FTC Releases Set of Guidelines for IoT Device Manufacturers


3Q 2017 | IN-4645



Comments on IoT Security

NEWS


In June 2017, the Federal Trade Commission (FTC) released an updated set of guidelines for how and when device manufacturers should inform consumers about the level of security in their connected products. The FTC’s overarching mission is to promote consumer protection. As billions of these devices continue to be used by not only consumers, but also enterprises, the FTC’s comments serve to improve security in Internet of Things (IoT) devices while still allowing end-users to realize the enormous benefits of their Internet-connected devices. The recently issued suggestions are not going to be immediately enforced by the FTC but are rather an attempt to ensure that future regulations accurately reflect end-users’ actual experiences and apprehensions with IoT devices.   

Elements of Updatability

IMPACT


The guidelines, called the Elements of Updatability, were based on input from the Communicating Upgradability and Improving Transparency Working Group at the National Telecommunications and Information Administration (NTIA), a multi-stakeholder group including industry, government, and consumer representatives. The working group identified flexible best practices for companies looking to implement security updates and how to communicate those updates to consumers. The Elements of Updatability divides its guidelines into two groups: key elements that device manufacturers should inform consumers about before sale since they could affect purchasing decisions and additional elements that manufacturers should communicate either pre-purchase or post-purchase.  

The following are the key elements that manufacturers should communicate to consumers before purchase of the device:

  1. whether the device can receive security updates;
  2. how the device receives security updates; and
  3. the anticipated timeline for the end of security support.

Additionally, the working group advised that manufacturers should consider adopting a uniform notification method that consumers can sign up for so that consumers are aware of any updates to their devices. Moreover, consumers should be reminded with real-time notifications when support is about to end. The working group found that providing automatic updates was a way for manufacturers to skirt many of these issues and that some information, like how manufacturers secure updates and the update process itself, may confuse consumers by overloading them with too much information to sift through.

Where the Burden Falls

COMMENTARY


These guidelines have yet to become enforceable regulations, so the FTC would not penalize companies that violate them. The FTC penalizes companies by seeking monetary redress or other relief for consumers who have been negatively impacted by a company’s acts or practices. It is important to note that these are simply guidelines. With the constant flood of mergers and acquisitions within this space, it is seemingly impossible for a company to provide an anticipated timeline for the end of security support for a product. However, this is a factor that greatly influences consumer purchasing decisions. The FTC noted in its release that it issues these guidelines in lieu of enforcement and pointed to the recent example of Nest cutting support for the Revolv Smart Home Hub less than 18 months after it had been sold to consumers. The FTC stated that its decision to decline enforcement in that case was because:

  1. there were a limited number of devices sold;
  2. the company decided to offer full refunds to all purchasers; and
  3. the company prominently promoted its refund policy to consumers.

As the IoT market continues to mature, the burden of securing these devices is increasingly falling on the device manufacturers themselves. In January 2017, ARRIS announced the industry’s first gateway with the McAfee Secure Home Platform by Intel Security. While developers, manufacturers, and consumers have cared about the features and cost of a device over its security, security cannot be overlooked any longer. Government entities like the FTC, FBI, and DHS have had to issue warnings, guidelines, and complaints to both manufacturers and consumers to address the issue of security without offering blanket regulations that could hinder growth in the wider IoT market. These guidelines avoid those blanket regulations by educating consumers about connected devices while also offering best practices for manufacturers to deliver those products and services.
