Consumer Reports Publishes Draft Cyber Standard

Consumer Reports said new standards will push better security and privacy protections for connected products.

In-brief: Consumer Reports released a draft standard for security digital devices, calling on manufacturers to secure their products and give consumers the right to repair them. 

Citing a lack of consensus on security standards for the Internet of Things and the deregulatory mood in Washington D.C., Consumer Reports, the U.S. based consumer product rating firm, has released what it is calling a draft privacy and security standard for connected devices that will encourage device makers to produce secure products and to act ethically.

The Digital Standard, as Consumer Reports has dubbed it, is a response to numerous hacks of vehicles, IP enabled home surveillance cameras and calls on manufacturers to conduct security tests of their products, ensure the privacy and security of customer data, allow product owners to repair and tinker with their products and act ethically. The guidelines are just the latest in a string of similar announcements from both private and public sector organizations. However, the high public profile of Consumer Reports as a consumer product rating firm will give added weight and importance to the guidelines.

The organization outlined its vision in an article posted on Monday, saying that standards released thus far have been too narrowly focused on a single area, such as privacy policies or the security of connected devices. Besides “none of them has gained wide support.” The group cited the deregulatory mood in Washington D.C. as a motivation to push private standards.

“Some protections are actively being rolled back—the Federal Communications Commission (FCC) recently blocked a new rule that would have added data security protections for internet users,” Consumer Reports noted.

The group partnered with security and privacy groups to craft the guidelines. Among them were Cyber Independent Testing Lab (CTIL), an independent firm created by noted security expert and former DARPA technology chief Peiter “Mudge” Zatko and Sarah Zatko.  The Zatkos’ work grew out of an Obama Administration effort to craft standards akin to those used by Underwriters Labs to test electrical products. The two have created tools that evaluate the security of software that runs connected products, detecting whether “well-accepted security practices have been followed that reduce the risks from attackers, malware, and other threats.” Other partners include Disconnect, a company that makes digital privacy tools and Ranking Digital Rights (RDR), a nonprofit research project that vets privacy policies for companies selling connected products and other technology.

The Standard weighs design features such as if consumer data is encrypted and whether the manufacturer continually updates its software with security patches. It considers what kind of data is being collected and whether users are informed of that, as well as whether data and customer information is deleted when customers close accounts. Importantly: the new standards plant a flag for the “right to repair,” encouraging makers to recognize the owner’s right to repair their product.

“Copyright laws are important, but they can also be abused. In general, when consumers buy products, we think they should be able to alter, fix, or resell them,” Consumer Reports writes.

[Read more Security Ledger coverage of Right to Repair bills.]

The proposed framework has good company. More than 20 similar standards and frameworks have been floated in recent years by both private industry, non-profit groups and government agencies, said Joshua Corman, the co-founder of I Am The Cavalry, a group that promotes issues related to online safety, privacy, security and public health.

By virtue of its name recognition and reputation with consumers, the Consumer Reports IoT standards could help focus consumers’ attention on issues like privacy and security and thereby drive up demand for those features, Corman said.

“Clearly its noteworthy that Consumer Reports has joined the fray,” he said, noting competing standards and initiatives by Underwriters Labs, OWASP, the Online Trust Association and others. “People will definitely take notice.”

However, he said the standards focus mostly on privacy and data security and fail to address larger , systemic issues such as public safety and the possibility of cyber physical impacts of attacks.

A good next step would be for the various, competing standards to be simplified either by a government agency or recognized standards body.

“The market isn’t going to tolerate a Tower of Babel,” Corman said.