We’re looking for systems thinkers to help prototype and pilot a next-gen product labeling system. We’ll be filling contract and full-time roles starting this Fall. If you’re interested in working with CR on this, drop us a line at digitallab@cr.consumer.org so we can explore how we might work together.
In this note, we’re sharing some of our preliminary thinking to get your feedback. The ideas presented here are early and we’ll continue updating this space as our work progresses.
The basic idea
At the grocery store we can read and compare nutritional information, thanks to the standardized Nutrition Facts label. At big box retailers, we can review Energy Guide estimates of the annual energy consumption of appliances. What if all connected devices sold came with the equivalent of a privacy & cybersecurity “nutritional label”?
Instead of telling consumers how many calories a product has, or how much it costs to power, an IoT label would communicate things like what kinds of data the product collects, how long the product will receive security updates, and other important information to help consumers make informed decisions.
The state of play
Our colleagues at the Carnegie Mellon CyLab have been working on this concept for several years. You can check out their test label here. And this idea continues to gain support among policymakers and industry. In May 2022, NIST released guidance on how a national cybersecurity labeling scheme should work, drawing on feedback from over 100 stakeholders (including CR).
But there is not yet a product labeling mandate on the horizon, which means the task of moving from concept to execution falls to industry, academia and non-profit groups like Consumer Reports.
So we’re looking for entrepreneurs, engineers, and strategists to help us design a system that meets the needs of consumers, manufacturers, and public policy. Our goal is to bootstrap a system that can generate high quality, trustworthy labels at scale—informing and educating all kinds of consumers—while we work through the contours of a national strategy and the roles of participating actors.
Some initial thinking
CR is interested in a system that’s based on machine readable data about product’s privacy and security factors, and which enables a range of downstream applications of label information: on product packaging an in-store displays; accessed through consumers’ mobile devices at point of sale; embedded in digital storefronts, in comparison shopping services, and in other settings and applications to be determined.
In this way, we can ensure IoT product labels are not just static snapshots — and instead present relevant, up-to-date information depending on the contexts where the information is delivered.
This is an exciting and challenging design problem. While there’s no “one size fits all” approach to representing the cyber safety of a particular product, consumers must be able to gain meaningful insight from glancing at a label, and be able to trust in the integrity of the overall system. This implies a significant consumer education lift that would need to be coordinated with many public and private actors.
At the same time, manufacturers need the right incentives and protections to disclose product information — and information disclosed should ideally be verifiable, with repercussions for companies that misrepresent their products.
Finally, because consumers will not value labels if they are only available on a piecemeal basis, the national IoT labeling program should also aspire to make labels universally available and comparable— even if manufacturer participation is voluntary.
One possible approach
We assume that the national labeling program will be administered by a public-private consortium. That consortium would make manufacturers eligible for a “cyber safety” trustmark If they fulfill a set of baseline privacy and security requirements.
Complementing this, we imagine an information service to which manufacturers and third-parties will be encouraged to make cryptographically signed assertions about product security and privacy factors.
These assertions can be published to any endpoint, but are intended especially for submission to a central “registry” that would be operated for public benefit. The registry will be an open system that invites manufacturers and third-party certification groups to submit attestations, so that the registry gradually accumulates high-quality structured data. The registry will also provide APIs and modular designs so that third-party application developers can embed label information in various contexts.
Manufacturers who wish to demonstrate to consumers their participation in the national program should be able to look to the registry as a possible “turnkey” solution for generating and displaying a compliant label.
Based on this high-level vision, we’re setting out to:
- encode a set of expectations about product security and privacy factors manufacturers should voluntarily disclose,
- define a simple protocol for manufacturers and third-parties to attest to product security and privacy factors, and
- prototype a central information service or “registry” that enables retrieval and display of label information according to common interface guidelines.
Get in touch
We’d love to hear your feedback about the approach. We’ll be talking to consumers, manufacturers, certification groups, security and usability experts and others to iterate on this plan.
And if this sounds like an interesting challenge, we invite you to get in touch. We’re looking for thought partners, engineers and systems thinkers who deeply grok privacy, security, and consumer protection to build out the strategy. We will be filling contract and full-time roles starting this Fall, so if you’re interested in working with CR, drop us a line at digitallab@cr.consumer.org.
