FCC Proposes Voluntary Security Labels For ‘Internet Of Things’ Devices Most Companies Will Probably Ignore
from the regulatory-theater dept
While government leaders spent the last three years hyperventilating about TikTok, less talked about has been the dodgy “internet of things” (IOT) space; a broad assortment of mostly overseas-made techno doodads with paper-grade security and privacy standards that Americans connect to home and business networks with reckless abandon.
“Smart” TVs, fridges, and other internet-connected devices that experts have been warning us about for more than a decade often lack even fundamental security and privacy protections.
Enter the government, which is contemplating a new voluntary privacy and security label for IOT devices that manufacturers may or may not ever actually adhere to. According to separate FCC and White House announcements, the idea came from FCC boss Jessica Rosenworcel, and involves putting a “U.S. Cyber Trust Mark” (aka a sticker) on products that adhere to certain privacy and security standards:
“As proposed, the program would leverage stakeholder-led efforts to certify and label products, based on specific cybersecurity criteria published by the National Institute of Standards and Technology (NIST) that, for example, requires unique and strong default passwords, data protection, software updates, and incident detection capabilities.”
FCC Commissioner Nathan Simington this week spent some time over at Hacker News discussing the new proposal, which is only in its early stages. He requested that folks who’ve had problematic privacy or security issues with IOT devices file their thoughts with the FCC during the public comment process:
“If you want to influence the process, you have until September 25th, 2023 (midnight ET) to file comments in the rulemaking proceeding. Filing is easy: go to https://www.fcc.gov/ecfs/search/docket-detail/23-239 and click to file either an ‘express’ comment (type into a textbox) or a ‘standard’ comment (upload a PDF). Either way, the FCC is required to consider your arguments. All options are on the table, so don’t hold back, but do make your arguments as clear as possible, so even lawyers can understand them.”
The program will initially take aim at stuff like smart refrigerators, TVs and fitness trackers. Eventually it will shift to routers, where lax security has also long been a problem. It’s certainly not the first time government or other organizations have advocated for more robust IOT standards. Consumer Reports in 2017 proposed an open source IOT standards system that (IIRC) never really went anywhere.
I don’t think this is a terrible idea; I just have my doubts that this FCC can actually implement and enforce it at any scale. This is an FCC that’s effectively given up on consumer protection or seriously regulating broadband industry giants under its direct authority, so the idea that it’s going to consistently play hardball with a universe of dodgy IOT device makers seems somewhat laughable.
This kind of voluntary stuff is fairly standard for the FCC’s Rosenworcel, who is also proposing an entirely voluntary broadband “nutrition” label consumer groups already say lacks the kind of detail or rigor to be genuinely useful to consumers being ripped off by their local broadband monopoly.
It’s a sort of regulatory theater. Made worse in an environment where Congress is too corrupt to implement meaningful reform. You design programs that look like they’re tackling a major problem, but you make them voluntary — out of fear that being tough with larger companies might upset them. For example, the FCC’s nutrition label voluntarily asks broadband monopolies to be transparent about their high prices, but it never addresses the real cause of high broadband prices (unchecked monopoly power).
Most careerist regulators don’t want to actually regulate. They want to bide their time until their next political promotion or industry or think tank gig, usually through performative solutions that look good but don’t actually fix the underlying problem. Genuine reformers with the kind of fierceness needed to implement real reform genuinely aren’t treated well by entrenched power (see: Gigi Sohn).
Here, we’re asking an underfunded and understaffed agency to create a label system for a massive ocean of interconnected markets and thousands of different companies all over the globe. And we’ve made it voluntary. Many of the worst offenders when it comes to IOT security come from China, where companies couldn’t care less what Jessica Rosenworcel or the FCC think about much of anything.
I’d love to be wrong and see this program develop into a useful framework that elevates more trustworthy brands and provides consumers some long-overdue guidance on privacy and security. The underlying aspiration is sound. I’ve just been watching this agency long enough to know that it lacks the backbone or courage required to implement any reform that seriously challenges the interest of big companies (again see the sleazy, bipartisan undermining of Gigi Sohn, or the FCC’s multi-decade failure to hold predatory giants like AT&T, Comcast, Verizon, or Charter accountable for much of anything).
That’s not to say that consumers shouldn’t participate in the FCC rulemaking process; it’s still within the realm of the possible that the agency could be prodded into developing a backbone.