IoT goods, software and digital services to be evaluated for privacy and security

Consumer Reports, a US non-profit group whose extensive reviews of consumer goods have helped the public make informed and better choices for many decades, has announced that it will start evaluating products and services for privacy and data security.

IoT security standard

“We think it’s unfair and unrealistic to expect consumers to constantly play defense when the products and services they use aren’t engineered with basic privacy and security protections built in,” the group noted.

Why an IoT security standard is needed

But to be able to evaluate a product on these things, there has to be a standard for manufacturers and service providers to be able to follow, and against which their products will be tested.

The organization therefore moved to create such a standard, with the help of three other organizations:

  • Disconnect, a company that makes user-friendly software for blocking data-trackers and other privacy invasions;
  • Ranking Digital Rights (RDR), a non-profit research project that pores through privacy policies and other information that companies disclose to users;
  • Cyber Independent Testing Lab (CITL), a non-profit software security-testing organization headed by infosec expert Peiter “Mudge” Zatko.

They have provided a working version of the Digital Standard, and have asked the public to comment on it and make it better.

About the standard

The standard addresses four distinct set of questions:

1. Is the product/service built to be secure? Built with best security practices in mind? How are safety features implemented? Is it reliable?

2. Does the product/service preserve consumer privacy? Is the company willing and able to address reports of vulnerabilities? Is it protected from known software vulnerabilities? Does the company push out regular security updates for the software? Is the information provided by users encrypted? Does it require users to set a good password? Can users control the data that is shared with the manufacturer/service provider? Is information are deleted when the consumer leaves the service? And more.

3. Is the product owned by the consumer? Does the company prohibit use of the product with other products? Does the consumer own every part of the product? Can he or she resell it? Will it still be functional in the long run? Can the product be fixed by parties other than the manufacturer, and will the consumer be penalized if it does so?

4. Is the company ethical? Is it publicly committed to respecting users’ human rights to freedom of expression and privacy? Does it have mechanisms to implement these commitments? Can consumers easily find, read, and understand the privacy policy and/or terms of service? Does the company comply only with legal and ethical third-party requests for user information? Is the company transparent about its practices for sharing user data with the government and other third parties? Is the software open source? And so on.

“The standard should be easy enough for consumers without a technical background to understand, yet sophisticated enough to guide testing organizations such as Consumer Reports as we develop precise testing protocols. We want to rate products on measures such as security, in much the same the way we currently assess products for physical safety and performance,” Consumer Reports explained.

In the process of creating the current draft, the four organizations tested portions of it by applying them to real products, as a way to refine the standard and see how it’s working and whether it’s a good fit.

Make the IoT security standard matter

By asking for comments, they want to make sure that the public is involved in the creation of the standard and to buy into its usefulness.

“What matters for now isn’t that every detail is correct. The important thing is for the idea of a digital consumer-protection standard to take hold,” they noted.

The need for such a standard is great, as internet-connected devices are becoming ubiquitous. It’s also a great way to raise consumers’ expectations about security and privacy.

“If Consumer Reports and other public-interest organizations create a reasonable standard and let people know which products do the best job of meeting it, consumer pressure and choices can change the marketplace. We’ve seen this repeatedly over our 80-year history,” the non-profit concluded.