Multistakeholders Adopt Voluntary Guidance on Communicating IoT Device Upgradability to Consumers

Stakeholders – collaborating as part of a National Telecommunications and Information Administration (NTIA)-convened multistakeholder process on Internet of Things (IoT) security upgradability and patching – reached consensus on voluntary guidance intended to assist manufacturers who decide to communicate IoT device update capability to consumers.  The ability for connected devices to receive security upgrades is critically important for mitigating vulnerabilities after devices have found their way into the hands of consumers.  Operating on the premise that consumers may desire basic information about whether and how devices receive security upgrades, stakeholders identified “elements of IoT security updatability” that manufacturers may consider communicating to consumers. 

The document organizes these elements into two categories: “key elements” manufacturers should consider voluntarily communicating to consumers prior to purchase and “additional elements” manufacturers should consider voluntarily communicating to consumers either prior to or following purchase.  Key elements include:

  • Whether the device can receive security updates;
  • How the device receives security updates; and
  • Anticipated timeline for the end of security update support.

Additional elements include:

  • How the user is notified about security updates;
  • Consumer options in the event the device no longer receives security update support; and
  • How the manufacturer secures updates.

Precisely how to communicate this information and the appropriate level of detail to provide to consumers is best left to the manufacturer.  Stakeholders observed that “[t]hese voluntary communications may evolve over time as threats, solutions, and products change, and as needed to be consistent with consumers’ familiarity, expectations, and security needs.”

The Federal Trade Commission (FTC) weighed in on a draft version of the document to caution stakeholders against unduly burdening businesses and inadvertently impeding consumers’ ability to make informed choices.  First, the FTC emphasized that there is no such thing as perfect security, but that security is a continuous process of risk management.  “In deciding whether and how to patch devices, manufacturers must balance the benefits of safeguarding against various threats with the considerable costs of developing, testing, and deploying software updates,” the Commission wrote.  Second, the FTC observed that consumer notification is difficult to get right, and that over-notification could cause consumers to tune out critical information.

Accordingly, the FTC recommended a series of changes to the proposed elements of IoT security updatability, a few of which were incorporated into the final version.  Manufacturers are encouraged in the voluntary guidance document to review the FTC’s comments for the agency’s views on IoT security updatability and related matters.

Wiley Connect
