FTC Suggests Considering Security Disclosure Rules for Connected-Device Makers

The government’s consumer safety advocate should consider requiring internet-connected device manufacturers to advertise which safety standards they’re following and which they aren’t, a Federal Trade Commission division said Friday.

If the Consumer Product Safety Commission mandated that disclosure, it would help consumers make smarter decision about the internet-of-things devices they purchase, the Trade Commission’s Bureau of Consumer Protection said in a public comments filing.

It would also make it easier for the Trade Commission’s enforcement division to go after IoT companies that misrepresent their security protections, the bureau said, noting that it would “provide an enforcement backstop to help ensure that companies comply with their certifications.”

The bureau stopped short of actually advocating that the Product Safety Commission require security transparency from IoT companies or take any other regulatory action.  

If the commission does introduce IoT regulations, however, it should take pains to be “technology-neutral and sufficiently flexible so that [regulations do] not become obsolete as technology changes,” the bureau said.

The bureau also recommended that the Product Safety Commission consider helping consumers sign up for email alerts about IoT devices that are recalled or that need software patches. The commission has a similar process for alerting about safety notifications regarding products for infants and toddlers, the bureau noted.

If the commission does institute an IoT alert system, it should allow consumers to opt out of marketing emails from companies, which will make them more likely to sign up, the bureau said.

The comments came in response to a call for public feedback about IoT devices and “consumer product hazards.”

The Public Safety Commission explicitly noted that it does not consider “personal data security and privacy issues” within the scope of “consumer product hazards.” The Federal Trade Commission bureau quibbled with that exclusion, however, noting that digital insecurities in IoT devices can affect much more than just privacy.

“For example, a criminal who hacks into a connected-home network could not only collect information about consumers who live in the house,” the bureau noted, “but also could activate or deactivate home security devices, potentially causing threats to personal safety.”