FTC Submits Comments on IoT Device Security to NTIA Working Group
On Monday, the FTC submitted comments to the draft National Telecommunications and Information Administration (NTIA) guidance intended to improve Internet of Things (IoT) device security and increase consumer transparency. While recognizing the benefits (and proliferation) of IoT devices, the Commission’s comments caution that such benefits can only be realized when device manufacturers both incorporate – and adequately inform consumers of – reasonable security measures.
The comments begin by highlighting several “lessons learned” from FTC enforcement actions involving IoT devices such as home security cameras, baby monitors, and smart TVs. Specifically, the Commission explains that such actions emphasize the need for manufacturers to take reasonable security measures and to continuously manage security risks. The comments, in addition, note the several policy initiatives, consumer and business educational materials, and company-specific guidance (in lieu of enforcement) intended to assist IoT manufacturers with device security.The Commission also recommends several changes to the NTIA guidance’s “Elements of Updatability”:
- Edits to “Key Elements” Prior to Purchase – The Elements of Updatability recommend three pre-sale “key elements”: (1) disclosure of whether the device can receive security upgrades, (2) disclosure of how the device receives such upgrades, and (3) the anticipated timeline for the end of security support. The FTC recommends that manufacturers disclose the minimum support period, rather than an anticipated timeline, as well as disclose if the device will lose functionality or become highly vulnerable when security support ends.
- Edits to “Additional Elements” Before or After Purchase – The FTC adds several “additional elements” that manufacturers should consider conveying to consumers, either before or after purchase. Such additional elements include (1) adopting a uniform notification method to, for example, notify consumers of updates (if updates are not automatic); (2) enabling consumers to sign-up for affirmative security support notifications that are separate from marketing communications; and (3) providing real-time notifications when support is about to end.
- Omission of One “Additional Element” – The FTC also advises omission of the “additional element” describing the update process, explaining that such description imposes costs on manufacturers with little benefit to consumers who can “feel overburdened by choice and ignore critical information.”