Smart devices are becoming more common, but not all of them are designed with basic security features. Communities around the world are trying to lessen the security risks for these devices. These efforts include setting up security principles and labels that signal compliance with IoT security requirements. However, it can be confusing for consumers to interpret these labels. Consumers might also be unable to tell these similar yet different labels apart when making purchase decisions. In 2021, President Biden signed an Executive Order on Improving the Nation’s Cybersecurity (14028) directing the National Institute of Standards and Technology (NIST) to develop cybersecurity criteria for a consumer IoT labeling program. On July 18, 2023, the Biden Administration unveiled a new “U.S. Cyber Trust Mark” program to be headed up by the Federal Communications Commission (FCC). In light of this recent news, it’s important to understand how existing international labeling schemes work.
This article aims to provide an overview of the global IoT label schemes and clarification for IoT label stakeholders and consumers. With a comparative law method, the author compared and contrasted the relevant documents from the United Kingdom, European Standards Organization (ETSI), Finland, Singapore, Germany, and Australia. Consumers should be able to understand the main differences between existing labeling schemes with this overview. It is beneficial to have these clear mappings of different IoT labeling standards when researching for smart device purchases.
These global IoT security efforts can be categorized into two groups: provisions and labeling schemes. The former lays out principles and requirements for IoT stakeholders; the latter establishes criteria to award IoT labels. The provisions and labeling schemes go hand in hand as some provisions were used as requirements for IoT label applications.
Figure 1. The progress of IoT security and privacy policies and labeling schemes
The Code of Practice for Consumer IoT Security from the United Kingdom is the first document that provides principles for IoT stakeholders. However, it is ETSI 303 645 (2020) from ETSI that stands out as one of the most important documents, if not the most important. ETSI 303 645 includes 13 provisions applicable to all consumer smart devices, such as “communicate securely” and “ensure software integrity”. The full list can be found here. These provisions are not mandatory but recommended baselines for smart device stakeholders, such as manufacturers and retailers. ETSI 303 645 has become the foundation for the international IoT label assessment standard, as requirements from ETSI 303 645 are adopted by countries as their labeling criteria. Therefore, though it started out as a set of voluntary requirements, it has gradually become more impactful over the years.
Finland, Singapore, and Germany are the three countries that have established their own IoT labeling schemes. All labeling schemes are voluntary and refer to ETSI 303 645 for their IoT label requirements. Online registry portals where consumers can look up relevant information about products awarded IoT labels are available in all three countries.
Finland and Germany both have binary label models. The biggest difference lies in the involvement of third-party inspections. Products need to fulfill all 13 requirements and pass an independent inspection in Finland; in Germany, manufacturers can apply for a label once they have self-declared fulfillment of the requirements.
On the other hand, Singapore adopts a layered model. For the first two levels of Singapore's labels, products only need to self-declare the extent of their compliance with the provisions. The last two levels require different independent inspections, such as binary analyses and penetration tests.
Countries have been actively working together toward a more harmonized global IoT labeling scheme. Finland, Singapore, and Germany have signed a memorandum and agreed on the following mapping: Finnish labels are equivalent to Singapore level 3, and German labels are equivalent to Singapore level 2. Based on the strictness of the assessment, from strictest to most lax, the labels can be roughly ranked as follows: Singapore level 4, Singapore level 3 ≃ Finland, Singapore level 2 ≃ Germany, Singapore level 1.
IoT label stakeholders should lay out meaningful security and privacy requirements. To retain their credibility on the market, stakeholders should routinely update these requirements and enforce compliance diligently. Stakeholders should launch educational programs for consumers who are learning about smart devices. This educational information and these materials should be accessible to consumers.
Labels should provide sufficient information, such as the types of data collected, update dates, and data-sharing policies. Besides individual labels, stakeholders should also maintain a corresponding product registry that is accessible to the public at all times. Consumer Reports has been building our own IoT label and IoT reference system. The IoT reference system is the backbone of the label, as it will streamline the label-generating process. We are actively working toward bringing to life an IoT reference system that will inform consumers about the security and privacy details of smart devices.
Now that we have a better understanding of the global landscape, we need your input to help build our own IoT label in the United States. Sign up for our CR Security & Privacy Labels for Smart Devices survey here! A 10-minute survey with you will allow us to better understand what information is important and how the design of these labels can better suit your needs.