CR is currently building a next-gen IoT product labeling system to help consumers make informed decisions about the security and privacy of their IoT devices. We are seeking thought partners, advisors and mentors to help support the CR design of an IoT nutrition label. If you’re interested in working with CR on this, drop us a line at innovationlab@cr.consumer.org so we can explore how we might work together.
The basic idea
At the grocery store we can read and compare nutritional information, thanks to the standardized Nutrition Facts label. At big box retailers, we can review Energy Guide estimates of the annual energy consumption of appliances. What if all connected devices sold came with the equivalent of a privacy & cybersecurity “nutritional label”?
Instead of telling consumers how many calories a product has, or how much it costs to power, an IoT label would communicate things like what kinds of data the product collects, how long the product will receive security updates, and other important information to help consumers make informed decisions.
The state of play
Our colleagues at the Carnegie Mellon CyLab have been working on this concept for several years. You can check out their test label here. And this idea continues to gain support among policymakers and industry. In May 2022, NIST released guidance on how a national cybersecurity labeling scheme should work, drawing on feedback from over 100 stakeholders (including CR). But there is not yet a product labeling mandate on the horizon, which means the task of moving from concept to execution falls to industry, academia and non-profit groups like Consumer Reports.
Over the next two years, CR will develop and pilot a functional IoT label that will communicate to consumers things like what kinds of data their IoT product collects, how long the product will receive security updates, and other important information to help consumers make informed decisions. This work will lay the foundation for a new IoT cybersecurity label scheme that can inform and empower consumers with immediate, clear, and actionable insights while driving upstream improvements by manufacturers.
The road ahead
We’re looking for entrepreneurs, engineers, and strategists to support the CR design of an IoT product labeling system. The label is currently in the prototype stage. We’ve built a sandbox to play with the iterative design of an IoT security label that meets the needs of consumers, manufacturers, and public policy. Additionally, in order to refine the delivery system of the label, CR will be running an intensive program summer 2023 with students and stakeholders to move our prototype to pilot. The program will be structured as a 10 week paid intensive in NYC where students research, test and bring a user centric privacy & cybersecurity nutritional label to life. The program is hybrid with both in person and remote opportunities. We are currently sourcing mentors to support this program.
Get in touch
We’d love to hear your feedback about our approach. We’ll be talking to consumers, manufacturers, certification groups, security and usability experts and others to iterate on this plan. And if this sounds like an interesting challenge, we invite you to get in touch. We’re looking for thought partners, engineers and systems thinkers who deeply grok privacy, security, and consumer protection to build out the strategy. We are looking for mentors and will be filling contract and full-time roles starting in the Fall. If you’re interested in working with CR, drop us a line at innovationlab@cr.consumer.org.