A new U.S. government seal of approval unveiled this week promises to help us ID the good ones and avoid the bad ones — if the gadget industry doesn’t water down the standards before they arrive in the coming months.
Called the U.S. Cyber Trust Mark, the label will be a bit like the Energy Star efficiency stickers you might have seen on refrigerators and air conditioners. This seal will appear on gadget boxes, likely with a QR code you can scan, and signals that the product includes key security and privacy features, such as software updates.
Announced by the White House on Tuesday, the Cyber Trust Mark will be run by the Federal Communications Commission, which is better known for certifying the radio signals coming out of devices. But this new security certification will be voluntary for gadget makers, and relies on the idea that companies will comply because they will want to compete on keeping us safe.
Initially, I was skeptical. Tech companies mostly compete on whiz-bang features and conveniences — or, in the age of Big Tech monopolies, hardly bother competing at all. Why doesn’t the government just make the worst security practices illegal?
“Laws come from Congress,” FCC chairwoman Jessica Rosenworcel told me in an interview. “Regulatory agencies have to use the laws they have to build policies that meet the moment.”
It’s true that waiting for new tech laws isn’t working out well for we the users. “It struck me that we should get this going now even if there are no new laws because the number of smart devices is growing so fast,” said Rosenworcel.
“I know it can be bewildering as a consumer,” she said. “I remember when my children were young and we were buying a baby monitor and I paused and thought: ‘Do I want it sending a feed to me that I can pick up on my phone? How fast can I make sure that I change the default password?’”
The FCC’s sister agency, the Federal Trade Commission, has brought dozens of cases against companies over data security. But the truth is those enforcement efforts have hardly scared gadget makers straight.
So think of the Cyber Trust Mark more as a carrot to encourage better behavior, said Justin Brookman, director of technology policy for Consumer Reports, who was at the White House for the launch. “I think it’s a good idea,” he said. “Maybe we can’t get rid of all the bad ones, so let’s at least promote the good ones.”
Now the devil is in the details
Here’s what I’ll be watching closely: The FCC announced the program, but it has yet to announce what minimum standards products will have to meet to get the seal.
The FCC hasn’t yet even specified what kinds of connected products could get a Cyber Trust Mark. Rosenworcel called out connected refrigerators, microwaves, televisions, climate control systems, fitness trackers and baby monitors. But what about speakers and doorbells and security cameras? And don’t forget cars! They’re now basically smartphones on wheels.
The standards will be set through a rulemaking process, where the FCC will gather feedback from consumers and the industry. (My colleague Tim Starks has more details on the process in his Cyber 202 newsletter.) They’ll follow guidance from the National Institute of Standards and Technology.
But I’m not sure we can trust an industry that’s been so cavalier with our data to push for a high standard. For example, requiring regular security updates seems like a good idea. But for how many years? (Some phone makers notoriously offer very few.) And how fast should consumers expect a Cyber Trust Mark product to deliver emergency patches to deal with newly discovered threats?
Requiring data encryption also seems like a good baseline. But will it need to be done in such a way that only the end user can access the data?
“Those details really matter,” Rosenworcel told me, though she said she wanted to collect more information before she stated her view on them.
At the launch event on Tuesday, Amazon and Samsung announced their commitment to the program. But neither company would answer my questions about what minimum standards they think the Cyber Trust Mark should include. The Consumer Technology Association, the industry group that runs the annual CES show in Las Vegas, has convened its own working groups to discuss these questions.
Also noticeably absent from the White House event was the biggest consumer tech company in the United States: Apple. An Apple spokesman didn’t reply to my request for comment.
Professor Lorrie Cranor of Carnegie Mellon University, whose research includes ways to make better security and privacy disclosures to users, said she hopes the final standard doesn’t gloss over privacy.
She and her colleagues have proposed including on the label itself basic information such as what data gets collected and shared. “We think it’s really important if you’re going to secure an [internet of things] device, you need to know what sensors are in the device. That’s part of security even though it’s also part of privacy,” she said.
She also wants user testing to be part of the process. “We want to test it with consumers and not just have a bunch of people in the backroom saying this is good,” she said.
When can we expect to see the badge on devices?
“These things don’t move fast,” said Rosenworcel. She wouldn’t commit to a timeline, but said her hope was to have systems up and running to make the label possible by the end of 2024.