Consumer Reports Will Begin Evaluating Connected Products for Privacy and Data Security

1Q 2017 | IN-4489


Consumers Exposed

NEWS


On February 28, 2017, Australian web security expert Troy Hunt revealed that Spiral Toys, the maker of the CloudPets line of stuffed animals, inadvertently exposed over 2 million voice recordings of users, in addition to e-mail addresses and password information for over 800,000 accounts. This hack was due to Spiral Toys storing the recordings on an Amazon-hosted service that required no authorization, along with the CloudPets service having overly permissive password policies. This is not the first time that connected toy products have exposed the information of parents and their children. In November 2015, the VTech hack exposed the personal information of nearly 5 million adults and 200,000 children. As a direct result of these hacks and others, Consumer Reports announced in early March (2017) that it was going to begin evaluating connected products and services for privacy and data security. Additionally, Consumer Reports announced that it would create standards and test protocols for these connected products because the government is not adequately addressing the problems with these devices in the marketplace.

Where the Burden Falls

IMPACT


Consumer Reports is not the first organization to attempt to address the issue of IoT security in the marketplace. While Consumer Reports claimed that the government was not adequately addressing the problems inherent in IoT security, multiple executive departments and legislative bodies have attempted to address the issue. Instead of issuing blanket regulations, executive-branch organizations like the Federal Trade Commission (FTC), FBI, and US Department of Homeland Security (DHS) issued warnings and advisories directed at manufacturers or consumers, while directly issuing complaints against specific companies. In January 2017, the FTC filed a complaint against networking equipment manufacturer D-Link for alleged inadequate security measures that exacerbated the Mirai botnet attack in October 2016. In September 2015, the FBI issued a public service announcement warning of insufficient security protocols in IoT devices and of difficulties in patching these susceptibilities. Little guidance has come from legislative bodies, with a working group of public officials unable to conclude whether a solution should rely on industry-established standards, agency recommendations, legislation, or a combination of the three. Consumers are not being protected, so Consumer Reports decided to take a comprehensive, market-wide approach to educating consumers and influencing device manufacturers.

Educating Consumers

COMMENTARY


Consumer Reports has been issuing product testing and consumer research since 1936 and boasts 7 million subscribers. Consumer Reports is working with Disconnect, Ranking Digital Rights, and The Cyber Independent Testing Lab to create a collaborative standard that focuses on protecting user privacy. In November 2016, Consumer Reports released an article urging device manufacturers to do more to make their products secure: avoiding default passwords, encrypting all data generated on and by these devices, and enabling product updates. Consumer Reports is focused on creating a reasonable standard and, by using specific and repeatable testing procedures that evaluate and compare products, informing consumers about which products adequately meet the standard and which do not. The goal in establishing an industry standard is to encourage companies to act more responsibly and to show manufacturers and public officials what these standards can accomplish.

The government's hesitancy to issue any regulations or guidance is due partly to the fact that the legislative and executive bodies do not want to impede the organic growth of a highly nascent and growing market. However, developers, manufacturers, and consumers cared more about the features and cost of devices than about the security and privacy of these solutions, which essentially resulted in a fundamental market failure where the costs of these connected consumer devices are outweighing any potential benefits of using the devices. Consumers know they are at risk but are not taking proper precautions to protect themselves. Device manufacturers are not properly educating consumers on issues of privacy or security and are not taking proper courses of action. Consumers are not educated about these devices, device manufacturers are not educating consumers about the risks of these devices, and the government is not issuing any regulations. Therefore, other organizations, like Consumer Reports, decided to do their part to protect and educate consumers.
