Cyber Mark Commenters Disagree on Consumers' Data Needs
Industry urged the FCC to proceed cautiously when crafting rules for the cybersecurity labeling administrators (CLAs) and for the lead administrator, who will oversee an IoT product registry under the cyber trust mark program. Commenters disagreed about how much data consumers will need to ensure their IoT products are safe.
Commissioners in March approved 5-0 a voluntary program while adopting a Further NPRM seeking comment on some details (see 2403140034). Comments were due Monday in docket 23-239. The cyber mark will appear on consumer IoT products with an accompanying QR code. It will be comparable to the Energy Star program, which certifies products as energy efficient.
Consumer and public interest groups, along with Carnegie Mellon and New York universities, stressed the importance of creating a program consumers will trust. “There should be a clear and public process” for handling complaints, they said. “If the issue is that a company has not applied for a mark, but is displaying it anyway, then that complaint should be brought to the FCC and the Lead Administrator,” the universities said: “If a company is fraudulently displaying the mark, the FCC should adopt disqualification procedures similar to ENERGY STAR’s.”
The consumer filing also urged that the FCC require release of a relatively broad range of information as part of the label. The information the filing lists includes the types of sensors on a device “including cameras, microphones, thermometers, presence sensors, etc.” and “the data and the inferences those sensors collect especially if they can be used to detect location or sensitive information about a person.” The lack of a requirement to provide privacy information, “especially sensor data collection and its purpose is a serious oversight that must be corrected in order to meet the needs of American consumers and establish their trust in the program,” the filing said. Also signing the filing were Consumer Reports, Public Knowledge and the Electronic Privacy Information Center.
Information collected should be limited to a device's cybersecurity, the Consumer Technology Association commented. “Other information, such as the data a particular sensor collects or shares, is outside the scope of the Program” and is “often already available to the consumer and would crowd the IoT product label,” the CTA said. CTA also urged a “CLA-hosted, manufacturer-updated architecture” for the program. “This approach will facilitate the security, availability and integrity of IoT labels as well as support multiple display options and empower both manufacturers and the Commission to regularly update information so that consumers can use the IoT label easily and accurately.”
Applications to join the program should be treated as confidential, the Information Technology Industry Council said. “Besides discouraging manufacturer participation, a lack of confidentiality could also expose proprietary technology and trade secrets,” ITI said. The FCC shouldn’t require companies to detail the sensors in their IoT devices, the council said: “Such disclosures would create an added layer of complexity for consumers, defeating the label’s ease of use and cyber education goals, as well as discouraging participation in the program by manufacturers.”
The Association of Home Appliance Manufacturers (AHAM) said data provided should be limited to what interests consumers most. It could include “information regarding the device itself, such as the presence of cameras, microphones or other sensors,” AHAM said. Other security information provided in the registry could include “access control protections, whether data is encrypted, either while being transmitted or held on the device, and the manufacturer’s policies regarding security patches.”
CTIA said the FCC must make clear the program's costs and “develop funding approaches that meet the needs of the program without discouraging voluntary participation.” In selecting CLAs, the FCC should “require relevant experience but avoid unnecessary delay and expense by taking a flexible approach” on International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) accreditation requirements, CTIA said.
While ISO/IEC accreditation can be “helpful … for organizations with limited practical experience, it can be costly and time-consuming to obtain and is unnecessary for prospective CLAs that have demonstrated track records in managing similar certification programs.” CTIA called consumer education “critically important.”
NCTA emphasized getting the rules right. “Manufacturer applications for IoT products should be treated as presumptively confidential and be reasonably safeguarded through appropriate information security controls,” cablers said. In addition, the program should be practical and consumer friendly, NCTA said: “The registry should be designed and built for scalability, automation, and trust and security; contain reasonably current and relevant information; and provide centralized information on whether the product is still supported and in good standing with the Mark requirements.”