How the FCC’s Voluntary Nutrition Label Program Could Equip Consumers to Shop for Secure Connected Devices

Americans are rightly concerned about what information their devices may be collecting about them and their family, and businesses would be wise to learn the lessons of tech policy past and address data privacy and security issues now to avoid fragmented, reactive regulation later. In November, the Federal Communications Commission closed the reply comment period for PS Docket No. 23-239, “Cybersecurity Labeling for Internet of Things, Notice of Proposed Rulemaking” (IoT NPRM). EPIC, represented by the Georgetown Law Communications and Technology Law Clinic, joined by coalition partners, filed a reply comment to this NPRM, proposing several key elements in the best interest of consumers and which companies should embrace.

Given the label’s primary goal of ensuring consumer confidence in the cybersecurity of their IoT devices, we urged the FCC to adopt a dual-layer labeling solution. This solution would include an easily glanceable primary label and a secondary label that displays additional cybersecurity and privacy information, empowering consumers to make an informed purchase at point of sale. For the vast majority of products, we supported the FCC’s proposal that the product itself contain a mark: a “U.S. Cyber Trust Mark.” To qualify for the U.S. Cyber Trust Mark, our proposal would require the product itself to collect only the data necessary to provide its essential functions and services, a principle called data minimization that has been promoted since the Fair Information Practice Principles (FIPPs) of the 1970s but not adhered to in recent memory (although some regulators are looking to change this). Companies should design the product itself to include the mark. Additionally, the product box should include a primary label which displays the information most critical to the consumer’s evaluation of the product’s relative cybersecurity, including the kind of data the device collects (e.g., video, audio, physiological, geolocation, etc.) per Carnegie Mellon University CyLab’s model. The primary label on the product box should also include a URL and a QR code to connect the consumer to a website which hosts a secondary label that displays a set of more detailed information regarding the privacy and cybersecurity of the device.

Our vision for the label also builds in cybersecurity best practices through a robust enforcement regime. Cybersecurity is a constantly evolving field, and capturing compliance at a single point in time is not enough to ensure consumer protection. We urge the FCC to conduct periodic recertification and post-certification audits to ensure that IoT device companies stay current in their cybersecurity practices. Additionally, we urge the FCC to implement a short cure period for devices discovered to be noncompliant with label obligations and representations. While robust enforcement of the label is necessary for success, immediate punishment does not fix the device vulnerability, leading to greater consumer risk. By using a short cure period, the FCC will incentivize companies to quickly patch any vulnerabilities, leading to safer devices for consumers.

Finally, and perhaps most importantly, we urged the FCC to not allow the label to be used as a…
