IoT Nutrition Labels

The Internet of Things (IoT) is making computing ubiquitous. From smart TVs and speakers to video doorbells and connected appliances, we increasingly live in “smart homes.” Based on current estimates, there may be as many as 75 billion connected devices in use transmitting 80 zettabytes (80 trillion gigabytes) of data2 by 2025. These products have brought remarkable functionality and convenience to consumers, but they continuously introduce new privacy and cybersecurity risks, as well. With every connected device a consumer welcomes into their home, the potential “attack surface” increases. Many connected devices—even those offered by major manufacturers—lack basic security features such as strong encryption, mechanisms for software updates, or alerts when device security is breached, leaving consumers with little information on the security and privacy of their home devices.

At the grocery store we can read and compare nutritional information, thanks to the standardized Nutrition Facts label. At big box retailers, we can review Energy Guide estimates of the annual energy consumption of appliances. What if all connected devices sold came with the equivalent of a privacy & cybersecurity “nutritional label”? Instead of telling consumers how many calories a product has, or how much it costs to power, a security and privacy label would communicate things like what kinds of data the product collects, how long the product will receive security updates, and other important information to help consumers make informed decisions.

CR’s partners at the Carnegie Mellon CyLab have been working on this concept for several years. You can check out their test label here. And this idea continues to gain support among policymakers and industry. In May 2022, NIST released guidance on how a national cybersecurity labeling scheme should work, drawing on feedback from over 100 stakeholders (including CR). But there is not yet a product labeling mandate on the horizon, which means the task of moving from concept to execution falls to industry, academia and non-profit groups like Consumer Reports.

Our approach over the next two years is to develop an end-to-end open reference system for connected device labeling through which manufacturers can voluntarily attest to the security and privacy attributes of devices. The system will generate descriptive labels that are embeddable, understandable and designed to inform consumers about the security and privacy of their connected devices, at the point of purchase and throughout the lifespan of the device.

Over the next two years, CR will develop and pilot a functional security and privacy label that will communicate to consumers things like what kinds of data their IoT product collects, how long the product will receive security updates, and other important information to help consumers make informed decisions. This work will lay the foundation for a new IoT cybersecurity label scheme that can inform and empower consumers with immediate, clear, and actionable insights while driving upstream improvements by manufacturers.

In 2023, CR will:

• Continue testing the privacy and security of consumer IoT products
• Prototype a functional end-to-end IoT security labeling system
• Conduct usability testing, consumer education, and other validation work to prepare for a successful launch of a national consumer IoT labeling scheme; and
• Work with a group of IoT Design Fellows and subject matter experts to deliver a reference system that has been tested with manufacturers, retailers and consumers

If this sounds like an interesting initiative, we invite you to get in touch. We’re looking for thought partners, engineers and systems thinkers who deeply grok privacy, security, and consumer protection to build out the strategy. We will be filling contract and full-time roles too so if you’re interested in working with CR, drop us a line at innovationlab@cr.consumer.org.