The Federal Trade Commission (FTC) submitted public comments to the US Department of Commerce’s National Telecommunications and Information Administration (NTIA) in connection with the NTIA’s draft guidance on improving the security of Internet of Things (IoT) devices. The FTC’s comments focus on ensuring that manufacturers better inform consumers about security updates.
The FTC suggests in the public comments that consumers would benefit, prior to purchasing an IoT device, from clear information about the device manufacturer’s support period. In particular, the FTC suggests that manufacturers should disclose a minimum support period with a clear start date or, preferably, a clear end date. With such advance disclosure about the support period, consumers would be better equipped to compare devices. In addition, the FTC suggests that manufacturers should disclose if an IoT device will stop working or become highly vulnerable to attack after the support period ends—especially where consumers would expect that a similar “dumb” device (such as a refrigerator or toaster) would have a longer, safer lifespan even after support has lapsed.
Additionally, the FTC suggests that manufacturers should consider using a uniform notification method to inform consumers about security updates. A notice on a device’s screen or in the notification center of a device-related app are examples of easily accessible ways for consumers to receive such notifications. Consumers are oftentimes unaware that security updates are available or needed, so effective notifications are a critical component in the maintenance of IoT device security. The FTC also suggests that, at the point of sale of an IoT device, manufacturers could offer consumers the option to sign up for affirmative notifications related to security support, including when the support period is about to end.
Lastly, the FTC takes issue with the NTIA’s suggestion that IoT device manufacturers inform consumers about the update process and how the manufacturer secures updates—arguing that this information is of little benefit to consumers and risks being technically arcane and therefore difficult for consumers to understand. Moreover, the FTC suggests that if such information is combined with what the FTC views as more important information about security updates, consumers may balk at the volume and level of technical detail and skip reading the information altogether.