How the FCC’s Voluntary Nutrition Label Program Could Equip Consumers to Shop for Secure Connected Devices
December 7, 2023
Americans are rightly concerned about what information their devices may be collecting about them and their family, and businesses would be wise to learn the lessons of tech policy past and address data privacy and security issues now to avoid fragmented, reactive regulation later. In November, the Federal Communications Commission closed the reply comment period for PS Docket No. 23-239, “Cybersecurity Labeling for Internet of Things, Notice of Proposed Rulemaking” (IoT NPRM). EPIC, represented by the Georgetown Law Communications and Technology Law Clinic, joined by coalition partners, filed a reply comment to this NPRM, proposing several key elements in the best interest of consumers and which companies should embrace.
Given the label’s primary goal of ensuring consumer confidence in the cybersecurity of their IoT devices, we urged the FCC to adopt a dual-layer labeling solution. This solution would include an easily glanceable primary label and a secondary label that displays additional cybersecurity and privacy information, empowering consumers to make an informed purchase at the point of sale. For the vast majority of products, we supported the FCC’s proposal that the product itself carry a mark, a “U.S. Cyber Trust Mark.” To qualify for the U.S. Cyber Trust Mark, our proposal would require the product itself to collect only the data necessary to provide its essential functions and services, a principle called data minimization that has been promoted since the Fair Information Practice Principles (FIPPs) of the 1970s but not adhered to in recent memory (although some regulators are looking to change this). Companies should design the product itself to include the mark. Additionally, the product box should include a primary label which displays the information most critical to the consumer’s evaluation of the product’s relative cybersecurity, including the kind of data the device collects (e.g. video, audio, physiological, geolocation, etc.) per Carnegie Mellon University CyLab’s model. The primary label on the product box should also include a URL and a QR code to connect the consumer to a website which hosts a secondary label that displays a set of more detailed information regarding the privacy and cybersecurity of the device.
Our vision for the label also builds in cybersecurity best practices through a robust enforcement regime. Cybersecurity is a constantly evolving field, and capturing compliance at a single point in time is not enough to ensure consumer protection. We urge the FCC to conduct periodic recertification and post-certification audits to ensure that IoT device companies stay current in their cybersecurity practices. Additionally, we urge the FCC to implement a short cure period for devices discovered to be noncompliant with label obligations and representations. While robust enforcement of the label is necessary for success, immediate punishment does not fix the device vulnerability, leading to greater consumer risk. By using a short cure period, the FCC will incentivize companies to quickly patch any vulnerabilities, leading to safer devices for consumers.
Finally, and perhaps most importantly, we urged the FCC to not allow the label to be used as a way to avoid accountability for insecure devices. Many industry commenters urged the FCC to implement a “safe harbor” provision that would allow companies to use the label to avoid liability for harm resulting from insecure devices. As Commissioner Simington recently noted, this provision would be antithetical to the goals of the label, because allowing companies to evade liability for deficient cybersecurity practices merely by virtue of participating in the U.S. Cyber Trust Mark program would reduce incentives to keep devices secure, leaving consumers to bear the costs of insecure devices.
Much of the IoT industry has existed in a regulatory vacuum. This lack of regulation and failure to educate consumers has led to a market where consumers are regularly left to deal with the fallout of cyber attacks and data breaches. While industry would prefer to handle the issue itself rather than be subject to regulatory compliance burdens, the FCC’s NPRM proposes a balance: you are not required to comply, because the program is voluntary, but consumers will finally have a simple way of comparing products and making the best purchase for themselves.
We anticipate that once industry is required to either comply with the label or elect to deploy products without the U.S. Cyber Trust Mark, the market will indeed compel the companies that initially chose to deploy without the mark to ultimately voluntarily comply, and will guide consumers towards products that are more secure and privacy-protective. We expect that consumers will come to recognize the mark the way they do Energy Star products, and consumers will reject products which do not contain the U.S. Cyber Trust Mark.
In the absence of comprehensive federal privacy law in the United States, state and federal regulators have individually strived to protect consumers from insecure devices and exploitative practices, creating a fragmented regulatory environment that good actors within industry claim to struggle to comply with. Indeed, the very first action item in the White House National Cybersecurity Strategy Implementation Plan is to task the Office of the National Cyber Director with harmonizing the various cybersecurity regulations that apply to critical infrastructure (find EPIC’s comments on that effort here). Notably, the third pillar of the National Cybersecurity Strategy emphasizes “making our digital ecosystem more trustworthy” by “promoting privacy and security of personal data.” Instead of inviting regulation in a reactive, fragmented manner, IoT and related companies should rally behind the reasonable principles of data minimization and simple disclosures to strengthen consumer trust in IoT devices.