if they go through the official ioXt certification process. Allowing companies to self-certify is a way to ensure that smaller companies that try to follow the framework can obtain certification without paying the costs of a formal audit and certification process. But it’s also a way for unscrupulous companies to say they follow the rules, get the mark, and then reap the rewards of that mark without actually being secure.
The certification process is one of the areas where the White House’s plans are still open. There will be some sort of label, but who will manage it and whether it will be mandatory or just a suggestion is still unknown. The specifics on the label are also unknown, but Yuvraj Agarwal, an associate professor of computer science at CMU and a member of the CyLab Institute, who presented at the meeting, told me he feels confident the White House sees the importance of including privacy and security as part of the label.
“The focus was originally on security, but based on the comments, privacy factors are something people care about more,” he said. “Both security and privacy are security, but people don’t want to do much for privacy because privacy is really about the disclosure of information and the discovery process of that information being disclosed.”
He said he made the point to meeting participants that most of the information that will be on the CyLab label is already in companies’ privacy policies, but buried in a 50-page document that no one reads. So why not make this information more accessible to consumers?
As a consumer, I love this, because it can basically freeze some aspects of data collection for a particular device – even if the maker of that device is bought by another company. I can’t tell you how often a company that makes a device I use gets acquired, and after a year or two, the data policies change. Part of this makes business sense; after all, an acquiring company doesn’t want to have to maintain separate databases and practices for dozens of acquisitions. But the real-world damage can be frustrating.
If you bought a Nest thermostat in 2013 and you’re trying to avoid Google, say, your $250 wall-mounted thermostat will start sharing data with Google after only a few years, which means you’ll have to accept that fact or replace your Nest with a new thermostat. The label doesn’t make this scenario impossible, but it does make changing your privacy settings less of an easy option. This is a good thing.
However, it also unlocks potential liabilities for companies, so expect to see some pushback against the labeling scheme from this camp. Companies will want to maintain as much flexibility as possible and reduce transparency about both the privacy and some of the security practices required on the label. Some would argue that posting software bills of materials (as NIST generally promotes and the CyLab label requires) will open them up to hackers who know what to attack.
At a minimum, I would hope that whatever label style is specified is mandatory and requires basic security features such as encryption, over-the-air updates, vulnerability disclosure, patch schedules, multi-factor authentication, and controlled access to the device. I also hope it provides privacy-related information, such as the presence of certain sensors on the device, as well as how data is shared, how long it is stored, and whether or not it is actively sold.
As the industry begins to enforce better cybersecurity through efforts like ioXt and Matter, I think we should do more, both in terms of security and by making sure that privacy is an essential part of any IoT cybersecurity label. We have until next spring to make it happen.